Special Publication 800-73-3, Interfaces for Personal Identity Verification It introduces new, optional features including:
(1) on-card retention of retired Key Management keys and corresponding X.509 certificates for the purpose of deriving or decrypting data encryption keys;
(2) use of the ECDH key establishment scheme with the Key Management Key, as specified in SP 800-78-2; and
(3) provisions for Non-Federal Issuer (NFI) credentials. SP 800-73-3 also includes editorial changes aimed at clarifying ambiguities.
Special Publication 800-78-2, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV) The document has been modified 1) to re-align with the Suite B Cryptography specification and with the recently published FIPS 186-3 and 2) to eliminate a redundant encryption mode for symmetric PIV authentication protocols. In particular, the following changes are introduced in SP 800-78-2:
The National Security Agency’s Suite B Cryptography specification removed Elliptic Curve MQV as an NSA-approved key exchange method. To re-align with Suite B, Elliptic Curve MQV is discontinued in SP800-78-2 as a key agreement scheme for the PIV card.
The final release of FIPS 186-3 Digital Signature Standard, published in June 2009, does not list RSA 4096 as an approved digital signature algorithm and key size for use in the federal government. To comply with FIPS 186-3, SP 800-78-2 accordingly removes RSA 4096 as an algorithm and key size for generating signatures for PIV data objects.
For symmetric authentication purposes (challenge and response), the Cipher Block Chaining (CBC) mode of encryption is redundant to the Electronic Code Bock (ECB) mode of encryption. To remove the redundant implementation, CBC has been discontinued in SP 800-78-2.
Draft Special Publication 800-119, Guidelines for the Secure Deployment of IPv6
This is the next generation Internet Protocol, accommodating vastly increased address space. This document describes and analyzes IPv6's new and expanded protocols, services, and capabilities, including addressing, DNS, routing, mobility, quality of service, multihoming, and IPsec. For each component, there is a detailed analysis of the differences between IPv4 and IPv6, the security ramifications and any unknown aspects. It characterizes new security threats posed by the transition to IPv6 and provides guidelines on IPv6 deployment, including transition, integration, configuration, and testing. It also addresses more recent significant changes in the approach to IPv6 transition.
Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
This publication represents the second in a series of publications being developed under the auspices of the Joint Task Force Transformation Initiative. For the past three years, NIST has been working in partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS) to develop a common information security framework for the federal government and its contractors. The initial publication produced by the task force, NIST Special Publication 800-53, Revision 3, created a common security control catalog reflecting the information security requirements of the national security community and the nonnational security community. NIST Special Publication 800-37, Revision 1, continues the transformation by changing the traditional process employed by the federal government to certify and accredit federal information systems. The revised process provides greater emphasis on: (i) building information security capabilities into information systems through the application of state-of-the-practice management, operational, and technical security controls; (ii) maintaining awareness of the security state of information systems on an ongoing basis though enhanced monitoring processes; and (iii) understanding and accepting the risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the use of information systems.
NIST Special Publication 800-37, Revision 1, is the full transformation of the Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The RMF-based process has the following characteristics:
Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
Encourages the use of automation and automated support tools to provide senior leaders the necessary information to take credible, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
Integrates information security more closely into the enterprise architecture and system development life cycle;
Provides equal emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls); and
Links risk management processes at the information system level to risk management processes at the organization-level through a risk executive (function);
The risk management process described in this publication changes the focus from the traditional stovepiped, static approaches to C&A and provides the capability to more effectively manage information system-related security risks in highly dynamic environments of complex and sophisticated cyber threats, ever increasing system vulnerabilities, and rapidly changing missions. In addition to the above changes, NIST Special Publication 800-37 revises information system authorization guidance for federal agencies and extends the current approach to include joint and leveraged authorizations.