NIST to Withdraw 11 Outdated Cybersecurity Publications

The U.S. National Institute of Standards and Technology (NIST) announced on Tuesday that its Computer Security Division has decided to withdraw eleven outdated SP 800 publications.

NIST’s 800 series Special Publications (SP) focus on cybersecurity and include guidelines, technical specifications, recommendations, and annual reports. These publications are meant to address and support the security and privacy needs of government agencies, but they are often used and referenced by private sector companies.

NIST’s website currently lists over 180 SP 800 publications, including drafts and final versions. Eleven of them, which are now considered out of date, will be withdrawn on August 1, 2018, and will not be revised or superseded.

The documents will still be available for historical reference, but their status will be changed from “final” to “withdrawn.”

The following SP 800 publications will be withdrawn, with the reason for withdrawal listed for each document:

● SP 800-13 (October 1995): Telecommunications Security Guidelines for Telecommunications Management Network – describes outdated technologies;

● SP 800-17 (February 1998): Modes of Operation Validation System (MOVS): Requirements and Procedures – validation system is for deprecated algorithms, such as DES and Skipjack;

SP 800-19 (October 1999): Mobile Agent Security – environments and technologies far less complex than what is used today;

SP 800-23 (August 2000): Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products – based on outdated laws, regulations and executive directives;

● SP 800-24 (April 2001): PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does – does not address newer technologies, such as VOIP;

● SP 800-33 (December 2001): Underlying Technical Models for Information Technology Security – describes a model that pre-dates the Risk Management Framework and Cybersecurity Framework;

● SP 800-36 (October 2003): Guide to Selecting Information Technology Security Products – outdated references and it does not reflect current types of security products;

● SP 800-43 (November 2002): Systems Administration Guidance for Securing Windows 2000 Professional System – Windows 2000 no longer supported;

● SP 800-65 (January 2005): Integrating IT Security into the Capital Planning and Investment Control Process – pre-dates the Cybersecurity Framework and other important SP 800 guidance;

● SP 800-68 Rev. 1 (October 2008): Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist – Windows XP no longer supported;

● SP 800-69 (September 2006): Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist – Windows XP no longer supported.

Related: NIST Working on Global IoT Cybersecurity Standards

Related: NIST Publishes Second Draft of Cybersecurity Framework