Showing 1776 through 1800 of 4845 matching records.
Projects https://csrc.nist.gov/projects/pki-testing

Testing PKI Components NIST/Information Technology Laboratory responds to industry and user needs for objective, neutral tests for information technology. ITL recognizes such tests as the enabling tools that help companies produce the next generation of products and services. It is a goal of the NIST PKI Program to develop such tests to help companies produce interoperable PKI components. NIST worked with CygnaCom Solutions and BAE Systems to develop a suite of tests that will enable developers and validation laboratories to determine a PKI client application's conformance to the path...

Projects https://csrc.nist.gov/projects/random-bit-generation

Cryptography and security applications make extensive use of random numbers and random bits. However, constructing random bit generators and validating these generators are very challenging. The SP 800-90 series provides guidelines and recommendations for generating random numbers for cryptographic use, and has three parts: SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, specifies mechanisms for the generation of random bits using deterministic...

Projects https://csrc.nist.gov/projects/software-identification-swid

Software is vital to our economy and way of life as part of the critical infrastructure for the modern world. Too often cost and complexity make it difficult to manage software effectively, leaving the software open for attack. To properly manage software, enterprises need to maintain accurate software inventories of their managed devices in support of higher-level business, information technology, and cybersecurity functions. Accurate software inventories help an enterprise to: Manage compliance with software license agreements. Knowing what software is installed and used can help an...

Projects https://csrc.nist.gov/projects/threshold-cryptography

The multi-party paradigm of threshold cryptography enables threshold schemes, for a secure distribution of trust in the operation of cryptographic primitives. Upcoming (1st semester of 2024): Revised version of NIST IR 8214C ipd: NIST First Call for Multi-Party Threshold Schemes (initial public draft). DOI: 10.6028/NIST.IR.8214C.ipd. Public comments have been received. The presentations given at MPTS 2023 are also being considered as public feedback. Upcoming (1st semester of 2024): NIST IR 8214B (final) — Notes on Threshold EdDSA/Schnorr Signatures (To publish after revising its initial...

Projects https://csrc.nist.gov/projects/testing-laboratories

To become a laboratory for the CST program there are a number of requirements. A lab must become accredited under the CST LAP, which is part of NIST’s NVLAP. A lab must sign and enter into a Cooperative Research and Development Agreement (CRADA) with NIST. A lab must follow the “Principles of Proper Conduct” listed below. A lab must be US based if participating in the NPIVP scope. The following are the Scopes maintained at NIST: Cryptographic Algorithm Validation Program (CAVP); Cryptographic Module Validation Program (CMVP); NIST Personal...

Projects https://csrc.nist.gov/projects/ssdf

NIST has released the first-ever SSDF Community Profile for public comment! SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile, augments SP 800-218 by adding practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle. The Profile supports Executive Order (EO) 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. Submit your comments on SP 800-218A by June 1, 2024. To...

Projects https://csrc.nist.gov/projects/masked-circuits

A main goal of circuit masking is to make more difficult the illegitimate exfiltration of secrets from a circuit evaluation. Masking schemes use secret-sharing of the input bits of a circuit and recompile the circuit logic to ensure that important properties of the secret sharing remain across the circuit evaluation. After past exploratory steps to obtain feedback, the Masked Circuits (MC) project is not considering actions toward standardization. However, there is a plan to create a Masked Circuits Library (MCL), specified at the logic level, based on public submissions to a Call for Masked...

Projects https://csrc.nist.gov/projects/cloud-forensics

NIST has defined cloud computing in NIST SP 800-145 document as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. For more than a decade, cloud computing has offered cost savings both in terms of capital expenses and operational expenses, while leveraging leading-edge technologies to meet the information processing needs of users in the public and...

Projects https://csrc.nist.gov/projects/incident-response

NIST has released a new draft of Special Publication (SP) 800-61 Revision 3 for public comment! Your comments on Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile are welcome through May 20, 2024. NIST SP 800-61 Revision 3 seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0. Doing so can help organizations prepare for incident responses, reduce...

Project Pages https://csrc.nist.gov/projects/risk-management/sp800-53-controls/overlay-repository/government-wide-overlay-submissions

The government-wide category consists of overlay submissions from federal, state, tribal, and local governments. Select from overlays listed below for more information and to access the overlay. Overlay Title: Closed Isolated Network. Submitted by: U.S. Army Europe. Overlay Description/Applicability: A Closed Isolated Network is defined as a data communications enclave that operates in a single security domain, implements a security policy administered by a single authority, does not connect to any other network and has a single,...

Project Pages https://csrc.nist.gov/projects/forum/meet-the-forum-team

The NIST Cybersecurity & Privacy Professionals Forum is co-chaired by representatives of NIST's Information Technology Laboratory, Computer Security Division (CSD) and Applied Cybersecurity Division (ACD). The Forum Secretariat provides the necessary administrative and logistical support for operations. The Forum serves as an important mechanism for NIST to: exchange information directly with cybersecurity and privacy professionals in U.S. federal, state, and local government, and higher education organizations in fulfillment of its leadership mandate under the Federal Information...

