Search CSRC

Overlay Name:   Federal Public Key Infrastructure (PKI) Systems Overlay Publication Date: April 2021 Technology or System: Federal PKI Systems Overlay Author: Federal PKI Policy Authority Comments: The Federal Public Key Infrastructure (FPKI) provides the U.S. Government with a common baseline to administer digital certificates and public-private key pairs used to support trust of some government devices and persons. This overlay was developed by the Federal Public Key Infrastructure Policy Authority (FPKIPA) to provide additional specifications and protections for PKIs participating in...

What is the NIST Cybersecurity Framework, and how can my organization use it? The NIST Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices to help organizations better manage and reduce cybersecurity risk. It fosters cybersecurity risk  management and related communications among both internal and external stakeholders, and for larger organizations, helps to better integrate and align cybersecurity risk management with broader enterprise risk management processes as described in the NISTIR 8286 series. The Framework is organized by five key...

MagicMirror is a white-box fuzzing tool written mainly in Python 3 for Solidity Smart Contracts. It supports the detection of 9 popular security vulnerabilities. It is easy to use and provides various informative reports as output. MagicMirror is fast and can generally achieve high code coverage on many contracts. MagicMirror utilizes techniques that include constraint solving, random test generation, random state exploration, coverage and data dependency guided fuzzing, and combinatorial testing.  DOWNLOADS:  https://magic-mirror.gitbook.io/magicmi/ MagicMirror works on both Linux and...

Many security research efforts have focused on adults' perceptions and practices, leaving gaps in our understanding of youth perceptions and practices. To help fill this gap, our team explores the online security and privacy perceptions and practices of youth and influencing social factors from three perspectives: youth themselves, parents/guardians, and teachers/educators. Research insights are informing NIST's contributions to the interagency Task Force on Kids Online Health & Safety.   Publications Influences on Youth Online Privacy and Security Papers Youth understandings of...

Validation Number: 145 Vendor: McAfee Product Name: McAfee Policy Auditor Product Major Version: 6 Product Version Tested: 6.5.0.263 Tested Platforms: Microsoft Windows 10 SP0 32-bit Microsoft Windows 10 SP0 64-bit Microsoft Windows Server 2012 R2 SP0 64-bit Red Hat Enterprise Linux 7 64-bit SCAP 1.3 Capabilities: Authenticated Configuration Scanner Common Vulnerabilities and Exposures (CVE) Option Validated Product   URL: Vendor Provided SCAP Information...

As of November 7, 2020, the CMVP requires that all FIPS 140-2 and FIPS 140-3 module validation submissions include documentation justifying conformance to SP 800-90B if applicable. SP 800-90B, along with FIPS 140-2 Implementation Guidance (IG) documents 7.18, 7.19, and 7.20 and corresponding FIPS 140-3 IGs D.J, D.K, and D.O, outline the requirements for an entropy source to be included in a FIPS-approved cryptographic module.  Currently entropy validations may be found within validated cryptographic modules under the "ENT" algorithm in the Validated Module Search. The CMVP is working to...

Updated April 13, 2022 Entropy Source Validations (ESV) are rolling out. Here are some key dates to remember concerning ESV submissions April 11, 2022 ESV submissions are accepted. October 1, 2022 ESV cost recovery billing initiates. ESV becomes the only method of submitting entropy sources for validation. October 1 2023 ESV submissions only accepted from testing labs who have completed the NVLAP application for the 17ESV scope.   2021 Archive With a lot happening around Entropy Validations, the CMVP offers the following roadmap to help others plan ahead....

The Entropy Validation Server Test System is the process by which a lab may submit all information around an entropy source to receive a validation. This is done by interacting with the Web API offered by the Entropy Validation Server. For information on the protocol, reporting issues, and requesting access, view the GitHub page: https://github.com/usnistgov/esv-server.  The protocol is based on ACVP. Information on that can be found here: Automated Cryptographic Validation Testing.  The Demo server is available after 1/28/21. To request access to the Demo server, please view the GitHub link...

