-----Original Message-----
From: compsecpubs@... [mailto:compsecpubs@...] On Behalf Of Patrick O'Reilly
Sent: Friday, February 27, 2009 5:33 PM
To: Multiple recipients of list
Subject: NIST Releases 2 Draft Documents and Mark-up Copy of SP 800-53 Rev. 3
NIST Computer Security Division released 2 draft publications
(Special Publication & NIST Interagency Report) today and 1 Mark-up
Copy of Draft SP --
1. Mark-up copy of Draft Special Publication (SP) 800-53 Revision 3
2. Draft Special Publication 800-81 Revision 1
3. Draft NIST Interagency Report (IR) 7517
1. Draft SP 800-53 Rev. 3: Recommended Security Controls for Federal
Information Systems and Organizations
The following document provides a line-by-line (mark-up copy)
comparison between SP 800-53, Revision 2 and Draft SP 800-53,
Revision 3. It should also be noted that the section of the
publication addressing scoping considerations for scalability was
inadvertently omitted from the public draft and will be reinstated in
the final publication.
URL:
http://csrc.nist.gov/publications/PubsDrafts.html#800-53_Rev3
******
2. Draft SP 800-81 Rev. 1: Secure Domain Name System (DNS) Deployment Guide
NIST has drafted a new version of the document "Secure Domain Name
System (DNS) Deployment Guide (SP 800-81)". This document, after a
review and comment cycle, will be published as NIST SP 800-81r1. There
will be two rounds of public comments and this is our posting for the
first one. Federal agencies and private organizations as well as
individuals are invited to review the draft Guidelines and submit
comments to NIST by sending them to SecureDNS@... before March 31, 2009.
Comments will be reviewed and posted on the CSRC website.
All comments will be analyzed, consolidated, and used in revising the
draft Guidelines before final publication.
Reviewers of the draft revised Guidelines should note the following
differences and additions:
(1) Updated Recommendations for all cryptographic operations
relating to digital signing of DNS records, verification of the
signatures, Zone Transfer, Dynamic Updates, Key Management and
Authenticated Denial of Existence.
(2) The additional IETF RFC documents that have formed the basis
for the updated recommendations include: DNSSEC Operational Practices
(RFC 4641), Automated Updates for DNS Security (DNSSEC) Trust Anchors
(RFC 5011), DNS Security (DNSSEC) Hashed Authenticated Denial of
Existence (RFC 5155) and HMAC SHA TSIG Algorithm Identifiers (RFC 4635).
(3) The FIPS standards and NIST guidelines incorporated into the
updated recommendations include: The Keyed-Hash Message
Authentication Code (HMAC) (FIPS 198-1), Digital Signature Standard
(FIPS 186-3) and Recommendations for Key Management (SP 800-57P1 & SP
800-57P3).
(4) Illustration of Secure configuration examples using DNS
Software offering NSD, in addition to BIND.
URL:
http://csrc.nist.gov/publications/PubsDrafts.html#800-81-rev1
******
3. Draft NISTIR 7517: The Common Misuse Scoring System (CMSS): Metrics for
Software Feature Misuse Vulnerabilities
Draft NIST Interagency Report (IR) 7517, The Common Misuse Scoring
System (CMSS), is now available for public comment. This report
proposes a specification for CMSS, a set of standardized measures for
the severity of software feature misuse vulnerabilities. NISTIR 7517
also provides examples of how CMSS measures and scores would be
determined. Once CMSS is finalized, CMSS data can assist
organizations in making security decisions based on standardized,
quantitative vulnerability data.
NIST requests comments on Draft NISTIR 7517 by April 3, 2009. Please
submit comments to IR7517comments@... with "Comments IR 7517" in
the subject line.
URL:
http://csrc.nist.gov/publications/PubsDrafts.html#nistir-7517