Search CSRC

Papers Covering Array Library Seminars & Talks & Tutorial Combinatorial Methods For Modeling & Simulation Workshop Papers DOs and DON'Ts of testing

Through quarterly meetings and email list, the Forum provides our members: a venue to exchange information, share ideas and best practices, resources, and knowledge; an ongoing opportunity to leverage the work done in other organizations to reduce possible duplication of effort; and access to a community and network of cybersecurity and privacy professionals across the U.S. federal, state, and local government and higher education organizations.  Quarterly Meetings Refer to the CSRC Events Page for upcoming Forum meetings and registration information.   Forum meetings are open to...

Steven Lipner, Chairperson  Executive Director  SAFECode Term Expires 5/30/2026 Dr. Brett Baker Inspector General for the National Archives U.S. National Archives and Records Administration Term Expires 3/14/2026 Michael Duffy Associate Director for Capacity Building CISA Cybersecurity Division, Department of Homeland Security Term Expires 3/13/2028 Giulia Fanti Assistant Professor Carnegie Mellon University Term Expires 7/8/2025 Jessica Fitzgerald-McKay Co-Lead, Center for Cyber Security Standards (CCSS) National Security Agency Term Expires 3/3/2027 Alex Gantman Vice President,...

Below is the schedule for upcoming ISPAB Meetings: May 21, 2024 (Virtual)  Federal Register Notice Announcing Meeting Agenda Link to May 2024 Event Page: https://csrc.nist.gov/Events/2024/ispab-may-meeting  July 17-18, 2024 November 6-7, 2024   Meetings Held in 2024 March 20-21, 2024 Federal Register Notice Announcing Meeting Agenda Meeting Minutes Link to March 2024 Event Page: https://csrc.nist.gov/Events/2024/ispab-march-2024-meeting   Meetings Held in 2023 October 25-26, 2023 Federal Register Notice Announcing Meeting Agenda Meeting Minutes Link to July 2023 Event...

In accordance with 15 U.S.C. 278g-4, the duties of Information Security and Privacy Advisory Board is to identify emerging managerial, technical, administrative, and physical safeguard issues relative to information security and privacy. The focus of the Board's work for FY 2015-2016 includes the following areas: Quantum (physics, pre-shared keys, quantum key distribution, block chains) Cybersecurity Office of Management and Budget OMB Circular A-130 Revised Cyber-marathon CyberStats Measuring outcomes for cybersecurity Cybersecurity protections in Federal acquisitions...

ISPAB Charter for 2024-2026. ISPAB Annual Report for Fiscal Year 2023 ISPAB Annual Report for Fiscal Year 2022 ISPAB Annual Report for Fiscal Year 2021 ISPAB Annual Report for Fiscal Year 2020 ISPAB Annual Report for Fiscal Year 2019 Annual reports for 1995 - 2018 are found on the GSA web page at: Federal Advisory Committee Act (FACA) . When you reach the site, please select “The Annual Report of the President on Federal Advisory Committees – 1972-1998.” (http://www.facadatabase.gov/rpt/printedannualreports.asp) To view reports and information, please select “SEARCH” the third tab...

Sample Certificates and CRL from RFC 5280 certificate/CRL Corresponding section of RFC5280 RSA self-signed certificate C.1 RSA Self-Signed Certificate Section C.1 contains an annotated hex dump of a "self-signed" certificate issued by a CA whose distinguished name is cn=Example CA,dc=example,dc=com. The certificate contains an RSA public key, and is signed by the corresponding RSA private key. End Entity Certificate Using RSA C.2 End Entity Certificate Using RSA Section C.2 contains an annotated hex dump of an end...

Version 1.07 enabling tools for PKI client software developers This page contains conformance tests for relying parties that validate X.509 certification paths.  Each test consists of a set of X.509 certificates and CRLs.  The tests are fully described in the Conformance Testing of Relying Party Client Certificate Path Processing Logic document.  The goal for the first release of these tests was to address the X.509 features used in the DoD Class 3 PKI.  While this test suite remains available for use, it has been superseded by the Public Key Interoperability Test Suite (PKITS), which...

