Search CSRC

Information about the CVP exam can be found here: https://home.pearsonvue.com/nist-cmvp The CVP exam will be unavailable after June 30, 2022. Testing is expected to resume in 2023. Candidates (FIPS 140 testers) from one of the Cryptographic and Security Testing labs (https://www-s.nist.gov/niws/index.cfm?event=directory.results select under the pull down for Program: ITST: Cryptographic and Security Testing and click on search) should have the lab’s CVP certification exam POC send email to NIST CMVP (cmvp@nist.gov) the following spreadsheet (Please remove all example data and replace with...

NIST's telework cybersecurity and privacy resources are listed in the tables below, with common topics that organizations or teleworkers might need, with relevant resources for each ("SP" is a NIST Special Publication). Work is currently underway to improve these resources. Suggestions for enhancements are welcome, as are ideas for other topics related to telework cybersecurity and privacy where additional resources would be helpful. Please send your feedback and input to us at telework@nist.gov. Organization Resources What does my organization need for telework security and...

Download: IR8278A Validation Tool (Download 17.2 MB) Latest Version: 4.9.9 Released: May 18, 2023 SHA3-256:  5809e7d93dc243fa2cf2e495bd7117404c9f9ba6df254a4b8be738f58176f074 The National Cybersecurity Online Informative References (OLIR) Validation Tool ensures syntactic compliance of the Focal Document templates to the instructions and definitions described within NISTIR 8278A Rev. 1 (Draft) National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers. Focal Document JSON Schema Focal Documents Schema (.json)This JSON schema is intended for use...

If you would like to participate in the Online Informative Reference (OLIR) Program please consult NISTIR 8278A Rev. 1 (Draft) National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers document and become familiar with the requirements and all procedures involved during the life cycle. Developers of Informative References considering a submission are welcome to contact NIST with questions before completing the entire Informative Reference submission package. Questions and draft Informative Reference documents may be directed to olir@nist.gov. Submitting...

This page contains resources referenced in the FIPS 140-3 Management Manual Equivalency Regression Test Table It is possible, under certain conditions, for a vendor to list multiple hardware modules under the same certificate.   Some of the conditions are defined by the equivalency categories based on the technologies types and difference between the modules within the equivalency categories.  For more information regarding equivalency categories and testing level scenarios/categories and usage of the equivalency regression test table presented below, refer to the Management Manual...

Top Level  Special Publications Process Flow Abstracts   Documentation and Governance for the FIPS 140-3 Cryptographic Module Validation Program Federal Information Processing Standards Publication (FIPS) 140-3 became effective September 22, 2019, permitting CMVP to begin accepting validation submissions under the new scheme beginning September 2020. The FIPS 140-3 standard introduces some significant changes in the management over the previous standard. Rather than encompassing the module requirements directly, FIPS 140-3...

FIPS 140-2 (ending Sept-22-2021) Security Requirements for Cryptographic Modules NVLAP accredited Cryptographic and Security Testing (CST) Laboratories perform conformance testing of cryptographic modules. Cryptographic modules are tested against requirements found in FIPS 140-2, Security Requirements for Cryptographic Modules [ PDF ]. Security requirements cover 11 areas related to the design and implementation of a cryptographic module. For each area, a cryptographic module receives a security level rating (1-4, from lowest to highest) depending on what requirements are met. An overall...

FIPS 140-3 Management Manual - Latest Version (04-19-2024) The purpose of the CMVP Management Manual is to provide effective lab management and coordination with the management of the CMVP. The CMVP Management Manual (MM) includes a description of the CMVP process and is applicable to the Validation Authority, the CST Laboratories, and the vendors who participate in the program. Consumers who procure validated cryptographic modules may also be interested in the contents of this manual. This manual outlines the management activities and specific responsibilities which have...

FIPS 140-3 IG - Latest version   [03-26-2024] Updated Guidance: 2.3.B Sub-Chip Cryptographic Subsystems – Small correction to the paragraph that references IG 9.5.A. 4.1.A Authorised Roles – Updated Additional Comment #8 to address certain module designs that claim Security Level 2 for section 7.4. 9.5.A SSP Establishment and SSP Entry and Output – Added footnote 6 to clarify sub-chip SSP establishment requirements. C.A Use of non-Approved Elliptic Curves – Removed erroneous reference to EdDSA from Resolution 5.   [01-29-2024] Updated Guidance: 10.3.A...

