NIST requests public comments on the initial public draft (ipd) of NIST IR 8214B, Notes on Threshold EdDSA/Schnorr Signatures. This report considers signature schemes that are compatible with the verification phase of the Edwards Curve Digital Signature Algorithm (EdDSA) specified in Draft Federal Information Processing Standards (FIPS) publication 186-5. The report analyzes threshold schemes, where the private signing key is secret-shared across multiple parties, and signatures can be produced without the parties reconstructing the key. Security holds even if up to a threshold number of parties has been compromised.
The report reviews the properties of EdDSA/Schnorr deterministic and probabilistic signatures schemes, both in the conventional (non-threshold) and threshold setting, summarizing various known properties and approaches. These threshold signatures can allow for a drop-in replacement of conventional signatures without changing the legacy code used for verification. This work is useful to advance the NIST Multi-Party Threshold Cryptography project, which is also interested in other primitives. The document suggests that it is beneficial to further consult with the community of experts for security formulations, technical descriptions, and reference implementations.
The report includes a section for each of the following:
The public comment period is open through October 24, 2022. See the publication details for a copy of the draft and instructions for submitting comments.
NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
The Zero Trust Architecture (ZTA) team at NIST’s National Cybersecurity Center of Excellence (NCCoE) invites public comments on volumes C-D of a preliminary draft practice guide “Implementing a Zero Trust Architecture”. This guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture. As the project progresses, the preliminary draft will be updated, and additional volumes will also be released for comment.
As an enterprise’s data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device. The NCCoE is addressing these challenges by collaborating with industry participants to demonstrate several approaches to a zero trust architecture applied to a conventional, general purpose enterprise IT infrastructure on premises and in the cloud.
We Want to Hear from You!
The NCCoE is making volumes C-D available as a preliminary draft for public comment while work continues on the project. Review the preliminary draft and submit comments online on or before September 9, 2022.
We welcome your input and look forward to your comments. We invite you to join nccoe-zta-coi@list.nist.gov to receive news and updates about this project.
- Zero Trust Architecture Project Team
The PNT cybersecurity profile is part of NIST’s response to the February 12, 2020, Executive Order (EO) 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services. The EO notes that “the widespread adoption of PNT services means disruption or manipulation of these services could adversely affect U.S. national and economic security. To strengthen national resilience, the Federal Government must foster the responsible use of PNT services by critical infrastructure owners and operators.” The Order also calls for updates to the profile every two years or on an as needed basis.
Based on NIST’s interaction with public and private sector stakeholders and their efforts to create “sector specific” profiles, it was decided to create Revision 1. No substantive changes were made to the original Foundational Profile; NIST is only seeking comments on the changes made in this Revision. Among the most noteworthy are: the addition of five new Cybersecurity Framework (CSF) Subcategories, and the addition of two appendices; Appendix D; Applying the PNT Profile to Cybersecurity Risk Management, and Appendix E; Organization Specific PNT Profiles.
All changes are captured in Table 26: “Change Log” for easy reference to reviewers.
The PNT Profile was created by applying the NIST CSF to help organizations:
Organizations may continue to use this profile as a starting point to apply their own unique mission, business environment, and technologies to create or refine a security program that will include the responsible use of PNT services.
The National Cybersecurity Center of Excellence (NCCoE) has released a new draft project description, Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps. Publication of this project description begins a process to solicit public comments for the project requirements, scope, and hardware and software components for use in a laboratory environment.
We want your feedback on this draft to help refine the project. The comment period is now open and will close on August 22, 2022.
The project will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. This project will apply these practices in proof-of-concept use case scenarios that are each specific to a technology, programming language, and industry sector. Both commercial and open source technology will be used to demonstrate the use cases. This project will result in a freely available NIST Cybersecurity Practice Guide.
We Want to Hear from You!
Review the project description and submit comments online on or before August 22, 2022. You can also help shape and contribute to this project by joining the NCCoE’s DevSecOps Community of Interest. Send an email to devsecops-nist@nist.gov detailing your interest.
We value and welcome your input and look forward to your comments.
The initial public draft of NIST Special Publication (SP) 800-66r2 (Revision 2), Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, is now available for public comment.
The HIPAA Security Rule specifically focuses on protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI), as defined by the Security Rule. All HIPAA-regulated entities must comply with the requirements of the Security Rule.
This draft update:
A public comment period is open through September 21, 2022. See the publication details for a copy of the draft and instructions for submitting comments.
