CSRC Site Map
- Draft Publications
- FIPS Pubs
- ITL Security
- NIST IRs
- Cryptographic Standards
- Security Testing
- Security Research
- Security Management
- List of Acronyms
- Virus Information
- ICAT Alerts
Having trouble viewing
a .pdf document on this page? Click link for details.
Draft Special Publication 800-53A: Guide for Assessing the Security
Controls in Federal Information Systems
Adobe PDF (2,148 KB)
Zipped Adobe PDF (1,890 KB)
NIST's Computer Security Division has completed the initial public draft
of Special Publication 800-53A, Guide for Assessing the Security
Controls in Federal Information Systems. The draft publication is
one of a series of key standards and guidelines developed by NIST to
help federal agencies improve their information technology security
and comply with the Federal Information Security Management Act (FISMA)
of 2002. Organizations can use Special Publication 800-53A to create
viable assessment plans to determine the overall effectiveness of the
security controls employed within organizational information systems.
The guidance contained in this publication has been developed to help
achieve more secure information systems within the federal government
by: (i) enabling more consistent, comparable, and repeatable assessments
of security controls; (ii) facilitating more cost-effective assessments
of security control effectiveness; (iii) promoting a better understanding
of the risks to organizational operations, organizational assets, or
individuals resulting from the operation of information systems; and
(iv) creating more complete, reliable, and trustworthy information for
organizational officials-to support security accreditation decisions
and annual FISMA reporting requirements.
NIST invites public comments on the draft guideline until 5 p.m. Eastern
Daylight Time on August 31, 2005. Written comments on Special Publication
800-53A may be sent to Chief, Computer Security Division, Information
Technology Laboratory, Attn: Comments on Draft Special Publication 800-53A,
NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, Md. 20899-8930. Comments
also may be submitted electronically to firstname.lastname@example.org.
July 15, 2005 -- Draft Federal Information Processing
Standards (FIPS) Publication 200, Minimum Security Requirements for
Federal Information and Information Systems
.pdf (344 KB)
NIST's Computer Security Division has completed the initial public draft
of Federal Information Processing Standards (FIPS) Publication 200,
Minimum Security Requirements for Federal Information and Information
Systems. The draft standard is one of a series of key standards
and guidelines developed by NIST to help federal agencies improve their
information technology security and comply with the Federal Information
Security Management Act (FISMA) of 2002. FIPS Publication 200 provides:
(i) a specification for minimum security requirements for federal information
and information systems; (ii) a standardized, risk-based approach (as
described in FIPS Publication 199, Standards for Security Categorization
of Federal Information and Information Systems) for selecting security
controls in a cost-effective manner; and (iii) links to NIST Special
Publication 800-53 (Recommended Security Controls for Federal Information
Systems) that recommends management, operational, and technical
controls needed to protect the confidentiality, integrity, and availability
of all federal information systems that are not national security systems.
NIST invites public comments on the draft standard until 5 p.m. Eastern
Daylight Time on Sept. 13, 2005. Written comments on FIPS Publication
200 may be sent to Chief, Computer Security Division, Information Technology
Laboratory, Attn: Comments on Draft FIPS Publication 200, NIST, 100
Bureau Dr., Stop 8930, Gaithersburg, Md. 20899-8930. Comments also may
be submitted electronically to email@example.com.
July 6, 2005 -- Draft Special Publication 800-56,
Recommendation for Pair-Wise Key Establishment Schemes Using Discrete
.pdf (834 KB)
Draft Special Publication 800-56, Recommendation for Pair-Wise Key Establishment
Schemes Using Discrete Logarithm Cryptography, is available for public
comment. Please provide comments to firstname.lastname@example.org
by Friday, August 19th, with Comments on SP 800-56 in the
June 17, 2005 -- Draft Special Publication 800-79,
Guidelines for the Certification and Accreditation of PIV Card Issuing
NOTE: Draft document file updated June
21, 2005 -- errata includes title correction and Executive Summary.
