The IT Law Wiki


NIST Special Publications are publications from the National Institute of Standards and Technology. These publications are developed and issued by NIST as recommendations and guidance documents. For other than national security programs and systems, federal agencies must follow those NIST Special Publications mandated in a Federal Information Processing Standard.

While federal agencies are required to follow certain specific NIST Special Publications in accordance with OMB policy, there is flexibility in how agencies apply the guidance. Federal agencies apply the security concepts and principles articulated in the NIST Special Publications in accordance with and in the context of the agency’s missions, business functions, and environment of operation. Consequently, the application of NIST guidance by federal agencies can result in different security solutions that are equally acceptable, compliant with the guidance, and meet the OMB definition of adequate security for federal information systems.

Given the high priority of information sharing and transparency within the federal government, agencies also consider reciprocity in developing their information security solutions. When assessing federal agency compliance with NIST Special Publications, Inspectors General, evaluators, auditors, and assessors consider the intent of the security concepts and principles articulated within the specific guidance document and how the agency applied the guidance in the context of its mission/business responsibilities, operational environment, and unique organizational conditions.

Special Publications 800 series (Computer Security) (December 1990-present)[]

Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Publications in this series includes:

Special Publications 500 series (Information Technology) (January 1977-present)[]

These publications are a general IT subseries used more broadly by NIST's Information Technology Laboratory (ITL). Publications in this series include:

  • NIST Special Publication 500-087: Management Guide for Software Documentation (Jan. 1982).
  • NIST Special Publication 500-090: Guide to Contracting for Software Conversion Services (May 1982).
  • NIST Special Publication 500-105: Guide to Software Conversion Management
  • NIST Special Publication 500-106: Guide on Software Maintenance.
  • NIST Special Publication 500-109: Overview of Computer Security Certification andAccreditation.
  • NIST Special Publication 500-120: Security of Personal Computer Systems-A Management Guide (Jan. 1985).
  • NIST Special Publication 500-121: Guidance on Planning and Implementing Computer Systems Reliability (Jan. 1985).
  • NIST Special Publication 500-125: Issues in the Management of Microcomputer Systems (Sept. 1985).
  • NIST Special Publication 500-128: Starting and Operating a Microcomputer Support Center (Oct. 1985).
  • NIST Special Publication 500-148: Application Software Prototyping and Fourth Generation Languages.
  • NIST Special Publication 500-153: Guide to Auditing for Controls and Security: A Svstem Develonment Life Cvcle Annroach.
  • NIST Special Publication 500-154: Guide to Distributed Database Management.
  • NIST Special Publication 500-155: Management Guide to Software Reuse.
  • NIST Special Publication 500-157: Smart Card Technology: New Methods for Computer Access Control (Sept. 1988).
  • NIST Special Publication 500-158: Accuracy, Integrity, and Security in Computerized Vote-Tallying (Aug. 1988).
  • NIST Special Publication 500-166: Computer Viruses and Related Threats: A Management Guide (Aug. 1989).
  • NIST Special Publication 500-169: Executive Guide to the Protection of Information Resources (1989).
  • NIST Special Publication 500-170: Management Guide to the Protection of Information Resources (1989).
  • NIST Special Publication 500-171: Computer Users' Guide to the Protection of Information Resources (1989).
  • NIST Special Publication 500-180: Guide to Software Acceptance.
  • NIST Special Publication 500-218: Analyzing Electronic Commerce (June 1, 1994)
  • NIST Special Publication 500-245: Standard Data Format for the Interchange of Fingerprint, Facial, & Scar Mark & Tattoo (SMT) Information (Sept. 2000).
  • NIST Special Publication 500-271: American National Standard for Information Systems-Data Format for the Interchange of Fingerprint, Facial, & Other Biometric Information-Part 1 (ANSI/NIST-ITL 1-2007) (May 2007) (full-text).
  • NIST Special Publication 500-291: NIST Cloud Computing Standards Roadmap (July 2011) (full-text).
  • NIST Special Publication 500-292: NIST Cloud Computing Reference Architecture (Sept. 2011) (full-text).
  • NIST Special Publication 500-293: US Government Cloud Computing Technology Roadmap
    • Vol. I, Rel. 1.0 (Draft) (High-Priority Requirements to Further USG Agency Cloud Computing Adoption) (Dec. 1, 2011) (full-text)
    • Vol. II, Rel. 1.0 (Draft) (Useful Information for Cloud Adopters) (Dec. 1, 2011) (full-text).
    • Vol. III, Rel. 1.0 (Draft) (Technical Considerations for USG Cloud Computer Deployment Decisions) (Nov. 3, 2011) (full-text).

Special Publications 1800 series (NIST Cybersecurity Practice Guides (2015-present))[]

This subseries was created to complement the Special Publications 800 series. It targets specific cybersecurity challenges in the public and private sectors. It provides practical, user-friendly guides to facilitate adoption of standards-based approaches to cybersecurity.

They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices and provide users with the materials lists, configuration files, and other information they need to implement a similar approach.

The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

  • NIST Special Publication 1800-34: (Preliminary Draft) Validating the Integrity of Computing Devices (Aug. 31, 2021).
  • NIST Special Publication 1800-33: (Preliminary Draft) 5G Cybersecurity (Feb. 1, 2021).
  • NIST Special Publication 1800-30: (Draft) Securing Telehealth Remote Patient Monitoring Ecosystem (Nov. 2020).
  • NIST Special Publication 1800-26: Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events (Dec. 8, 2020).
  • NIST Special Publication 1800-25: Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events (Dec. 8, 2020).
  • NIST Special Publication 1800-21: Mobile Device Security: Corporate-Owned Personally-Enabled (COPE) (Sept. 15, 2020).
  • NIST Special Publication 1800-17: (DRAFT) Multifactor Authentication for E-Commerce: Risk-Based, FIDO Universal Second Factor Implementations for Purchasers (July 19, 2019).
  • NIST Special Publication 1800-15, (Draft) Securing Small Business and Home Internet of Things Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (Sept. 16, 2020).
  • NIST Special Publication 1800-11: (DRAFT) Data Integrity: Recovering from Ransomware and Other Destructive Events (Sept. 6, 2017).
  • NIST Special Publication 1800-9: (DRAFT) Access Rights Management for the Financial Services Sector (Aug. 31, 2017).
  • NIST Special Publication 1800-8: (DRAFT) Securing Wireless Infusion Pumps in Healthcare Delivery Organizations (May 8, 2017).
  • NIST Special Publication 1800-7: (DRAFT) Situational Awareness for Electric Utilities (Feb. 16, 2017).
  • NIST Special Publication 1800-6: (DRAFT) Domain Name Systems-Based Electronic Mail Security (Nov. 2016).
  • NIST Special Publication 1800-5: (DRAFT) IT Asset Management (Oct. 29, 2015).
  • NIST Special Publication 1800-4: (DRAFT) Mobile Device Security: Cloud & Hybrid Builds (Nov. 5, 2015).
  • NIST Special Publication 1800-3: (DRAFT) Attribute Based Access Control (Sep. 29, 2015).
  • NIST Special Publication 1800-2: (DRAFT) Identity and Access Management for Electric Utilities (Aug. 25, 2015).
  • NIST Special Publication 1800-1: Securing Electronic Health Records on Mobile Devices (July 2018).

NIST Cloud Computing Research Papers[]

  • NIST Cloud Computing Public Security Working Group, White Paper "Challenging Security Requirements for US Government Cloud Computing Adoption", December 2012
  • C. Dabrowski and K. Mills, "VM Leakage and Orphan Control in Open-Source Clouds", Proceedings of IEEE CloudCom 2011, Nov. 29-Dec. 1, Athens, Greece, pp. 554-559.
  • K. Mills, J. Filliben and C. Dabrowski, "Comparing VM-Placement Algorithms for On-Demand Clouds", Proceedings of IEEE CloudCom 2011, Nov. 29-Dec. 1, Athens, Greece, pp. 91-98.
  • C. Dabrowski and K. Mills, "Extended Version of VM Leakage and Ophan Control in Open-Source Clouds", NIST Publication 909325; an abbreviated version of this paper was published in the Proceedings of IEEE CloudCom 2011, Nov. 29-Dec. 1, Athens, Greece.
  • C. Dabrowski and F. Hunt, "Identifying Failure Scenarios in Complex Systems by Perturbing Markov Chain Models", Proceedings of ASME 2011 Conference on Pressure Vessels & Piping, Baltimore, MD, July 17-22, 2011.
  • K. Mills, J. Filliben and C. Dabrowski, "An Efficient Sensitivity Analysis Method for Large Cloud Simulations", Proceedings of the 4th International Cloud Computing Conference, IEEE, Washington, D.C., July 5-9, 2011.

NiST Grant/Contract Reports (GCR)[]

  • NIST GCR 93-635, Private Branch Exchange (PBX) Security Guideline (PB94-100880) (Sept. 1993).
  • NIST GCR 94-654, Federal Certification Authority Liability and Policy-Law and Policy of Certificate-Based Public Key and Digital Signatures (PB94-191202) (June 1994).
  • NIST GCR 95-670, Standards Policy and Information Infrastructure (May 1995) (PB95-231882).

Other Special Publications[]

See also[]