Showing 851 through 875 of 13539 matching records.
Project Pages https://csrc.nist.rip/projects/automated-combinatorial-testing-for-software/combinatorial-methods-in-testing

Why do Combinatorial Testing? Coverage Measurement Event Sequence Testing Automated Testing Formal Methods Case Studies

Project Pages https://csrc.nist.rip/projects/automated-combinatorial-testing-for-software/autonomous-systems-assurance

Autonomous systems must function correctly in an enormous range of environments.  For example, self-driving cars must deal with lighting, rain, fog, pedestrians, animals, other vehicles, road markings, signs, etc.  How do we ensure that autonomous systems are safe in such complex and rapidly changing environments, when conventional test coverage and formal verification methods cannot be applied?   Achieving assured autonomy in any environment requires methods for measuring the input space, to show that the test environment adequately covers real-world conditions that may be encountered....

Project Pages https://csrc.nist.rip/projects/measurements-for-information-security/research

These are current NIST research to identify meaningful metrics and measures in context to understand the effectiveness and resource needs of different cybersecurity technical measures.   Measuring Security Risk in Enterprise Networks Methodology to measure the overall system risk by combining the attack graph structure with the Common Vulnerability Scoring System (CVSS).   Cyber Risk Analytics Research and prototype methods and tools to enable predictive risk analytics and identify cyber risk trends.    

Project Pages https://csrc.nist.rip/projects/measurements-for-information-security/standards-guidelines

These are standard publications and guidelines that provide perspectives and frameworks to inform, measure, and manage cybersecurity vulnerabilities and exposures.   SP 800-55 Rev. 1 Performance Measurement Guide for Information Security This document provides guidance on how an organization, using metrics, identifies the adequacy of in-place security controls, policies, and procedures.  NIST is planning to update this Special Publication.   SP 800-30 Rev.1 Guide for Conducting Risk Assessment This guide provides a...

Project Pages https://csrc.nist.rip/projects/measurements-for-information-security/tools

These are tools and utilities to assess the level of security risks and provide a mechanism to enhance automation for the cybersecurity information exchange.   Baldrige Cybersecurity Excellence Builder (BCEB) A self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts and identify improvement opportunities in the context of their overall organizational performance.   Common Vulnerability Scoring System (CVSS) An open framework for communicating the characteristics and severity of software vulnerabilities. CVSS is well...

Project Pages https://csrc.nist.rip/projects/measurements-for-information-security/reference-sources

These are reference sources for frameworks, algorithms validation, software assurance, testing, and other measurements related to information security.   Automated Combinatorial Testing for Software Combinatorial or t-way testing is a proven method for more effective software testing at lower cost.  The research toolkit can make sure that there are no simultaneous input combinations that might inadvertently cause a dangerous error.   Cryptographic Algorithm Validation Program (CAVP)  The NIST Cryptographic Algorithm Validation Program provides validation testing of Approved (i.e.,...

Project Pages https://csrc.nist.rip/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions

Official comments on the Third Round Candidate Algorithms should be submitted using the "Submit Comment" link for the appropriate algorithm. Comments from the pqc-forum Google group subscribers will also be forwarded to the pqc-forum Google group list. We will periodically post and update the comments received to the appropriate algorithm. All relevant comments will be posted in their entirety and should not include PII information in the body of the email message. Please refrain from using OFFICIAL COMMENT to ask administrative questions, which should be sent to pqc-comments@nist.gov...

Project Pages https://csrc.nist.rip/projects/cryptographic-module-validation-program/cvp-certification-exam-information

Information about the CVP exam can be found here: https://home.pearsonvue.com/nist-cmvp The CVP exam will be unavailable after June 30, 2022. Testing is expected to resume in 2023. Candidates (FIPS 140 testers) from one of the Cryptographic and Security Testing labs (https://www-s.nist.gov/niws/index.cfm?event=directory.results select under the pull down for Program: ITST: Cryptographic and Security Testing and click on search) should have the lab’s CVP certification exam POC send email to NIST CMVP (cmvp@nist.gov) the following spreadsheet (Please remove all example data and replace with...

