Projects

Public Key Infrastructure Testing PKI

Testing PKI Components NIST/Information Technology Laboratory responds to industry and user needs for objective, neutral tests for information technology. ITL recognizes such tests as the enabling tools that help companies produce the next generation of products and services. It is a goal of the NIST PKI Program to develop such tests to help companies produce interoperable PKI components. NIST worked with CygnaCom Solutions and BAE Systems to develop a suite of tests that will enable...

Random Bit Generation RBG

Include revised/updated text from http://csrc.nist.rip/groups/ST/toolkit/rng/index.html ?? --> The following publications specify the design and implementation of random bit generators (RBGs), in two classes: Deterministic Random Bit Generators (pseudo RBGs); and Non-Deterministic Random bit Generators (True RBGs). SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 25, 2015: This Recommendation specifies mechanisms for the...

Ransomware Protection and Response

Thanks for helping shape our ransomware guidance! We've published the final NISTIR 8374, Ransomware Risk Management: A Cybersecurity Framework Profile and the Quick Start Guide: Getting Started with Cybersecurity Risk Management | Ransomware. Thanks for attending our July 14th Virtual Workshop on Preventing and Recovering from Ransomware and Other Destructive Cyber Events. Please watch the recording HERE. Our new resources on tips and tactics for preparing your organization for ransomware...

Role Based Access Control RBAC

One of the most challenging problems in managing large networks is the complexity of security administration. Role based access control (RBAC) (also called "role based security"), as formalized in 1992 by David Ferraiolo and Rick Kuhn, has become the predominant model for advanced access control because it reduces this cost. This project site explains RBAC concepts, costs and benefits, the economic impact of RBAC, design and implementation issues, the RBAC standard, and advanced research...

Roots of Trust RoT

Modern computing devices consist of various hardware, firmware, and software components at multiple layers of abstraction. Many security and protection mechanisms are currently rooted in software that, along with all underlying components, must be trustworthy. A vulnerability in any of those components could compromise the trustworthiness of the security mechanisms that rely upon those components. Stronger security assurances may be possible by grounding security mechanisms in roots of trust....

SAMATE: Software Assurance Metrics And Tool Evaluation SAMATE

[Redirect to https://www.nist.gov/itl/ssd/software-quality-group/samate] The NIST Software Assurance Metrics And Tool Evaluation (SAMATE) project is dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques, and identifying gaps in tools and methods. The scope of the SAMATE project is broad: ranging from operating systems to firewalls, SCADA to web applications, source code security analyzers to...

SARD: Software Assurance Reference Dataset SARD

[Redirect to: https://www.nist.gov/itl/ssd/software-quality-group/samate/software-assurance-reference-dataset-sard] The purpose of the Software Assurance Reference Dataset (SARD) is to provide users, researchers, and software security assurance tool developers with a set of known security flaws. This will allow end users to evaluate tools and tool developers to test their methods. You will be redirected to the SARD homepage.

SATE: Static Analysis Tool Exposition SATE

[Redirect to: https://www.nist.gov/itl/ssd/software-quality-group/samate/static-analysis-tool-exposition-sate] SATE is a non-competitive study of static analysis tool effectiveness, aiming at improving tools and increasing public awareness and adoption. Briefly, participating tool makers run their static analyzer on a set of programs, then researchers led by NIST analyze the tool reports. Everyone shares results and experiences at a workshop. The analysis report is made publicly available...

Secure Software Development Framework SSDF

SSDF version 1.1 is published! NIST Special Publication (SP) 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities has been posted as final, along with a Microsoft Excel version of the SSDF 1.1 table. SP 800-218 includes mappings from Executive Order (EO) 14028 Section 4e clauses to the SSDF practices and tasks that help address each clause. Also, see a summary of changes from version 1.1 and plans for the SSDF....

Security Aspects of Electronic Voting

The Help America Vote Act (HAVA) of 2002 was passed by Congress to encourage the upgrade of voting equipment across the United States. HAVA established the Election Assistance Commission (EAC) and the Technical Guidelines Development Committee (TGDC), chaired by the Director of NIST, was well as a Board of Advisors and Standard Board. HAVA calls on NIST to provide technical support to the EAC and TGDC in efforts related to human factors, security, and laboratory accreditation. Researchers in the...

Security Content Automation Protocol SCAP

The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality. This Web site is provided to support continued community involvement. From this site, you will find information about both existing SCAP specifications and emerging specifications relevant to...