Project Pages https://csrc.nist.gov/projects/risk-management/meet-the-rmf-team

The NIST Risk Management Framework Team conducts the research and develops the suite of key cybersecurity risk management standards and guidelines, as required by Congressional legislation to support implementation of the Federal Information Security Modernization Act (FISMA) and to help organizations better understand and manage cybersecurity risk for their systems and organizations. We collaborate with the Cyber Supply Chain Risk Management Team in the NIST Computer Security Division and Privacy Engineering Team in the NIST Applied Cybersecurity Division to develop the suite of...

Project Pages https://csrc.nist.gov/projects/mcspwg/nccp

Title / Topic: Executive Order (EO) 14028 On Improving The Nation's Cybersecurity. Description: Executive Order 14028, “Improving the Nation’s Cybersecurity” marks a renewed commitment and prioritization of federal cybersecurity modernization and strategy. To keep pace with modern technological advancements and evolving threats, the Federal Government continues to migrate to the cloud. In support of these efforts, the Secretary of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency...

Project Pages https://csrc.nist.gov/projects/automated-combinatorial-testing-for-software/physical-unclonable-function-puf-vulnerabilities

Physical Unclonable Function (PUF) Vulnerabilities Combination frequency differencing (CFD) can be used to analyze the susceptibility of physical unclonable functions (PUFs) to machine learning attacks. Preliminary results suggest that the method may be useful for identifying bit combinations that have a disproportionately strong influence on PUF response bit values. Kuhn, D. R., Raunak, M. S., Prado, C., Patil, V. C., & Kacker, R. N. (2022, April). "Combination Frequency Differencing for Identifying Design Weaknesses in Physical Unclonable Functions". In 2022 IEEE International Conference...

Publications Project Description (Final) November 9, 2017
https://csrc.nist.gov/pubs/pd/2017/11/09/tls-server-certificate-management/final

Abstract: This project provides guidance on the governance and management of Transport Layer Security (TLS) server certificates in enterprise environments to reduce outages, improve security, and enable disaster recovery related to certificates. The project will be provided in a freely available NIST Cybersec...

Publications Journal Article (Final) September 20, 2013
https://csrc.nist.gov/pubs/journal/2013/09/vulnerability-metrics-using-attack-graphs/final

Journal: Journal of Computer Security Abstract: Quantifying security risk is an important and yet difficult task in enterprise network security management. While metrics exist for individual software vulnerabilities, there is currently no standard way of aggregating such metrics. We present a model that can be used to aggregate vulnerability metr...

Publications IR 7609 (Final) January 8, 2010
https://csrc.nist.gov/pubs/ir/7609/final

Abstract: On June 8 and 9, 2009, NIST held a Cryptographic Key Management (CKM) Workshop at its Gaithersburg, Maryland, campus that attracted approximately 80 people attending the workshop in person, with another 75 participating through video conferencing, and an additional 36 participating via audio telecon...

Topics https://csrc.nist.gov/topics/laws-and-regulations/laws/e-gov-act

E-Government Act of 2002 (Public Law 107-347; December 17, 2002). This Public Law also included the original Federal Information Security Management Act (FISMA) of 2002.

Publications SP 800-218A (Initial Public Draft) April 29, 2024
https://csrc.nist.gov/pubs/sp/800/218/a/ipd

Abstract: This document augments the secure software development practices and tasks defined in Secure Software Development Framework (SSDF) version 1.1 by adding practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the softw...

Publications IR 8425A (Initial Public Draft) April 17, 2024
https://csrc.nist.gov/pubs/ir/8425/a/ipd

Abstract: Ensuring the security of routers is crucial for safeguarding not only individuals’ data but also the integrity and availability of entire networks. With the increasing prevalence of smart home IoT devices and remote work setups, the significance of consumer-grade router cybersecurity has expanded, a...

Publications TN 2276 (Final) November 15, 2023
https://csrc.nist.gov/pubs/tn/2276/final

Abstract: Phishing cyber threats impact private and public sectors both in the United States and internationally. Embedded phishing awareness training programs, in which simulated phishing emails are sent to employees, are designed to prepare employees in these organizations to combat real-world phishing scen...

Publications IR 8214C (Initial Public Draft) January 25, 2023
https://csrc.nist.gov/pubs/ir/8214/c/ipd

Abstract: This document calls for public submissions of multi-party threshold schemes, to support the National Institute of Standards and Technology (NIST) in developing future recommendations and guidelines. In a threshold scheme, an underlying key-based cryptographic primitive is executed while a private/se...

Publications SP 800-215 (Final) November 17, 2022
https://csrc.nist.gov/pubs/sp/800/215/final

Abstract: Access to multiple cloud services, the geographic spread of enterprise Information Technology (IT) resources (including multiple data centers), and the emergence of microservices-based applications (as opposed to monolithic ones) have significantly altered the enterprise network landscape. This docu...

Publications IR 8286D (Final) November 17, 2022
https://csrc.nist.gov/pubs/ir/8286/d/final

Abstract: While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide a broad understanding of the potential impacts of any type of loss on the enterprise mission. The management of enterprise risk requi...

Publications IR 8374 (Final) February 23, 2022
https://csrc.nist.gov/pubs/ir/8374/final

Abstract: Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the publi...
