The IT Law Wiki

Overview

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) provides technical leadership for the United States' measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than classified national security information in federal information systems.

The Special Publication 800-series from the NIST reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

ITL Security Bulletins

Each ITL Security Bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis. The ITL Security Bulletins are listed below in reverse chronological order. Those ITL Security Bulletins that have already been summarized are in blue; those that have not yet been summarized are in red.

  • NIST Privacy Framework: An Overview (June 24, 2020).
  • Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions (Mar. 18, 2020).
  • FIPS 140-3 Adopts ISO/IEC Standards (May 20, 2019).
  • Time to Standardize Threshold Schemes for Cryptographic Primitives (Apr. 9, 2019).
  • The Next Generation Risk Management Framework (RMF 2.0): A Holistic Methodology to Manage Information Security, Privacy and Supply Chain Risk (Feb. 28, 2019).
  • Securing Wireless Infusion Pumps (Dec. 19, 2018).
  • One Block at a Time – Helping to Build Blockchain Knowledge (Oct. 25, 2018).
  • Automated Cryptographic Validation (ACV) Testing (Sept. 20, 2018).
  • Assessing Implementation of Controlled Unclassified Information (CUI) Security Requirements (July 26, 2018).
  • Putting First Things First – A Model Process for Criticality Analysis (June 26, 2018).
  • Protecting Software Integrity Through Code Signing (May 23, 2018).
  • Improving the Trustworthiness of Email, and Beyond! (Apr. 25, 2018).
  • Safeguards for Securing Virtualized Servers (Mar. 27, 2018).
  • Securing Tomorrow's Information Through Post-Quantum Cryptography (Feb. 27, 2018).
  • Guidance for Improving LTE-Based Mobile Communications Security (Jan. 2018).
  • Guidance on TDEA Block Ciphers (Nov. 27, 2017).
  • NIST Guidance on Application Container Security (Oct. 24, 2017).
  • Updating the Keys for DNS Security (Sept. 27, 2017).
  • Understanding the Major Update to NIST SP 800-63: Digital Identity Guidelines (Aug. 29, 2017).
  • Updated NIST Guidance for Bluetooth Security (July 25, 2017).
  • Toward Standardizing Lightweight Cryptography (June 20, 2017).
  • Cyber-Threat Intelligence and Information Sharing (May 8, 2017).
  • Building the Bridge Between Privacy and Cybersecurity for Federal Systems (Apr. 18, 2017).
  • Fundamentals of Small Business Information Security (Mar. 13, 2017).
  • Guide for Cybersecurity Incident Recovery (Feb. 17, 2017).
  • Dramatically Reducing Software Vulnerabilities (Jan. 11, 2017).
  • Rethinking Security Through Systems Security Engineering (Dec. 21, 2016).
  • Exploring the Next Generation of Access Control Methodologies (Nov. 21, 2016).
  • Making Email Trustworthy (Oct. 24, 2016).
  • Demystifying the Internet of Things (Sept. 23, 2016).
  • NIST Updates Personal Identity Verification (PIV) Guidelines (Aug. 9, 2016).
  • Improving Security and Software Management Through the Use of SWID Tags (July 13, 2016).
  • Extending Network Security into Virtualized Infrastructure (June 3, 2016).
  • New NIST Security Standard Can Protect Credit Cards, Health Information (Apr. 12, 2016).
  • Updates to the NIST SCAP Validation Program and Associated Test Requirements (Mar. 14, 2016).
  • Implementing Trusted Geolocation Services in the Cloud (Feb. 2016).
  • Stopping Malware and Unauthorized Software Through Application Whitelisting (Dec. 2015).
  • Tailoring Security Controls for Industrial Control Systems (Nov. 16, 2015).
  • Protection of Controlled Unclassified Information (Oct. 19, 2015).
  • Additional Secure Hash Algorithm Standards Offer New Opportunities for Data Protection (Sept. 24, 2015).
  • Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Aug. 13, 2015).
  • Improved Security and Mobility Through Updated Interfaces for PIV Cards (July 21, 2015).
  • Increasing Visibility and Control of Your ICT Supply Chain (June 15, 2015).
  • Authentication Considerations for Public Safety Mobile Networks (May 14, 2015).
  • Is Your Replication Device Making an Extra Copy for Someone Else? (Apr. 16, 2015).
  • Guidance for Secure Authorization of Mobile Applications in the Corporate Environment (Mar. 19, 2015).
