NIST Special Publications

Overview
NIST Special Publications are publications from the National Institute of Standards and Technology. These publications are developed and issued by NIST as recommendations and guidance documents. For other than national security programs and systems, federal agencies must follow those NIST Special Publications mandated in a Federal Information Processing Standard.

While federal agencies are required to follow certain specific NIST Special Publications in accordance with OMB policy, there is flexibility in how agencies apply the guidance. Federal agencies apply the security concepts and principles articulated in the NIST Special Publications in accordance with and in the context of the agency’s missions, business functions, and environment of operation. Consequently, the application of NIST guidance by federal agencies can result in different security solutions that are equally acceptable, compliant with the guidance, and meet the OMB definition of adequate security for federal information systems.

Given the high priority of information sharing and transparency within the federal government, agencies also consider reciprocity in developing their information security solutions. When assessing federal agency compliance with NIST Special Publications, Inspectors General, evaluators, auditors, and assessors consider the intent of the security concepts and principles articulated within the specific guidance document and how the agency applied the guidance in the context of its mission/business responsibilities, operational environment, and unique organizational conditions.

Special Publications 800 series (Computer Security) (December 1990-present)
Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Publications in this series includes:


 * NIST Special Publication 800-1: Bibliography of Selected Computer Security Publicatons, January 1980-October 1989 (Dec. 1990).
 * NIST Special Publication 800-2: Public Key Cryptography (Apr. 1991) (full-text).
 * NIST Special Publication 800-3: Establishing a Computer Security Incident Response Capability (CSIRC) (Nov. 1991) (full-text).
 * NIST Special Publication 800-4: Computer Security Considerations in Federal Procurements: A Guide for Procurement Initiators, Contracting Officers, and Computer Security Officials (Mar. 1992) (full-text).
 * NIST Special Publication 800-4A: Computer Security Considerations in Federal Procurements: A Guide for Procurement Initiators, Contracting Officers, and Computer Security Officials (Oct. 2002) (full-text).
 * NIST Special Publication 800-5: A Guide to Selection of Anti-Virus Tools and Techniques (Dec. 1992) (full-text).
 * NIST Special Publication 800-6: Automated Tools for Testing Computer System Vulnerability (Dec. 1992) (full-text).
 * NIST Special Publication 800-7: Security in Open Systems (July 1994).
 * NIST Special Publication 800-8: Security Issues in the Database Language SQL (Aug. 1993).
 * NIST Special Publication 800-9: Good Security Practices for Electronic Commerce, Including Electronic Data Interchange (Dec. 1993).
 * NIST Special Publication 800-10: Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls (Dec. 1994).
 * NIST Special Publication 800-11: The Impact of the FCC’s Open Network Architecture on NS/EP Telecommunications Security (Feb. 1995).
 * NIST Special Publication 800-12: An Introduction to Computer Security: The NIST Handbook (Oct. 1995) (full-text).
 * NIST Special Publication 800-13: Telecommunications Security Guidelines for Telecommunications Management Network (Oct. 1995) (full-text).
 * NIST Special Publication 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems (Sept. 1996) (full-text).
 * NIST Special Publication 800-16: Information Technology Security Training Requirements: A Role- and Performance-Based Model (Apr. 1998) (full-text).
 * NIST Special Publication 800-16 (Rev. 1) (Third Draft): A Role-Based Model for Federal Information Technology/Cyber Security Training (Mar. 14, 2014) (full-text).
 * NIST Special Publication 800-18: Guide for Developing Security Plans for Federal Information Systems (GSSP) (Rev. 1) (Feb. 2006) (full-text).
 * NIST Special Publication 800-19: Mobile Agent Security (Aug. 1999) (full-text).
 * NIST Special Publication 800-21: Guideline for Implementing Cryptography in the Federal Government (2d ed. Dec. 2005) (full-text).
 * NIST Special Publication 800-23: Guidelines to Federal Organizations on Security Assurance & Acquisition/Use of Tested/Evaluated Products (Aug. 2000). (full-text0.
 * NIST Special Publication 800-25: Federal Agency Use of Public Key Technology for Digital Signatures and Authentication (Sept. 2000) (full-text).
 * NIST Special Publication 800-26: Security Self-Assessment Guide for Information Technology Systems (Nov. 2001) (full-text).
 * NIST Special Publication 800-27 Rev A: Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A (June 2004) (full-text).
 * NIST Special Publication 800-27A: Engineering Principles for Information Technology Security (A Baseline for Achieving Security) (June 2004) (full-text).
 * NIST Special Publication 800-28: Guidelines on Active Content and Mobile Code (ver. 2) (Mar. 2008) (full-text).
 * NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems (July 2002) (full-text).
