Showing 51 through 75 of 171 matching records.
Events November 4, 2019 - November 6, 2019
https://csrc.nist.gov/events/2019/lightweight-cryptography-workshop-2019

NIST hosted the third Lightweight Cryptography Workshop on November 4-6, 2019 to discuss candidate algorithms, including design strategies, implementations, performance, cryptanalysis, and target applications and to obtain valuable feedback from the crypto community. On-Demand Webcast Accepted Papers (papers included) Cryptography in Industrial Embedded Systems: our experience of needs and constraints Jean-Philippe Aumasson, Antony Vennard FELICS-AE: a framework to benchmark lightweight authenticated block ciphers Kevin Le Gouguec Does gate count matter? Hardware efficiency...

Events November 5, 2019 - November 7, 2019
https://csrc.nist.gov/events/2019/oscal-workshop

The National Institute of Standards and Technology is hosting the first of a new series of workshops focusing on the Open Security Controls Assessment Language (OSCAL). OSCAL provides a standardized set of XML-, JSON- and YAML-based formats for use by authors and maintainers of security and privacy control catalogs, control baselines, and system security plans. These formats provide for the automated exchange of control-related information between tools and facilitate the automated assessment of security and privacy controls implemented in an information system. We are seeking attendees who...

Events July 6, 2021 - July 6, 2021
https://csrc.nist.gov/events/2021/stppa3

STPPA Event #3: Featured topics: private information retrieval (PIR); searchable encryption; fully homomorphic encryption (FHE). Structure: welcome; three invited talks; panel conversation. Date, time, location/format: July 06, 2021, 13:30–16:30 EDT @ virtual event over Webex video conference Attendance: open and free to the public, upon registration Schedule 13:30--13:40: STPPA#3 intro 13:40--14:20: Private Information Retrieval with Near-Optimal Online Bandwidth and Time, by Elaine Shi (Carnegie Mellon University) 14:20--15:00: An Overview of Encrypted Databases, by Seny...

Events March 1, 2022 - March 2, 2022
https://csrc.nist.gov/events/2022/3rd-oscal-workshop

The National Institute of Standards and Technology hosted on Tuesday, March 1st, and Wednesday, March 2nd, 2022, the third workshop in the series focusing on the Open Security Controls Assessment Language (OSCAL). Setting the foundation for security automation, with particular focus on the continuous authorization to operate (ATO) processes and continuous monitoring, OSCAL provides machine-readable representations of control catalogs, control baselines or profiles, system security plans, assessment plans, assessment results, and plan of actions and milestones, in a set of formats expressed in...

Events March 24, 2022 - March 24, 2022
https://csrc.nist.gov/events/2022/rfi-feedback-session

NIST recently issued a Request for Information (RFI) asking for information that would improve the effectiveness of the Cybersecurity Framework (CSF) for a potential update. As a part of this initiative, NIST wants to better understand how the CSF is being used today and to learn what’s working and what’s not. NIST also wants to explore better ways to align the CSF with other NIST guidance, such as the Privacy Framework, Secure Software Development Framework, Risk Management Framework, NICE Workforce Framework, and its series on IoT cybersecurity. NIST wants to know what would help use...

Events May 23, 2023 - May 24, 2023
https://csrc.nist.gov/events/2023/4th-annual-oscal-conference

The National Institute of Standards and Technology (NIST) is co-hosting with the Department of Commerce on Tuesday, May 23rd, 2023, the fourth annual conference in the series focusing on the Open Security Controls Assessment Language (OSCAL). The conference will be in person at the Herbert C. Hoover Federal Building (HCHB) in Washington DC (see address), and will be followed by a half-day educational workshop on May 24. The conference and the workshop are free to attend. OSCAL is a standardized, flexible, open-source language that allows security controls and their...

Project Pages https://csrc.nist.gov/projects/cyber-supply-chain-risk-management/references

***Disclaimer: Items in the following lists are provided for research purposes, and do not imply endorsement by NIST.*** U.S. Government Activities / Initiatives Related Standards / Best Practices C-SCRM Research / References Involved Standards Organizations / Associations U.S. Government Activities / Initiatives Committee on National Security Systems Directive (CNSSD) 505 - "...provides the guidance for organizations that own, operate, or maintain [National Security Systems (NSS)] to address supply chain risk and implement and sustain SCRM capabilities". Comprehensive National...

Project Pages https://csrc.nist.gov/projects/automated-combinatorial-testing-for-software/autonomous-systems-assurance/autonomous-vehicles

Self-driving cars and autonomous systems of all types are notoriously difficult challenges for software assurance. Both traditional testing and formal methods are even harder to apply for autonomous systems than in ordinary cases. The key problem is that these systems must be able to function correctly in a vast space of possible input conditions. For example, autonomous vehicles must deal with lighting, rain, fog, pedestrians, animals, other vehicles, road markings, signs, etc. Combinatorial methods are uniquely well suited to analysis and testing for this enormous input space, because by...