  • NIST Special Publication 800-88 Revision 1, Guidelines For Media Sanitization (Feb. 5, 2015).
  • Release of NIST Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations (Jan. 29, 2015).
  • Release of NIST Special Publication 800-157, Guidelines For Derived Personal Identity Verification (PIV) Credentials (Dec. 2014).
  • Cryptographic Module Validation Program (CMVP) (Nov. 2014).
  • Release of NIST SP 800-147B, BIOS Protection Guidelines for Servers (Oct. 2014).
  • Release of NIST Interagency Report 7628 Revision 1, Guidelines for Smart Grid Cybersecurity (Sept. 2014).
  • Policy Machine: Towards A General-Purpose, Enterprise-Wide Operating Environment (Aug. 2014).
  • Release of NIST Interagency Report 7946, CVSS Implementation Guidance (July 2014).
  • ITL Forensic Science Program (June 2014).
  • Small and Medium-Size Business Information Security Outreach Program (May 2014).
  • Release of NIST Special Publication 800-52 Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (Apr. 2014).
  • Attribute Based Access Control (ABAC) Definition and Considerations (Mar. 2014).
  • Framework for Improving Critical Infrastructure Cybersecurity (ITL Security Bulletin) (Feb. 2014).
  • A Profile of the Key Management Framework for the Federal Government (Jan. 2014).
  • The National Vulnerability Database (NVD): Overview (Dec. 2013).
  • ITL Releases Preliminary Cybersecurity Framework (Nov. 2013).
  • ITL Updates Federal Information Processing Standard (FIPS) for Personal Identity Verification (PIV) of Federal Employees and Contractors (Oct. 2013).
  • NIST Opens Draft Special Publication 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, For Review and Comment (Sept. 2013).
  • ITL Publishes Guidance on Enterprise Patch Management Technologies (Aug. 2013).
  • ITL Issues Guidelines for Managing the Security of Mobile Devices (July 2013).
  • ITL Publishes Security And Privacy Controls For Federal Agencies (May 2013).
  • Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements (Apr. 2013).
  • NIST to Develop a Cybersecurity Framework to Protect Critical Infrastructure (Mar. 2013).
  • Managing Identity Requirements for Remote Users of Information Systems to Protect System Security and Information Privacy (Jan. 2013).
  • Generating Secure Cryptographic Keys: A Critical Component of Cryptographic Key Management and the Protection of Sensitive Information (Dec. 2012).
  • Practices for Managing Supply Chain Risks to Protect Federal Information Systems (Nov. 2012).
  • Conducting Information Security-Related Risk Assessments: Updated Guidelines for Comprehensive Risk Management Programs (Oct. 2012).
  • Revised Guide Helps Organizations Handle Security Related Incidents (Sept. 2012).
  • Security of Bluetooth Systems and Devices: Updated Guide Issued by the National Institute of Standards and Technology (NIST) (Aug. 2012).
  • Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance (July 2012).
  • Cloud Computing: A Review of Features, Benefits, and Risks, and Recommendations for Secure, Efficient Implementations (June 2012).
  • Secure Hash Standard: Updated Specifications Approved and Issued as Federal Information Processing Standard (FIPS) 180-4 (May 2012).
  • Guidelines for Improving Security and Privacy in Public Cloud Computing (Mar. 2012).
  • Guidelines for Securing Wireless Local Area Networks (WLANs) (Feb. 2012).
  • Advancing Security Automation and Standardization: Revised Technical Specifications Issued for the Security Content Automation Protocol (SCAP) (Jan. 2012).
  • Revised Guideline for Electronic Authentication of Users Helps Organizations Protect the Security of Their Information Systems (Dec. 2011).
  • Continuous Monitoring of Information Security: An Essential Component of Risk Management (Oct. 2011).
  • Managing the Configuration of Information Systems with a Focus on Security (Sept. 2011).
  • Protecting Industrial Control Systems – Key Components of Our Nation's Critical Infrastructures (Aug. 2011).
  • Guidelines for Protecting Basic Input/Output System (BIOS) Firmware (June 2011).
  • Using Security Configuration Checklists and the National Checklist Program (May 2011).
  • Full Virtualization Technologies: Guidelines for Secure Implementation and Management (Apr. 2011).
  • Managing Information Security Risk: Organization, Mission and Information System View (Mar. 2011).