NOTE: A call for patent claims is included on page v of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
Comment Period Extended for NIST SP 1800-34, Validating the Integrity of Computing Devices
The National Cybersecurity Center of Excellence (NCCoE) has published, for public comment, a draft of NIST SP 1800-34, Validating the Integrity of Computing Devices. Please download the document and share your expertise with us to strengthen the draft practice guide. The public comment period for this draft has been extended and will now close on August 8th, 2022.
The NCCoE relies on developers, providers, and users of cybersecurity technology and information to provide comments on our practice guides. The public is encouraged to review the draft and provide feedback for possible incorporation into the final version before the public comment period closes.
If you have any questions or would like to join our Supply Chain Community of Interest, please email us at supplychain-nccoe@nist.gov.
Today, NIST is seeking public comments on NIST IR 8409 ipd (initial public draft), Measuring the Common Vulnerability Scoring System Base Score Equation.
Calculating the severity of information technology vulnerabilities is important for prioritizing vulnerability remediation and helping to understand the risk of a vulnerability. The Common Vulnerability Scoring System (CVSS) is a widely used approach to evaluating properties that lead to a successful attack and the effects of a successful exploitation. CVSS is managed under the auspices of the Forum of Incident Response and Security Teams (FIRST) and is maintained by the CVSS Special Interest Group (SIG). Unfortunately, ground truth upon which to base the CVSS measurements has not been available. Thus, CVSS SIG incident response experts maintain the equations by leveraging CVSS SIG human expert opinion.
This work evaluates the accuracy of the CVSS “base score” equations and shows that they represent the CVSS maintainers' expert opinion to the extent described by these measurements. NIST requests feedback on the approach, the significance of the results, and any CVSS measurements that should have been conducted but were not included within the initial scope of this work. Finally, NIST requests comments on sources of data that could provide ground truth for these types of measurements.
The public comment review period for this draft is open through July 29, 2022. See the publication details for instructions on how to submit comments.
NOTE: A call for patent claims is included on page iv of this draft. For additional information, see Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
NIST is in the process of a periodic review and maintenance of its cryptography standards and guidelines.
This announcement initiates the review of Federal Information Processing Standard (FIPS) 180-4, Secure Hash Standard (SHS), 2015.
NIST requests public comments on all aspects of FIPS 180-4. Additionally, NIST would appreciate feedback on the following two areas of particular concern:
* How will this plan impact fielded and planned SHA-1 implementations?
* What should NIST consider in establishing the timeline for disallowing SHA-1?
The public comment period is open through September 9, 2022. Comments may address the concerns raised in this announcement or other issues around security, implementation, clarity, risk, or relevance to current applications.
Send comments to cryptopubreviewboard@nist.gov with “Comments on FIPS 180-4” in the Subject.
For more information about the review process, visit the Crypto Publication Review Project page.
Traditional business impact analyses (BIAs) have been successfully used for business continuity and disaster recovery (BC/DR) by triaging damaged infrastructure recovery actions that are primarily based on the duration and cost of system outages (i.e., availability compromise). However, BIA analyses can be easily expanded to consider other cyber-risk compromises and remedies.
This initial public draft of NIST IR 8286D, Using Business Impact Analysis to Inform Risk Prioritization and Response, provides comprehensive asset confidentiality and integrity impact analyses to accurately identify and manage asset risk propagation from system to organization and from organization to enterprise, which in turn better informs Enterprise Risk Management deliberations. This document adds expanded BIA protocols to inform risk prioritization and response by quantifying the organizational impact and enterprise consequences of compromised IT Assets.
The public comment period for this draft is open through July 18, 2022. See the publication details for a copy of the draft and instructions for submitting comments.
NOTE: A call for patent claims is included on page iii of this draft. For additional information, see Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
NIST is leveraging the new Special Publication (SP) 800-53 Public Comment Site for its first round of public comments. Participate in the inaugural 30-day public comment period for a minor (errata) release of SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations. The minor release will result in corrections to the current publication but will not introduce new technical information or requirements. Submit your comments on proposed changes using the Public Comment Site through August 12, 2022.
All proposed changes to SP 800-53 ("candidates") for review and comment are available online. Candidates can be filtered by control family, control name, and submission date. To view the specific changes for each control or control enhancement and provide your feedback, select the Tracking Number on the Candidates page.
The SP 800-53 Public Comment Site is designed to:
Learn more about the SP 800-53 Comment Site, and leverage the online User Guide for step-by-step instructions on how to participate in the public comment process, available under "View Candidates" and "Provide comments on candidates."
NIST looks forward to stakeholder feedback on the proposed changes ("candidates") for the first minor release using the online platform. The end result of this effort will be the second update of SP 800-53 Rev. 5. Please direct your questions to 800-53comments@list.nist.gov.