Showing 801 through 825 of 15603 matching records.
Project Pages https://csrc.nist.gov/projects/risk-management/about-rmf/monitor-step

At A Glance   Purpose: Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions   Outcomes:  system and environment of operation monitored in accordance with continuous monitoring strategy ongoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy output of continuous monitoring activities analyzed and responded to process in place to report security and privacy posture to management ongoing authorizations conducted using results of continuous...

Project Pages https://csrc.nist.gov/projects/random-bit-generation/documentation-and-software/guide-to-the-statistical-tests

A total of fifteen statistical tests were developed, implemented and evaluated. The following describes each of the tests. Frequency (Monobits) Test Description: The focus of the test is the proportion of zeroes and ones for the entire sequence. The purpose of this test is to determine whether the number of ones and zeros in a sequence is approximately the same as would be expected for a truly random sequence. The test assesses the closeness of the fraction of ones to ½, that is, the number of ones and zeroes in a sequence should be about the same. Test For Frequency Within A...

Project Pages https://csrc.nist.gov/projects/random-bit-generation/rbg-archive/nist-sp-800-90-historical-information

November 21, 2014: NIST requests comments on the latest revision of NIST SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, which is dated November 2014. This document specifies Deterministic Random Bit Generators based on approved hash functions (as specified in FIPS 180-4), HMAC (as specified in FIPS 198-1) and block ciphers (as specified in FIPS 197 for AES, and SP 800-67 for TDEA). This revision removes the previously approved Dual_EC_DRBG that was based on the use of elliptic curves and includes a number of other changes that are listed in...

Project Pages https://csrc.nist.gov/projects/block-cipher-techniques/bcm/current-modes

SP 800-38A: Five Confidentiality Modes In Special Publication 800-38A, five confidentiality modes are specified for use with any approved block cipher, such as the AES algorithm. The modes in SP 800-38A are updated versions of the ECB, CBC, CFB, and OFB modes that are specified in FIPS Pub. 81; in addition, SP 800-38A specifies the CTR mode. In the Addendum to SP 800-38A, NIST has specified three variants for extending the domain of the CBC mode using "ciphertext stealing." SP 800-38B: An Authentication Mode The CMAC authentication mode is specified in Special Publication...

Project Pages https://csrc.nist.gov/projects/block-cipher-techniques/bcm/guidelines-for-submitting-modes

Submissions should specify a mode of operation for a symmetric (secret) key block cipher algorithm.  At a minimum, the mode should support underlying block ciphers with key-block combinations of 128-128, 192-128, and 256-128 bits.  However, the specification should be generic – i.e., written to handle other key-block combinations, if they can be supported.  Example modes include, but are not limited to, techniques for performing encryption, message authentication, hashing, and random bit generation.  It will be helpful to receive variations of Counter mode arising from alternative...

Project Pages https://csrc.nist.gov/projects/block-cipher-techniques/bcm/modes-development

Proposed Modes This page contains links to the proposals for block cipher modes of operation (modes, for short) that have been submitted to NIST for consideration. NIST maintains this page in order to facilitate public review of the modes; comments may be submitted to EncryptionModes@nist.gov. Appearance of a mode in this list does not constitute endorsement or approval by NIST. See the Current Modes page for descriptions of the modes that are currently approved. For each proposal below, links are given to the available documentation, as described in the following list of abbreviations:...

Project Pages https://csrc.nist.gov/projects/block-cipher-techniques/bcm/public-comments-modes-development

NIST continues to accept public comments on modes of operation, including comments on: Properties of individual modes (security, performance, etc.) Comparisons of proposed modes Recommendations for standardization Other related issues, such as padding. Comments may be submitted to EncryptionModes@nist.gov Comments on the Draft Specification of FPE Modes On February 28, 2019, NIST announced a public comment period, ending April 15, 2019, on Draft Special Publication 800-38G Revision 1, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption.  In...