  • Internet Protocol Version 6 (IPv6): NIST Guidelines Help Organizations Manage the Secure Deployment of the New Network Protocol (Jan. 2011).
  • Securing WiMAX Wireless Communications (Dec. 2010).
  • The Exchange of Health Information: Designing a Security Architecture to Provide Information Security and Privacy (Nov. 2010).
  • Cyber Security Strategies for the Smart Grid: Protecting the Advanced Digital Infrastructure for Electric Power (Oct. 2010).
  • Security Content Automation Protocol (SCAP) Helping Organizations Maintain and Verify The Security of Their Information Systems (Sept. 2010).
  • Assessing The Effectiveness of Security Controls in Federal Information Systems (Aug. 2010).
  • Contingency Planning For Information Systems: Updated Guide For Federal Organizations (July 2010).
  • How To Identify Personnel With Significant Responsibilities For Information Security (June 2010).
  • Guide To Protecting Personally Identifiable Information (Apr. 2010).
  • Revised Guide Helps Federal Organizations Improve Their Risk Management Practices and Information System Security (Mar. 2010).
  • Secure Management Of Keys in Cryptographic Applications: Guidance For Organizations (Feb. 2010).
  • Security Metrics: Measurements To Support The Continued Development of Information Security Technology (Jan. 2010).
  • Cybersecurity Fundamentals For Small Business Owners (Nov. 2009).
  • Protecting Information Systems With Firewalls: Revised Guidelines On Firewall Technologies and Policies (Oct. 2009).
  • Updated Digital Signature Standard (DSS) Approved as Federal Information Processing Standard (FIPS) 186-3 (Sept. 2009).
  • Revised Catalog of Security Controls for Federal Information Systems and Organizations: For Use in Both National Security and Nonnational Security Systems (Aug. 2009).
  • Risk Management Framework: Helping Organizations Implement Effective Information Security Programs (July 2009).
  • Security for Enterprise Telework and Remote Access Solutions (June 2009).
  • The System Development Life Cycle (SDLC) (Apr. 2009).
  • The Cryptographic Hash Algorithm Family: Revision of the Secure Hash Standard and Ongoing Competition for New Hash Algorithms (Mar. 2009).
  • Using Personal Identity Verification (PIV) Credentials in Physical Access Control Systems (PACS) (Feb. 2009).
  • Security of Cell Phones and PDAs (Jan. 2009).
  • Guide to Information Security Testing and Assessment (Dec. 2008).
  • Bluetooth Security: Protecting Wireless Networks and Devices (Nov. 2008).
  • Keeping Information Technology (IT) System Servers Secure: A General Guide to Good Practices (Oct. 2008).
  • Using Performance Measurements to Evaluate and Strengthen Information System Security (Sept. 2008).
  • Security Assessments: Tools for Measuring the Effectiveness of Security Controls (Aug. 2008).
  • Guidelines on Implementing A Secure Sockets Layer (SSL) Virtual Private Network (VPN) (July 2008).
  • New Cryptographic Hash Algorithm Family: NIST Holds a Public Competition to Find New Algorithms (May 2008).
  • Using Active Content and Mobile Code and Safeguarding the Security of Information Technology Systems (Apr. 2008).
  • Handling Computer Security Incidents: NIST Issues Updated Guidelines (Mar. 2008).
  • Federal Desktop Core Configuration (FDCC): Improving Security for Windows Desktop Operating Systems (Feb. 2008).
  • Secure Web Servers Protecting Web Sites that are Accessed by the Public (Jan. 2008).
  • Securing External Computers and Other Devices Used by Teleworkers (Dec. 2007).
  • Using Storage Encryption Technologies to Protect End User Devices (Nov. 2007).
  • The Common Vulnerability Scoring System (CVSS) (Oct. 2007).
  • Secure Web Services (Aug. 2007).
  • Border Gateway Protocol (BGP) Security (July 2007).
  • Forensic Techniques for Cell Phones (June 2007).
  • Securing Radio Frequency Identification (RFID) Systems (May 2007).
  • Securing Wireless Networks (ITL Security Bulletin) (Apr. 2007).
  • Improving The Security of Electronic Mail: Updated Guidelines Issued by NIST (Mar. 2007).
  • Intrusion Detection and Prevention Systems (Feb. 2007).
  • Security Controls for Information Systems: Revised Guidelines Issued by NIST (Jan. 2007).