Algorithm Related Transitions Algorithm Testing and CMVP Submission Dates Table updated Jan 30, 2024 Algorithm/Scheme Standard Relevant IG(s)[1] ACVTS Prod Date[2] Submission Date[3] AES-CBC-CS Addendum to SP 800-38A FIPS 140-2: A.12 Prior to Jun 30, 2020 Sep 1, 2020 AES FF1 SP 800-38G FIPS 140-2: A.10 Prior to Jun 30, 2020 Sep 1, 2020 cSHAKE, TupleHash, ParallelHash, KMAC SP...

2024 Fees [Updated 12-13-2023] Cost recovery fees are collected for NIST CMVP report review of new module submissions, modified module submissions, and for report reviews that require additional time due to complexity or quality. These fees are referred to as Cost Recovery (CR) and Extended Cost Recovery (ECR). Modules are not validated unless all applicable fees have been collected by NIST Billing. Please see the CMVP FIPS 140-2 Management Manual or CMVP FIPS 140-3 Management Manual for further information. For FIPS 140-2 Currently the CR fee is applicable for IG G.8 Scenarios 1A,...

If you would like to participate in the Online Informative Reference (OLIR) Program please consult NISTIR 8278A Rev. 1 (Draft) National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers document and become familiar with the requirements and all procedures involved during the life cycle. Developers of Informative References considering a submission are welcome to contact NIST with questions before completing the entire Informative Reference submission package. Questions and draft Informative Reference documents may be directed to olir@nist.gov. Submitting...

The NIST PQC team will host talks -- open to the public -- relating to the 3rd Round of the NIST PQC standardization process. Date Speaker Title Media March 26, 2021 11:00am - 12:00pm* Prasanna Ravi  Temasek Labs, Nanyang Technological University Sujoy Sinha Roy Graz University of Technology Side-Channel Analysis of Lattice-based PQC Candidates Presentation Video February 23, 2021 11:00am - 12:00pm David Jao University of Waterloo Implementation of isogeny-based cryptography Presentation Video...

Go to our Stateful Hash-Based Signatures project.

The NIST NCCoE has launched a new project, Software Supply Chain and DevOps Security Practices. In early 2023, the project team will be publishing a Federal Register Notice based on the final project description to solicit collaborators to work with the NCCoE on the project. NIST held a virtual workshop in January 2021 on improving the security of DevOps practices; you can access the workshop recording and materials here. A second virtual workshop was held in September 2022 on the planned NCCoE DevSecOps project; the workshop recording and presentations are posted. NIST will leverage existing...

Combinatorial coverage measures are used in industry for high assurance software used in critical applications.  Industry examples include the following: Kuhn, D. R., Raunak, M. S., & Kacker, R. N. (2021). Combinatorial Frequency Differencing. NIST Cybersecurity Whitepaper. - Describes measures of the frequency of combination coverage and difference between Class and Non-class elements in machine learning classification problems.  Illustrates application of these methods for identifying weaknesses in physical unclonable function implementations.  Kuhn, D. R., Raunak, M. S., & Kacker, R. N....

NEW:  Combinatorial Coverage Difference Measurement for assurance of autonomous systems and other critical software.  Combinatorial coverage is a way of finding the rare cases that may lead to security vulnerabilities or system failures, with application to both testing and assured autonomy. Achieving sound testing or assured autonomy in any environment requires methods for measuring the input space, to show that the test environment adequately covers real-world conditions that may be encountered.  NIST is developing new combinatorial measurement methods and tools for input space coverage,...

