Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 Purpose Enhanced security requirements to help protect the confidentiality, integrity, and availability of Controlled Unclassified Information (CUI) associated with critical programs or high value assets from the advanced persistent threat (APT). Scope The enhanced security requirements in NIST SP 800-172 are supplemental and do not impact the basic and derived security requirements contained in NIST SP 800-171, nor the scope of the implementation of the NIST...
Assessing Security Requirements for Controlled Unclassified Information Purpose Assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST SP 800-171. Scope A system security plan describes how the SP 800-171 security requirements are met. The plan describes the system boundary; the environment in which the system operates; how the requirements are implemented; and the relationships with or connections to other systems. The scope of the assessments conducted using the procedures described in SP 800-171A is guided and...
Assessing Enhanced Security Requirements for Controlled Unclassified Information Purpose Assessment procedures and a methodology that can be employed to conduct assessments of the enhanced security requirements in NIST Special Publication 800-172. Scope Assessments conducted using the SP 800-172A procedures are guided and informed by the system security plans for the organizational systems processing, storing, or transmitting CUI. The assessments focus on the overall effectiveness of the security safeguards intended to satisfy the SP 800-172 enhanced security requirements. Download the SP...
Comments received in response to the pre-draft call for comments on the CUI Series. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. Date Received From...
Examples of combinatorial coverage achieved by real-world test suites in various application domains. Application Config t = 2 t = 3 t = 4 t = 5 t = 6 Reference Spacecraft control 132754262 0.940 0.831 0.668 0.536 Maximoff, J. R., Kuhn, D. R., Trela, M. D., & Kacker, R. A method for analyzing system state-space coverage within a t-wise testing framework. In 2010 IEEE ICST. Spacecraft component...
Call for Additional Digital Signature Schemes for the Post-Quantum Cryptography Standardization Process (PDF) NIST announced that the PQC standardization process is continuing with a fourth round, with the following KEMs still under consideration: BIKE, Classic McEliece, HQC, and SIKE. However, there are no remaining digital signature candidates under consideration. As such, NIST is calling for additional digital signature proposals to be considered in the PQC standardization process. NIST is primarily interested in additional general-purpose signature schemes that are not based on...
Authority: This work is being initiated pursuant to NIST’s responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107–347. Call for Additional Digital Signature Schemes for the Post-Quantum Cryptography Standardization Process (PDF) Submission packages must be received by NIST by June 1, 2023. Submission packages received before March 1, 2023, will be reviewed for completeness by NIST; the submitters will be notified of any deficiencies by March 31, 2023, allowing time for deficient...
API Notes Intermediate Values KAT Source Code Files for KATs
Workshops Date Fall 2023 (tentative) Timeline *This is a tentative timeline, provided for information, and subject to change. Date Sep 6, 2022 Call for Additional Digital Signature Schemes June 1, 2023 Deadline for submissions
NIST has set up a pqc-forum@list.nist.gov mailing list. The mailing list will be used to discuss the standardization and adoption of secure, interoperable and efficient post-quantum algorithms. You must be subscribed to send email to the mailing list. Please use the instructions below to subscribe. To join: mailto:pqc-forum+subscribe@list.nist.gov You will receive a response message from jupyter+subconfirm@list.nist.gov. Please click the "Join" link inside that email to confirm your subscription request. To unsubscribe: mailto:pqc-forum+unsubscribe@list.nist.gov Mailing List...
[This page will automatically redirect to the main Post-Quantum Cryptography Standardization page. It does not work in the preview mode, however.]
Go to our PQC Digital Signature Schemes project.
Abstract: The NIST SP 800-90 series supports the generation of high-quality random bits for cryptographic and non-cryptographic use. The security of a random number generator depends on the unpredictability of its outputs, which can be measured in terms of entropy. The NIST SP 800-90 series uses min-entropy to measure...
Abstract: The NIST Special Publication (SP) 800-90 series of documents supports the generation of high-quality random bits for cryptographic and non-cryptographic use. SP 800-90A specifies several deterministic random bit generator (DRBG) mechanisms based on cryptographic algorithms. SP 800-90B provides guida...
Abstract: This project's goal is to provide HDOs with practical solutions for securing an ecosystem that incorporates consumer-owned smart home devices into an HDO-managed telehealth solution. This project will result in a freely available NIST Cybersecurity Practice Guide. While the healthcare landscape b...
Abstract: Managing bias in an AI system is critical to establishing and maintaining trust in its operation. Despite its importance, bias in AI systems remains endemic across many application domains and can lead to harmful impacts regardless of intent. Bias is also context-dependent. To tackle this complex pr...
Abstract: This Recommendation specifies techniques for the derivation of additional keying material from a secret key—either established through a key establishment scheme or shared through some other manner—using pseudorandom functions HMAC, CMAC, and KMAC.
Abstract: This report considers threshold signature schemes interchangeable with respect to the verification mechanism of the Edwards-Curve Digital Signature Algorithm (EdDSA). Historically, EdDSA is known as a variant of Schnorr signatures, which are well-studied and suitable for efficient thresholdization,...
Abstract: A zero trust architecture (ZTA) focuses on protecting data and resources. It enables secure authorized access to enterprise resources that are distributed across on-premises and multiple cloud environments, while enabling a hybrid workforce and partners to access resources from anywhere, at any time...
Abstract: Access to multiple cloud services, the geographic spread of enterprise IT resources (including multiple data centers), and the emergence of microservices-based applications (as opposed to monolithic ones) have significantly altered the enterprise network landscape. This document is meant to provide...
Abstract: DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing the...
Abstract: The HIPAA Security Rule focuses on safeguarding electronic protected health information (ePHI) held or maintained by regulated entities. The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible us...
Abstract: All enterprises should ensure that information and communications technology (ICT) risk receives appropriate attention within their enterprise risk management (ERM) programs. This document is intended to help individual organizations within an enterprise improve their ICT risk management (ICTRM). Th...
Abstract: The increasing frequency, creativity, and severity of technology attacks mean that all enterprises should ensure that information and communication technology (ICT) risk is receiving appropriate attention within their enterprise risk management (ERM) programs. Specific types of ICT risk include, bu...