Abstract: This report summarizes the feedback received on the work of the NIST Cybersecurity for IoT program on device cybersecurity at a virtual workshop conducted April 22, 2021. NIST conducted the “Workshop Addressing Public Comment on NIST Cybersecurity for IoT Guidance” to discuss and gather community in...
Abstract: This project's goal is to provide HDOs with practical solutions for securing an ecosystem that incorporates consumer-owned smart home devices into an HDO-managed telehealth solution. This project will result in a freely available NIST Cybersecurity Practice Guide. While the healthcare landscape b...
Abstract: On-demand access to public safety data is critical to ensuring that public safety and first responder (PSFR) personnel can deliver the proper care and support during an emergency. This necessitates heavy reliance on mobile platforms while in the field, which may be used to access sensitive informati...
Abstract: Non-technical supporting capabilities are actions a manufacturer or third-party organization performs in support of the cybersecurity of an IoT device. This publication defines an Internet of Things (IoT) device manufacturers’ non-technical supporting capability core baseline, which is a set of non-...
Abstract: NIST Special Publication (SP) 800-140F replaces the approved non-invasive attack mitigation test metric requirements of ISO/IEC 19790 Annex F. As a validation authority, the Cryptographic Module Validation Program (CMVP) may supersede this Annex in its entirety. This document supersedes ISO/IEC 1979...
Abstract: The document highlights examples for implementing the Framework for Improving Critical Infrastructure Cybersecurity (known as the Cybersecurity Framework) in a manner that complements the use of other NIST security and privacy risk management standards, guidelines, and practices. These examples incl...
Journal: Journal of Research of the National Institute of Standards and Technology Abstract: Strong cryptographic algorithms are essential for the protection of stored and transmitted data throughout the world. This publication discusses the development of Federal Information Processing Standards Publication (FIPS) 197, which specifies a cryptographic algorithm known as the Advanced Encrypt...
Abstract: Multiplicative complexity is a relevant complexity measure for many advanced cryptographic protocols such as multi-party computation, fully homomorphic encryption, and zero-knowledge proofs, where processing AND gates is more expensive than processing XOR gates. For Boolean functions, multiplicative...
Conference: 30th USENIX Security Symposium Abstract: Smart home technology exposes adopters to increased risk to network security, information privacy, and physical safety. However, users may lack understanding of the privacy and security implications. Additionally, manufacturers often fail to provide transparency and configuration options, and few go...
Abstract: Deployment architecture in cloud-native applications now consists of loosely coupled components, called microservices, with all application services provided through a dedicated infrastructure, called a service mesh, independent of the application code. Two critical security requirements in this arc...
Abstract: This document intends to provide direction and guidance to those organizations – in any sector or community – seeking to improve cybersecurity risk management via utilization of the NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework or the Framework). Cyberse...
Abstract: The NIST National Cybersecurity Center of Excellence (NCCoE) is initiating the development of practices to ease the migration from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to quantum computer-based attacks. These practices will take the form...
Journal: Computer (IEEE Computer) Abstract: A Deep Neural Network (DNN) based system, such as the one used for autonomous vehicle operations, is a “black box” of complex interactions resulting in a classification or prediction. An important question for any such system is how to increase the reliability of, and consequently the trust in, the...
Abstract: The field of cryptography continues to advance at a very rapid pace, leading to new insights that may impact the security properties of cryptographic algorithms. The Crypto Publication Review Board ("the Board") has been established to identify publications to be reviewed. This report subjects the f...
Abstract: As part of a zero trust approach, data-centric security management aims to enhance protection of information (data) regardless of where the data resides or who it is shared with. Data-centric security management necessarily depends on organizations knowing what data they have, what its cha...
Abstract: The National Institute of Standards and Technology (NIST) initiated a public standardization process to select one or more Authenticated Encryption with Associated Data (AEAD) and hashing schemes suitable for constrained environments. In February 2019, 57 candidates were submitted to NIST for consid...
Abstract: An organization often has mission and business-based needs to exchange (share) information with one or more other internal or external organizations via various information exchange channels; however, it is recognized that the information being exchanged also requires the same or similar level of pr...
Abstract: The NIST NCCoE is initiating a project to demonstrate the value and practicality of automation support for the current Cryptographic Module Validation Program (CMVP). The outcome of the project is intended to be improvement in the efficiency and timeliness of CMVP operation and processes. This...
Journal: IEEE Security & Privacy Abstract: The Common Weakness Enumeration (CWE) community publishes an aggregate metric to calculate the "Most Dangerous Software Errors." However, the used equation highly biases frequency and almost ignores exploitability and impact. We provide a metric to mitigate this bias and discuss the most significant...
Abstract: Structural coverage criteria are widely used tools in software engineering, useful for measuring aspects of test execution thoroughness. However, in many cases structural coverage may not be applicable, either because source code is not available, or because processing is based on neural networks or...
Abstract: In today’s cloud data centers and edge computing, attack surfaces have significantly increased, hacking has become industrialized, and most security control implementations are not coherent or consistent. The foundation of any data center or edge computing security strategy should be securing the pl...
Abstract: On-demand access to public safety data is critical to ensuring that public safety and first responder (PSFR) personnel can protect life and property during an emergency. The increasing use of cloud technologies can improve data access but also causes authentication challenges. The objective of this...
Abstract: This report provides the public safety and first responder (PSFR) community with a basic primer on identity federation—a form of trust relationship and partnership involving the verification of a claimed identity. Identity federation technologies can help public safety organizations (PSOs) to share...
Abstract: Reporting known or suspected security vulnerabilities in digital products is one of the best ways for developers and services to become aware of issues. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce known security vulnerabilities. This document re...
Conference: 2021 IEEE/ACM 6th International Workshop on Metamorphic Testing (MET) Abstract: Metamorphic testing has been shown to be useful in testing "non-testable" programs in many domains. Modeling & simulation is one such domain, where both verification and validation can be difficult due to lack of oracles. Although the definitions of verification and validation vary slightly in mo...