Under the Computer Security Act of 1987 (P.L. 100-235), the Computer Security Division of the Information Technology Laboratory (ITL) develops computer security prototypes, tests, standards, and procedures to protect sensitive information from unauthorized access or modification. Focus areas include cryptographic technology and applications, advanced authentication, public key infrastructure, internetworking security, criteria and assurance, and security management and support.
These publications present the results of NIST studies, investigations, and research on information technology security issues.
The publications are issued as Special Publications (Spec. Pubs.), NISTIRs (Internal Reports), and ITL (formerly CSL) Bulletins. Special Publications series include the Spec. Pub. 500 series (Information Technology) and the Spec. Pub. 800 series (Computer Security). Computer security-related Federal Information Processing Standards (FIPS) are also included.
This page consists of draft NIST publications (FIPS, Special Publications) that are either open for public review and comment, or that are awaiting approval as final documents by the Secretary of Commerce.
Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
FIPS publications are issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Computer Security Act of 1987 (Public Law 100-235).
ITL Bulletins are published by NIST's Information Technology Laboratory, with most bulletins written by the Computer Security Division. They appear on average about six times a year. Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Not all ITL Bulletins relate to computer or network security; only the computer security ITL Bulletins are found here. A link is provided on this page to the non-computer-security ITL Bulletins.
NIST Interagency Reports (NISTIRs) describe research of a technical nature of interest to a specialized audience.
The series includes interim or final reports on work performed by NIST for outside sponsors (both government and nongovernment). NISTIRs may also report results of NIST projects of transitory or limited interest, including those that will be published subsequently in more comprehensive form.
This page lists publications, papers, and other documents written by staff of the Computer Security Division that do not fall into the publication categories listed above.
This list of papers was initially distributed on CD-ROM at NISSC '98. These papers are unpublished, seminal works in computer security that every serious student of the field should read, and they are not easy to find. The goal of this collection is to make them widely available. The list was compiled by the Computer Security Laboratory of the Computer Science Department at the University of California, Davis.
This is a collection of computer security publications that the Computer Security Division received from various sources.
The Rainbow Series is a library of about 37 documents that address specific areas of computer security. Each document has a different colored cover, which is how they came to be referred to as the Rainbow Series. The primary document of the set is the Trusted Computer System Evaluation Criteria (TCSEC; DoD 5200.28-STD, the "Orange Book"), dated December 26, 1985. It defines the seven levels of trust (D, C1, C2, B1, B2, B3, and A1) that a product can achieve under the Trusted Product Evaluation Program (TPEP) within NSA. Other titles in the series include Password Management, Audit, Discretionary Access Control, Trusted Network Interpretation, Configuration Management, Identification and Authentication, Object Reuse, and Covert Channels. A newer international criteria for system and product evaluation, the Common Criteria, has since been developed for product evaluations. The TCSEC has been largely superseded by the Common Criteria, but it is still used for products that require a higher level of assurance in specific operational environments. Most of the Rainbow Series documents are available on-line.