Projects

Showing 26 through 50 of 88 matching records.
Cybersecurity Risk Analytics (CRA)
NIST is working with stakeholders from across government, industry, and academia to research and prototype methods and tools to enable predictive risk analytics and identify cyber risk trends. NIST’s goal is to enable information sharing among risk owners about historical, current and future cyber risk conditions and is intended to help not only enhance existing cyber risk mitigation strategies but also improve and expand upon existing cybersecurity risk metrology efforts. We will be leveraging...
DevSecOps
DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing these practices to develop and deploy software in operational environments, often without a full understanding and consideration of security.
Digital Signatures
As an electronic analogue of a written signature, a digital signature provides assurance that: the claimed signatory signed the information, and the information was not modified after signature generation. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved digital signature algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures, in conjunction with an approved hash function specified...
Elliptic Curve Cryptography (ECC)
Elliptic curve cryptography is critical to the adoption of strong cryptography as we migrate to higher security strengths. NIST has standardized elliptic curve cryptography for digital signature algorithms in FIPS 186 and for key establishment schemes in SP 800-56A.  In FIPS 186-4, NIST recommends fifteen elliptic curves of varying security levels for use in these elliptic curve cryptographic standards. However, more than fifteen years have passed since these curves were first developed, and...
Enhanced Distributed Ledger Technology
Blockchains provide a strong mechanism to ensure that data blocks have not been altered, but this feature conflicts with many privacy requirements, such as those in GDPR, which allow users to have private data deleted at their request. The immutability property makes a blockchain solution impractical for many such privacy rules, leading to the need for "editable blockchains".   The blockchain immutability property was designed to solve the problem of double spending in cryptocurrencies.  But...
Entropy as a Service (EaaS)
Cryptography is critical for securing data at rest or in transit over the IoT. But cryptography fails when a device uses easy-to-guess (weak) keys generated from low-entropy random data. Standard deterministic computers have trouble producing good randomness, especially resource-constrained IoT-class devices that have little opportunity to collect local entropy before they begin network communications. The best sources of true randomness are based on unpredictable physical phenomena, such as...
Federal Cybersecurity and Privacy Professionals Forum
The Federal Cybersecurity and Privacy Professionals Forum (formerly the Federal Computer Security Managers Forum or FCSM) is an informal group sponsored by the National Institute of Standards and Technology (NIST) to promote the sharing of cybersecurity and privacy knowledge, best practices, and resources among U.S. federal, state, and local...
FIPS 140-3 Development
THIS PAGE IS FOR HISTORICAL PURPOSES ONLY. SEE FIPS 140-3 TRANSITION EFFORT FOR THE CURRENT STATUS. FIPS 140-3 approved: On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, which supersedes FIPS 140-2. This was announced in the Federal Register on May 1, 2019. FIPS 140-3 aligns with...
FIPS 140-3 Transition Effort (FIPS 140-3)
While FIPS 140-2 continues on through 2026, development to support and validate FIPS 140-3 modules must be in place by September 2020. This project addresses questions concerning the process of migrating from FIPS 140-2 to FIPS 140-3.  The transition process includes organizational, documentation and procedural changes necessary to update and efficiently manage the ever increasing list of security products that are tested for use in the US and Canadian governments.  Changes also support the...
FISMA Implementation Project
This FISMA Implementation Project link automatically redirects to Federal Information Security Modernization Act (FISMA) background information under the NIST Risk Management Framework project.
FISSEA - Federal Information Security Educators
FISSEA, founded in 1987, is an organization run by and for Federal government information security professionals to assist Federal agencies in strengthening their employee cybersecurity awareness and training programs. FISSEA conducts an annual fee-based conference. SAVE THE DATE for FISSEA 2022, May 18-19, 2022.
Hash Functions
Approved Algorithms: Approved hash algorithms for generating a condensed representation of a message (message digest) are specified in two Federal Information Processing Standards: FIPS 180-4, Secure Hash Standard, and FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. FIPS 180-4 specifies seven hash algorithms: SHA-1 (Secure Hash Algorithm-1), and the SHA-2 family of hash algorithms: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. FIPS 202...
High-Performance Computing Security (HPCS)
High-Performance Computing Security Overview: In July of 2015, the President of the United States issued Executive Order 13702 to create a National Strategic Computing Initiative (NSCI). The goal of the NSCI is to maximize the benefits of High-Performance Computing (HPC) for economic competitiveness and scientific discovery. Security for HPC systems is essential for HPC systems to provide the anticipated benefits.  
