Projects

National Online Informative References Program OLIR

The National Online Informative References (OLIR) Program is a NIST effort to facilitate subject matter experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their documents, products, and services and elements of NIST documents like the Cybersecurity Framework Version 1.1, Privacy Framework Version 1.0, NISTIR 8259A, or NIST SP 800-53 Revision 5. The NIST Interagency or Internal Report (IR) 8278 - National Online Informative References (OLIR) Program:...

National Software Reference Library NSRL

[Redirect to: https://nsrl.nist.gov] The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on...

National Vulnerability Database NVD

[Redirect to https://nvd.nist.gov] The National Vulnerability Database (NVD) is the U.S. Government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.

NIST Cybersecurity for IoT Program

[Redirect to https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program] NIST’s Cybersecurity for the Internet of Things (IoT) program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies, and academia, the program aims to cultivate trust and foster an environment that...

NIST Personal Identity Verification Program NPIVP

NIST has established the NIST Personal Identity Verification Validation Program (NPIVP) to validate Personal Identity Verification (PIV) components required by Federal Information Processing Standard (FIPS) 201. The objectives of the NPIVP program are: to validate the compliance/conformance of two PIV components --PIV middleware and PIV card application with the specifications in NIST SP 800-73; and to provides the assurance that the set of PIV middleware and PIV card applications that have...

NIST Risk Management Framework RMF

The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems and links to a suite of NIST standards and guidelines to support implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA). This site provides an overview, explains each RMF step, and offers...

Open Security Controls Assessment Language OSCAL

NIST is developing the Open Security Controls Assessment Language (OSCAL), a set of hierarchical, formatted, XML- and JSON-based formats that provide a standardized representation for different categories of information pertaining to the publication, implementation, and assessment of security controls. OSCAL is being developed through a collaborative approach with the public. The OSCAL website provides an overview of the OSCAL project, including an XML and JSON schema reference and examples. The...

Pairing-Based Cryptography

Recently, what are known as “pairings” on elliptic curves have been a very active area of research in cryptography. A pairing is a function that maps a pair of points on an elliptic curve into a finite field. Their unique properties have enabled many new cryptographic protocols that had not previously been feasible. In particular, identity-based encryption (IBE) is a pairing-based scheme that has received considerable attention. IBE uses some form of a person (or entity’s) identification to...

Personal Identity Verification of Federal Employees and Contractors PIV

FIPS 201, Personal Identity Verification (PIV) for Federal Employees and Contractors, is going through a third revision and is currently available for public review at https://pages.nist.gov/FIPS201/. Public commenting period ends 2/1/2021. The public workshop presenting Draft FIPS 201-3 will be held on December 9th, 2020. Please visit the https://www.nist.gov/news-events/events/2020/12/draft-fips-201-3-virtual-public-workshop to view the agenda and register for the event. In response...

Policy Machine PM

One primary objective of enterprise computing (via a data center, cloud, etc.) is the controlled delivery of data services (DSs) to its users. Typical DSs include applications such as email, workflow management, enterprise calendar, and records management, as well as system level features, such as file, access control and identity management. Although access control (AC) currently plays an important role in securing DSs, if properly designed, AC can be more fundamental to computing than one...

Post-Quantum Cryptography PQC

Round 3 Seminars Presentations & Videos NIST has initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms. Full details can be found in the Post-Quantum Cryptography Standardization page. The Round 3 candidates were announced July 22, 2020. NISTIR 8309, Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process is now available. NIST has developed Guidelines for Submitting Tweaks for...

Privacy Engineering

[Redirect to https://www.nist.gov/programs-projects/privacy-engineering] The NIST Privacy Engineering Program’s (PEP) mission is to support the development of trustworthy information systems by applying measurement science and system engineering principles to the creation of frameworks, risk models, guidance, tools, and standards that protect privacy and, by extension, civil liberties.

Privacy Framework

[Redirect to https://www.nist.gov/privacy-framework] The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy.

Privacy-Enhancing Cryptography PEC

The Cryptographic Technology Group (CTG) in the Computer Security Division (CSD) at NIST intends to accompany the progress of emerging technologies in the area of privacy enhancing cryptography (PEC). The PEC project seeks to promote the use of cryptographic protocols that enable achieving privacy goals. The technical challenge is often to enable parties to interact meaningfully, toward achieving an application goal, without revealing extraneous private information to one another or to third...

