NIST has collaborated with the ZKProof initiative since 2019, as a way of supporting the development of open reference material on zero-knowledge proofs. This page lists some outputs of this interaction: 2022-July: ZkpComRef 0.3 — ZKProof Community Reference draft 0.3 NIST-PEC documentation on ZKProof: 2019-April-06: NIST comments on the initial ZKProof documentation 2019-Oct-10: NIST-PEC contributions to advance the draft ZKProof Community Reference from version 0.1 to 0.2 contributions 2020-April-17: NIST-PEC comments on the ZkpComRef 0.2 Past talks with PEC members:...
A block cipher mode, or mode, for short, is an algorithm that features the use of a symmetric key block cipher algorithm to provide an information service, such as confidentiality or authentication. Currently, NIST has approved fourteen modes of the approved block ciphers in a series of special publications. As summarized on the Current Modes page, there are eight confidentiality modes (ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, and FF3), one authentication mode (CMAC), and five combined modes for confidentiality and authentication (CCM, GCM, KW, KWP, and TKW). Several other modes have been...
August 5, 2015 SHA-1: Federal agencies should stop using SHA-1 for generating digital signatures, generating time stamps and for other applications that require collision resistance. Federal agencies may use SHA-1 for the following applications: verifying old digital signatures and time stamps, generating and verifying hash-based message authentication codes (HMACs), key derivation functions (KDFs), and random bit/number generation. Further guidance on the use of SHA-1 is provided in SP 800-131A. SHA-2 (i.e., SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256): Federal agencies...
A cryptographic hash algorithm (alternatively, hash "function") is designed to provide a random mapping from a string of binary data to a fixed-size “message digest” and achieve certain security properties. Hash algorithms can be used for digital signatures, message authentication codes, key derivation functions, pseudo random functions, and many other security applications. The Federal Information Processing Standard (FIPS 180-4), Secure Hash Standard, specifies seven cryptographic hash algorithms for Federal use, and is widely adopted by the information technology industry as well. In...
The following publications provide general key management guidance: Recommendation for Key Management SP 800-57 Part 1 Revision 5 - General This Recommendation provides cryptographic key-management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material, including definitions of the security services that may be provided when using cryptography and the algorithms and key types that may be employed, specifications of the protection that each type of key and other cryptographic information requires and...
The following publications specify methods for establishing cryptographic keys. Symmetric Block Ciphers SP 800-71, Key Establishment Using Symmetric Block Ciphers (DRAFT) July 2, 2018: NIST requests public comments on NIST SP 800-71. Most current key management systems are based on public key cryptography. However, with the emergence of quantum computing technology—which can break many public key algorithms currently in use—symmetric key cryptography may offer alternatives for key establishment. Symmetric key cryptography is more computationally efficient than public key...
Cryptographic Key Management (CKM) is a fundamental part of cryptographic technology and is considered one of the most difficult aspects associated with its use. Of particular concern are the scalability of the methods used to distribute keys and the usability of these methods. NIST has undertaken an effort to improve the overall key management strategies used by the public and private sectors in order to enhance the usability of cryptographic technology, provide scalability across cryptographic technologies, and support a global cryptographic key management infrastructure. CKMS Publications...
At the beginning of each fiscal year (FY), NIST CMVP prepares a budget justification for the NIST Cost Recovery fees for the following fiscal year. The NIST Budget office reviews the information and is the approver for the final NIST Cost Recovery fees for the following fiscal year. FY17: begins October 1, 2016; ends September 30, 2017. FY18: begins October 1, 2017; ends September 30, 2018. The NIST Cost Recovery fees for FY17 and FY18 are (see Implementation Guidance (IG) G.8 for an explanation of the different scenarios): FY17 FY18 CR...
The following table summarizes the first several years of FIPS 140-3 development. Date Activity 2/12/2005 Federal Register Notice: Announcing Development of Federal Information Processing Standard (FIPS) 140-3, a Revision of FIPS 140-2, Security Requirements for Cryptographic Modules. 2/28/2005 Public comment period ended for new and revised requirements for FIPS 140-3. 9/26/2005-9/29/2005 Physical Security Testing Workshop 3/31/2007 NIST completed preparing the first public draft of FIPS 140-3 and began the NIST /...
A whole bunch of text Apple macOS Security Configuration
NIST has set up a hpc-security@nist.gov mail listserve. The listserve will be used to discuss the standardization and adoption of secure, interoperable and efficient High Performance Computing Security working draft & other items related to this project. You must be subscribed to send email to the listserve. For those outside of NIST, please use the instructions below to subscribe. To join: hpc-security-request@nist.gov You will receive a response message from hpc-security-request@nist.gov . Please reply to that message to confirm your subscription request. To unsubscribe:...
We are working on a new draft that will become available soon. Please check back. Old draft: Microsoft Word PDF
Security Content Automation Protocol (SCAP) Version 1.3 Validation Program Test Requirements (NIST IR 7511 rev. 5) released April 2018 includes updates pertaining to platforms, component specification test requirements, and introduces module validation as well as the SCAP Inside labeling program. Please see the Summary of Changes table for a complete list of changes between NISTIR 7511 Revision 4 and NISTIR 7511 Revision 5. SCAP Capabilities Authenticated Configuration Scanner The capability to audit and assess a target system to determine its compliance with a defined set of configuration...
Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements (NIST IR 7511 Rev. 4) released January 2016 includes updates pertaining to platforms, component specification test requirements, and introduces module validation as well as the SCAP Inside labeling program. Please see the Summary of Changes table for a complete list of changes between NISTIR 7511 Revision 3 and NISTIR 7511 Revision 4. SCAP Capabilities Authenticated Configuration Scanner The capability to audit and assess a target system to determine its compliance with a defined set of...
Security Content Automation Protocol Validated Products and Modules This webpage contains a list of products and modules that have been validated by NIST as conforming to the Security Content Automation Protocol (SCAP) and its component standards. SCAP validated products and modules have completed formal testing at an NVLAP accredited laboratory and meet all requirements as defined in NIST IR 7511. A module is defined as a software component that may be embedded in another product. If an SCAP module is a component of another product, contact the module vendor to identify products that...
SCAP 1.3 Documents SCAP Version 1.3 Validation Program Derived Test Requirements Revision: 5 Status: Final Specification: Security Content Automation Protocol (SCAP) Version 1.3 Validation Program Test Requirements SCAP: Security Content Automation Protocol Version: 1.3 Status: Final Specification: The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3 SCAP: Annex to NIST Special Publication 800-126 Revision 3 Version: 1.3 Status: Final Specification: SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126...
Laboratories Accredited to do SCAP Testing The labs listed below have been accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP) to perform SCAP validation testing. AEGISOLVE, Inc. Atsec Information Security Corporation COACT, Inc. Labs Leidos Accredited Testing & Evaluation (AT&E) Lab To locate more information about a specific Laboratory: Navigate to the NVLAP Search page by going to https://www-s.nist.gov/niws/index.cfm?event=directory.search From the Program dropdown box select ITST: "Cryptographic and Security Testing" Click in the Area of...
Completed Specifications and Guidelines The SWID Tag format, defined by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standard ISO/IEC 19770-2, is a structured metadata format for describing a software product. NIST recommends use of the latest version of this standard, ISO/IEC 19770-2:2015. A SWID Tag document is composed of a structured set of data elements that identify the software product, characterize the product's version, identify the organizations and individuals that had a role in the production and distribution of...
The following is an excerpt from NIST Internal Report (NISTIR) 8060: Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. The SWID specification defines four types of SWID tags: primary, patch, corpus, and supplemental. Primary Tag: A SWID Tag that identifies and describes a software product installed on a computing device. Patch Tag: A SWID Tag that identifies and describes an installed patch which has made incremental changes to a software product installed on a computing device. Corpus Tag: A SWID Tag that identifies and describes an installable...
While SWID Tags demonstrate a possible standards-based way of tracking the state of installed software products, their fitness to support patch management processes depends on the availability and accuracy of deployed tags. Unfortunately, today most vendors never update a tag after it is installed on the endpoint. As a result, these tags fall out of date as soon as that product is updated. Once this happens, these tags are no longer usable for patch or update management as the state of the associated software product will differ from that reported by the tag. To address this issue, vendors...
Additional resources are available for the following SWID Tag specification revisions: ISO/IEC 19770-2:2015 Revision ISO/IEC 19770-2:2015 Resources SWID Tag Validation Tool NIST has developed a SWID Tag validation tool that can be used to verify that a produced SWID has properly implemented the requirements defined in NISTIR 8060. This tool can validate different types of SWID Tags that are used in different stages of the software lifecycle: SWID Tags that pass this validation tool provide support for license management as well as multiple cybersecurity use cases including:...
This page holds links to download old presentations and recordings of SCAPv2 meetings. SCAPv2 April Developer Days Face to Face (Download Presentation Archive Here)
SCAP Discussion List (View and Subscribe) The SCAP team at NIST maintains a moderated discussion list that users can post to, regarding the Security Content Automation Protocol (SCAP). This is the primary discussion list for on-going development of SCAP v2. This list is moderate in volume. SCAPv2 Subgroup Lists There are a number of existing SCAPv2 community subgroups that are working on more specific areas of work: SCAPv2 Content Metadata and Repositories (View and Subscribe) SCAPv2 Applicability Language (View and Subscribe) SCAPv2 OVAL and Checking Languages (View and...
This page holds links to compiled minutes from SCAPv2 teleconferences. 2019 4-30-2019 SCAP v2 Developer Days Face-To-Face 3-20-2019 Teleconference Minutes 2-27-2019 Teleconference Minutes 2-06-2019 Teleconference Minutes 2018 12-13-2018 Teleconference Minutes 12-11-2018 Teleconference Minutes 12-06-2018 Teleconferences Minutes 12-04-2018 Teleconference Minutes
Comments Received on Draft SP 800-171B Below are comments received on Draft Special Publication 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations – Enhanced Security Requirements for Critical Programs and High Value Assets. The public comment period closed on August 2, 2019. Please note that comments on the Public Cost Analysis are submitted and posted to www.regulations.gov/docket?D=DOD-2019-OS-0072 (Regulations.gov docket no. DOD-2019-OS-0072). All comments submitted during the public comment period for Draft NIST SP 800-171B will be posted...