Project Pages https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search

All questions regarding the implementation and/or use of any validated cryptographic module should first be directed to the appropriate VENDOR point of contact (listed for each entry). General CMVP questions should be directed to cmvp@nist.gov. Use this form to search for information on validated cryptographic modules.  Select the basic search type to search modules on the active validation list.  Select the advanced search type to search modules on the historical and revoked module lists.

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/emerging-specifications/emerging-specification-listing

The following listing represents specifications for emerging security automation capabilities: Languages Asset Summary Reporting (ASR) Open Checklist Reporting Language (OCRL) Metrics Common Misuse Scoring System (CMSS) Specification Descriptions Asset Summary Reporting (ASR) The Asset Summary Reporting (ASR) is a data model to express the transport format of summary information about one or more sets of assets. The standardized data model facilitates the interchange of aggregate asset information throughout and between organizations. ASR is vendor and technology neutral,...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/emerging-specifications/asr

The Asset Summary Reporting (ASR) is a data model to express the transport format of summary information about one or more sets of assets. The standardized data model facilitates the interchange of aggregate asset information throughout and between organizations. ASR is vendor and technology neutral, flexible, and suited for a wide variety of reporting applications. The Emerging Specifications Discussion List is available for developers interested in ASR and other emerging security automation standards. Please subscribe to this list through the SCAP Community page. ASR Resources Release...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-3

The following specifications comprise SCAP version 1.3. Protocol SCAP: Security Content Automation Protocol Version: 1.3 Status: Final Specification: NIST Special Publication (SP) 800-126 rev 3 Specification Annex: NIST Special Publication (SP) 800-126 rev 3 Annex XML Schema: Source Data Stream, Constructs Example: Source Data Stream Example Schematron: Instructions and Download Tools SCAP Content Validation Tool Version: 1.3.6 Release Candidate 3 Released: 1/6/2022 Download: SCAP Content Validation Tool (Download 49 MB) SHA-256:...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-2

The following specifications comprise SCAP version 1.2. Protocol SCAP: Security Content Automation Protocol Version: 1.2 Status: Final Specification: NIST Special Publication (SP) 800-126 rev 2 XML Schema: Source Data Stream, Constructs Example: Source Data Stream Example Schematron: Instructions and Download Errata: NIST Special Publication (SP) 800-126 Rev 2 Errata Change Proposals: Summer 2011 Developer Days (May 31, 2011) Tools SCAP Content Validation Tool Version: 1.2.1.16 Released: 12/16/2016 Download: SCAP Content Validation Tool (Download 25 MB) sha-256:...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-1

The following specifications comprise SCAP version 1.1. Protocol SCAP: Security Content Automation Protocol Version: 1.1 Status: Final Specification: NIST SP 800-126 Rev. 1 Tools SCAP Content Validation Tool Version: 1.1.2.9 Released: 04/28/2011 Download: SCAP Content Validation Tool for SCAP 1.0 and 1.1 (Download 20.9 MB) [Note: A new version is available here that supports SCAP 1.2.] sha-1: E327A3477E4B6E9CD313B021E88572244967C4F8 sha-256: E9A49AF8DDC4E4A79785174969BD644ECDFF4C91E690625E9E9933FB9E2E33E5 Description: The SCAP Content Validation Tool is designed to validate the...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-0

The following specifications comprise SCAP version 1.0. Please note that this version of SCAP is no longer supported by NIST. Protocol SCAP: Security Content Automation Protocol Version: 1.0 Status: Final (Support Withdrawn) Specification: NIST SP800-126 Tools SCAP Content Validation Tool Version: 1.1.2.9 Released: 04/28/2011 Download: SCAP Content Validation Tool for SCAP 1.0 and 1.1 (Download 20.9 MB) [Note: A new version is available here that supports SCAP 1.2.] sha-1: E327A3477E4B6E9CD313B021E88572244967C4F8 sha-256:...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/aid

Asset identification plays an important role in an organization's ability to quickly correlate different sets of information about assets. This specification provides the necessary constructs to uniquely identify assets based on known identifiers and/or known information about the assets. This specification describes the purpose of asset identification, a data model for identifying assets, methods for identifying assets, and guidance on how to use asset identification. It also identifies a number of known use cases for asset identification. The Asset Specifications Development List is...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/arf