Project Pages https://csrc.nist.rip/projects/telework-working-anytime-anywhere/resources

NIST's telework cybersecurity and privacy resources are listed in the tables below, with common topics that organizations or teleworkers might need, with relevant resources for each ("SP" is a NIST Special Publication). Work is currently underway to improve these resources. Suggestions for enhancements are welcome, as are ideas for other topics related to telework cybersecurity and privacy where additional resources would be helpful. Please send your feedback and input to us at telework@nist.gov. Organization Resources What does my organization need for telework security and...

Project Pages https://csrc.nist.rip/projects/olir/validation-tool

Download: IR8278A Validation Tool (Download 17.2 MB) Latest Version: 4.9.5 Released: July 12, 2022 SHA3-256:  b13dd220de73ace63f73d9cca2fff441cae8bd00305b18f6b3c3d3c54aba0d94 The National Cybersecurity Online Informative References (OLIR) Validation Tool ensures syntactic compliance of the Focal Document templates to the instructions and definitions described within the NIST Interagency Report (IR) 8278A, National Cybersecurity Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers. Focal Document JSON Schema Focal Documents Schema (.json)This JSON schema...

Project Pages https://csrc.nist.rip/projects/olir/olir-submissions

If you would like to participate in the Online Informative Reference (OLIR) Program please consult the NISTIR 8278A, National Cybersecurity Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers document and become familiar with the requirements and all procedures involved during the life cycle. Developers of Informative References considering a submission are welcome to contact NIST with questions before completing the entire Informative Reference submission package. Questions and draft Informative Reference documents may be directed to olir@nist.gov. Submitting...

Project Pages https://csrc.nist.rip/projects/cryptographic-module-validation-program/140-3-resources

This page contains resources referenced in the FIPS 140-3 Management Manual Equivalency Regression Test Table It is possible, under certain conditions, for a vendor to list multiple hardware modules under the same certificate.   Some of the conditions are defined by the equivalency categories based on the technologies types and difference between the modules within the equivalency categories.  For more information regarding equivalency categories and testing level scenarios/categories and usage of the equivalency regression test table presented below, refer to the Management Manual...

Project Pages https://csrc.nist.rip/projects/cryptographic-module-validation-program/fips-140-3-standards

Top Level  Special Publications Process Flow Abstracts   Documentation and Governance for the FIPS 140-3 Cryptographic Module Validation Program Federal Information Processing Standards Publication (FIPS) 140-3 became effective September 22, 2019, permitting CMVP to begin accepting validation submissions under the new scheme beginning September 2020. The FIPS 140-3 standard introduces some significant changes in the management over the previous standard. Rather than encompassing the module requirements directly, FIPS 140-3...

Project Pages https://csrc.nist.rip/projects/cryptographic-module-validation-program/fips-140-2

FIPS 140-2 (ending Sept-22-2021) Security Requirements for Cryptographic Modules NVLAP accredited Cryptographic and Security Testing (CST) Laboratories perform conformance testing of cryptographic modules. Cryptographic modules are tested against requirements found in FIPS 140-2, Security Requirements for Cryptographic Modules [ PDF ]. Security requirements cover 11 areas related to the design and implementation of a cryptographic module. For each area, a cryptographic module receives a security level rating (1-4, from lowest to highest) depending on what requirements are met. An overall...

Project Pages https://csrc.nist.rip/projects/cryptographic-module-validation-program/cmvp-fips-140-3-management-manual

NEW! Draft FIPS 140-3 CMVP Management Manual (updated 07-13-2022) A new draft FIPS 140-3 CMVP Management Manual has been released for comment. This is a major revision, including incorporating implementation guidance addressing issues that were formally found in FIPS 140-2 IG section G.x. Please send any comments using the Comments Template to CMVPcomments@list.nist.gov. Comments for the FIPS 140-3 CMVP Management Manual are due August 10, 2022.    The purpose of the CMVP Management Manual is to provide effective lab management and coordination  with the management of the CMVP. The CMVP...

Project Pages https://csrc.nist.rip/projects/cryptographic-module-validation-program/fips-140-3-ig-announcements

FIPS 140-3 IG - Latest version   [05-16-2022] New Guidance:   D.Q Transition of the TLS 1.2 KDF to Support the Extended Master Secret D.R Hash Functions Acceptable for Use in the SP 800-90A DRBGs Updated Guidance:     3.4.A Trusted Channel – Removed Additional Comment #2 as this is appropriate for FIPS 140-2, but does not align with requirements of ISO/IEC 19790:2012 Section 7.9.5 and IG 9.5.A. 9.5.A SSP Establishment and SSP Entry and Output – Added parenthesis in Resolution to highlight the fact that there are differences in requirements between CSPs...

