NIST Issues Slew of New GuidanceIT Products Checklist, SCAP Specs, Vulnerability Naming Schemes Guide
Among the new guidance from the National Institute of Standards and Technology:
SP 800-70 Revision 2: National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. It describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program to find and retrieve checklists.
SP 800-126 Revision 1: The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1. SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations.
SP 800-51 Revision 1: Guide to Using Vulnerability Naming Schemes. This publication provides recommendations for using two vulnerability naming schemes: Common Vulnerabilities and Exposures and Common Configuration Enumeration. The revised publication gives an introduction to naming schemes and makes recommendations for end-user organizations on using the names produced by these schemes. The publication also presents recommendations for software and service vendors on how they should use vulnerability names and naming schemes in their product and service offerings.
NIST also issued Interagency Report 7764: Status Report on the Second Round of the SHA-3 Cryptographic Hash Algorithm Competition. This report summarizes the evaluation of 14, second-round candidates, and the selection of five SHA-3 finalists that are to advance to the third and final round of the competition.