 * NIST Special Publication 800-30, Rev. 1: Guide for Conducting Risk Assessments (Sept. 2012) (full-text).
 * NIST Special Publication 800-31, Intrusion Detection Systems (Nov. 2001) (full-text).
 * NIST Special Publication 800-32: Introduction to Public Key Technology and the Federal PKI Infrastructure (Feb. 26, 2001) (full-text).
 * NIST Special Publication 800-33: Underlying Technical Models for Information Technology Security (Dec. 2001) (full-text).
 * NIST Special Publication 800-34: Contingency Planning Guide for Federal Information Systems (Rev. 1) (May 2010) (full-text).
 * NIST Special Publication 800-35: Guide to Information Technology Security Services (Oct. 2003) (full-text).
 * NIST Special Publication 800-36: Guide to Selecting Information Technology Security Products (Oct. 2003) (full-text).
 * NIST Special Publication 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Rev. 1) (Feb. 2010) (full-text).
 * NIST Special Publication 800-38A: Recommendation for Block Cipher Modes of Operation Methods and Techniques (2001 ed.) (full-text).
 * NIST Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View (Dec. 14, 2010) (full-text).
 * NIST Special Publication 800-40: Guide to Enterprise Patch Management Technologies (Draft) (Rev. 3) (Sept. 2012) (full-text).
 * NIST Special Publication 800-41: Guidelines on Firewalls and Firewall Policy (Rev. 1) (Sept. 2009) (full-text).
 * NIST Special Publication 800-44: Guidelines on Securing Public Web Servers (Sept. 2007) (full-text).
 * NIST Special Publication 800-45: Guidelines on Electronic Mail Security (Ver. 2) (Feb. 2007) (full-text).
 * NIST Special Publication 800-46: Guide to Enterprise Telework and Remote Access Security (June 2009) (full-text).
 * NIST Special Publication 800-47: Security Guide for Interconnecting Information Technology Systems (Aug. 2002) (full-text).
 * NIST Special Publication 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks (July 2008) (full-text).
 * NIST Special Publication 800-49: Federal S/MIME V3 Client Profile (Nov. 2002) (full-text).
 * NIST Special Publication 800-50, Building Information Technology Security Awareness and Training Program (Oct. 2003) (full-text).
 * NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations (Rev. 4) (Apr. 2013) (full-text).
 * NIST Special Publications 800-53, Appendix J: Privacy Control Catalog (Draft) (July 19, 2011) (full-text).
 * NIST Special Publication 800-53A: Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans (Rev. 1) (Jun. 2010) (full-text).
 * NIST Special Publication 800-55: Security Metrics Guide for Information Technology System (July 2003) (full-text).
 * NIST Special Publication 800-57: Recommendation for Key Management (Mar. 2007) (full-text).
 * NIST Special Publication 800-58: Security Considerations for Voice Over IP Systems (Jan. 2005) (full-text).
 * NIST Special Publication 800-59: Guideline for Identifying an Information System as a National Security System (Aug. 2003) (full-text).
 * NIST Special Publication 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories (Aug. 2008) (full-text).
 * NIST Special Publication 800-61: Computer Security Incident Handling Guide (rev. 1) (Mar. 2008) (full-text); (rev. 2) (Jan. 2012) (full-text).
 * NIST Special Publication 800-63: Electronic Authentication Guideline (Apr. 2006) (full-text).
 * NIST Special Publications 800-63-2: DRAFT Electronic Authentication Guideline (Feb. 1, 2013) (full-text).
 * NIST Special Publication 800-64: Security Considerations in the Information System Development Life Cycle {Rev. 2) (Oct. 2008) (full-text).
 * NIST Special Publication 800-65: Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC) (Ver. 1) (Jan. 2005) (full-text).
 * NIST Special Publication 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Oct. 2008) (full-text).
 * NIST Special Publication 800-67: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher (Ver. 1.1) (May 19, 2008) (full-text).
 * NIST Special Publication 800-69: Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist (Sept. 2006) (full-text).
 * NIST Special Publication 800-70, Rev. 3: (DRAFT) National Checklist Program for IT Products—Guidelines for Checklist Users and Developers (Mar. 26, 2015) (full-text).
 * NIST Special Publication 800-72: Guidelines on PDA Forensics (Nov. 2004) (full-text).
 * NIST Special Publication 800-73-4: Interfaces for Personal Identity Verification – Part 1: End-Point PIV Card Application Namespace, Data Model and Representation (May 13, 2013) (full-text); Part 2: PIV Card Application Card Command Interface (May 13, 2013) (full-text); Part 3: PIV Client Application Programming Interface (May 13, 2013) (full-text).
 * NIST Special Publications 800-76-2: (Draft) Biometric Data Specification for Personal Identity Verification (Apr. 11, 2011) (full-text).
 * NIST Special Publication 800-77: Guide to IPsec VPNs (Dec. 2005) (full-text).
 * NIST Special Publications 800-81: Secure Domain Name System (DNS) Deployment Guide (Rev. 2) (Sept. 18, 2013) (full-text).
 * NIST Special Publication 800-82, Rev. 2: {Draft) Guide to Industrial Control Systems (ICS) Security (Feb. 9, 2015) (full-text).
 * NIST Special Publication 800-83, Rev. 1: Guide to Malware Incident Prevention and Handling for Desktops and Laptops (July 2013) (full-text).
