NEW: Combinatorial Coverage Difference Measurement for assurance of autonomous systems and other critical software. Combinatorial coverage is a way of finding the rare cases that may lead to security vulnerabilities or system failures, with application to both testing and assured autonomy. Achieving sound testing or assured autonomy in any environment requires methods for measuring the input space, to show that the test environment adequately covers real-world conditions that may be encountered. NIST is developing new combinatorial measurement methods and tools for input space coverage,...
Validation Number: 144
Vendor: Joval Continuous Monitoring
Product Name: Joval SCAP 1.3 Module
Product Major Version: 6
Product Version Tested: 6.3.5
Tested Platforms: Microsoft Windows 7, SP1, 32-bit; Microsoft Windows 7, SP1, 64-bit; Microsoft Windows Vista, SP2; Microsoft Windows 8.1 SP0 32-bit; Microsoft Windows 8.1 SP0 64-bit; Microsoft Windows 10 SP0 32-bit; Microsoft Windows 10 SP0 64-bit; Microsoft Windows Server 2012 R2 SP0 64-bit; Red Hat Enterprise Linux 6 32-bit; Red Hat Enterprise...
The Federal C-SCRM Forum fosters collaboration and the exchange of cybersecurity supply chain risk management (C-SCRM) information among federal organizations to improve the security of federal supply chains. Through periodic meetings and informal exchanges, the Forum offers all agencies that depend upon or guide C-SCRM an opportunity to discuss issues of interest with – and to inform – many of those leading C-SCRM efforts in the federal ecosystem, including the Office of Management and Budget (OMB), the Department of Defense (DOD), the Cybersecurity and Infrastructure Security Agency (CISA),...
Participation in the Forum, including events and online exchanges, is open to federal C-SCRM program managers or other federal personnel who have a dedicated and recurring responsibility for performing one or more C-SCRM functions. Federal contractors who provide direct C-SCRM programmatic support may also participate upon request by their federal sponsor and approval by the Forum co-hosts. The Forum may establish working groups or study groups and welcomes all suggestions to the co-hosts. NIST is hosting the Forum as part of its mandate under the SECURE Technology Act and the Federal...
Application in distributed systems
J.F. DeFranco, D.F. Ferraiolo, D. R. Kuhn, and J.D. Roberts, "A Trusted Federated System to Share Granular Data Among Disparate Database Resources", IEEE Computer, Mar. 2021.
D.F. Ferraiolo, J.F. DeFranco, D. R. Kuhn, and J.D. Roberts, "A New Approach to Data Sharing and Distributed Ledger Technology: A Clinical Trial Use Case", IEEE Network, Jan. 2021.
Foundations and background
Kuhn, R., Yaga, D., & Voas, J. (2019). Rethinking Distributed Ledger Technology. Computer, 52(2), 68-72.
Stavrou, A., & Voas, J. (2017). Verified Time. Computer, 50(3),...
Rethinking Distributed Ledger Technology and Using it for Access Control, IEEE 5G World Forum, 2020
Aggregating Atomic Clocks for Time-Stamps (for Internet of Things (IoT), Blockchain, and Beyond), Naval Postgraduate School, 2020
Rethinking Distributed Ledger Technology, IEEE Morocco Blockchain Summit, 2019
Verified Timestamping, NIST Student Undergraduate Research Fellowship presentation, 2019
https://github.com/usnistgov/blockmatrix - implementations in Java and in Go
https://github.com/PM-Master/blockmatrix - Java API to manage users and attributes using a blockmatrix.
https://github.com/PM-Master/NDAC - implementation as a component of Next Gen Database Access Control (NDAC)
The preliminary draft "Toward a PEC use-case suite (Draft)" remains open to public comments. Abstract: This document motivates the development of a privacy-enhancing cryptography (PEC) use-case suite. This would constitute a set of proofs of concepts, showcasing the use of cryptographic tools for enabling privacy in various applications. This is not a proposal, but rather a sketch idea to motivate initial public feedback, which can be useful to determine a potential process towards a PEC use-case suite. Keywords: cryptography, privacy; privacy-enhancing cryptography (PEC); reference...
View the protocol, report issues and more on GitHub: https://github.com/usnistgov/esv-server. Entropy Source Validation is in the works as a new scope under the CMVP provisioned by NIST Handbook 150-17. 17ESV will allow third-party labs to submit SP800-90B compliance reports for review and perform a set of automated tests on data collected from the entropy source. The Demo server is available after 1/28/21. The Prod server will be available when the 17ESV scope is finalized and available.
Focusing on federal agencies, but also engaging with and providing resources useful to government at other levels as well as the private sector, NIST's Guidance on Software Supply Chain Security, issued under Executive Order 14028 Sections 4(c) and (d), focuses on the critical sub-discipline of Cybersecurity Supply Chain Risk Management (C-SCRM) from the lens of federal acquirers. It covers both existing and evolving standards, tools, and recommended practices. The guidance is co-located with related EO guidance under NIST’s purview and will be maintained online to more easily update guidance on...
Combinatorial Testing Quick Start – two short readings make it easy to learn the basics:
Understanding how it works: Read sections 2, 3, and 4 (pp. 4 to 18) of Practical Combinatorial Testing. Two example testing use cases are included, illustrating how to apply the combinatorial approach.
Using the tool: See the ACTS User Guide, which explains how to use the ACTS tool. The user guide contains illustrations and screen shots showing how to use the tool for practical testing.
Now try it on your own testing project!
The NIST Cybersecurity & Privacy Professionals Forum is co-chaired by representatives of NIST's Information Technology Laboratory, Computer Security Division (CSD) and Applied Cybersecurity Division (ACD). The Forum Secretariat provides the necessary administrative and logistical support for operations. The Forum serves as an important mechanism for NIST to: exchange information directly with cybersecurity and privacy professionals in U.S. federal, state, and local government, and higher education organizations in fulfillment of its leadership mandate under the Federal Information...