Information Security and Privacy Advisory Board (ISPAB)
In January 1988, the Congress enacted the Computer Security Act of 1987 (Public Law 100-235). A provision of that law called for the establishment of the Computer System Security and Privacy Advisory Board (CSSPAB) within the Department of Commerce. In accordance with the Federal Advisory Committee Act, as amended, 5 U.S.C., App., the Board was chartered in May 1988. In December 2002, Public Law 107-347, The E-Government Act of 2002, Title III, the Federal Information Security Management Act of...
Interoperable Randomness Beacons
The Randomness Beacons project at NIST intends to promote the availability of trusted public randomness as a public utility. Such a utility can be used, for example, to promote auditability and transparency of services that depend on randomized processes. The project is spearheaded by the Cryptographic Technology Group in the Computer Security Division of the Information Technology Laboratory (ITL), and has had the participation of many collaborators over the years (see historical note...
Key Management
Publications that discuss the generation, establishment, storage, use and destruction of the keys used by NIST’s cryptographic algorithms. Project Areas: Key Management Guidelines; Key Establishment; Cryptographic Key Management Systems. Generally speaking, there are two types of key establishment techniques: 1) techniques based on asymmetric (public key) algorithms, and 2) techniques based on symmetric (secret key) algorithms. However, hybrid techniques are also commonly used, whereby public...
Lightweight Cryptography
There are several emerging areas (e.g. sensor networks, healthcare, distributed control systems, the Internet of Things, cyber physical systems) in which highly-constrained devices are interconnected, typically communicating wirelessly with one another, and working in concert to accomplish some task. Because the majority of current cryptographic algorithms were designed for desktop/server environments, many of these algorithms do not fit into constrained devices.   NIST has initiated a process...
Low Power Wide Area IoT
Developing an IoT Laboratory based on LPWAN using LoRaWAN: This project is developing a LoRaWAN infrastructure in order to study the security of communications based on Low Power Wide Area Networks, with the objective of identifying and evaluating security vulnerabilities and countermeasures. Recent Accomplishments: Wired IoT prototype for multiple IoT devices (temp sensors, others TBD). Survey of low power wide area networking. Architecture formulated for LPWAN-IoT at NIST. Preliminary...
Measurements for Information Security
[Redirect to: https://www.nist.gov/cybersecurity/measurements-information-security] Every organization wants to gain maximum value and effect for its finite cybersecurity-related investments. This includes managing risk to the enterprise and optimizing the potential reward of cybersecurity policies, programs, and actions. Organizations frequently make go-ahead decisions by comparing scenarios that differ in projected cost with associated likely benefits and risk reduction. However, these...
Measuring Security Risk in Enterprise Networks
Enterprise networks have become essential to the operation of companies, laboratories, universities, and government agencies. As they continue to grow both in size and complexity, their security has become a critical concern. Vulnerabilities are regularly discovered in software applications which are exploited to stage cyber attacks. There is no objective way to measure the security of an enterprise network. As a result it is difficult to answer such objective questions as "are we more secure...
Message Authentication Codes (MAC)
The message authentication code (MAC) is generated from an associated message as a method for assuring the integrity of the message and the authenticity of the source of the message. A secret key to the generation algorithm must be established between the originator of the message and its intended receiver(s). Approved Algorithms: Currently, there are three (3) approved* general purpose MAC algorithms: HMAC, KMAC and CMAC. Keyed-Hash Message Authentication Code (HMAC): FIPS 198-1, The...
Mobile Security and Forensics
Mobile Forensics: Mobile devices, such as Personal Digital Assistants (PDAs), Blackberry, and cell phones have become essential tools in our personal and professional lives. The capabilities of these devices are continually evolving, providing users with greater storage capacities, better Internet connectivity, and enhanced Personal Information Management (PIM) capabilities. Devices with cellular capabilities provide users with the ability to perform additional tasks such as SMS (Short Message...
Multidimensional Cybersecurity Analytics (MCA)
There is an increasing demand for robust capabilities for programmatically detecting intrusions and errors in computer programs in real time. This demand is growing rapidly as our society relies more on the ever-increasing number, variety, complexity, and interplay of computer programs. We experience this demand every day – the performance of our email servers and other cloud services, recent glitches of Healthcare.gov, Internet banking services, and the variety and complexity of cyber-security...
National Checklist Program (NCP)
NIST maintains the National Checklist Repository, which is a publicly available resource that contains information on a variety of security configuration checklists for specific IT products or categories of IT products. A security configuration checklist (also called a lockdown, hardening guide, or benchmark) is a series of instructions or procedures for configuring an IT product to a particular operational environment, for verifying that the product has been configured properly, and/or for...
National Initiative for Cybersecurity Education (NICE)
[Redirect to https://www.nist.gov/nice] The mission of NICE is to energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development. NICE fulfills this mission by coordinating with government, academic, and industry partners to build on existing successful programs, facilitate change and innovation, and bring leadership and vision to increase the number of skilled cybersecurity professionals helping to keep our Nation secure.
