Search CSRC

Abstract: Homeland Security Presidential Directive 12 (HSPD-12), entitled Policy for a Common Identification Standard for Federal Employees and Contractors, established a policy for all Federal departments and agencies to create and use a government-wide secure and reliable form of identification for their Fe...

Abstract: The selective application of technological and related procedural safeguards is an important responsibility of every Federal organization in providing adequate security to its electronic data systems. This publication specifies the Triple Data Encryption Algorithm (TDEA), including its primary compo...

Abstract: Web servers maintained for public use are normally the most targeted and attacked hosts on an organization's network. Thus, it is essential to secure Web servers and the network infrastructure that supports them. This document has been developed to assist federal departments and agencies, state agen...

Abstract: This National Institute of Standards and Technology Interagency Report (NISTIR) presents the Methodology for Certifying Sensitive Computer Applications developed by the U.S. Department of Commerce, Office of Information Resources Management. The National Institute of Standards and Technology (NIST)...

Abstract: This Workshop was conducted at the National Bureau of Standards (NBS), Gaithersburg, Maryland, on August 30-31, 1976, to provide the NBS Institute for Computer Sciences and Technology (ICST) with current scientific and technical information on advances in computer technology which could signifi...

The concept of Attribute Based Access Control (ABAC) has existed for many years. It represents a point on the spectrum of logical access control from simple access control lists to more capable role-based access, and finally to a highly flexible method for providing access based on the evaluation of attributes. In November 2009, the Federal Chief Information Officers Council (Federal CIO Council) published the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Plan v1.0, which provided guidance to federal organizations to evolve their logical access control...

Combinatorial methods reduce costs for testing, and have important applications in software engineering: Combinatorial or t-way testing is a proven method for better testing at lower cost. The key insight underlying its effectiveness resulted from a series of studies by NIST from 1999 to 2004. NIST research showed that most software bugs and failures are caused by one or two parameters, with progressively fewer by three or more, which means that combinatorial testing can provide more efficient fault detection than conventional methods. Multiple studies have shown fault detection equal to...

The Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP) were established on July 17, 1995 by NIST to validate cryptographic modules conforming to the Federal Information Processing Standards (FIPS) 140-1, Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards. FIPS 140-2 was released on May 25, 2001 and supersedes FIPS 140-1. The current implementation of the CMVP is shown in Figure 1 below. The CAVP is a prerequisite for CMVP. The CAVP and CMVP leverage NVLAP-accredited Cryptographic and Security...

Users of the former "Crypto Toolkit" can now find that content under this project. It includes cryptographic primitives, algorithms and schemes are described in some of NIST's Federal Information Processing Standards (FIPS), Special Publications (SPs) and NIST Internal/Interagency Reports (NISTIRs). Crypto Standards and Guidelines Activities Block Cipher Techniques Crypto Publications Review Digital Signatures Hash Functions Interoperable Randomness Beacons Key Management Lightweight Cryptography (LWC) Message Authentication Codes (MACs) Multi-Party Threshold Cryptography...

Welcome to the CMVP The Cryptographic Module Validation Program (CMVP) is a joint effort between the National Institute of Standards and Technology under the Department of Commerce and the Canadian Centre for Cyber Security, a branch of the Communications Security Establishment. The goal of the CMVP is to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules. Each Cryptographic and Security Testing Laboratories (CSTL) is an independent laboratory accredited by NVLAP....

Every organization wants maximum effect and value for its finite cybersecurity-related investments, including managing risk to the enterprise and optimizing the potential reward of cybersecurity policies, programs, and actions. Organizations frequently make decisions by comparing projected costs with potential benefits and risk reduction scenarios. Senior executives need accurate and quantitative methods to portray and assess these factors, their effectiveness and efficiency, and their effect on risk exposure. Providing reliable answers to these questions requires organizations to employ a...

Elliptic curve cryptography is critical to the adoption of strong cryptography as we migrate to higher security strengths. NIST has standardized elliptic curve cryptography for digital signature algorithms in FIPS 186 and for key establishment schemes in SP 800-56A. In FIPS 186-4, NIST recommends fifteen elliptic curves of varying security levels for use in these elliptic curve cryptographic standards. However, more than fifteen years have passed since these curves were first developed, and the community now knows more about the security of elliptic curve cryptography and practical...

Privacy Enhancing Distributed Ledger Technology When is blockchain a problem for privacy? Immutability can be a problem because private information stored in a blockchain cannot be deleted. Laws and regulations may require that users be allowed to remove private information at their request. Thus there is a need for redactable blockchain and redactable distributed ledger technology. When is blockchain a problem for security? Immutability can be a problem because security sensitive information stored in a blockchain cannot be deleted. Security policies may require deleting data that is...

While FIPS 140-2 continues on through 2026, development to support and validate FIPS 140-3 modules must be in place by September 2020. This project addresses questions concerning the process of migrating from FIPS 140-2 to FIPS 140-3. The transition process includes organizational, documentation and procedural changes necessary to update and efficiently manage the ever increasing list of security products that are tested for use in the US and Canadian governments. Changes also support the migration of internally developed security standards towards a set of standards developed and maintained...