April 26, 2022 ESV Documents Guidelines and templates are now available on the Entropy Validation Documents webpage.  Entropy Assessment Report Template v1.0 Entropy Validation Submission Guidelines Module Submission Guidelines When Including an ESV Entropy Validation Certificate Public Use Document Template April 13, 2022 ESV Program Rollout The Entropy Source Validation (ESV) is now online! Check out the Entropy Validations Roadmap for key dates as CMVP transitions from ENT to ESV. March 24, 2022 Entropy Source Validation Test Server The Entropy Source...

A workshop was held on April 27-29th, 2021 to discuss entropy validations. The slides and recording from the workshop are available on the NIST Events page: https://www.nist.gov/news-events/events/2021/04/sp-800-90b-entropy-source-validation-workshop.

ESV Guidelines and Templates Entropy Assessment Report Template v1.1 is a document to aid in writing entropy assessment reports for all entropy sources. The template is not required, but is recommended to ensure that all requirements from SP 800-90B and associated IGs are covered in the report. The template is available for edits, so labs may customize the colors, branding, or content if desired. Entropy Validation Submission Guidelines outlines the steps required to submit an entropy source to the CMVP through the Entropy Source Validation Test Server. Credentials must be requested...

The mc-forum@list.nist.gov mailing list is used for announcements and questions about the "Masked Circuits" project (formerly known as the single-device track of the threshold cryptography project). To subscribe: send an mail to mc-forum+subscribe@list.nist.gov. Upon receiving an automatic response message, click the "Join" link inside that email to confirm your subscription request. If having difficulty, send a request instead to "masked-circuits (at) nist (dot) gov". We will then manually add your email address. To unsubscribe: send an email to: mc-forum+unsubscribe@list.nist.gov. The...

Subscribing to the PEC-Forum The pec-forum@list.nist.gov mailing list was created to share announcements and questions about the "Privacy-Enhancing Cryptography" (PEC) project. Only subscribed members can send email to the mailing list. To subscribe, please send an mail to pec-forum+subscribe@list.nist.gov. You will receive a response message. Click the "Join" link inside that email to confirm your subscription request. To unsubscribe, please send an email to: pec-forum+unsubscribe@list.nist.gov. To reach only the PEC team, send email instead to crypto-privacy (at) nist (dot) gov. Mailing...

New address (MPTC-forum) for publicly accessible messages: The mptc-forum@list.nist.gov mailing list was created for public announcements and public conversation about the NIST Multi-Party Threshold Cryptography project. Messages: The MPTC-forum is an unmoderated mailing list; messages sent to this list are immediately distributed to all the addresses on the list, and are by default made publicly available via the email archive. Only members are allowed to post messages to the list, by sending an email to mptc-forum@list.nist.gov, but anyone can subscribe to become a member of the list....

/CSRC/media/Projects/olir/documents/submissions/WIP_Framework_v_1_1_to_800_53_Rev5.xlsx /CSRC/media/Projects/olir/documents/submissions/WIP_Framework_v_1_1_to_800_53_Rev5.xlsx /CSRC/media/Projects/olir/documents/submissions/SP800-82-Rev-2-to-SP800-53-Rev-4.xlsx /CSRC/media/Projects/olir/documents/submissions/WIP_Framework_v_1_1_to_800_53_Rev5.xlsx /CSRC/media/Projects/olir/documents/submissions/SP800-177-Rev-1-to-SP800-53-Rev-4.xlsx...

This page uses Google Forms; if the speaker request form does not load, please complete the RMF Team Speaker Request (pdf) and submit to sec-cert@nist.gov. Loading…

Fireside Chat: Complexity is the new Cyber Adversary The cascading risk that made Lehman Brothers infamous for accelerating the global financial crisis or the Northeast Power Outage that disabled parts of US and Canada in 2003 exemplify how counterparty risk could turn a single breach into a disastrous systemic failure. Cyber risks face similar consequences. They are not enabled simply by individual cyber vulnerabilities, but by the Complex Systems-of-Systems they inhabit. Composed of legacy and new HW, SW and IoT elements connected by myriad channels, haphazardly integrated over many years,...