Program Review for Information Security Assistance PRISMA

The Program Review for Information Security Management Assistance (PRISMA) includes many review options and incorporates guidelines contained in Special Publication 800-53 (Revision 3), Recommended Security Controls for Federal Information Systems. The PRISMA is based upon existing federal directives including Federal Information Security Management Act (FISMA), NIST guidelines and other proven techniques and recognized best practices in the area of information security. PRISMA Has Three...

Protecting Controlled Unclassified Information (CUI) CUI

The protection of Controlled Unclassified Information (CUI) in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. The suite of guidance (NIST Special Publication (SP) 800-171, SP 800-171A, and SP 800-172) focuses on protecting the confidentiality of CUI, and recommends specific security requirements to achieve that objective. It...

Public Key Infrastructure Testing PKI

Testing PKI Components NIST/Information Technology Laboratory responds to industry and user needs for objective, neutral tests for information technology. ITL recognizes such tests as the enabling tools that help companies produce the next generation of products and services. It is a goal of the NIST PKI Program to develop such tests to help companies produce interoperable PKI components. NIST worked with CygnaCom Solutions and BAE Systems to develop a suite of tests that will enable...

Random Bit Generation RBG

Include revised/updated text from http://csrc.nist.rip/groups/ST/toolkit/rng/index.html ?? --> The following publications specify the design and implementation of random bit generators (RBGs), in two classes: Deterministic Random Bit Generators (pseudo RBGs); and Non-Deterministic Random bit Generators (True RBGs). SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 25, 2015: This Recommendation specifies mechanisms for the...

Role Based Access Control RBAC

One of the most challenging problems in managing large networks is the complexity of security administration. Role based access control (RBAC) (also called "role based security"), as formalized in 1992 by David Ferraiolo and Rick Kuhn, has become the predominant model for advanced access control because it reduces this cost. This project site explains RBAC concepts, costs and benefits, the economic impact of RBAC, design and implementation issues, the RBAC standard, and advanced research...

Roots of Trust RoT

Modern computing devices consist of various hardware, firmware, and software components at multiple layers of abstraction. Many security and protection mechanisms are currently rooted in software that, along with all underlying components, must be trustworthy. A vulnerability in any of those components could compromise the trustworthiness of the security mechanisms that rely upon those components. Stronger security assurances may be possible by grounding security mechanisms in roots of trust....

SAMATE: Software Assurance Metrics And Tool Evaluation SAMATE

[Redirect to https://samate.nist.gov] The NIST Software Assurance Metrics And Tool Evaluation (SAMATE) project is dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques, and identifying gaps in tools and methods. The scope of the SAMATE project is broad: ranging from operating systems to firewalls, SCADA to web applications, source code security analyzers to correct-by-construction methods.

SARD: Software Assurance Reference Dataset SARD

[Redirect to: https://samate.nist.gov/SARD/] The purpose of the Software Assurance Reference Dataset (SARD) is to provide users, researchers, and software security assurance tool developers with a set of known security flaws. This will allow end users to evaluate tools and tool developers to test their methods. You will be redirected to the SARD homepage.

SATE: Static Analysis Tool Exposition SATE

[Redirect to: https://samate.nist.gov/SATE.html] SATE is a non-competitive study of static analysis tool effectiveness, aiming at improving tools and increasing public awareness and adoption. Briefly, participating tool makers run their static analyzer on a set of programs, then researchers led by NIST analyze the tool reports. Everyone shares results and experiences at a workshop. The analysis report is made publicly available later. SATE's purpose is NOT to evaluate nor choose the "best"...

Secure Software Development Framework SSDF

The Secure Software Development Framework (SSDF) is a set of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFECode. Few software development life cycle (SDLC) models explicitly address software security in detail, so practices like those in the SSDF need to be added to and integrated with each SDLC implementation. Key practices in the SSDF include: Define criteria...

Security Aspects of Electronic Voting

The Help America Vote Act (HAVA) of 2002 was passed by Congress to encourage the upgrade of voting equipment across the United States. HAVA established the Election Assistance Commission (EAC) and the Technical Guidelines Development Committee (TGDC), chaired by the Director of NIST, was well as a Board of Advisors and Standard Board. HAVA calls on NIST to provide technical support to the EAC and TGDC in efforts related to human factors, security, and laboratory accreditation. Researchers in the...

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

Computer Security Resource Center