Please use the Google Form below to submit a Speaker/Topic suggestion. Speaker and topic suggestions for future Forum meetings can also be sent by email to sec-forum@nist.gov. Speaker and Topic submissions will be used by the NIST Forum Team and not shared outside of NIST.
Process from Vendor to Validation
The figure below illustrates the interactions that happen between the Vendor, the CST Lab, and the CMVP. The MIP list indicates one of five steps in the process for each validation. Each step is addressed in the figure and the legend below. For more information, please refer to Section 4 of the Management Manual. The steps for the cryptographic module validation life cycle include:
Step 1 - IUT. The vendor submits the cryptographic module for testing to an accredited CST laboratory under a contractual agreement. Cryptographic module validation testing is performed...
The SSDF uses these established secure development practice documents as references. Note that these references were current at the time SSDF version 1.1 was published, and may no longer be current.
NIST Publications
General
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1
National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (SP 800-181)
Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5)
Software Development
Cybersecurity Supply Chain Risk Management Practices for Systems and...
References
ISO/IEC 29147: International Organization for Standardization/International Electrotechnical Commission (2018) ISO/IEC 29147:2018 – Information technology – Security techniques – Vulnerability disclosure (ISO, Geneva, Switzerland). Available at https://www.iso.org/standard/72311.html
ISO/IEC 30111: International Organization for Standardization/International Electrotechnical Commission (2019) ISO/IEC 30111:2019 – Information technology – Security techniques – Vulnerability handling processes (ISO, Geneva, Switzerland). Available at https://www.iso.org/standard/69725.html
ISO/IEC...
The NIST Risk Management Framework Team conducts the research and develops the suite of key cybersecurity risk management standards and guidelines, as required by Congressional legislation, to support implementation of the Federal Information Security Modernization Act (FISMA) and to help organizations better understand and manage cybersecurity risk for their systems and organizations. We collaborate with the Cyber Supply Chain Risk Management Team in the NIST Computer Security Division and the Privacy Engineering Team in the NIST Applied Cybersecurity Division to develop the suite of...
At A Glance
Purpose: Implement the controls in the security and privacy plans for the system and organization.
Outcomes:
controls specified in security and privacy plans implemented
security and privacy plans updated to reflect controls as implemented
Resources for Implementers
RMF Quick Start Guide (QSG): Implement Step FAQs
Security Configuration Settings
Multiple Supporting NIST Publications include templates. Examples include: SP 800-88, Guidelines for Media Sanitization; SP 800-34 Revision 1, Contingency Planning Guide for Federal Information...
At A Glance
Purpose: Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.
Outcomes:
assessor/assessment team selected
security and privacy assessment plans developed
assessment plans are reviewed and approved
control assessments conducted in accordance with assessment plans
security and privacy assessment reports developed
remediation actions to address deficiencies in controls are taken
security and privacy plans are...
At A Glance
Purpose: Provide accountability by requiring a senior official to determine if the security and privacy risk, based on the operation of a system or the use of common controls, is acceptable.
Outcomes:
authorization package (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)
risk determination rendered
risk responses provided
authorization for the system or common controls is approved or denied
Resources for Implementers
RMF Quick Start Guide (QSG): Authorize Step FAQs
Supporting NIST...
Overlay Name: Closed Isolated Network Overlay
Publication Date: October 2020
Technology or System: Closed Isolated Network Overlay
Author: US Army Europe
Comments: A Closed Isolated Network is defined as a data communications enclave that operates in a single security domain, implements a security policy administered by a single authority, does not connect to any other network, and has a single, common, continuous security perimeter.
Overlay Point of Contact: Michael Naya
Overview
Disclaimer Statement
The National...
Welcome to the NIST SP 800-53 Public Comment Website
The NIST SP 800-53 Public Comment Site was developed to ensure that the SP 800-53 control catalog provides the most comprehensive and up-to-date set of controls/countermeasures to manage security, privacy, and supply chain risk. By modernizing the NIST comment process and moving to an online dataset instead of following a document-based update process, NIST can provide its stakeholders the most up-to-date controls in multiple data formats to manage risk while encouraging use of automation. Stakeholders can provide feedback on...
The NIST SP 800-53 Controls Public Comment Site was developed to ensure that the SP 800-53 control catalog provides the most comprehensive and up-to-date set of controls/countermeasures to manage security, privacy, and supply chain risk. By modernizing the NIST comment process and moving to an online dataset instead of following a document-based update process, NIST can provide its stakeholders the most up-to-date controls in multiple data formats to manage risk while encouraging use of automation. Stakeholders can provide feedback on controls by: submitting a "proposal" for a new...
General Questions and Background
What is the purpose of the SP 800-53 Public Comment Website?
NIST believes that robust, widely understood, and participatory development processes produce the strongest, most effective, most trusted, and broadly accepted standards and guidelines. The following principles guide NIST's standards and guidelines development:
Transparency: All interested and affected parties have access to essential information regarding standards and guidelines-related activities throughout the development process.
Openness: Participation is open to all interested...
Each topic area below includes a step-by-step guide demonstrating how to:
Navigate to the SP 800-53 Public Comment Site
Users can reach the SP 800-53 Public Comment Site directly, or by browsing from the NIST Risk Management Framework (RMF) project page.
Option 1: Access by Direct Link
Access the SP 800-53 Public Comment Site directly: https://csrc.nist.rip/Projects/risk-management/sp800-53-controls/public-comments. Figure 1 below shows the SP 800-53 Public Comments: Submit and View Site.
Option 2: Browse from NIST RMF Project Page
There are two ways to access the SP 800-53...