 * NIST Special Publication 800-84: Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities (Sept. 2006) (full-text).
 * NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response (Aug. 2006) (full-text).
 * NIST Special Publication 800-88 (Rev. 1): Guidelines for Media Sanitization (Sept. 6, 2012) (full-text).
 * NIST Special Publication 800-90: Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Mar. 2007 rev.).(full-text).
 * NIST Special Publication 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Rev. 1) (June 25, 2015).(full-text).
 * NIST Special Publication 800-92: Guide to Computer Security Log Management (Sept. 2006) (full-text).
 * NIST Special Publication 800-94: Guide to Intrusion Detection and Prevention Systems (Feb. 2007) (full-text); (Rev. 1) (July 25, 2012) (full-text).
 * NIST Special Publication 800-95: Guide to Secure Web Services (Aug. 2007) (full-text).
 * NIST Special Publication 800-97: Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i (Feb. 2007) (full-text).
 * NIST Special Publication 800-98: Guidelines for Securing Radio Frequency Identification (RFID) Systems (Apr. 2007) (full-text).
 * NIST Special Publication 800-100, Information Security Handbook: A Guide for Managers (Oct. 2006) (full-text).
 * NIST Special Publication 800-101: Guidelines on Cell Phone Forensics (May 2007) (full-text).
 * NIST Special Publication 800-111: Guide to Storage Encryption Technologies for End User Devices (Nov. 2007) (full-text).
 * NIST Special Publication 800-114: User’s Guide to Securing External Devices for Telework and Remote Access (Nov. 2007) (full-text).
 * NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment (Sept. 2008) (full-text).
 * NIST Special Publication 800-116: A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS) (Nov. 2008) (full-text).
 * NIST Special Publication 800-118: Guide to Enterprise Password Management (Draft) (Apr. 2009) (full-text).
 * NIST Special Publication 800-121: Guide to Bluetooth Security (Sept. 2008) (full-text); (Rev. 1) (June 2012) (full-text).
 * NIST Special Publication 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (April 2010) (full-text).
 * NIST Special Publication 800-123: Guide to General Server Security (July 2008) (full-text).
 * NIST Special Publication 800-124: Guidelines on Cell Phone and PDA Security (Oct. 2008) (full-text) (superseded by NIST Special Publication 800-124r1).
 * NIST Special Publication 800-124r1: Guidelines for Managing the Security of Mobile Devices in the Enterprise (June 2013) (full-text).
 * NIST Special Publication 800-125: Guide to Security for Full Virtualization Technologies (Jan. 2011) (full-text).
 * NIST Special Publication 800-127: Guide to Securing WiMAX Wireless Communications (Sept. 2010) (full-text).
 * NIST Special Publication 800-128: Guide for Security Configuration Management of Information Systems (Initial Public Draft) (Mar. 2010) (full-text).
 * NIST Special Publication 800-130: (Draft) A Framework for Designing Cryptographic Key Management Systems (June 16, 2010) (full-text).
 * NIST Special Publication 800-131A: (Draft) Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths (Jan. 2011) (full-text).
 * NIST Special Publication 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations (Sept. 2011) (full-text).
 * NIST Special Publication 800-144: Guidelines on Security and Privacy in Public Cloud Computing (Dec. 2011) (full-text).
 * NIST Special Publication 800-145: (Draft) A NIST Definition of Cloud Computing (Sept. 2011) (full-text).
 * NIST Special Publication 800-146: Cloud Computing Synopsis and Recommendations (May 2012) (full-text).
 * NIST Special Publication 800-147: Basic Input/Output System (BIOS) Protection Guidelines (Apr. 2011) (full-text).
 * NIST Special Publication 800-147B: BIOS Protection Guidelines for Servers (July 30, 2012) (full-text).
 * NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing (Oct. 29, 2014) (full-text).
 * NIST Special Publication 800-152: (DRAFT) A Profile for U. S. Federal Cryptographic Key Management Systems (CKMS) (Third Draft) (Dec. 18, 2014) (full-text).
 * NIST Special Publication 800-153: Guidelines for Securing Wireless Local Area Networks (WLANs) (Feb. 2012) (full-text).
 * NIST Special Publication 800-155:	(DRAFT) BIOS Integrity Measurement Guidelines (Dec. 8, 2011) (full-text).
 * NIST Special Publication 800-160:	(DRAFT) Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems (May 2014) (full-text).
 * NIST Special Publication 800-161:	(DRAFT) Supply Chain Risk Management Practices for Federal Information Systems and Organizations (Second Draft) (June 3, 2014) (full-text).
 * NIST Special Publication 800-162:	(DRAFT) Guide to Attribute Based Access Control (ABAC) Definition and Considerations (Apr. 22, 2013)(full-text).
 * NIST Special Publication 800-164:	(DRAFT) Guidelines on Hardware-Rooted Security in Mobile Devices (Oct. 31, 2012) (full-text).
 * NIST Special Publication 800-165: 2012 Computer Security Division Annual Report (June 2013) (full-text).
 * NIST Special Publication 800-168: Approximate Matching: Definition and Terminology (May 2014) (full-text).
 * NIST Special Publication 800-170: Computer Security Division 2013 Annual Report (June 2014) (full-text).
 * NIST Special Publication SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (June 25, 2015) (full-text).