Project Pages https://csrc.nist.gov/projects/automated-combinatorial-testing-for-software/cybersecurity-testing-1/security-testing

The tools distributed here are used extensively in testing for security vulnerabilities. Survey article: Simos, D. E., Kuhn, R., Voyiatzis, A. G., & Kacker, R. (2016). Combinatorial Methods in Security Testing. IEEE Computer, 49(10), 80-83. Introduces CT-based approaches for security testing and presents our case studies and experiences so far. The success of the presented research program motivates further intensive research on the field of combinatorial security testing. In particular, security testing for the Internet of Things (IoT) is an area where these approaches may prove...

Project Pages https://csrc.nist.gov/projects/automated-combinatorial-testing-for-software/cybersecurity-testing-1/cybersecurity-testing

Combinatorial methods improve security assurance in two ways: Reducing vulnerabilities - Multiple studies show that about two-thirds of security vulnerabilities result from ordinary coding errors that can be exploited (for example, lack of input validation). By identifying errors more efficiently, combinatorial testing can reduce vulnerabilities as well. Specialized security testing - We have been able to achieve huge improvements in fault detection for cryptographic software, hardware Trojan horse and malware, web server security, access control systems, and others. Below are some...

Project Pages https://csrc.nist.gov/projects/automated-combinatorial-testing-for-software/our-research-program

This research grew out of our 2001 paper on failures in medical device software, which found that the failures were triggered by only 1 to 4 variables interacting. Surprisingly, although "pairwise" testing had been popular for many years, no one had looked at the actual distribution of failures by number of interacting factors. We continued this work and published other papers finding that all, or nearly all, software failures involve interactions among a small number of variables, no more than 6, in thousands of failure reports. Below are some of our research areas. If you'd like to find out...

Project Pages https://csrc.nist.gov/projects/role-based-access-control/role-engineering-and-rbac-standards

Many organizations are in the process of moving to role-based access control. The process of developing an RBAC structure for an organization has become known as "role engineering." Role engineering can be a complex undertaking. For example, in implementing RBAC for a large European bank with over 50,000 employees and 1400 branches serving more than 6 million customers, approximately 1300 roles were discovered. In view of the complexities, RBAC is best implemented by applying a structured framework that breaks down each task into its component parts. The resources on this page can help...

Project Pages https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines/crypto-enabled-applications

NIST S/MIME Activities NIST has developed a NIST SP 800-49, Federal S/MIME V3 Client Profile for security and interoperability based on IETF specifications. The profile includes all mandatory features of the (S/MIME V3) IETF RFCs (RFCs 2630 through 2634) with the EXCEPTION that implementation of RFC 2631 Diffie-Hellman Key Agreement cryptographic algorithm mandated in IETF RFC 2630 is NOT required. In addition, the profile mandates certain optional features required for interoperability and security in secure email products. The primary audience is federal agencies, but the profile may be...

Project Pages https://csrc.nist.gov/projects/mobile-forensics/mobile-agents/links

The UMBC Agent Web has information and resources about intelligent information agents, intentional agents, software agents, softbots, knowbots, infobots, etc. The Mobile Agent Security Bibliography contains a good collection of reference manuscripts on mobile agent security maintained by the developers of Mole. The Annotated Bibliography on Mobile Agent Security contains another collection of references and links to mobile agent security documents organized under various themes. The Mobility Mailing list has been set up to discuss all things pertaining to mobile code, objects, agents and...

Project Pages https://csrc.nist.gov/projects/automated-combinatorial-testing-for-software/acts-library/seminars-talks

Quick introductions to Combinatorial Testing: Practical Applications of Combinatorial Testing, East Carolina University, March 22, 2012. Combinatorial Testing and Design of Experiments, TU Berlin, June 28, 2011. Combinatorial Testing, Institute for Defense Analyses, April 6, 2011. (approx. 2 hours) Combinatorial Testing Seminar, US Army Test & Evaluation Command, Aberdeen Proving Ground, May 17, 2010. (approx. 3 hours). Combinatorial Testing, Carnegie-Mellon University Jan 26, 2010. (approx. 60 min.) Combinatorial Testing Tutorial, National Defense Industrial Association, Reston, VA,...

Project Pages https://csrc.nist.gov/projects/automated-combinatorial-testing-for-software/acts-library/workshop-papers

In 2012, we co-founded the International Workshop on Combinatorial Testing, focused on theory and application of CT. Papers from previous workshops are listed below. IWCT 2023 Applying CT-FLA for AEB Function Testing: A Virtual Driving Case Study Ludwig Kampel, Michael Wagner, Dimitris Simos, Mihai Nica, Dino Dodig, David Kaufmann, Franz Wotawa Combinatorial Methods for HTML Sanitizer Security Testing Jovan Zivanovic, Manuel Leithner, Dimitris Simos, Michael Pitzer, Peter J. Slanina Hints in Unified Combinatorial Interaction Testing Cemal Yilmaz, Hanefi Mercan Incremental...