Posted September 27, 2023 Personal Identity Verification (PIV) Interfaces, Cryptographic Algorithms, and Key Sizes: Drafts of SP 800-73-5 and SP 800-78-5 Available for Public Comment In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the use of Personal Identity Verification (PIV) Credentials – including the credentials on PIV Cards. NIST Special Publication (SP) 800-73-5: Parts 1–3 and SP 800-78-5 have subsequently been revised to align with FIPS 201 and are now available for public comment. SP 800-73-5: Parts 1–3 ipd (Initial...

FIPS 201-3 - Personal Identity Verification (PIV) of Federal Employees and Contractors January 2022     Federal Register Notice    2020 Draft comments and dispositions FIPS 201-2 has been withdrawn and is superseded by FIPS 201-3 PIV Card Specifications: SP 800-78-4 - Cryptographic Algorithms and Key Sizes for Personal Identity Verification  May 2015 SP 800-76-2 - Biometric Data Specification for Personal Identity Verification July 2013 SP 800-73-4 - Interfaces for Personal Identity Verification (3 Parts)    Part 1- PIV Card Application Namespace, Data Model and...

Test Runner Software (updated February 13, 2020) SP 800-73-4 Test Runner for PIV Card Applications, Middleware and Data Model Please send an e-mail to piv-dmtester@nist.gov to request for a password to unzip the Test Runner file and/or for any questions you may have. DISCLAIMER: This software is released by NIST as a service and is expressly provided "AS IS." NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST DOES NOT REPRESENT OR...

Test PKI Info  |  Sample Messages  |  Version 1 Test Cards  |  Email List In order to facilitate the development of applications and middleware that support the Personal Identity Verification (PIV) Card, the National Institute of Standards and Technology (NIST) has developed a set of test PIV Cards, which are available for purchase as a NIST Special Database. An overview of the test PIV Cards is provided in NIST 8347, NIST Test Personal Identity Verification (PIV) Cards Version 2.  NISTIR 8347 also contains technical details about the contents of each of the test cards in the set....

Special thanks to those who have participated in the workshops and provided valuable technical comments in shaping this standard. The commentators represented a wide range of government and industry organizations, including the following (ALL files are in .PDF format). 2011 Draft comments and Dispositions 2012 Draft Comments and Dispositions

Special thanks to those who have participated in the workshops and provided valuable technical comments in shaping this standard. The commentators represented a wide range of government and industry organizations, including the following (ALL files are in .PDF format). ERRATA for FIPS 201 Aerospace Industries Association AMAG Technology Anteon Corporation Argonne National Laboratory (File 1 of 3)  (File 2 of 3)  (File 3 of 3) Authsec Aware, Inc. (File 1 of 2)  (File 2 of 2) Biometric Associates Inc. Booz Allen Hamilton...

Hildegard Ferraiolo Computer Security Division Information Technology Laboratory NIST TEL (301) 975-6972  

Draft FIPS 201-3 Virtual Public Workshop December 9, 2020 Presentations, Recording and Q&A chat transcript    Business Requirements Meeting of FIPS 201-3 (Government only)  March 19, 2019 Agenda with Presentations Workshop on Upcoming Special Publications Supporting FIPS 201-2 March 3-4, 2015 Agenda with Presentations Revised Draft FIPS 201-2 Workshop  August 26, 2012  Presentations Draft FIPS 201-2 Workshop April 18-19, 2011 Presentations: Overview (Goals of the workshop, purpose of the revision, overall revision process, summary of proposed changes) Hildegard Ferraiolo, NIST...

The Online Informative Reference Catalog contains all the Reference Data—Informative References and Derived Relationship Mappings (DRMs)—for the National Online Informative References (OLIR) Program. All Reference Data in the Informative Reference Catalog has been validated against the requirements of NIST Interagency Report (IR) 8278A Rev. 1 (Draft), National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers. If interested in participating in the OLIR program, please refer to the Informative Reference submission page. The OLIR Catalog provides an interface...