Security Content Automation Protocol Validation Program SCAPVP

The SCAP Validation Program is designed to test the ability of products to use the features and functionality available through SCAP and its component standards. Under the SCAP Validation Program, independent laboratories are accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP). Accreditation requirements are defined in NIST Handbook 150, and NIST Handbook 150-17. Independent laboratories conduct the tests contained in the SCAP Validation Program Derived Test...

Security Content Automation Protocol Version 2 (SCAP v2) SCAP v2

Security Content Automation Protocol Version 2 (SCAP v2) is a major update to the SCAP 1.x publications. SCAP v2 covers a broader scope in an attempt to further improve enterprise security through standardization and automation. This project page will be used to provide information on the SCAP v2 effort, as well as updates on ongoing work, and directions on how to get involved. Important Links: SCAPv2 Community - Get involved in the SCAP effort by joining our mailing lists. SCAPv2...

Small Business Cybersecurity Corner

[Redirect to https://www.nist.gov/itl/smallbusinesscyber] The vast majority of smaller businesses rely on information technology to run their businesses and to store, process, and transmit information. Protecting this information from unauthorized disclosure, modification, use, or deletion is essential for those companies and their customers. With limited resources and budgets, these companies need cybersecurity guidance, solutions, and training that is practical, actionable, and enables them...

Software Identification (SWID) Tagging SWID

Software is vital to our economy and way of life as part of the critical infrastructure for the modern world. Too often cost and complexity make it difficult to manage software effectively, leaving the software open for attack. To properly manage software, enterprises need to maintain accurate software inventories of their managed devices in support of higher-level business, information technology, and cybersecurity functions. Accurate software inventories help an enterprise to: Manage...

Stateful Hash-Based Signatures HBS

In Special Publication 800-208, Recommendation for Stateful Hash-Based Signature Schemes NIST approves two schemes for stateful hash-based signatures (HBS) as part of the post-quantum cryptography development effort. The two schemes were developed through the Internet Engineering Task Force: 1) XMSS, specified in Request for Comments (RFC) 8391 in May 2018, and 2) LMS, in RFC 8554 in April 2019. Background HBS schemes were the topic for a session of talks during the first public workshop on...

Systems Security Engineering (SSE) Project SSE

Systems security engineering contributes to a broad-based and holistic security perspective and focus within the systems engineering effort. This ensures that stakeholder protection needs and security concerns associated with the system are properly identified and addressed in all systems engineering tasks throughout the system life cycle. Mission Statement... To provide a basis to formalize a discipline for systems security engineering in terms of its principles, concepts, and activities....

Telework: Working Anytime, Anywhere

Today, many employees telework (also known as “telecommuting,” “work from home,” or “work from anywhere”). Teleworking is the ability of an organization’s employees, contractors, business partners, vendors, and other users to perform work from locations other than the organization’s facilities. Telework has been on the rise for some time, but sharply increased in 2020 because of the COVID-19 pandemic. For many, telework is now the only way to get work done, and the original concept of “telework”...

Testing Laboratories

To become a laboratory for the CST program there are a number of requirements. A lab must become accredited under the CST LAP which is part of NIST’s NVLAP. A lab must sign and enter into a Cooperative Research and Development Agreement (CRADA) with NIST. Click here for an example agreement. A lab must follow the “Principles of Proper Conduct” listed below. A lab must be US based if participating in the NPIVP scope. The following list are the Scopes maintained at NIST: Cryptographic...

United States Government Configuration Baseline USGCB

The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate. The USGCB is a Federal Government-wide initiative that provides guidance to agencies on what should be done to improve and maintain an effective configuration settings focusing primarily on security.

Usable Cybersecurity

The National Institute of Standards and Technology (NIST) Usable Cybersecurity team brings together experts in diverse disciplines to work on projects aimed at understanding and improving the usability of cybersecurity software, hardware, systems, and processes. Our goal is to provide actionable guidance for policymakers, system engineers and security professionals so that they can make better decisions that enhance the usability of cybersecurity in their organizations. Recent Media...

Vulnerability Disclosure Guidance

NIST has been tasked with creating guidelines for reporting, coordinating, publishing, and receiving information about security vulnerabilities, as part of the Internet of Things Cybersecurity Improvement Act of 2020, Public Law 116-207, and in alignment with ISO/IEC 29147 and 30111 whenever practical. The guidelines address: Establishing a federal vulnerability disclosure framework, including the Federal Coordination Body (FCB) and Vulnerability Disclosure Program Offices (VDPOs)...

Information Technology Laboratory

Computer Security Resource Center