Search CSRC

Cryptographic Key Management (CKM) is a fundamental part of cryptographic technology and is considered one of the most difficult aspects associated with its use. Of particular concern are the scalability of the methods used to distribute keys and the usability of these methods. NIST has undertaken an effort to improve the overall key management strategies used by the public and private sectors in order to enhance the usability of cryptographic technology, provide scalability across cryptographic technologies, and support a global cryptographic key management infrastructure. CKMS Publications...

At the beginning of each fiscal year (FY), NIST CMVP prepares a budget justification for the NIST Cost Recovery fees for the following fiscal year. The NIST Budget office reviews the information and is the approver for the final NIST Cost Recovery fees for the following fiscal year. FY17: begins October 1, 2016; ends September 30, 2017. FY18: begins October 1, 2017; ends September 30, 2018. The NIST Cost Recovery fees for FY17 and FY18 are (see Implementation Guidance (IG) G.8 for an explanation of the different scenarios):     FY17 FY18 CR...

The following table summarizes the first several years of FIPS 140-3 development. Date Activity 2/12/2005 Federal Register Notice: Announcing Development of Federal Information Processing Standard (FIPS) 140-3, a Revision of FIPS 140-2, Security Requirements for Cryptographic Modules.   2/28/2005 Public comment period ended for new and revised requirements for FIPS 140-3. 9/26/2005-9/29/2005 Physical Security Testing Workshop 3/31/2007 NIST completed preparing the first public draft of FIPS 140-3 and began the NIST /...

A whole bunch of text   Apple macOS Security Configuration

NIST has set up a hpc-security@nist.gov mail listserve. The listserve will be used to discuss the standardization and adoption of secure, interoperable and efficient High Performance Computing Security working draft & other items related to this project. You must be subscribed to send email to the listserve. For those outside of NIST, please use the instructions below to subscribe. To join: hpc-security-request@nist.gov You will receive a response message from hpc-security-request@nist.gov . Please reply to that message to confirm your subscription request. To unsubscribe:...

High-Performance Computing (HPC) Security Draft NIST SP 800-223 is available for public comment.   Old draft: Microsoft Word PDF

Security Content Automation Protocol (SCAP) Version 1.3 Validation Program Test Requirements (NIST IR 7511 rev. 5)  released April 2018 includes updates pertaining to platforms, component specification test requirements, and introduces module validation as well as the SCAP Inside labeling program. Please see the Summary of Changes table for a complete list of changes between NISTIR 7511 Revision 4 and NISTIR 7511 Revision 5. SCAP Capabilities Authenticated Configuration Scanner The capability to audit and assess a target system to determine its compliance with a defined set of configuration...

Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements (NIST IR 7511 Rev. 4) released January 2016 includes updates pertaining to platforms, component specification test requirements, and introduces module validation as well as the SCAP Inside labeling program. Please see the Summary of Changes table for a complete list of changes between NISTIR 7511 Revision 3 and NISTIR 7511 Revision 4. SCAP Capabilities Authenticated Configuration Scanner The capability to audit and assess a target system to determine its compliance with a defined set of...

Security Content Automation Protocol Validated Products and Modules This webpage contains a list of products and modules that have been validated by NIST as conforming to the Security Content Automation Protocol (SCAP) and its component standards. SCAP validated products and modules have completed formal testing at an NVLAP accredited laboratory and meet all requirements as defined in NIST IR 7511. A module is defined as a software component that may be embedded in another product. If an SCAP module is a component of another product, contact the module vendor to identify products that...

SCAP 1.3 Documents SCAP Version 1.3 Validation Program Derived Test Requirements Revision: 5 Status: Final Specification: Security Content Automation Protocol (SCAP) Version 1.3 Validation Program Test Requirements SCAP: Security Content Automation Protocol Version: 1.3 Status: Final Specification: The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3 SCAP: Annex to NIST Special Publication 800-126 Revision 3 Version: 1.3 Status: Final Specification: SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126...

Laboratories Accredited to do SCAP Testing The labs listed below have been accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP) to perform SCAP validation testing. AEGISOLVE, Inc. Atsec Information Security Corporation Leidos Accredited Testing & Evaluation (AT&E) Lab To locate more information about a specific Laboratory: Navigate to the NVLAP Search page by going to https://www-s.nist.gov/niws/index.cfm?event=directory.search From the Program dropdown box select ITST: "Cryptographic and Security Testing" Click in the Area of Accreditation box to...

Completed Specifications and Guidelines The SWID Tag format, defined by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standard ISO/IEC 19770-2, is a structured metadata format for describing a software product. NIST recommends use of the latest version of this standard, ISO/IEC 19770-2:2015. A SWID Tag document is composed of a structured set of data elements that identify the software product, characterize the product's version, identify the organizations and individuals that had a role in the production and distribution of...

The following is an excerpt from NIST Internal Report (NISTIR) 8060: Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. The SWID specification defines four types of SWID tags: primary, patch, corpus, and supplemental. Primary Tag: A SWID Tag that identifies and describes a software product is installed on a computing device. Patch Tag: A SWID Tag that identifies and describes an installed patch which has made incremental changes to a software product installed on a computing device. Corpus Tag: A SWID Tag that identifies and describes an installable...