document (Adobe PDF) (582 KB)
Form Template (MS Excel) (16 KB)
Answers about Draft SP 800-79 : (Adobe PDF) (34 KB)
NIST's Computer Security Division, responsible for development and
support of the Federal Information Processing Standard (FIPS 201)
for Personal Identity Verification of Federal Employees and Contractors
has completed the first draft of NIST SP 800-79, Guidelines
for the Certification and Accreditation of PIV Card Issuing Organizations,
for public comment. Homeland Security Presidential Directive 12 specified
that only organizations whose reliability has been accredited may
issue PIV Cards to Federal employees and contractors. The Guidelines
describe the tasks to be performed during the certification and accreditation
processes which lead to accreditation and an approval to operate the
PIV Card issuing services required in FIPS 201. The Guidelines may
be used by Federal agencies in planning and designing their PIV Card
issuing services. They may later be used by the agency to self accredit
their capability and reliability to provide the services.
NIST Special Publication 800-79 can be accessed from the Drafts Publications
page. Comments on SP 800-79 are being solicited until July 10, 2005,
from Federal agencies, industrial organizations, public interest groups,
and individuals. Comments should be prepared using the Comment
Form Template (MS Excel) (16 KB) and the completed Comment Form
should then be saved in the memory of your computer. The completed
comment form should then be attached to a short message stating the
name and address of the source of comments, an email address that
can be made public, and then e-mailed to PIVaccreditation@nist.gov.
Comments received after July 10, 2005 will not be considered when
revising SP 800-79. Additional information in question and answer
format is available in Questions
& Answers about Draft SP 800-79 : (Adobe PDF)
21, 2005 -- Draft Special Publication 800-57, Recommendation
for Key Management
Part 1 (General):
Part 2 (Best Practices for Key Management
Drafts of NIST Special Publication 800-57 Recommendation for Key Management,
Parts 1 and 2 are available for public comment. This Recommendation
provides cryptographic key management guidance. Part 1 provides guidance
and best practices for the management of cryptographic keying material.
Part 2 provides guidance on policy and security planning requirements
for U.S. government agencies.
Comments will be accepted on Part 1 until June 3, 2005. Please send comments
with "Comments on SP 800-57, Part 1" in the subject line.
Comments will be accepted on Part 2 until May 18, 2005. Please send comments
with "Comments on SP 800-57, Part 2" in the subject line.
31, 2005 -- Draft Special Publication 800-77, Guide to
.pdf (1.45 MB)
Adobe .pdf (1.16 MB)
is pleased to announce new draft special publication 800-77, Guide to
IPsec VPNs. IPsec is a framework of open standards for ensuring private
communications over IP networks. The most common use is with virtual
private networks (VPN). IPsec provides several types of data protection,
including maintaining confidentiality and integrity, authenticating
the origin of data, preventing packet replay and traffic analysis, and
providing access protection.
document describes the three primary models for VPN architectures:
gateway-to-gateway, host-to-gateway, and host-to-host. These models
can be used, respectively, to connect two secured networks, such as
a branch office and headquarters, over the Internet; to protect communications
for hosts on unsecured networks, such as traveling employees; or to
secure direct communications between two computers that require extra
guide describes the components of IPsec. It also presents a phased
approach to IPsec planning and implementation that can help in achieving
successful IPsec deployments. The five phases of the approach are
as follows: identity needs, design the solution, implement and test
a prototype, deploy the solution, and manage the solution. Special
considerations affecting configuration and deployment are analyzed,
and three test cases are presented to illustrate the process of planning
and implementing IPsec VPNs.
on SP 800-77 can be made until 3 March 2005. Please submit comments
Comment period is NOW closed.