  • Maintaining Effective Information Technology (IT) Security Through Test, Training, and Exercise Programs (Dec. 2006).
  • Guide to Securing Computers Using Windows XP Home Edition (Nov. 2006).
  • Log Management: Using Computer and Network Records to Improve Information Security (Oct. 2006).
  • Forensic Techniques: Helping Organizations Improve Their Responses to Information Security Incidents (Sept. 2006).
  • Protecting Sensitive Information Processed and Stored in Information Technology (IT) Systems (Aug. 2006).
  • Domain Name System (DNS) Services: NIST Recommendations for Secure Deployment (June 2006).
  • An Update on Cryptographic Standards, Guidelines, and Testing Requirements (May 2006).
  • Protecting Sensitive Information Transmitted in Public Networks (Apr. 2006).
  • Minimum Security Requirements for Federal Information and Information Systems: Federal Information Processing Standard (FIPS) 200 Approved by the Secretary of Commerce (Mar. 2006).
  • Creating a Program to Manage Security Patches and Vulnerabilities: NIST Recommendations for Improving System Security (Feb. 2006).
  • Testing and Validation of Personal Identity Verification (PIV) Components and Subsystems for Conformance to Federal Information Processing Standard 201 (Jan. 2006).
  • Preventing and Handling Malware Incidents: How to Protect Information Technology Systems from Malicious Code and Software (Dec. 2005).
  • Securing Microsoft Windows XP Systems: NIST Recommendations for Using a Security Configuration Checklist (Nov. 2005).
  • National Vulnerability Database (NVD): Helping Information Technology System Users and Developers Find Current Information About Cyber Security Vulnerabilities (Oct. 2005).
  • Biometric Technologies: Helping to Protect Information and Automated Transactions in Information Technology Systems (Sept. 2005).
  • Implementation of FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors (Aug. 2005).
  • Protecting Sensitive Information that is Transmitted Across Networks: NIST Guidance for Selecting and Using Transport Layer Security Implementations (July 2005).
  • NIST's Security Configuration Checklists Program for Information Technology (IT) Products (June 2005).
  • Recommended Security Controls for Federal Information Systems: Guidance for Selecting Cost-Effective Controls Using a Risk-Based Process (May 2005).
  • Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Apr. 2005).
  • Personal Identity Verification (PIV) of Federal Employees and Contractors: Federal Information Processing Standard (FIPS) 201 Approved by the Secretary of Commerce (Mar. 2005).
  • Integrating Information Technology (IT) Security into the Capital Planning and Investment Control Process (Jan. 2005).
  • Understanding the New NIST Standards and Guidelines Required by FISMA: How Three Mandated Documents are Changing the Dynamic of Information Security for the Federal Government (Nov. 2004).
  • Securing Voice Over Internet Protocol (IP) Networks (Oct. 2004).
  • Information Security Within the System Development Life Cycle (SDLC) (Sept. 2004).
  • Electronic Authentication: Guidance for Selecting Secure Techniques (Aug. 2004).
  • Guide for Mapping Types of Information and Information Systems to Security Categories (July 2004).
  • Information Technology Security Services: How to Select, Implement, and Manage (June 2004).
  • Guide for the Security Certification and Accreditation of Federal Information Systems (May 2004).
  • Selecting Information Technology Security Products (Apr. 2004).
  • Federal Information Processing Standard (FIPS) 199, Standards for Security (Mar. 2004).
  • Categorization of Federal Information and Information Systems (Mar. 2004).
  • Computer Security Incidents: Assessing, Managing, and Controlling the Risks (Jan. 2004).
  • Security Considerations in the Information System Development Life Cycle (Dec. 2003).
  • Network Security Testing (Nov. 2003).
  • Information Technology Security Awareness, Training, Education, and Certification (Oct. 2003).
  • IT Security Metrics (Aug. 2003).
  • Testing Intrusion Detection Systems (July 2003).
  • ASSET: Security Assessment Tool for Federal Agencies (June 2003).
  • Security for Wireless Networks and Devices (Mar. 2003).
  • Secure Interconnections for Information Technology Systems (Feb. 2003).
  • Security of Electronic Mail (Jan. 2003).
  • Security of Public Web Servers (Dec. 2002).
  • Security for Telecommuting and Broadband Communication (Nov. 2002).
  • Security Patches and the CVE Vulnerability Naming Scheme: Tools to Address Computer System Vulnerabilities (Oct. 2002).