Project Pages https://csrc.nist.rip/projects/cryptographic-module-validation-program/programmatic-transitions

Algorithm Related Transitions Algorithm Testing and CMVP Submission Dates Algorithm/Scheme Standard Relevant IG(s)[1] ACVTS Prod Date[2] Submission Date[3] AES-CBC-CS Addendum to SP 800-38A FIPS 140-2: A.12 Prior to June 30, 2020 September 1, 2020 AES FF1 SP 800-38G FIPS 140-2: A.10 Prior to June 30, 2020 September 1, 2020 cSHAKE, TupleHash, ParallelHash, KMAC SP 800-185...

Project Pages https://csrc.nist.rip/projects/cryptographic-module-validation-program/nist-cost-recovery-fees

2022 Fees [Updated 12-6-2021] Cost recovery fees are collected for NIST CMVP report review of new module submissions, modified module submissions, and for report reviews that require additional time due to complexity or quality. These fees are referred to as Cost Recovery (CR) and Extended Cost Recovery (ECR). Modules are not validated unless all applicable fees have been collected by NIST Billing. Please see the CMVP FIPS 140-2 Management Manual or CMVP FIPS 140-3 Management Manual for further information. For FIPS 140-2 Currently the CR fee is applicable for IG G.8 Scenarios 1A,...

Project Pages https://csrc.nist.rip/projects/olir/focal-document-templates

The below table provides all National Online Informative Reference (OLIR) Program Focal Documents in multiple downloadable formats (.XLSX, JSON, & .CSV). If you would like to participate in the OLIR Program please consult NISTIR 8278A, National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers and become familiar with the requirements procedures. Developers of Informative References considering a submission are welcome to contact NIST with questions before completing the entire Informative Reference submission package. Questions and draft Informative...

Project Pages https://csrc.nist.rip/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions/round-3-seminars

The NIST PQC team will host talks -- open to the public -- relating to the 3rd Round of the NIST PQC standardization process. Date Speaker Title Media March 26, 2021 11:00am - 12:00pm* Prasanna Ravi  Temasek Labs, Nanyang Technological University Sujoy Sinha Roy Graz University of Technology Side-Channel Analysis of Lattice-based PQC Candidates Presentation Video February 23, 2021 11:00am - 12:00pm David Jao University of Waterloo Implementation of isogeny-based cryptography Presentation Video...

Project Pages https://csrc.nist.rip/projects/devsecops/resources

NIST will leverage existing guidance, practices, and recommendations that may be applicable to DevSecOps. They have been and are being developed by NIST and other US government (USG) agencies, standards development organizations (SDOs), industry, and academia. NIST will also develop mappings to existing informative references to ensure the relationships among frameworks, guidance, practices, and recommendations are clear. NIST held a virtual workshop in January 2021 on improving the security of DevOps practices; you can access the workshop recording and materials here. Potential work that...

Project Pages https://csrc.nist.rip/projects/automated-combinatorial-testing-for-software/combinatorial-coverage-measurement/case-studies

Combinatorial coverage measures are used in industry for high assurance software used in critical applications.  Industry examples include the following: Kuhn, D. R., Raunak, M. S., & Kacker, R. N. (2021). Combinatorial Frequency Differencing. NIST Cybersecurity Whitepaper. - Describes measures of the frequency of combination coverage and difference between Class and Non-class elements in machine learning classification problems.  Illustrates application of these methods for identifying weaknesses in physical unclonable function implementations.  Kuhn, D. R., Raunak, M. S., & Kacker, R. N....

Project Pages https://csrc.nist.rip/projects/automated-combinatorial-testing-for-software/combinatorial-coverage-measurement

NEW:  Combinatorial Coverage Difference Measurement for assurance of autonomous systems and other critical software.  Combinatorial coverage is a way of finding the rare cases that may lead to security vulnerabilities or system failures, with application to both testing and assured autonomy. Achieving sound testing or assured autonomy in any environment requires methods for measuring the input space, to show that the test environment adequately covers real-world conditions that may be encountered.  NIST is developing new combinatorial measurement methods and tools for input space coverage,...