Fundamental background papers: Empirical justification for combinatorial testing:  D.R. Kuhn, D.R. Wallace, A.M. Gallo, Jr., Software Fault Interactions and Implications for Software Testing, IEEE Transactions on Software Engineering, vol. 30, no. 6, June 2004, pp. 418-421.Abstract; DOI: 10.1109/TSE.2004.24  Preprint.  Comment: Investigates interaction level required to trigger faults in a large distributed database system. IPOG algorithm used in construction of covering arrays:  Y.Lei, R. Kacker, D.R. Kuhn, V. Okun and J. Lawrence, IPOG: a General Strategy for T-way Software Testing, 14th...

Our conference and journal papers on assured autonomy and explainable AI.  We try to include links to the full papers, but for those not yet linked, please contact us for a copy:  kuhn@nist.gov.  Papers 2023 Chandrasekaran, J., Lanus, E., Cody, T., Freeman, L.J., Kacker, R., Raunak, M., Kuhn, D.R.  From Scoping to Re-engineering:  Leveraging Combinatorial Coverage in ML Product Lifecycle (submitted). Olsen, M., Raunak, M. S., & Kuhn, D. R. (2023, June). Predicting ABM Results with Covering Arrays and Random Forests. In International Conference on Computational Science (pp. 237-252). Cham:...

Blockmatrix functions have been integrated with Hyperledger Fabric, making it possible to use Hyperledger in a broader range of applications.  Applications that currently use Hyperledger Fabric will be able to function without change, with blockmatrix components providing distributed ledger functions in a transparent manner.  To support privacy requirements for deleting private user information, data blocks containing PII can be deleted offline, or functions can be added to the application with appropriate access control for administrators or users as determined by the organization.  -...

See full details on our NIICS home page.

Credits: Ned Goren NED GOREN IT Specialist ITL/CSD/SSA NIST Ned Goren is a security researcher and a member of the Secure System and Applications Group at NIST. Prior to joining NIST, he served as a control assessor and an Information Systems Security Officer (ISSO) at the U.S. Census Bureau. Ned also served as a control assessor and an ISSO at NIST.  Credits: Brian Ruf BRIAN RUF Director of Cybersecurity Easy Dynamics Mr. Brian Ruf contributed substantially to NIST’s planning and creation of OSCAL,...

MCSPWF subscribers to the MCSPWG (see the Overview page for subscribing to the mailing list) have access to documents uploaded on the PWG’s Google Drive (Public directory) when logged in with the subscribed email. PWG Google Drive: https://drive.google.com/drive/folders/1c9OV10sAQGFRMplsQALSrKNMtjqKx1CQ?usp=sharing 2024 - Plenary meetings: every 2 weeks Date Meeting Brief Agenda /Notes   01/11/2024 3 PM ET MCSPWG ZTA and ATO Focus Groups Merged Meeting Cancelled   01/25/2024 3 PM ET MCSPWG ZTA and ATO Focus Groups Merged Meeting Cancelled...

I. Introduction NIST scientific or technical Public Working Groups bring together organizations actively engaged in the specific field of interest and consist of subject-matter experts who collaborate to determine best practices and to develop consensus standards. During the past decade, NIST has convened multi-disciplinary cloud computing working groups to take on specific challenges that impact the broad US Government adoption of complex cloud-based solutions that combine services from more than one cloud service provider (CSP). The change in technical operations and control dynamics for...

Title / Topic  Description Executive Order (EO) 14028 On Improving The Nation's Cybersecurity Executive Order 14028, “Improving the Nation’s Cybersecurity” marks a renewed commitment and prioritization of federal cybersecurity modernization and strategy. To keep pace with modern technological advancements and evolving threats, the Federal Government continues to migrate to the cloud. In support of these efforts, the Secretary of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency...