NIST Draft Publications Open for Comment
Many of NIST's cybersecurity and privacy publications are posted as drafts for public comment. Comment periods are still open for the following publications. Visit the links for downloads, related content, and instructions for submitting comments. Your thoughtful reviews and comments are greatly appreciated and help us to improve our standards and guidance.
https://csrc.nist.gov/CSRC/media/feeds/pubs/drafts-open-for-comment.xml
2025-10-03T09:00:37Z
https://csrc.nist.gov/pubs/ir/8536/2pd
IR 8536, Supply Chain Traceability: Manufacturing Meta-Framework (2nd Public Draft)
<p>The NIST National Cybersecurity Center of Excellence (NCCoE) has released a second public draft of NIST Internal Report 8536, Supply Chain Traceability: Manufacturing Meta-Framework, for public comment. </p>
<p>We thank everyone who submitted comments on the initial draft. Your thoughtful feedback prompted substantial revisions. In response, we are publishing this second draft to provide an opportunity for further review and input before finalizing the report.</p>
<h5>Background</h5>
<p>This paper presents a framework to improve traceability across complex and distributed manufacturing ecosystems. It enables structured recording, linking, and querying of traceability data across trusted repositories. This initial research is intended to explore approaches that may support stakeholders in verifying product provenance, meet contractual obligations, and assess supply chain integrity.</p>
<p>This framework builds on previous NIST research (<a data-csrc-link="true" data-node-guid="0a5cfe6a-5342-49a0-afc2-feb48b5dc588" href="">NIST IR 8419</a>) and incorporates insights and feedback from industry, standards bodies, and academia. It is designed to enhance national security, economic resilience, and supply chain risk management, particularly across manufacturing and other critical infrastructure sectors.</p>
<p>We invite and encourage those interested to review and comment on this draft. </p>
<h5>Submit Your Comments</h5>
<p>The public comment period for this draft is open through <s>September 1, 2025</s> <strong>October 3, 2025, at 11:59 PM EST</strong>. Visit the <a href="https://www.nccoe.nist.gov/projects/manufacturing-supply-chain-traceability-using-blockchain-related-technologies">project page</a> for a copy of the draft and instructions for submitting comments. We value and welcome your input and look forward to your comments.</p>
<h5>Get Engaged </h5>
<p>You can continue to help shape and contribute to this and future projects by joining the NCCoE’s Blockchain Community of Interest. Visit our <a href="https://www.nccoe.nist.gov/projects/manufacturing-supply-chain-traceability-using-blockchain-related-technologies#join-the-coi">project page</a> to join.</p>
<p><em>NOTE:</em> <em>A call for patent claims is included on page ii of this draft. For additional information, see the </em><a href="https://www.nist.gov/itl/publications-0/itl-patent-policy-inclusion-patents-itl-publications"><em><u>Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications</u></em></a><em>.</em></p>
2025-07-31T00:00:00-04:00
Comments Due 10/03/2025
https://csrc.nist.gov/pubs/cswp/37/b/automation-of-the-nist-cmvp-april-2025/ipd
CSWP 37B, Automation of the NIST Cryptographic Module Validation Program: April 2025 Status Report (Initial Public Draft)
<p>The Cryptographic Module Validation Program (CMVP) validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. The NIST National Cybersecurity Center of Excellence (NCCoE) has undertaken the Automated Cryptographic Module Validation Project (ACMVP) to support improvement in the efficiency and timeliness of CMVP operations and processes. The goal is to demonstrate a suite of automated tools that would permit organizations to perform testing of their cryptographic products according to the requirements of FIPS 140-3, then directly report the results to NIST using appropriate protocols.</p>
<p>This is a status report of progress made since October 2024 with the ACMVP and the planned next steps for the project.</p>
2025-09-10T00:00:00-04:00
Comments Due 10/10/2025
https://csrc.nist.gov/pubs/cswp/48/mapping-migration-to-pqc-project-capabilities-to-r/ipd
CSWP 48, Mappings of Migration to PQC Project Capabilities to NIST Cybersecurity Framework 2.0 and to Security and Privacy Controls for Information Systems and Organizations (Initial Public Draft)
<p>The project is designed to support and align with key NIST cybersecurity frameworks and security controls. Specifically, the project’s capabilities are informed by and mapped to the security objectives and controls outlined in two important NIST documents:</p>
<ul>
<li style="list-style-type: none;">
<ul>
<li><a href="https://doi.org/10.6028/NIST.CSWP.29"><strong>NIST Cybersecurity Framework 2.0</strong></a> (CSF 2.0). A widely adopted framework that helps organizations manage and reduce cybersecurity risk.</li>
<li><a data-csrc-link="true" data-node-guid="e59fdf2a-e753-42d7-b733-69c0e3c12364" href="/pubs/sp/800/53/r5/upd1/final"><strong>Security and Privacy Controls for Information Systems and Organizations</strong></a> (SP 800-53). A comprehensive catalog of security controls that organizations can use to protect their information systems.</li>
</ul>
</li>
</ul>
<p>This white paper provides a mapping of the project’s capabilities to these two resources. This helps organizations align their PQC migration efforts with established security outcomes (and broader cybersecurity risk management practices) and identify specific security controls and objectives needed to successfully implement PQC migration.</p>
<h6><strong>Your Feedback Matters</strong></h6>
<p>We invite you to review this document and provide comments by October 20, 2025. You can submit comments by visiting the <a href="https://www.nccoe.nist.gov/crypto-agility-considerations-migrating-post-quantum-cryptographic-algorithms#project-promo">NCCoE project page</a>.</p>
<p>If you have any questions or need further information, please don’t hesitate to contact the team at <a href="mailto:applied-crypto-pqc@nist.gov">applied-crypto-pqc@nist.gov</a>. We encourage you to join the NCCoE PQC Community of Interest (COI) to receive project updates and stay involved!</p>
2025-09-18T00:00:00-04:00
Comments Due 10/20/2025
https://csrc.nist.gov/pubs/ir/8259/r1/2pd
IR 8259 Rev. 1, Foundational Cybersecurity Activities for IoT Product Manufacturers (2nd Public Draft)
<p>This document describes recommended activities related to cybersecurity for manufacturers, spanning pre-market and post-market, to help them develop products that meet their customers’ needs and expectations for cybersecurity. This second public draft builds on changes made in the first draft and responds to feedback primarily in:</p>
<ul>
<li>Splitting and adding activities to better focus attention on each separate critical activity</li>
<li>Expanding emphasis on risk assessment and threat modeling as key parts of the development process</li>
<li>Expanding the connection to other references and making the connection of this document to other work more explicit</li>
</ul>
<p>We encourage sending emailed comments to <a href="mailto:IoTSecurity@nist.gov">IoTSecurity@nist.gov</a> and look forward to hearing from you.</p>
2025-09-30T00:00:00-04:00
Comments Due 10/31/2025
https://csrc.nist.gov/pubs/sp/800/90/a/r2/iprd
SP 800-90A Rev. 2, PRE-DRAFT Call for Comments: Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Initial Preliminary Draft)
<p>NIST Special Publication (SP) 800-90Ar1 (Revision 1), <em><a data-csrc-link="true" data-node-guid="15c37698-7494-4d4e-906b-69a96ac5fa39" href="/pubs/sp/800/90/a/r1/final">Recommendation for Random Number Generation Using Deterministic Random Bit Generators (DRBGs)</a></em>, provides guidelines for generating cryptographically secure random numbers using deterministic methods. This recommendation specifies approved DRBG mechanisms based on hash functions and block ciphers.</p>
<p>NIST is planning a second revision of SP 800-90A to reflect advancements in cryptographic research and maintain consistency across related standards. This will involve:</p>
<ul>
<li>Improving alignment with the upcoming revision of SP 800-90C</li>
<li>Introducing a new DRBG construction based on eXtendable-Output Functions (XOFs), specifically using the SHAKE algorithms defined in Federal Information Processing Standards (FIPS) publication 202</li>
<li>Addressing technical comments and feedback received since the previous publication</li>
</ul>
<p><strong>NIST invites public comments on all aspects of the current SP 800-90A until November 4, 2025.</strong> Send comments to <a href="mailto:rbg_comments@nist.gov">rbg_comments@nist.gov</a> with “Comments on SP 800-90A” in the subject line.</p>
<p>All comments received will be posted on this page after the closing date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.</p>
2025-09-04T00:00:00-04:00
Comments Due 11/04/2025
https://csrc.nist.gov/pubs/ir/8588/ipd
IR 8588, A Community‐Driven Differential Privacy Deployment Registry (Initial Public Draft)
<p>This draft proposes a NIST-hosted database of community-contributed descriptions of differential privacy (DP) deployments.</p>
<p>DP is a mathematical definition of privacy, and DP deployments are computer systems that add calibrated noise to data to protect the privacy of individuals. Since DP is being used at scale in many contexts, a database of implementation descriptions is an important step to establish guidelines and best practices for its application.</p>
<p>The quality of the NIST-hosted repository proposed in IR 8588 is maintained through a public working group. This draft describes the data schema, working group function, and other important considerations.</p>
<p>The public comment period is open through November 14, 2025. NIST invites the public to comment on the plan and especially welcomes contributions that will help maximize the value of the DP Registry. NIST encourages you to use <a href="/files/pubs/ir/8588/ipd/docs/ir8588-ipd-comment-template.xlsx">this template</a> when preparing your comments--thank you.</p>
<p><em>NOTE:</em> <em>A call for patent claims is included in this draft. For additional information, see the </em><a href="https://www.nist.gov/itl/publications-0/itl-patent-policy-inclusion-patents-itl-publications"><em>Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications</em></a><em>.</em></p>
