AppVet is a web application for managing and automating the app vetting process. AppVet facilitates the app vetting workflow by providing an intuitive user interface for submitting and testing apps, managing reports, and assessing risk. Through the specification of APIs, schemas and requirements, AppVet is designed to easily and seamlessly integrate with a wide variety of clients including users, app stores, and continuous integration environments as well as third-party tools including...
The Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP) were established on July 17, 1995 by NIST to validate cryptographic modules conforming to the Federal Information Processing Standards (FIPS) 140-1, Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards. FIPS 140-2 was released on May 25, 2001 and supersedes FIPS 140-1. The current implementation of the CMVP is shown in Figure 1 below. The CAVP is a...
Combinatorial methods reduce costs for testing, and have important applications in software engineering: Combinatorial or t-way testing is a proven method for better testing at lower cost. The key insight underlying its effectiveness resulted from a series of studies by NIST from 1999 to 2004. NIST research showed that most software bugs and failures are caused by one or two parameters, with progressively fewer by three or more, which means that combinatorial testing can provide more...
The NIST Cryptographic Algorithm Validation Program (CAVP) provides validation testing of Approved (i.e., FIPS-approved and NIST-recommended) cryptographic algorithms and their individual components. Cryptographic algorithm validation is a prerequisite of cryptographic module validation. The list of FIPS-approved algorithms can be found in SP 800-140C and SP 800-140D. Vendors may use any of the NVLAP-accredited Cryptographic and Security Testing (CST) Laboratories to test algorithm...
Welcome to the CMVP. The Cryptographic Module Validation Program (CMVP) is a joint effort between the National Institute of Standards and Technology under the Department of Commerce and the Canadian Centre for Cyber Security, a branch of the Communications Security Establishment. The goal of the CMVP is to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules. CMVP has over...
Every organization wants maximum effect and value for its finite cybersecurity-related investments, including managing risk to the enterprise and optimizing the potential reward of cybersecurity policies, programs, and actions. Organizations frequently make decisions by comparing projected costs with potential benefits and risk reduction scenarios. Senior executives need accurate and quantitative methods to portray and assess these factors, their effectiveness and efficiency, and their effect...
Cryptography is critical for securing data at rest or in transit over the IoT. But cryptography fails when a device uses easy-to-guess (weak) keys generated from low-entropy random data. Standard deterministic computers have trouble producing good randomness, especially resource-constrained IoT-class devices that have little opportunity to collect local entropy before they begin network communications. The best sources of true randomness are based on unpredictable physical phenomena, such as...
THIS PAGE IS FOR HISTORICAL PURPOSES ONLY. SEE FIPS 140-3 TRANSITION EFFORT FOR THE CURRENT STATUS. FIPS 140-3 approved: On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, which supersedes FIPS 140-2. This was announced in the Federal Register on May 1, 2019. FIPS 140-3 aligns with...
While FIPS 140-2 continues on through 2026, development to support and validate FIPS 140-3 modules must be in place by September 2020. This project addresses questions concerning the process of migrating from FIPS 140-2 to FIPS 140-3. The transition process includes organizational, documentation and procedural changes necessary to update and efficiently manage the ever increasing list of security products that are tested for use in the US and Canadian governments. Changes also support the...
Semiconductor-based hardware is the foundation of modern-day electronics. Electronics are ubiquitous in our daily lives: from smartphones, computers, and telecommunication to transportation and critical infrastructure like power grids and waterways. The semiconductor hardware supply chain is a complex network consisting of many companies that collectively provide intellectual property, create designs, provide raw materials,...
[Redirect to: https://www.nist.gov/cybersecurity/measurements-information-security] Every organization wants to gain maximum value and effect for its finite cybersecurity-related investments. This includes managing risk to the enterprise and optimizing the potential reward of cybersecurity policies, programs, and actions. Organizations frequently make go-ahead decisions by comparing scenarios that differ in projected cost with associated likely benefits and risk reduction. However, these...
Mappings to NIST Documents: The National Online Informative References (OLIR) Program is a NIST effort to facilitate subject matter experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their documents, products, and services and elements of NIST documents like the Cybersecurity Framework Version 1.1, Privacy Framework Version 1.0, NISTIR 8259A, or NIST SP 800-53 Revision 5. The NIST Interagency or Internal Report (IR) 8278 - National Online...
