Search CSRC

Fireside Chat: Complexity is the new Cyber Adversary The cascading risk that made Lehman Brothers infamous for accelerating the global financial crisis or the Northeast Power Outage that disabled parts of US and Canada in 2003 exemplify how counterparty risk could turn a single breach into a disastrous systemic failure. Cyber risks face similar consequences. They are not enabled simply by individual cyber vulnerabilities, but by the Complex Systems-of-Systems they inhabit. Composed of legacy and new HW, SW and IoT elements connected by myriad channels, haphazardly integrated over many years,...

Fundamental background papers: Empirical justification for combinatorial testing:  D.R. Kuhn, D.R. Wallace, A.M. Gallo, Jr., Software Fault Interactions and Implications for Software Testing, IEEE Transactions on Software Engineering, vol. 30, no. 6, June 2004, pp. 418-421.Abstract; DOI: 10.1109/TSE.2004.24  Preprint.  Comment: Investigates interaction level required to trigger faults in a large distributed database system. IPOG algorithm used in construction of covering arrays:  Y.Lei, R. Kacker, D.R. Kuhn, V. Okun and J. Lawrence, IPOG: a General Strategy for T-way Software Testing, 14th...

Our conference and journal papers on assured autonomy and explainable AI.  We try to include links to the full papers, but for those not yet linked, please contact us for a copy:  kuhn@nist.gov.  Papers 2022 Freeman, L. Batarseh, F., Kuhn, D. R., Raunak, M. S., & Kacker, R. N.,  The Path to Consensus on Artificial Intelligence Assurance, IEEE Computer (to appear, 2022) Kuhn, D. R., Raunak, M. S., Prado, C., Patil, V, & Kacker, R. N.,  Combination Frequency Differencing for Identifying Design Weaknesses in Physical Unclonable Functions, (submitted for publication) 2021 Chandrasekaran, J.,...

Blockmatrix functions have been integrated with Hyperledger Fabric, making it possible to use Hyperledger in a broader range of applications.  Applications that currently use Hyperledger Fabric will be able to function without change, with blockmatrix components providing distributed ledger functions in a transparent manner.  To support privacy requirements for deleting private user information, data blocks containing PII can be deleted offline, or functions can be added to the application with appropriate access control for administrators or users as determined by the organization.  -...

See full details on our NIICS home page.

Credits: Annie Sokol ANNIE SOKOL IT Specialist NIST ITL/CSD/SSA Ms. Annie Sokol is an IT Specialist in the Information Technology Laboratory's Computer Security Division at the National Institute of Standards and Technology (NIST).  Annie represents NIST in several subcommittees of the International Standards Organization, and she is the editor and co-editor of several ISO/IEC standards.  As a member of the NIST Cloud Computing Program, she chaired NIST Cloud Computing Interoperability and Portability Working Group and NIST Cloud Computing...

MCSPWF subscribers to the MCSPWG (see the Overview page for subscribing to the mailing list) have access to documents uploaded on the PWG’s Google Drive (Public directory) when logged into Google with the subscribed email. MCSPWF subscribers to the MCSPWG (see the Overview page for subscribing to the mailing list) have access to documents uploaded on the PWG’s Google Drive (Public directory) when logged in with the subscribed email. Google Drive's URL is: https://drive.google.com/drive/folders/1c9OV10sAQGFRMplsQALSrKNMtjqKx1CQ?usp=sharing...

I. Introduction NIST scientific or technical Public Working Groups bring together organizations actively engaged in the specific field of interest and consist of subject-matter experts who collaborate to determine best practices and to develop consensus standards. During the past decade, NIST has convened multi-disciplinary cloud computing working groups to take on specific challenges that impact the broad US Government adoption of complex cloud-based solutions that combine services from more than one cloud service provider (CSP). The change in technical operations and control dynamics for...

Title / Topic  Description Executive Order (EO) 14028 On Improving The Nation's Cybersecurity Executive Order 14028, “Improving the Nation’s Cybersecurity” marks a renewed commitment and prioritization of federal cybersecurity modernization and strategy. To keep pace with modern technological advancements and evolving threats, the Federal Government continues to migrate to the cloud. In support of these efforts, the Secretary of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency...

Note: The following is archived information related to NIST SP 800-179. CSD’s macOS security configuration team is working to develop secure system configuration baselines supporting different operational environments for Apple macOS version 10.12, “Sierra.” These configuration guidelines will assist organizations with hardening macOS technologies and provide a basis for unified controls and settings for federal macOS workstation and mobile system security configurations. The configurations are based on a collection of resources, including the existing NIST macOS configuration guidance, the...

PEC tools include a variety of cryptographic primitives, protocols and techniques useful for enabling privacy. This page uses simplified illustrations of "ideal functionalities" to convey a brief intuition about some representative PEC tools. It should be noted that real protocols for these PEC tools use cryptographic techniques in place of the trusted party (\(\mathcal{F}\)) represented in the figures. Zero Knowledge Proof of Knowledge (ZKPoK) A ZKPoK allows a prover to prove knowledge of a secret \(\color{red}w\) (also called witness), without disclosing it to the verifier. The secret is...

The following NIST-authored publications are directly related to this project. NISTIR 8369, Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process (July 21, 2021) NISTIR 8268, Status Report on the First Round of the NIST Lightweight Cryptography Standardization Process (October 7, 2019) Call for Algorithms:  Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process (August 27, 2018) Retired White Paper, Profiles for the Lightweight Cryptography Standardization Process (retired August 27, 2018) NISTIR...