2025-09-17T00:00:00-04:00
Comments Due 11/14/2025
https://csrc.nist.gov/pubs/sp/800/172/r3/fpd
SP 800-172 Rev. 3, Enhanced Security Requirements for Protecting Controlled Unclassified Information (Final Public Draft)
<p>As part of ongoing efforts to strengthen the protections for securing controlled unclassified information (CUI) in nonfederal systems, NIST has released the following drafts for comment:</p>
<ul>
<li><strong>SP 800-172r3 (Revision 3) fpd (final public draft)</strong>, <i>Enhanced Security Requirements for Protecting Controlled Unclassified Information</i>, provides new enhanced security requirements that support cyber resiliency objectives, focus on protecting CUI, and are consistent with the source controls in SP 800-53r5.</li>
<li><a href="/pubs/sp/800/172/a/r3/ipd" data-csrc-link="true" data-node-guid="efc3bf9d-e108-4c1f-afd5-8febae808911">SP 800-172Ar3 ipd (initial public draft)</a>, <i>Assessing Enhanced Security Requirements for Controlled Unclassified Information</i>, provides a set of assessment procedures for the enhanced security requirements. These procedures are based on the source assessment procedures in SP 800-53Ar5.</li>
</ul>
<p>Both drafts implement a one-time “revision number” change for consistency with SP 800-171r3 and SP 800-171Ar3.</p>
<p>NIST seeks feedback on both drafts during a 45-day public comment period, from September 29 through November 14, 2025. NIST is specifically interested in comments, feedback, and recommendations on the following topics:</p>
<ul>
<li>The additional enhanced security requirements to protect critical systems and high value assets</li>
<li>The mappings between the enhanced security requirements and the SP 800-160 protect strategies and adversary effects</li>
<li>The usefulness of the information in the supplementary Appendices</li>
</ul>
<p>Learn more about the <a data-csrc-link="true" data-node-guid="aa10858d-d2ff-42d2-8885-d991142d62c3" href="/Projects/protecting-controlled-unclassified-information">Protecting CUI Project</a>.</p>
2025-09-29T00:00:00-04:00
Comments Due 11/14/2025
https://csrc.nist.gov/pubs/sp/800/172/a/r3/ipd
SP 800-172A Rev. 3, Assessing Enhanced Security Requirements for Controlled Unclassified Information (Initial Public Draft)
<p>As part of ongoing efforts to strengthen the protections for securing controlled unclassified information (CUI) in nonfederal systems, NIST has released the following drafts for comment:</p>
<ul>
<li><a href="/pubs/sp/800/172/r3/fpd" data-csrc-link="true" data-node-guid="bec17b47-a89f-4cab-86be-04096f58d58d">SP 800-172r3 (Revision 3) fpd (final public draft)</a>, <i>Enhanced Security Requirements for Protecting Controlled Unclassified Information</i>, provides new enhanced security requirements that support cyber resiliency objectives, focus on protecting CUI, and are consistent with the source controls in SP 800-53r5.</li>
<li><strong>SP 800-172Ar3 ipd (initial public draft)</strong>, <i>Assessing Enhanced Security Requirements for Controlled Unclassified Information</i>, provides a set of assessment procedures for the enhanced security requirements. These procedures are based on the source assessment procedures in SP 800-53Ar5.</li>
</ul>
<p>Both drafts implement a one-time “revision number” change for consistency with SP 800-171r3 and SP 800-171Ar3.</p>
<p>NIST seeks feedback on both drafts during a 45-day public comment period, from September 29 through November 14, 2025. NIST is specifically interested in comments, feedback, and recommendations on the following topics:</p>
<ul>
<li>The additional enhanced security requirements to protect critical systems and high value assets</li>
<li>The mappings between the enhanced security requirements and the SP 800-160 protect strategies and adversary effects</li>
<li>The usefulness of the information in the supplementary Appendices</li>
</ul>
<p>Learn more about the <a data-csrc-link="true" data-node-guid="aa10858d-d2ff-42d2-8885-d991142d62c3" href="/Projects/protecting-controlled-unclassified-information">Protecting CUI Project</a>.</p>
2025-09-29T00:00:00-04:00
Comments Due 11/14/2025
https://csrc.nist.gov/pubs/ir/8183/r2/ipd
IR 8183 Rev. 2, Cybersecurity Framework 2.0 Manufacturing Profile (Initial Public Draft)
<p>The Manufacturing Profile is aligned with manufacturing sector goals and industry best practices and can be used as a roadmap for reducing cybersecurity risk for manufacturers. The Manufacturing Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems and is meant to enhance but not replace current cybersecurity standards and industry guidelines.</p>
<p>This revision of the CSF Manufacturing Profile provides the following updates:</p>
<ul>
<li>Realigned guidance to CSF 2.0 Functions, including guidance for the new Govern Function</li>
<li>Realigned guidance to CSF 2.0 Categories (changed from 23 in CSF 1.1 to 22 in CSF 2.0)</li>
<li>Realigned guidance to CSF 2.0 Subcategories (changed from 108 in CSF 1.1 to 106 in CSF 2.0)</li>
<li>Added guidance for CSF 2.0 supply chain risk management, platform security, and technology infrastructure resilience Categories</li>
</ul>
<p>We invite you to review this document and provide comments by November 17, 2025.</p>
2025-09-29T00:00:00-04:00
Comments Due 11/17/2025