Special Publications 500 series (Information Technology)
These publications are a general IT subseries used more broadly by NIST's Information Technology Laboratory (ITL). Publications in this series include:


 * NIST Special Publication 500-120: Security of Personal Computer Systems-A Management Guide (Jan. 1985).
 * NIST Special Publication 500-121:Guidance on Planning and Implementing Computer Systems Reliability (Jan. 1985).
 * NIST Special Publication 500-125: Issues in the Management of Microcomputer Systems (Sept. 1985).
 * NIST Special Publication 500-128: Starting and Operating a Microcomputer Support Center (Oct. 1985).
 * NIST Special Publication 500-157: Smart Card Technology: New Methods for Computer Access Control (Sept. 1988).
 * NIST Special Publication 500-158: Accuracy, Integrity, and Security in Computerized Vote-Tallying (Aug. 1988).
 * NIST Special Publication 500-166: Computer Viruses and Related Threats: A Management Guide (Aug. 1989).
 * NIST Special Publication 500-169: Executive Guide to the Protection of Information Resources (1989).
 * NIST Special Publication 500-170: Management Guide to the Protection of Information Resources (1989).
 * NIST Special Publication 500-171: Computer Users' Guide to the Protection of Information Resources (1989).
 * NIST Special Publication 500-218: Analyzing Electronic Commerce (June 1, 1994)
 * NIST Special Publication 500-245: Standard Data Format for the Interchange of Fingerprint, Facial, & Scar Mark & Tattoo (SMT) Information (Sept. 2000).
 * NIST Special Publication 500-271: American National Standard for Information Systems-Data Format for the Interchange of Fingerprint, Facial, & Other Biometric Information-Part 1 (ANSI/NIST-ITL 1-2007) (May 2007) (full-text).
 * NIST Special Publication 500-291: NIST Cloud Computing Standards Roadmap (July 2011) (full-text).
 * NIST Special Publication 500-292: NIST Cloud Computing Reference Architecture (Sept. 2011) (full-text).
 * NIST Special Publication 500-293: US Government Cloud Computing Technology Roadmap
 * Vol. I, Rel. 1.0 (Draft) (High-Priority Requirements to Further USG Agency Cloud Computing Adoption) (Dec. 1, 2011) (full-text)
 * Vol. II, Rel. 1.0 (Draft) (Useful Information for Cloud Adopters) (Dec. 1, 2011) (full-text).
 * Vol. III, Rel. 1.0 (Draft) (Technical Considerations for USG Cloud Computer Deployment Decisions) (Nov. 3, 2011) (full-text).