A generic application (app, for short) of beacon randomness is enabling public-verifiability of randomized procedures. For example, when randomly sampling for audits, auditors are prevented from biasing the selections (or being accused of it), and auditees are prevented from knowing the selections in advance (or being accused of it). An interesting randomness/determinism duality: although beacon applications relate to the use of randomness, their public auditability requires a well specified deterministic operation (which then uses as input the needed random values). The remainder of this...

Official comments on the Fourth Round Candidate Algorithms should be submitted using the "Submit Comment" link for the appropriate algorithm. Comments from the pqc-forum Google group subscribers will also be forwarded to the pqc-forum Google group list. We will periodically post and update the comments received to the appropriate algorithm. All relevant comments will be posted in their entirety and should not include PII information in the body of the email message. Please refrain from using OFFICIAL COMMENT to ask administrative questions, which should be sent to pqc-comments@nist.gov...

Official comments on the Selected Algorithms should be submitted using the "Submit Comment" link for the appropriate algorithm. Comments from the  pqc-forum Google group subscribers will also be forwarded to the pqc-forum Google group list. We will periodically post and update the comments received to the appropriate algorithm. All relevant comments will be posted in their entirety and should not include PII information in the body of the email message. Please refrain from using OFFICIAL COMMENT to ask administrative questions, which should be sent to pqc-comments@nist.gov By selecting the...

Why are we doing this? NIST seeks to : Accelerate the adoption of our cybersecurity and privacy standards, guidelines, and frameworks by making it much easier for users of NIST products to identify, locate, compare, and customize content across NIST’s standards, guidelines, and practices. Add value to our existing reference datasets by delivering human- and machine-consumable reference datasets. The CPRT provides a centralized, standardized, and modernized mechanism for managing reference datasets, eventually creating the opportunity to correlate and establish relationships...

XLSX: All CPRT data and queries can be downloaded in XLSX format. This is the common format used by Microsoft Excel. JSON: All CPRT data uses a common format. Therefore, every document, and query, within the CPRT can use the same JSON schema. This schema provides a machine readable view into the CPRT for users to interact with the data in a repeatable and predictable way. The schema is flat, containing only 4 top level elements (documents, elements, relationships, relationship_types). This structure allows users to quickly iterate through the data and build any data structure that suits...

Our initial planning for the CPRT project comprises three phases: Phase 1: Free the Data We are currently in Phase 1, which involves developing the data format and freeing the data from a selection of our guidelines and frameworks with broad impact. This data is typically locked into publications. By moving it into a shared repository using a newly-developed unified data format, we will now be able to offer new ways to interact with and download the data. Phase 1 offers only basic tools for interacting within each reference datasets. Phase 2: Manage the Data Phase 2 in late 2022 will...

In January 2022, the George Mason University Cryptographic Engineering Research Group (CERG) team published three calls to assist in evaluating protected implementations of the finalists: Call for Protected Hardware Implementations, targeting low-cost modern FPGAs Call for Protected Software Implementations, targeting low-cost modern embedded processors Call for Side-Channel Security Evaluation Labs The NIST team encourages submitters and third parties to contribute to this initiative.  Performance benchmarking results are provided in the following pages: Microcontroller...

Date Event July 20-21, 2015  First Lightweight Cryptography Workshop at NIST  August 11, 2016  (Draft) NISTIR 8114 is published.  October 17-18, 2016 Second Lightweight Cryptography Workshop at NIST    October 31, 2016  End of public comment period to Draft NISTIR 8114  Public comments received (August 11 - October 31,2016)  March 28, 2017  NISTIR 8114, Report on Lightweight Cryptography is published.  April 26, 2017 (Draft) Profiles for Lightweight cryptography standardization process is...

Lightweight Cryptography Workshop 2015, July 20 – 21, 2015 Lightweight Cryptography Workshop 2016, October 17 – 18, 2016 Lightweight Cryptography Workshop 2019, November 4 – 6, 2019 Lightweight Cryptography Workshop 2020, October 19 – 21, 2020 Lightweight Cryptography Workshop 2022, May 9 – 11, 2022

Validation Number: 146 Vendor: BMC Product Name: BMC Client Management Product Major Version: 21 Product Version Tested: 21.02.03 Tested Platforms: Microsoft Windows 7 SP1 64-bit Microsoft Windows 8.1 SP0 64-bit Microsoft Windows 10 SP0 64-bit Microsoft Windows Server 2012 R2 SP0 64-bit Red Hat Enterprise Linux 6 64-bit Red Hat Enterprise Linux 7 64-bit SCAP 1.3 Capabilities: Authenticated Configuration Scanner Common Vulnerabilities and Exposures (CVE) Option Validated...

Security Requirements for Protecting CUI Purpose Recommended security requirements for protecting the confidentiality of CUI:      (1) when the CUI is resident in a nonfederal system and organization;      (2) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and      (3) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI...

Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 Purpose Enhanced security requirements to help protect the confidentiality, integrity, and availability of Controlled Unclassified Information (CUI) associated with critical programs or high value assets from the advanced persistent threat (APT). Scope The enhanced security requirements in NIST SP 800-172 are supplemental and do not impact the basic and derived security requirements contained in NIST SP 800-171, nor the scope of the implementation of the NIST...