While SWID Tags demonstrate a possible standards-based way of tracking the state of installed software products, their fitness to support patch management processes depends on the availability and accuracy of deployed tags. Unfortunately, today most vendors never update a tag after it is installed on the endpoint. As a result, these tags fall out of date as soon as that product is updated. Once this happens, these tags are no longer usable for patch or update management as the state of the associated software product will differ from that reported by the tag. To address this issue, vendors...

Additional resources are available for the following SWID Tag specification revisions: ISO/IEC 19770-2:2015 Revision ISO/IEC 19770-2:2015 Resources SWID Tag Validation Tool NIST has developed a SWID Tag validation tool that can be used to verify that a produced SWID has properly implemented the requirements defined in NISTIR 8060. This tool can validate different types of SWID Tags that are used in different stages of the software lifecycle: SWID Tags that pass this validation tool provide support for license management as well as multiple cybersecurity use cases including:...

This page holds links to download old presentations and recordings of SCAPv2 meetings.   SCAPv2 April Developer Days Face to Face (Download Presentation Archive Here)

SCAP Discussion List (View and Subscribe) The SCAP team at NIST maintains a moderated discussion list that users can post to, regarding the Security Content Automation Protocol (SCAP). This is the primary discussion list for on-going development of SCAP v2.This list is moderate in volume.   SCAPv2 Subgroup Lists There are a number of existing SCAPv2 community subgroups that are working on more specific areas of work:   SCAPv2 Content Metadata and Repositories (View and Subscribe)   SCAPv2 Applicability Language (View and Subscribe)   SCAPv2 OVAL and Checking Languages (View and...

This page holds links to compiled minutes from SCAPv2 teleconferences. 2019 4-30-2019 SCAP v2 Developer Days Face-To-Face 3-20-2019 Teleconference Minutes 2-27-2019 Teleconference Minutes 2-06-2019 Teleconference Minutes 2018 12-13-2018 Teleconference Minutes 12-11-2018 Teleconference Minutes 12-06-2018 Teleconferences Minutes 12-04-2018 Teleconference Minutes      

Comments Received on Draft SP 800-171B Below are comments received on Draft Special Publication 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations – Enhanced Security Requirements for Critical Programs and High Value Assets.  The public comment period closed on August 2, 2019. Please note that comments on the Public Cost Analysis are submitted and posted to www.regulations.gov/docket?D=DOD-2019-OS-0072 (Regulations.gov docket no. DOD-2019-OS-0072).  All comments submitted during the public comment period for Draft NIST SP 800-171B will be posted...

This page focuses on the progress of transitioning cryptographic module security standards and associated documents from FIPS 140-2 to FIPS 140-3.  The process includes organizational, procedural and the resultant automated processing changes necessary to update and efficiently manage the ever increasing list of security products that are tested for use in the US and Canadian governments.  The procedural changes include the migration from internally developed security standards to the additional activities of working with a set of standards developed and maintained by an international body,...

Overview of the Documentation and Governance for the FIPS 140-3 Cryptographic Module Validation Program Federal Information Processing Standards Publication (FIPS) 140-3 became effective September 22, 2019, permitting CMVP to begin accepting validation submissions under the new scheme beginning September 2020. The FIPS 140-3 standard introduces some significant changes in the management over the previous standard. Rather than encompassing the module requirements directly, FIPS 140-3 references  International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)...

The FISSEA Contest will begin on May 3rd, 2021. Submissions are due June 30th, 2021 View the list of previous contest winners from the past conferences. Contest Entry Form Showcase one or all of the following awareness, training, and/or education items you use as a part of your Security program. Please do not use this contest as a project assignment for a class. There will be one winner selected for each category listed below. Categories: Awareness Poster. Innovative Solutions – A cutting-edge solution to help solve current cybersecurity training and awareness challenges that DOES NOT...

Nomination Information: Each year at the annual conference, FISSEA recognizes an individual who has made significant contributions in inspiring the strategic planning, building, and management of innovative cybersecurity awareness and training programs. Nominees may be involved in any aspect of cybersecurity awareness and training, including, but not limited to; cyber instructional curriculum developers, cybersecurity instructors, cybersecurity program managers, workforce development managers, and practitioners who further awareness and training activities or programs. Nominees can come...

Contest Winners for 2020: Winners (selected by impartial judging committee prior to conference): Poster: Deborah Coleman, U.S. Department of Education Motivational Item: United States Postal Service, CISO Website: IHS OIT Division of Information Security Newsletter: National Institutes of Health – Cyber Safety Awareness Campaign Video: CMS/OIT Information Security & Privacy Group (ISPG) Blog: Cofense Podcast: CMS/OIT Information Security & Privacy Group (ISPG) Security Training Scenarios: Media Pro Contest Winners for 2019: Winners (selected by impartial judging...

2019: Shehzad Mirza, Director of Operations – Global Cyber Alliance 2018: Earl “Fred” Bisel Jr, Cybersecurity Education and Certification Readiness Facilities (CERF) Manager Nomination Letter for 2018 EOY Award 2017: Mike Petock, All Native Group (ANG) Nomination Letter for 2017 EOY Award 2016: Sushil Jajodia, George Mason University Nomination Letter for 2016 EOY Award 2015: Gretchen Ann Morris, DB Consulting/NASA John H. Glenn Research Center Nomination Letter for 2015 EOY Award 2014: Shon Harris, Logical Security, presented posthumously  Nomination Letters for 2014 EOY Award...