Special Publications 1800 series (NIST Cybersecurity Practice Guides (2015-present))
This subseries was created to complement the Special Publications 800 series. It targets specific cybersecurity challenges in the public and private sectors. It provides practical, user-friendly guides to facilitate adoption of standards-based approaches to cybersecurity.

NIST Cloud Computing Research Papers

 * NIST Cloud Computing Public Security Working Group, White Paper "Challenging Security Requirements for US Government Cloud Computing Adoption", December 2012
 * C. Dabrowski and K. Mills, "VM Leakage and Orphan Control in Open-Source Clouds", Proceedings of IEEE CloudCom 2011, Nov. 29-Dec. 1, Athens, Greece, pp. 554-559.
 * K. Mills, J. Filliben and C. Dabrowski, "Comparing VM-Placement Algorithms for On-Demand Clouds", Proceedings of IEEE CloudCom 2011, Nov. 29-Dec. 1, Athens, Greece, pp. 91-98.
 * C. Dabrowski and K. Mills, "Extended Version of VM Leakage and Ophan Control in Open-Source Clouds", NIST Publication 909325; an abbreviated version of this paper was published in the Proceedings of IEEE CloudCom 2011, Nov. 29-Dec. 1, Athens, Greece.
 * C. Dabrowski and F. Hunt, "Identifying Failure Scenarios in Complex Systems by Perturbing Markov Chain Models", Proceedings of ASME 2011 Conference on Pressure Vessels & Piping, Baltimore, MD, July 17-22, 2011.
 * K. Mills, J. Filliben and C. Dabrowski, "An Efficient Sensitivity Analysis Method for Large Cloud Simulations", Proceedings of the 4th International Cloud Computing Conference, IEEE, Washington, D.C., July 5-9, 2011.

NiST Grant/Contract Reports (GCR)

 * NIST GCR 93-635, Private Branch Exchange (PBX) Security Guideline (PB94-100880) (Sept. 1993).
 * NIST GCR 94-654, Federal Certification Authority Liability and Policy-Law and Policy of Certificate-Based Public Key and Digital Signatures (PB94-191202) (June 1994).
 * NIST GCR 95-670, Standards Policy and Information Infrastructure (May 1995) (PB95-231882).

Other Special Publications

 * NIST Special Publication 1191: Research Roadmap for Smart Fire Fighting (Summary Report) (June 11, 2015) (full-text).
 * NIST Special Publication 1163: Economics of the U.S. Additive Manufacturing Industry (August 2013).
 * NIST Special Publication 1108, Rel. 1: NIST Framework and Roadmap for Smart Grid Interoperability Standards (Jan. 2010) (full-text).
 * NIST Special Publication 868: The Information Infrastructure: Reaching Society's Goals (Sept. 1994) (not available online).
 * NIST Special Publication 857: Putting the Information Infrastructure to Work: Report of the Information Infrastructure Task Force Committee on Applications and Technology (May 1994).