No, we’re not talking about the NFL Supplemental draft… Instead, it looks like NIST has had a busy July, with seven new infosec-relevant drafts released. That is quite an increase compared to no drafts in June and one draft in May. While most of these releases are the tried-and-true Special Publications (SP) we are all familiar with, a few FIPS and NISTIR documents are interspersed as well. Topics addressed include identity, smart meters, mobile devices, malware, intrusion detection/prevention, and BIOS. For each one we’ve also highlighted the date that comments are due. Unfortunately, the comment periods for the drafts released in early July close about now; still, four more remain open for comment.
FIPS 201-2 Personal Identity Verification (PIV) of Federal Employees and Contractors (REVISED DRAFT): “The Revised Draft FIPS 201-2 reflects the disposition of comments received from the first public comment Draft FIPS 201-2 (the 2011 Draft) published on March 8, 2011. Before recommending FIPS 201-2 to the Secretary of Commerce for review and approval, NIST invites comments from the public concerning the Revised Draft. During the public comment period, NIST will also hold a public workshop at NIST in Gaithersburg, MD, to present the Revised Draft FIPS 201-2.” Comments are due by August 10, 2012. (released July 9th)
SP 800-76-2 Biometric Data Specification for Personal Identity Verification: “NIST is releasing a revised draft of Special Publication 800-76-2 Biometric Specifications for Personal Identity Verification, supporting the Revised Draft FIPS 201-2.” Comments are due by August 10, 2012. (released July 9th)
NISTIR-7823 Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework: “This draft proposes an example test framework and conformance test requirements for the firmware upgradeability process for the Advanced Metering Infrastructure (AMI) Smart Meters.” Comments are due by August 9, 2012. (released July 10th)
SP 800-124 Rev 1 Guidelines for Managing and Securing Mobile Devices in the Enterprise: “The purpose of this publication is to help organizations centrally manage and secure mobile devices against a variety of threats. This publication provides recommendations for selecting, implementing, and using centralized management technologies, and it explains the security concerns inherent in mobile device use. The scope of SP 800-124 Revision 1 includes securing both organization-provided and personally-owned (bring your own device) mobile devices.” Comments are due by August 17, 2012. (released July 10th)
SP 800-83 Rev. 1 Guide to Malware Incident Prevention and Handling for Desktops and Laptops: “This publication provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. Draft SP 800-83 Revision 1 updates the original SP 800-83, which was released in 2005.” Comments are due by August 31, 2012. (released July 25th)
SP 800-94 Rev. 1 Guide to Intrusion Detection and Prevention Systems (IDPS): “This publication describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. This publication discusses the following four types of IDPS technologies: network-based, wireless, network behavior analysis (NBA), and host-based. Draft SP 800-94 Revision 1 updates the original SP 800-94, which was released in 2007.” Comments are due by August 31, 2012. (released July 25th)
SP 800-147B BIOS Protection Guidelines for Servers: “This guide is intended to mitigate threats to the integrity of fundamental system firmware, commonly known as the Basic Input/Output System (BIOS), in server-class systems. This guide identifies security requirements and guidelines for a secure BIOS update process, using digital signatures to authenticate updates. The intended audience for this document includes BIOS and platform vendors of server-class systems, and information system security professionals who are responsible for procuring, deploying, and managing servers.” Comments are due by September 14, 2012. (released July 30th)
For more information on how to submit your comments, please refer to the NIST draft publications site.
Are the NIST drafts helpful to you? Post your comments below. Today’s post pic is from ComputerServiceNow.com.