Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

Projects

Showing 1 through 25 of 69 matching records.
Access Control Policy and Implementation Guides ACP&IG
Adequate security of information and information systems is a fundamental management responsibility. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access (authorization) control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. In some systems, complete access is granted after s successful authentication of the user, but most...
Access Control Policy Testing ACPT
Access control systems are among the most critical security components. Faulty policies, misconfigurations, or flaws in software implementation can result in serious vulnerabilities. The specification of access control policies is often a challenging problem. Often a system’s privacy and security are compromised due to the misconfiguration of access control policies instead of the failure of cryptographic primitives or protocols. This problem becomes increasingly severe as software systems...
Algorithms for Intrusion Measurement AIM
The Algorithms for Intrusion Measurement (AIM) project furthers measurement science in the area of algorithms used in the field of intrusion detection. The team focuses on both new detection metrics and measurements of scalability (more formally algorithmic complexity). This analysis is applied to different phases of the detection lifecycle to include pre-emptive vulnerability analysis, initial attack detection, alert impact, alert aggregation/correlation, and compact log storage. In...
Apple macOS Security Configuration APPLE-OS
CSD’s macOS security configuration team is working to develop secure system configuration baselines supporting different operational environments for Apple macOS version 10.12, “Sierra.” These configuration guidelines will assist organizations with hardening macOS technologies and provide a basis for unified controls and settings for federal macOS workstation and mobile system security configurations. The configurations are based on a collection of resources, including the existing NIST macOS...
AppVet Mobile App Vetting System AppVet
 AppVet is a web application for managing and automating the app vetting process. AppVet facilitates the app vetting workflow by providing an intuitive user interface for submitting and testing apps, managing reports, and assessing risk. Through the specification of APIs, schemas and requirements, AppVet is designed to easily and seamlessly integrate with a wide variety of clients including users, apps stores, and continuous integration environments as well as third-party tools including...
Attribute Based Access Control ABAC
The concept of Attribute Based Access Control (ABAC) has existed for many years. It represents a point on the spectrum of logical access control from simple access control lists to more capable role-based access, and finally to a highly flexible method for providing access based on the evaluation of attributes.In November 2009, the Federal Chief Information Officers Council (Federal CIO Council) published the Federal Identity, Credential, and Access Management (FICAM) Roadmap and...
Automated Combinatorial Testing for Software ACTS
Combinatorial testing is a proven method for more effective software testing at lower cost. The key insight underlying combinatorial testing’s effectiveness resulted from a series of studies by NIST from 1999 to 2004. NIST research showed that most software bugs and failures are caused by one or two parameters, with progressively fewer by three or more. This finding, referred to as the interaction rule, has important implications for software testing because it means that testing parameter...
Automated Cryptographic Validation Testing ACVT
The Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP) were established on July 17, 1995 by NIST to validate cryptographic modules conforming to the Federal Information Processing Standards (FIPS) 140-1, Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards. FIPS 140-2 was released on May 25, 2001 and supersedes FIPS 140-1.The current implementation of the CMVP is shown in Figure 1 below. The CAVP is...
Awareness, Training, & Education ATE
Public Law 100-235, "The Computer Security Act of 1987," mandated NIST and OPM to create guidelines on computer security awareness and training based on functional organizational roles. Guidelines were produced in the form of NIST Special Publication 800-16 titled, "Information Technology Security Training Requirements: A Role- and Performance-Based Model." The learning continuum modeled in this guideline provides the relationship between awareness, training, and education. The publication...
Biometric Conformance Test Software BioCTS
The Computer Security Division (CSD) supports the development of national and international biometric standards and promotes conformity assessment through: Participation in the development of biometric standardsSponsorship of conformance testing methodology standard projectsDevelopment of associated conformance test architectures and test suitesLeadership in national (link is external) and international (link is external) standards development bodiesVisit the Biometric Conformance...
Block Cipher Techniques
Approved AlgorithmsCurrently, there are two (2) Approved* block cipher algorithms that can be used for both applying cryptographic protection (e.g., encryption) and removing or verifying the protection that was previously applied (e.g., decryption): AES and Triple DES. Two (2) other block cipher algorithms were previously approved: DES and Skipjack; however, their approval has been withdrawn. See the discussions below for further information; also see SP 800-131A Rev. 1, Transitions...
Circuit Complexity
Boolean functions for a wide class of applications (such as encryption, digital signatures, hashing, and error correction codes) can be implemented as electronic circuits. In practice, it is important to be able to minimize the size and depth of these circuits. The Circuit Complexity Project aims at finding combinational circuits—over the basis AND, XOR, NOT—for boolean functions.The problem, even for functions on very few inputs, is computationally intractable. This means that optimal...