  • Cryptographic Standards and Guidelines: A Status Report (Sept. 2002).
  • Overview: The Government Smart Card Interoperability Specification (July 2002).
  • Contingency Planning Guide for Information Technology Systems (June 2002).
  • Techniques for System and Data Recovery (Apr. 2002).
  • Risk Management Guidance for Information Technology Systems (Feb. 2002).
  • Guidelines on Firewalls and Firewall Policy (Jan. 2002).
  • Computer Forensics Guidance (Nov. 2001).
  • Security Self-Assessment Guide for Information Technology Systems (Sept. 2001).
  • A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2 (July 2001).
  • Engineering Principles for Information Technology Security (ITL Security Bulletin) (June 2001).
  • Biometrics: Technologies for Highly Secure Personal Authentication (May 2001).
  • An Introduction to IPsec (Internet Protocol Security) (Mar. 2001).
  • A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications (Dec. 2000).
  • An Overview of the Common Criteria Evaluation and Validation Scheme (Oct. 2000).
  • Security for Private Branch Exchange Systems (Aug. 2000).
  • Mitigating Emerging Hacker Threats (June 2000).
  • Security Implications of Active Content (Mar. 2000).
  • Guideline for Implementing Cryptography in the Federal Government (Feb. 2000).
  • Operating System Security: Adding to the Arsenal of Security Techniques (Dec. 1999).
  • Acquiring and Deploying Intrusion Detection Systems (Nov. 1999).
  • Securing Web Servers (Sept. 1999).
  • The Advanced Encryption Standard (AES): A Status Report (Aug. 1999).
  • Computer Attacks: What They are and how to Defend Against Them (May 1999).
  • Guide for Developing Security Plans for Information Technology Systems (Apr. 1999).
  • Enhancements to Data Encryption and Digital Signature Federal Standards (Feb. 1999).
  • Secure Web-Based Access to High Performance Computing Resources (Jan. 1999).
  • Common Criteria: Launching the International Standard (Nov. 1998).
  • Cryptography Standards and Infrastructures for the Twenty-First Century (ITL Security Bulletin) (Sept. 1998).
  • Training for Information Technology Security: Evaluating the Effectiveness of Results-Based Learning (June 1998).
  • A Comparison of Year 2000 Solutions (May 1998).
  • Training Requirements for Information Technology Security: An Introduction to Results-Based Learning (Apr. 1998).
  • Management of Risks in Information Systems: Practices of Successful Organizations (Mar. 1998).
  • Information Security and the World Wide Web (WWW) (Feb. 1998).
  • Internet Electronic Mail (Nov. 1997).
  • Public Key Infrastructure Technology (July 1997).
  • Security Considerations in Computer Support and Operations (Apr. 1997).
  • Audit Trails (Mar. 1997).
  • Advanced Encryption Standard (AES) (Feb. 1997).
  • Security Issues for Telecommuting (Jan. 1997).
  • Federal Computer Incident Response Capability (FEDCIRC) (Nov. 1996).
  • Generally Accepted System Security Principles (GSSPs): Guidance on Securing Information Technology (IT) Systems (Oct. 1996).
  • Implementation Issues for Cryptography (Aug. 1996).
  • Information Security Policies for Changing Information Technology Environments (June 1996).
  • The World Wide Web: Managing Security Risks (May 1996).
  • Human/Computer Interface Security Issues (Feb. 1996).
  • An Introduction to Role-Based Access Control (Dec. 1995).
  • FIPS 140-1: A Framework for Cryptographic Standards (Aug. 1995).
  • The Data Encryption Standard (DES): an Update (Feb. 1995).
  • Digital Signature Standard (DSS) (Nov. 1994).
  • Reducing the Risks of Internet Connection and Use (May 1994).
  • Threats to Computer Systems: an Overview (Mar. 1994).
  • Security Program Management (Aug. 1993).
  • Connecting to the Internet: Security Considerations (July 1993).
  • Guidance on the Legality of Keystroke Monitoring (Mar. 1993).
  • Sensitivity of Information (Nov. 1992).
  • An Introduction to Secure Telephone Terminals (Mar. 1992).
  • Establishing a Computer Security Incident Handling Capability (Feb. 1992).
  • Advanced Authentication Technology (Nov. 1991).
  • Computer Security Roles of NIST and NSA (Feb. 1991).
  • Computer Virus Attacks (Aug. 1990).