Showing 51 through 75 of 13546 matching records.
Projects https://csrc.nist.rip/projects/message-authentication-codes

The message authentication code (MAC) is generated from an associated message as a method for assuring the integrity of the message and the authenticity of the source of the message. A secret key to the generation algorithm must be established between the originator of the message and its intended receiver(s). Approved Algorithms: Currently, there are three (3) approved* general purpose MAC algorithms: HMAC, KMAC and CMAC. Keyed-Hash Message Authentication Code (HMAC): FIPS 198-1, The Keyed-Hash Message Authentication Code (HMAC) (July 2008), specifies a mechanism for message...

Projects https://csrc.nist.rip/projects/national-checklist-program

NIST maintains the National Checklist Repository, which is a publicly available resource that contains information on a variety of security configuration checklists for specific IT products or categories of IT products. A security configuration checklist (also called a lockdown, hardening guide, or benchmark) is a series of instructions or procedures for configuring an IT product to a particular operational environment, for verifying that the product has been configured properly, and/or for identifying unauthorized changes to the product. The IT product may be commercial, open source,...

Projects https://csrc.nist.rip/projects/pairing-based-cryptography

Recently, what are known as “pairings” on elliptic curves have been a very active area of research in cryptography. A pairing is a function that maps a pair of points on an elliptic curve into a finite field. Their unique properties have enabled many new cryptographic protocols that had not previously been feasible. In particular, identity-based encryption (IBE) is a pairing-based scheme that has received considerable attention. IBE uses some form of a person’s (or entity’s) identification to generate a public key. This could be an email address, for instance. An IBE scheme allows a sender to...

Projects https://csrc.nist.rip/projects/pec

The Cryptographic Technology Group (CTG) in the Computer Security Division (CSD) at NIST intends to accompany the progress of emerging technologies in the area of privacy enhancing cryptography (PEC). The PEC project seeks to promote the development of reference material that can contribute to a better understanding of PEC, namely how advanced cryptographic tools can be used to enable achieving privacy goals in myriad applications. The technical challenge is often to enable parties to interact meaningfully, toward achieving an application goal, without revealing extraneous private information...

Projects https://csrc.nist.rip/projects/national-vulnerability-database

[Redirect to https://nvd.nist.gov] The National Vulnerability Database (NVD) is the U.S. Government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.  

Projects https://csrc.nist.rip/projects/program-review-for-information-security-assistance

The Program Review for Information Security Assistance (PRISMA) project was last updated in 2007; NIST Interagency Report (IR) 7358 and the corresponding PRISMA tool continue to serve as useful resources for high-level guidance and as a general framework, but may not be fully consistent with changes to requirements, standards and guidelines for securing information systems. NIST will review and determine next steps to best support and potentially update the PRISMA content in 2022.  For any questions or comments, please contact sec-cert@nist.gov. The Program Review for Information Security...

Projects https://csrc.nist.rip/projects/fisma-implementation-project

This FISMA Implementation Project link will automatically redirect you to Federal Information Security Modernization Act (FISMA) background information under the NIST Risk Management Framework project.

Projects https://csrc.nist.rip/projects/hardware-roots-of-trust

Modern computing devices consist of various hardware, firmware, and software components at multiple layers of abstraction. Many security and protection mechanisms are currently rooted in software that, along with all underlying components, must be trustworthy. A vulnerability in any of those components could compromise the trustworthiness of the security mechanisms that rely upon those components. Stronger security assurances may be possible by grounding security mechanisms in roots of trust. Roots of trust are highly reliable hardware, firmware, and software components that perform specific,...

Projects https://csrc.nist.rip/projects/ispab

In January 1988, the Congress enacted the Computer Security Act of 1987 (Public Law 100-235). A provision of that law called for the establishment of the Computer System Security and Privacy Advisory Board (CSSPAB) within the Department of Commerce. In accordance with the Federal Advisory Committee Act, as amended, 5 U.S.C., App., the Board was chartered in May 1988. In December 2002, Public Law 107-347, The E-Government Act of 2002, Title III, the Federal Information Security Management Act of 2002, Section 21 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-4)...