24, 2005 -- NIST DRAFT Special Publication 800-76, Biometric
Data Specification for Personal Identity Verification
Based on the comments received on November 8th draft of FIPS 201, NIST
has decided to move technical requirements for biometric data to a Special
Publication 800-76, Biometric Data Specification for Personal Identity
Verification (.pdf). NIST is pleased to announce the draft of
SP 800-76 for the public comments. The comment period for this draft is
two weeks, ending on February 7th, 2005. Please direct all comments and
questions to DraftFIPS201@nist.gov.
Comment period is now CLOSED.
- DRAFT Special Publication 800-68, Guidance for Securing Microsoft
Windows XP Systems for IT Professionals: A NIST Security Configuration
NIST has completed
the draft NIST Special
Publication 800-68, Guidance for Securing Microsoft Windows XP Systems
for IT Professionals: A NIST Security Configuration Checklist. NIST
Special Publication 800-68 has been created to assist IT professionals,
in particularly Windows XP system administrators and information security
personnel, in effectively securing Windows XP systems. It discusses Windows
XP and various application security settings in technical detail. The
guide provides insight into the threats and security controls that are
relevant for various operational environments, such as for a large enterprise
or a home office. It describes the need to document, implement, and test
security controls, as well as to monitor and maintain systems on an ongoing
basis. It presents an overview of the security components offered by Windows
XP and provides guidance on installing, backing up, and patching Windows
XP systems. It discusses security policy configuration, provides an overview
of the settings in the accompanying NIST security templates, and discusses
how to apply additional security settings that are not included in the
NIST security templates. It demonstrates securing popular office productivity
applications, Web browsers, e-mail clients, personal firewalls, antivirus
software, and spyware detection and removal utilities on Windows XP systems
to provide protection against viruses, worms, Trojan horses, and other
types of malicious code. NIST requests comments by August 3, 2004. Comments
should be addressed to email@example.com.
Request for Comments is now CLOSED.
-- FIPS 180-2, Secure Hash Standard (change notice)
NIST is proposing a change
notice (pdf format) for FIPS 180-2, the Secure Hash Standard
that will specify an additional hash function, SHA-224, that is based
on SHA-256. NIST requests comments for the change notice by January 16,
2004. Comments should be addressed to firstname.lastname@example.org.
Request for comments is now CLOSED.
If you are looking for a "draft" computer security publication and can't
find it here, the draft probably
has been finalized (check the FIPS or Special Publication link once
on this page)
viewing .pdf files from this page? Here are several tips which will hopefully
resolve the problem.
Are you using Internet Explorer? Internet Explorer requires you to enable
Active-x controls for .pdf and other plug-ins. If this feature is disabled,
then you will not be able to view .pdf files from CSRC website and most likely
from other websites as well. When Active-x controls for .pdf and other plug-ins
is enabled, it should work.
You probably want to
check with your system administrator to see if your browser and/or Adobe
Reader is configured properly. This is a FYI on how to enable the active-x
control for .pdf and other plug-ins in Microsoft IE. Netscape uses a different
technique. Go to the Tools drop down menu (top of your browser menu bar),
then left click on the Internet options, then left click the Security tab,
then look for the custom level button and click the button, find "Run
Active X controls and Plug-ins" (there will be other references to
Active-X but choose ONLY this one), and click the Enable circle. Then hit
ok to exit.
Once this feature is
enabled, you will be able to view .pdf files from our CSRC website or any
If you don't want to
view the .pdf files from CSRC with Adobe Reader within your browser, instead
of clicking the link to view the .pdf file(s), you can place your cursor
above the link (cursor will then change to a hand) and then RIGHT click
the link. You will see a little window box. Click the save file as option.
Then you will see another window to save the file and you can save the file
to your system or to where ever you would like the file to be saved. Then
once you save the file, you should be able to open up Adobe Reader without
using your browser to view the .pdf file.
If your settings are
properly set to download or view .pdf files from the Internet, several people
had told us that in order for them to view a rather large .pdf file within
Adobe Reader, they had to close most to all of their applications. Also,
some people told us that they had to clean out their temporary cache folders,
for there was not enough memory in their temporary cache.