NIST has established the NIST Personal Identity Verification Validation Program (NPIVP) to validate Personal Identity Verification (PIV) components required by Federal Information Processing Standard (FIPS) 201. The objectives of the NPIVP program are: to validate the compliance/conformance of PIV card applications with the specifications in NIST SP 800-73; and to provide the assurance that PIV card applications that have been validated by NPIVP are interoperable. All of the tests under...
Recent Updates: July 24, 2024: NIST releases SP 1314, NIST Risk Management Framework (RMF) Small Enterprise Quick Start Guide, designed to introduce the RMF to small, under-resourced entities. April 10, 2024: NIST releases introductory courses for SP 800-53, SP 800-53A, and SP 800-53B. Each 45-60 minute course provides a high-level overview of the SP 800-53 controls, SP 800-53A assessment procedures, and SP 800-53B control baselines. January 31, 2024: NIST seeks to update and improve...
NIST, in collaboration with the industry, is developing the Open Security Controls Assessment Language (OSCAL), a set of hierarchical, formatted, XML-, JSON-, and YAML-based formats that provide a standardized representation for different categories of security information pertaining to the publication, implementation, and assessment of security controls. The OSCAL website provides an overview of the OSCAL project, including tutorials, concepts, references, downloads, and much more. OSCAL is...
The Program Review for Information Security Assistance (PRISMA) project was last updated in 2007; NIST Interagency Report (IR) 7358 and the corresponding PRISMA tool continue to serve as useful resources for high-level guidance and as a general framework, but may not be fully consistent with changes to requirements, standards and guidelines for securing systems. The PRISMA project is being incorporated into the NIST Cybersecurity Risk Analytics and Measurement project, and research to support...
Testing PKI Components: NIST/Information Technology Laboratory responds to industry and user needs for objective, neutral tests for information technology. ITL recognizes such tests as the enabling tools that help companies produce the next generation of products and services. It is a goal of the NIST PKI Program to develop such tests to help companies produce interoperable PKI components. NIST worked with CygnaCom Solutions and BAE Systems to develop a suite of tests that will enable...
Modern computing devices consist of various hardware, firmware, and software components at multiple layers of abstraction. Many security and protection mechanisms are currently rooted in software that, along with all underlying components, must be trustworthy. A vulnerability in any of those components could compromise the trustworthiness of the security mechanisms that rely upon those components. Stronger security assurances may be possible by grounding security mechanisms in roots of trust....
[Redirect to https://www.nist.gov/itl/ssd/software-quality-group/samate] The NIST Software Assurance Metrics And Tool Evaluation (SAMATE) project is dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques, and identifying gaps in tools and methods. The scope of the SAMATE project is broad: ranging from operating systems to firewalls, SCADA to web applications, source code security analyzers to...
[Redirect to: https://www.nist.gov/itl/ssd/software-quality-group/samate/software-assurance-reference-dataset-sard] The purpose of the Software Assurance Reference Dataset (SARD) is to provide users, researchers, and software security assurance tool developers with a set of known security flaws. This will allow end users to evaluate tools and tool developers to test their methods. You will be redirected to the SARD homepage.
[Redirect to: https://www.nist.gov/itl/ssd/software-quality-group/samate/static-analysis-tool-exposition-sate] SATE is a non-competitive study of static analysis tool effectiveness, aiming at improving tools and increasing public awareness and adoption. Briefly, participating tool makers run their static analyzer on a set of programs, then researchers led by NIST analyze the tool reports. Everyone shares results and experiences at a workshop. The analysis report is made publicly available...
The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality. This Web site is provided to support continued community involvement. From this site, you will find information about both existing SCAP specifications and emerging specifications relevant to...
The SCAP Validation Program is designed to test the ability of products to use the features and functionality available through SCAP and its component standards. Under the SCAP Validation Program, independent laboratories are accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP). Accreditation requirements are defined in NIST Handbook 150, and NIST Handbook 150-17. Independent laboratories conduct the tests contained in the SCAP Validation Program Derived Test...
Security Content Automation Protocol Version 2 (SCAP v2) is a major update to the SCAP 1.x publications. SCAP v2 covers a broader scope in an attempt to further improve enterprise security through standardization and automation. This project page will be used to provide information on the SCAP v2 effort, as well as updates on ongoing work, and directions on how to get involved. Important Links: SCAPv2 Community - Get involved in the SCAP effort by joining our mailing lists. SCAPv2...