THIS PAGE IS FOR HISTORICAL PURPOSES ONLY SEE FIPS 140-3 TRANSITION EFFORT FOR THE CURRENT STATUS Approval of FIPS 140-3 | SP 800-140x Development | Implementation Schedule | 2015 RFI FIPS 140-3 approved On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, which supersedes FIPS 140-2. This was announced in the Federal Register on May 1, 2019. FIPS 140-3 aligns with ISO/IEC 19790:2012(E) and includes modifications of the Annexes that are allowed to the Cryptographic...

Approved Algorithms | SHA-3 Derived Functions | Security Strengths | Testing Implementations Approved Algorithms A hash algorithm is used to map a message of arbitrary length to a fixed-length message digest. Approved hash algorithms for generating a condensed representation of a message (message digest) are specified in two Federal Information Processing Standards: FIPS 180-4, Secure Hash Standard and FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. FIPS 180-4 specifies seven hash algorithms: SHA-1 (Secure Hash Algorithm-1), and the SHA-2...

Publications that discuss the generation, establishment, storage, use and destruction of the keys used NIST’s cryptographic algorithms Project Areas: Key Management Guidelines Key Establishment Cryptographic Key Management Systems Generally-speaking, there are two types of key establishment techniques: 1) techniques based on asymmetric (public key) algorithms, and 2) techniques based on symmetric (secret key) algorithms. However, hybrid techniques are also commonly used, whereby public key techniques are used to establish symmetric (secret) key encryption keys, which are then used to...

NIST maintains the National Checklist Repository, which is a publicly available resource that contains information on a variety of security configuration checklists for specific IT products or categories of IT products. A security configuration checklist (also called a lockdown, hardening guide, or benchmark) is a series of instructions or procedures for configuring an IT product to a particular operational environment, for verifying that the product has been configured properly, and/or for identifying unauthorized changes to the product. The IT product may be commercial, open source,...

Public comments are available for Draft FIPS 203, Draft FIPS 204 and Draft FIPS 205, which specify algorithms derived from CRYSTALS-Dilithium, CRYSTALS-KYBER and SPHINCS+. The public comment period closed November 22, 2023. PQC Seminars Next Talk: May 21, 2024 4th Round KEMs Additional Digital Signature Schemes - Round 1 Submissions PQC License Summary & Excerpts Background NIST initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms. Full details can be found in the Post-Quantum Cryptography Standardization...

NIST has established the NIST Personal Identity Verification Validation Program (NPIVP) to validate Personal Identity Verification (PIV) components required by Federal Information Processing Standard (FIPS) 201. The objectives of the NPIVP program are: to validate the compliance/conformance of two PIV components --PIV middleware and PIV card application with the specifications in NIST SP 800-73; and to provides the assurance that the set of PIV middleware and PIV card applications that have been validated by NPIVP are interoperable. All of the tests under NPIVP are handled by...

NEW! Request for Information | Evaluating and Improving NIST Cybersecurity Resources: The NIST Cybersecurity Framework and Cybersecurity Supply Chain Risk Management --> Latest updates: NIST Cybersecurity SCRM Fact Sheet (05/12/22) NIST updates Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations guidance in NIST SP 800-161r1, which also helps fulfill NIST's responsibilities under E.O. 14028. (05/05/22) See the comments received from 132 organizations and individuals in response to a recent RFI (2/22/22) on Evaluating and Improving NIST Cybersecurity...

The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate. The USGCB is a Federal Government-wide initiative that provides guidance to agencies on what should be done to improve and maintain an effective configuration settings focusing primarily on security.

Mappings to NIST Documents The National Online Informative References (OLIR) Program is a NIST effort to facilitate subject matter experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their documents, products, and services and elements of NIST documents like the Cybersecurity Framework Version 1.1, Privacy Framework Version 1.0, NISTIR 8259A, or NIST SP 800-53 Revision 5. The NIST Interagency or Internal Report (IR) 8278 - National Online Informative References (OLIR) Program: Program Overview and OLIR Uses focuses on explaining what OLIRs are,...

NCCoE DevSecOps project has launched! The NIST NCCoE has launched a new project, Software Supply Chain and DevOps Security Practices. In early 2023, the project team will be publishing a Federal Register Notice based on the final project description to solicit collaborators to work with the NCCoE on the project. DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are...

NIST has been tasked with creating guidelines for reporting, coordinating, publishing, and receiving​ information about security vulnerabilities​, as part of the Internet of Things Cybersecurity Improvement Act of 2020, Public Law 116-207, and in alignment with ISO/IEC 29147 and 30111 whenever practical. The guidelines address: Establishing a federal vulnerability disclosure framework, including the Federal Coordination Body (FCB) and Vulnerability Disclosure Program Offices (VDPOs) Receiving information about a potential security vulnerability in an information system owned or...