The Asset Reporting Format (ARF) is a data model to express the transport format of information about assets, and the relationships between assets and reports. The standardized data model facilitates the reporting, correlating, and fusing of asset information throughout and between organizations. ARF is vendor and technology neutral, flexible, and suited for a wide variety of reporting applications. The Emerging Specifications Discussion List is available for developers interested in ARF and other emerging security automation standards. Please subscribe to this list through the SCAP...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/common-configuration-enumeration-cce

The CCE List provides unique identifiers to security-related system configuration issues in order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools. For example, CCE Identifiers are included for the settings in Microsoft Corporation’s Windows Server 2008 Security Guide and 2007 Microsoft Office Security Guide; are the main identifiers used for the settings in the U.S. Federal Desktop Core Configuration (FDCC) data file downloads; and provide a mapping between the elements in configuration best-practice...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/cpe

Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets. CPE does not identify unique instantiations of products on systems, such as the installation of XYZ Visualizer Enterprise Suite 4.2.3 with serial number Q472B987P113. Rather, CPE identifies abstract classes of products, such as XYZ Visualizer Enterprise Suite 4.2.3, XYZ Visualizer Enterprise Suite (all versions), or XYZ Visualizer (all variations). IT management tools can collect information...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/ocil

The Open Checklist Interactive Language (OCIL) defines a framework for expressing a set of questions to be presented to a user and corresponding procedures to interpret responses to these questions. Although the OCIL specification was developed for use with IT security checklists, the uses of OCIL are by no means confined to IT security. Other possible use cases include research surveys, academic course exams, and instructional walkthroughs. In IT security, organizations work with security policies that detail the information that needs to be secured and the security requirements that must be...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/tmsad

TMSAD describes a common trust model that can be applied to specifications within the security automation domain, such as Security Content Automation Protocol (SCAP). Since information in the security automation domain is primarily exchanged using Extensible Markup Language (XML), the focus of this model is on the processing of XML documents. The trust model is composed of recommendations on how to use existing specifications to represent signatures, hashes, key information, and identity information in the context of an XML document within the security automation domain. TMSAD Resources...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/xccdf

XCCDF - The Extensible Configuration Checklist Description Format XCCDF is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing. The intent...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/swid

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) publish ISO/IEC 19770-2, a standard for software identification (SWID) tags that defines a structured metadata format for describing a software product. A SWID tag document is composed of a structured set of data elements that identify the software product, characterize the product's version, the organizations and individuals that had a role in the production and distribution of the product, information about the artifacts that comprise a software product, relationships between...

Project Pages https://csrc.nist.gov/projects/scap-validation-program/validated-products-and-modules/143-rapid7-scap-1-2-product-validation-record

Validation Number: 143 Vendor: Rapid7 Product Name: Nexpose Product Major Version: 6 Product Version Tested: 6.4.16 Tested Platforms: Microsoft Windows 7, SP1, 64 bit Microsoft Windows Vista, SP2, 32 bit Red Hat Enterprise Linux 5, 64 bit Red Hat Enterprise Linux 5, 32 bit SCAP 1.2 Capabilities: Authenticated Configuration Scanner Common Vulnerabilities and Exposures (CVE) Validated Product Vendor Provided SCAP Information Dates Tested: 7/1/2016 - 2/2/2017...

Project Pages https://csrc.nist.gov/projects/scap-validation-program/validated-products-and-modules/142-red-hat-scap-1-2-product-validation-record

Validation Number: 142 Vendor: Red Hat®, Inc. Product Name: OpenSCAP Product Major Version: 1 Product Version Tested: 1.2.13 Tested Platforms: Red Hat Enterprise Linux 6, 32 bit Red Hat Enterprise Linux 6, 32 bit Red Hat Enterprise Linux 7, 64 bit SCAP 1.2 Capabilities: Authenticated Configuration Scanner Common Vulnerabilities and Exposures (CVE) Validated Product Vendor Provided SCAP Information Dates Tested: 11/22/2016 - 2/7/2017 Report Submitted:...