Project Pages https://csrc.nist.gov/projects/human-centered-cybersecurity/about/our-team

Kerrianne Buchanan is a Social Scientist in the Visualization and Usability Group at the National Institute of Standards and Technology (NIST). She works on projects seeking to improve human-system interaction by leveraging her background in cognitive and social psychology. Currently she conducts research to support NIST’s Public Safety Communications Research (PSCR) and Human-Centered Cybersecurity programs. She has a master’s degree in Applied Cognition in Neuroscience and a Ph.D. in Psychological Sciences from the University of Texas at Dallas. Yee-Yin Choong is a Human Factors...

Project Pages https://csrc.nist.gov/projects/risk-management/sp800-53-controls/overlay-repository/overlay-overview

What is a Control Overlay? An overlay offers organizations additional customization options for control baselines and may be a fully specified set of controls, control enhancements, and other supporting information (e.g., parameter values) derived from the application of tailoring guidance to SP 800-53B control baselines, or derived independently of control baselines. Overlays also provide an opportunity to build consensus across communities of interest and develop a starting point of controls that have broad-based support for very specific circumstances, situations, and/or conditions....

Project Pages https://csrc.nist.gov/projects/risk-management/sp800-53-controls/overlay-repository/nist-developed-overlay-submissions

The NIST-developed category consists of submissions developed by NIST staff or contractors. Select from the overlays listed below for more information and to access the overlay. Overlay Name / Version Author / Point of Contact Technology or System Comment SP 800-82 v1 / Version 2 Author: Keith Stouffer PoC: Keith Stouffer x1234 Industrial Control System The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include...

Project Pages https://csrc.nist.gov/projects/measurements-for-information-security/standards-guidelines

These are standard publications and guidelines that provide perspectives and frameworks to inform, measure, and manage cybersecurity vulnerabilities and exposures. NIST SP 800-55 Vol. 1 (Initial Public Draft) Measurement Guide for Information Security: Volume 1 — Identifying and Selecting Measures Volume 1 — Identifying and Selecting Measures is a flexible approach to the development, selection, and prioritization of information security measures. This volume explores both quantitative and qualitative assessment and provides basic guidance on data analysis techniques as well as impact and...

Project Pages https://csrc.nist.gov/projects/automated-combinatorial-testing-for-software/combinatorial-coverage-measurement/case-studies

Combinatorial coverage measures are used in industry for high assurance software used in critical applications. Industry examples include the following: Kuhn, D. R., Raunak, M. S., & Kacker, R. N. (2021). Combinatorial Frequency Differencing. NIST Cybersecurity Whitepaper. - Describes measures of the frequency of combination coverage and difference between Class and Non-class elements in machine learning classification problems. Illustrates application of these methods for identifying weaknesses in physical unclonable function implementations. Kuhn, D. R., Raunak, M. S., & Kacker, R. N....

Project Pages https://csrc.nist.gov/projects/ssdf/references

The SSDF uses these established secure development practice documents as references. Note that these references were current at the time SSDF version 1.1 was published, and may no longer be current. NIST Publications General Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (SP 800-181) Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5) Software Development Cybersecurity Supply Chain Risk Management Practices for Systems and...

Project Pages https://csrc.nist.gov/projects/risk-management/sp800-53-controls/public-comments-home/faq

General Questions and Background What is the purpose of the SP 800-53 Public Comment Website? NIST believes that robust, widely understood, and participatory development processes produce the strongest, most effective, most trusted, and broadly accepted standards and guidelines. The following principles guide NIST's standards and guidelines development: Transparency: All interested and affected parties have access to essential information regarding standards and guidelines-related activities throughout the development process. Openness: Participation is open to all interested...

Project Pages https://csrc.nist.gov/projects/cybersecurity-framework/rma-conference

Fireside Chat: Complexity is the new Cyber Adversary The cascading risk that made Lehman Brothers infamous for accelerating the global financial crisis or the Northeast Power Outage that disabled parts of US and Canada in 2003 exemplify how counterparty risk could turn a single breach into a disastrous systemic failure. Cyber risks face similar consequences. They are not enabled simply by individual cyber vulnerabilities, but by the Complex Systems-of-Systems they inhabit. Composed of legacy and new HW, SW and IoT elements connected by myriad channels, haphazardly integrated over many years,...

Project Pages https://csrc.nist.gov/projects/automated-combinatorial-testing-for-software/combinatorial-coverage-measurement/coverage-examples

Examples of combinatorial coverage achieved by real-world test suites in various application domains. The test suites studied in these examples were designed using conventional methods, i.e., they were not developed using ACTS or another covering array tool. Application Config t = 2 t = 3 t = 4 t = 5 t = 6 Reference Spacecraft control 132754262 0.940 0.831 0.668 0.536 Maximoff, J. R., Kuhn, D. R., Trela, M. D., &...