Validation Number: 144 Vendor: Arctic Wolf Product Name: Arctic Wolf Risk Scan Engine Product Major Version: 6 Product Version Tested: 6.3.5 Tested Platforms: Microsoft Windows 7, SP1, 32-bit Microsoft Windows 7, SP1, 64-bit Microsoft Windows Vista, SP2 Microsoft Windows 8.1 SP0 32-bit Microsoft Windows 8.1 SP0 64-bit Microsoft Windows 10 SP0 32-bit Microsoft Windows 10 SP0 64-bit Microsoft Windows Server 2012 R2 SP0 64-bit Red Hat Enterprise Linux 6 32-bit Red Hat Enterprise Linux 6...

The Federal C-SCRM Forum fosters collaboration and the exchange of cybersecurity supply chain risk management (C-SCRM) information among federal organizations to improve the security of federal supply chains. Through periodic meetings and informal exchanges, the Forum offers all agencies that depend upon or guide C-SCRM an opportunity to discuss issues of interest with – and to inform – many of those leading C-SCRM efforts in the federal ecosystem, including the Office of Management and Budget (OMB), the Department of Defense (DOD), the Cybersecurity and Infrastructure Security Agency (CISA),...

Participation in the Forum, including events and online exchanges, is open to federal C-SCRM program managers or other federal personnel who have a dedicated and recurring responsibility for performing one or more C-SCRM functions. Federal contractors who provide direct C-SCRM programmatic support may also participate upon request by their federal sponsor and approval by the Forum co-hosts. The Forum may establish working groups or study groups and welcomes all suggestions to the co-hosts. NIST is hosting the Forum as part of its mandate under the SECURE Technology Act and the Federal...

Application in distributed systems J.F. DeFranco, D.F. Ferraiolo, D. R. Kuhn, and J.D. Roberts, "A Trusted Federated System to Share Granular Data Among Disparate Database Resources", IEEE Computer, Mar, 2021.   D.F. Ferraiolo, J.F. DeFranco, D. R. Kuhn, and J.D. Roberts, "A New Approach to Data Sharing and Distributed Ledger Technology: A Clinical Trial Use Case", IEEE Network, Jan, 2021.  Foundations and background Kuhn, D. R. (2022). A Data Structure for Integrity Protection with Erasure Capability. NIST CSWP 25 (final version of Kuhn 2018 paper below) Kuhn, R., Yaga, D., & Voas,...

Privacy Enhanced Distributed Ledger Technology and Hyperledger Implementation, IEEE Morocco Blockchain Summit, 2024 Privacy Enhanced Distributed Ledger Technology with Hyperledger Fabric, IEEE International Conference on Artificial Intelligence, Blockchain, and Internet of Things, Sept 17, 2023 Redactable Distributed Ledger Technology with Hyperledger Fabric, IEEE Privacy Symposium, Venice, Italy, 2023.  Redactable Distributed Ledger Technology for Hyperledger Fabric, International Blockchain Summit, Istanbul, 2022 Rethinking Distributed Ledger Technology and Using it for Access...

Data block matrix examples and code: https://github.com/usnistgov/blockmatrix - implementations in Java and in Go https://github.com/PM-Master/blockmatrix - Java API to manage users and attributes using a blockmatrix. https://github.com/PM-Master/NDAC - implementation as a component of Next Gen Database Access Control (NDAC) Hyperledger Fabric drop-in component coming Dec. 5, 2022  For more, see here  

The preliminary draft "Toward a PEC use-case suite (Draft)" remains open to public comments. Abstract: This document motivates the development of a privacy-enhancing cryptography (PEC) use-case suite. This would constitute a set of proofs of concepts, showcasing the use of cryptographic tools for enabling privacy in various applications. This is not a proposal, but rather a sketch idea to motivate initial public feedback, which can be useful to determine a potential process towards a PEC use-case suite. Keywords: cryptography, privacy; privacy-enhancing cryptography (PEC); reference...

Focusing on federal agencies but also engaging with and providing resources useful to government at other levels as well as the private sector, NIST: Guidance on Software Supply Chain Security, under Executive Order 14028 Sections 4(c) and (d), focuses on the critical sub-discipline of Cybersecurity Supply Chain Risk Management (C-SCRM) from the lens of federal acquirers. It covers both existing and evolving standards, tools, and recommended practices.  The guidance is co-located with related EO guidance under NIST’s purview and will be maintained online to more easily update guidance on...