Projects https://csrc.nist.rip/projects/mobile-security-and-forensics

Mobile Forensics: Mobile devices, such as Personal Digital Assistants (PDAs), Blackberry, and cell phones have become essential tools in our personal and professional lives. The capabilities of these devices are continually evolving, providing users with greater storage capacities, better Internet connectivity, and enhanced Personal Information Management (PIM) capabilities. Devices with cellular capabilities provide users with the ability to perform additional tasks such as SMS (Short Message Service) messaging, Multi-Media Messaging Service (MMS) messaging, IM (Instant Messaging), electronic...

Projects https://csrc.nist.rip/projects/multidimensional-cybersecurity-analytics

There is an increasing demand for robust capabilities of programmatically detecting intrusions and errors of computer programs in real time. This demand is growing rapidly as our society relies more on the ever-increasing number, variety, complexity, and interplay of computer programs. We experience this demand every day – the performance of our email servers and other cloud services, recent glitches of Healthcare.gov, Internet banking services, and the variety and complexity of cyber-security concerns at personal, organizational, national, and international levels. Anomaly-based intrusion...

Projects https://csrc.nist.rip/projects/national-initiative-for-cybersecurity-education

[Redirect to https://www.nist.gov/nice] The mission of NICE is to energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development. NICE fulfills this mission by coordinating with government, academic, and industry partners to build on existing successful programs, facilitate change and innovation, and bring leadership and vision to increase the number of skilled cybersecurity professionals helping to keep our Nation secure.

Projects https://csrc.nist.rip/projects/crypto-standards-development-process

In 2013, news reports about leaked classified documents caused concern from the cryptographic community about the security of NIST cryptographic standards and guidelines. NIST is also deeply concerned by these reports, some of which have questioned the integrity of the NIST standards development process. NIST has a proud history in open cryptographic standards, beginning in the 1970s with the Data Encryption Standard. We strive for a consistently open and transparent process that enlists the worldwide cryptography community to help us develop and vet algorithms included in our cryptographic...

Projects https://csrc.nist.rip/projects/nist-personal-identity-verification-program

NIST has established the NIST Personal Identity Verification Validation Program (NPIVP) to validate Personal Identity Verification (PIV) components required by Federal Information Processing Standard (FIPS) 201. The objectives of the NPIVP program are: to validate the compliance/conformance of two PIV components, PIV middleware and PIV card application, with the specifications in NIST SP 800-73; and to provide the assurance that the set of PIV middleware and PIV card applications that have been validated by NPIVP are interoperable. All of the tests under NPIVP are handled by...

Projects https://csrc.nist.rip/projects/piv

FIPS 201-3, Personal Identity Verification (PIV) for Federal Employees and Contractors, is available at https://csrc.nist.rip/publications/detail/fips/201/3/final. A chronicle of changes since the initial issuance of FIPS 201 is available in FIPS 201-3, Appendix E, Revision History. Federal Information Processing Standard (FIPS) 201 entitled Personal Identity Verification of Federal Employees and Contractors establishes a standard for a Personal Identity Verification (PIV) system (Standard) that meets the control and security objectives of Homeland Security Presidential Directive-12...

Projects https://csrc.nist.rip/projects/policy-machine

One primary objective of enterprise computing (via a data center, cloud, etc.) is the controlled delivery of data services (DSs) to its users. Typical DSs include applications such as email, workflow management, enterprise calendar, and records management, as well as system level features, such as file, access control and identity management. Although access control (AC) currently plays an important role in securing DSs, if properly designed, AC can be more fundamental to computing than one might expect. That is, the program logic that deals with implementation, distribution, and control over...

Projects https://csrc.nist.rip/projects/privacy-engineering

[Redirect to https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering] The NIST Privacy Engineering Program’s (PEP) mission is to support the development of trustworthy information systems by applying measurement science and system engineering principles to the creation of frameworks, risk models, guidance, tools, and standards that protect privacy and, by extension, civil liberties.