Cloud Computing
NIST Cloud Computing ProgramCloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics (On-demand self-service, Broad network access, Resource pooling, Rapid...
Computer Security Objects Register CSOR
Information objects that convey information used to maintain the security of resources in computerized environments are known as Computer Security Objects (CSOs). The Computer Security Objects Register (CSOR) specifies names that uniquely identify CSOs. These unique names are used to reference these objects in abstract specifications and during the negotiation of security services for a transaction or application. The CSOR is also a repository of parameters associated with the registered...
Continuous Monitoring ConMon
To advance the state of the art in continuous monitoring capabilities and to further interoperability within commercially available tools, the Computer Security Division is working within the international standards development community to establish working groups and to author and comment on emerging technical standards in this area. The CAESARS-FE reference architecture will evolve as greater consensus is developed around interoperable, standards-based approaches that enable continuous...
Crypto Reading Club
The Computer Security Division hosts Crypto Reading Club talks to foster research and collaboration in cryptography.When:Wednesday (bi-weekly), 10:00am-12:00pm (Eastern Time), unless noted otherwise.Where:NIST Building 222, Room B341 Gaithersburg, MD 20899NIST Visitor InformationEmail List:Meeting reminders will be sent to subscribers of the Crypto Reading Club List.To be added to the list and/or give a talk, please contact Morris J. Dworkin or Meltem Sonmez Turan. Upcoming Talks...
Cryptographic Algorithm Validation Program CAVP
The Cryptographic Algorithm Validation Program (CAVP) provides validation testing of FIPS-approved and NIST-recommended cryptographic algorithms and their individual components. Cryptographic algorithm validation is a prerequisite of cryptographic module validation.Vendors may use any of the NVLAP-accredited Cryptographic and Security Testing (CST) Laboratories to test algorithm implementations.An algorithm implementation successfully tested by a lab and validated by NIST is added to an...
Cryptographic Module Validation Program CMVP
What Is The Purpose Of The CMVP?On July 17, 1995, NIST established the Cryptographic Module Validation Program (CMVP) that validates cryptographic modules to Federal Information Processing Standards (FIPS)140-1, Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards. FIPS 140-2, Security Requirements for Cryptographic Modules, was released on May 25, 2001 and supersedes FIPS 140-1. The CMVP is a joint effort between NIST and the Canadian Centre for...
Cryptographic Research
NIST continues to develop cryptographic expertise in several research areas:Circuit ComplexityElliptic Curve CryptographyLightweight CryptographyPairing-Based CryptographyPost-Quantum Cryptography (PQC)Privacy-Enhancing CryptographyWe also host a Crypto Reading Club that meets biweekly to foster research and collaboration in cryptography.
Cryptographic Standards and Guidelines
Users of the former "Crypto Toolkit" can now find that content under this project. It includes cryptographic primitives, algorithms and schemes are described in some of NIST's Federal Information Processing Standards (FIPS), Special Publications (SPs) and NIST Internal/Interagency Reports (NISTIRs). Crypto Standards and Guidelines, by Project AreaBlock Cipher TechniquesDigital SignaturesHash FunctionsKey ManagementMessage Authentication Codes (MACs)Post-quantum TechniquesRandom Bit...
Cryptographic Standards and Guidelines Development Process
In 2013, news reports about leaked classified documents caused concern from the cryptographic community about the security of NIST cryptographic standards and guidelines. NIST is also deeply concerned by these reports, some of which have questioned the integrity of the NIST standards development process.NIST has a proud history in open cryptographic standards, beginning in the 1970s with the Data Encryption Standard. We strive for a consistently open and transparent process that enlists the...
Cyber Supply Chain Risk Management C-SCRM
Information and operational technology (IT/OT) relies on a complex, globally distributed, and interconnected supply chain ecosystem to provide highly refined, cost-effective, and reusable solutions. This ecosystem is composed of various entities with multiple tiers of outsourcing, diverse distribution routes, assorted technologies, laws, policies, procedures, and practices, all of which interact to design, manufacture, distribute, deploy, use, maintain, and manage IT/OT products and services...
Cyber Threat Information Sharing CTIS
The Computer Security Division is working with the Department of Homeland Security (DHS) to develop guidance on Computer Security Incident Coordination (CSIC). The goal of CSIC is to help diverse collections of organizations to effectively collaborate in the handling of computer security incidents. Effective collaboration raises numerous issues on how and when to share information between organizations, and in what form information should be shared. Because different organizations may have...
Cybersecurity Framework
The Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders. *Federal agencies do have requirements to implement the Cybersecurity Framework; see the U.S...
Cybersecurity Risk Analytics CRA
NIST is working with stakeholders from across government, industry, and academia to research and prototype methods and tools to enable predictive risk analytics and identify cyber risk trends. NIST’s goal is to enable information sharing among risk owners about historical, current and future cyber risk conditions and is intended to help not only enhance existing cyber risk mitigation strategies but also improve and expand upon existing cybersecurity risk metrology efforts.We will be...

1     2     3  next >  last >>