The Derived Relationship Mapping (DRMs) Analysis Tool provides Users the ability to generate DRMs for Reference Documents with a Focal Document of the Users’ choice. The DRMs are non-authoritative and represent a starting point when attempting to compare Reference Documents. Refer to Sections 3.3 – 3.6 of NISTIR 8278, National Online Informative References (OLIR) Program: Program Overview, Benefits and Uses  for additional guidance around understanding and utilizing the tool.  After creating a Display Report, Users can download the report in either a comma-separated value (CSV) file format or...

Primary Policy Machine References/Background: This paper provides a good overview of the Policy Machine's ability to express and enforce policies and policy combinations. However, unlike Policy Machine's most recent specification, this paper activates attributes prior to mediating an access request and does not recognize obligations or prohibitions. D. Ferraiolo, S. Gavrila, V. Hu, R. Kuhn, “Composing and combining policies under the policy machine, in: Proceedings of ACM Symposium on Access Control Models and Technologies”, 2005, pp. 11–20. These papers describe the benefits and...

For the most up to date macOS security recommendations, please visit the mSCP GitHub page listed below, which is supported by SP-800-219r1, Apple Security Guidance: macOS Security Compliance Project. https://github.com/usnistgov/macos_security  

Base EaaS Architecture Without A Decentralized Root Of Trust In this example, the client system is equipped with a Hardware Root of Trust (HRT) device. Examples of HRT devices are the Trusted Platform Module, Intel® Identity Protection Technology, and the ARM® TrustZone technology. The client system runs a dedicated software application capable of interfacing with the local HRT device on the one end and with the EaaS on the other end. The application communicates with the entropy server using standard plaintext protocols, such as HTTP. The dedicated application initiates the procedure for...

Florida Institute for Cybersecurity Research, University of Florida Intrinsic ID, Inc. 710 Lakeway Drive,  Suite 100,  Sunnyvale, CA 94085  Crypto4A, 1550A Laperriere Avenue, Ottawa, Ontario, Canada   2 Keys Corporation, 20 Eglinton Ave. W., Suite 1500,, Toronto, Ontario, Canada Real Random, LLC.     DISCLAIMER: Any mention of commercial products or organizations is for informational purposes only; it is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the products identified are necessarily...

Our work on EaaS will be (or has been) presented at the following events:   Upcoming Events   Past Events Live Demonstration at The 2015 Cybersecurity Innovation Form  (September 9-11, 2015)    Invited Talk at Workshop on Cryptography and Hardware Security for the Internet of Things IoT Security Workshop in College Park Maryland  October 8-9, 2015    Publication: Entropy as a Service: Unlocking Cryptoraphy's Full Potential,  IEEE Computer, 49(9): 98-102, September 2016   Invited Talk: Entropy as a Service: Unlocking Cryptoraphy's Full Potential,  2017 IEEE SOSE Workshop,...

The Automated Cryptographic Validation Testing System (ACVTS) comprises two main environments that support the Automated Cryptographic Validation Protocol (ACVP): the demonstration environment (ACVTS Demo aka “Demo”) and the production environment (ACVTS Prod aka “Prod”). Demo is a sandbox-style environment in which users may test their algorithm implementations and ACVP client applications. The Demo environment should be considered semi-volatile, meaning that any information stored in it is subject to loss at any time, though we do strive to keep the environment as stable and intact as...

FY 2020 Transition from CAVS to ACVTS Testing Transition Summary NIST CAVP sent the email “CAVS retirement and transition to ACVTS in FY2020” to all accredited CST laboratories on 18 October 2019: UPDATE 09 March 2020: There is a change to 5.a. below.  NIST CAVP will not do any cost recovery billing for ACVTS in FY 2020.  Algorithm validations using ACVTS will be free of charge until 01 October 2020.   Dear CSTLs, In response to questions and requests from some of you, as well as a further review of our internal transition process, NIST CAVP have decided on the...