Projects https://csrc.nist.rip/projects/pki-testing

Testing PKI Components: NIST/Information Technology Laboratory responds to industry and user needs for objective, neutral tests for information technology. ITL recognizes such tests as the enabling tools that help companies produce the next generation of products and services. It is a goal of the NIST PKI Program to develop such tests to help companies produce interoperable PKI components. NIST worked with CygnaCom Solutions and BAE Systems to develop a suite of tests that will enable developers and validation laboratories to determine a PKI client application's conformance to the path...

Projects https://csrc.nist.rip/projects/random-bit-generation

The following publications specify the design and implementation of random bit generators (RBGs), in two classes: Deterministic Random Bit Generators (pseudo RBGs); and Non-Deterministic Random bit Generators (True RBGs). SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 25, 2015:  This Recommendation specifies mechanisms for the generation of random bits using deterministic methods. In this revision, the specification of the...

Projects https://csrc.nist.rip/projects/security-aspects-of-electronic-voting

The Help America Vote Act (HAVA) of 2002 was passed by Congress to encourage the upgrade of voting equipment across the United States. HAVA established the Election Assistance Commission (EAC) and the Technical Guidelines Development Committee (TGDC), chaired by the Director of NIST, as well as a Board of Advisors and Standards Board. HAVA calls on NIST to provide technical support to the EAC and TGDC in efforts related to human factors, security, and laboratory accreditation. Researchers in the Computer Security Division conduct research into security issues in voting systems and identify...

Projects https://csrc.nist.rip/projects/small-business-cybersecurity-corner

[Redirect to https://www.nist.gov/itl/smallbusinesscyber]  The vast majority of smaller businesses rely on information technology to run their businesses and to store, process, and transmit information. Protecting this information from unauthorized disclosure, modification, use, or deletion is essential for those companies  and their customers. With limited resources and budgets, these companies need cybersecurity guidance, solutions, and training that is practical, actionable, and enables them to cost-effectively address and manage their cybersecurity risks. This NIST Small Business...

Projects https://csrc.nist.rip/projects/cyber-supply-chain-risk-management

Latest updates: NIST Cybersecurity SCRM Fact Sheet (05/12/22) NIST updates Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations guidance in NIST SP 800-161r1, which also helps fulfill NIST's responsibilities under E.O. 14028. (05/05/22) See the comments received from 132 organizations and individuals in response to a recent RFI (2/22/22) on Evaluating and Improving NIST Cybersecurity...

Projects https://csrc.nist.rip/projects/software-identification-swid

Software is vital to our economy and way of life as part of the critical infrastructure for the modern world. Too often cost and complexity make it difficult to manage software effectively, leaving the software open for attack. To properly manage software, enterprises need to maintain accurate software inventories of their managed devices in support of higher-level business, information technology, and cybersecurity functions. Accurate software inventories help an enterprise to: Manage compliance with software license agreements. Knowing what software is installed and used can help an...

Projects https://csrc.nist.rip/projects/stateful-hash-based-signatures

In Special Publication 800-208, Recommendation for Stateful Hash-Based Signature Schemes, NIST approves two schemes for stateful hash-based signatures (HBS) as part of the post-quantum cryptography development effort. The two schemes were developed through the Internet Engineering Task Force: 1) XMSS, specified in Request for Comments (RFC) 8391 in May 2018, and 2) LMS, in RFC 8554 in April 2019. Background: HBS schemes were the topic for a session of talks during the first public workshop on post-quantum security, as well as the panel discussion that followed it. Participants expressed...

Projects https://csrc.nist.rip/projects/threshold-cryptography

The multi-party paradigm of threshold cryptography enables a secure distribution of trust in the operation of cryptographic primitives. This can apply, for example, to the operations of key generation, signing, encryption and decryption. This project focuses on threshold schemes for cryptographic primitives: using a “secret sharing” mechanism, the secret key is split across multiple "parties"; if some (up to a threshold f out of n) of these parties are corrupted, the key secrecy remains uncompromised; the secret-sharing remains even during the cryptographic operation that depends on the key....
