Search CSRC

Cryptographic Key Management What kind of keys are we talking about? This FAQ is about the keys used with cryptographic algorithms employed during communications and/or storage that are used, for example, to encrypt and decrypt data (providing confidentiality protection for that data) or to detect any modifications to the data, What is Cryptographic Key Management (CKM)? Cryptographic key management involves the handling of cryptographic keys and other related security parameters during the entire lifecycle of the keys, including their generation, storage, distribution/establishment, use and...

Frequently Asked Questions What is combinatorial testing? Combinatorial testing is the use of tests that cover t-way combinations of parameter values, up to some specified criterion of coverage.  For example, if we have three boolean parameters, P1, P2, and P3, then 2-way coverage can be achieved if we cover all four combinations of values (00, 01, 10, 11) for every pair of these parameters.  There are three pairs in this example:  (P1, P2), (P1, P3), and (P2, P3).  A structure called a covering array can compress all t-way combinations of values into an amazingly small set of tests. For...

Standardization Process What are NIST’s plans regarding stateful hash-based signatures? (old Q2) NIST plans to coordinate with other standards organizations, such as the IETF, to develop standards for stateful hash-based signatures. As stateful hash-based signatures do not meet the API requested for signatures, this standardization effort will be a separate process from the one outlined in the call for proposals. It is expected that NIST will only approve a stateful hash-based signature standard for use in a limited range of signature applications, such as code signing, where most...

Background - Controlled Unclassified Information What is Controlled Unclassified Information (CUI)? Controlled Unclassified Information is any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526,Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended Executive Order 13556 "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the...

General Each Risk Management Framework Step "Resources For Implementers" Now Has A FAQ! Please see: About the Risk Management Framework for a FAQ for each RMF Step and RMF Roles & Responsibilities  What Is FISMA? FISMA is the Federal Information Security Modernization Act of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by...

General What Is Role Based Access Control? Roles with different privileges and responsibilities have long been recognized in business organizations, and commercial computer applications dating back to at least the 1970s implemented limited forms of access constraints based on the user’s role within an organization. These role-based systems were relatively simple and application-specific. That is, there was no general-purpose model defining how access control could be based on roles, and little formal analysis of the security of these systems. The systems were developed by a variety of...

SCAP v2 What is the Security Content Automation Protocol (SCAP)? SCAP is a suite of specifications for exchanging security automation content used to assess configuration compliance and to detect the presence of vulnerable versions of software. The same SCAP content can be used by multiple tools to perform a given assessment described by the content. How will SCAP v2 improve SCAP v1 capabilities? SCAP v2 will allow software installation and configuration posture to be monitored and reported as changes to that posture occur. Event-driven reporting will be used in SCAP to support software...

Introduction What is the Security Content Automation Protocol (SCAP)? SCAP is a suite of specifications for exchanging security automation content used to assess configuration compliance and to detect the presence of vulnerable versions of software. The same SCAP content can be used by multiple tools to perform a given assessment described by the content. How will SCAP v2 improve SCAP v1 capabilities? SCAP v2 will allow software installation and configuration posture to be monitored and reported as changes to that posture occur. Event-driven reporting will be used in SCAP to support software...

SCAP Validation Program What is Security Content Automation Protocol (SCAP) validation? To enable the goals set forth in OMB Memorandum M-08-22, it is necessary to have security configuration scanning tools that can use official SCAP content. In response, NIST established the SCAP validation program. Implemented through the NIST National Voluntary Laboratory Accreditation Program (NVLAP), independent laboratories can be accredited to perform the testing necessary to validate that security tools can accurately parse the SCAP content required for their specific functionality. Additional details...

USGCB What is the USGCB? The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration (FDCC)mandate. While not addressed specifically as the FDCC, the process (now termed the USGCB process) for creating, vetting, and providing baseline configurations settings was originally described in a 22 March 2007 memorandum from OMB to all Federal agencies and department heads and a...

Scope What is the scope of the cybersecurity metrics program? We are pursuing an iterative approach, initially focusing on achieving a better understanding of – and finding consensus on – the definition of the term measurements related to cybersecurity.  Working closely with collaborators from the private and public sectors as well as academia, NIST will explore foundational components to facilitate and advance the dialogue on measurements such as common taxonomy and nomenclature.  The intent is to develop a foundation for improved communications necessary to enable inclusive participation in...

Basic What are Informative References? Informative References show relationships between any number and combination of organizational concepts (e.g., Functions, Categories, Subcategories, Controls, Control Enhancements) of the Focal Document and specific sections, sentences, or phrases of Reference Documents. The discrete concepts of the Focal Document are called Focal Document elements, and the specific sections, sentences, or phrases of the Reference Document are called Reference Document elements. What is the National Online Informative References (OLIR) Program? The National Online...

Adequate security of information and information systems is a fundamental management responsibility. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access (authorization) control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. In some systems, complete access is granted after s successful authentication of the user, but most systems require more sophisticated and complex control. In addition to the authentication mechanism (such as...

Access control systems are among the most critical security components. Faulty policies, misconfigurations, or flaws in software implementation can result in serious vulnerabilities. The specification of access control policies is often a challenging problem. Often a system’s privacy and security are compromised due to the misconfiguration of access control policies instead of the failure of cryptographic primitives or protocols. This problem becomes increasingly severe as software systems become more complex, and are deployed to manage a large amount of sensitive information and resources...

Society recognizes cryptography’s important role in protecting sensitive information from unauthorized disclosure or modification. However, the correct and bug-free implementation of a cryptographic algorithm and the environment in which it executes are critical for security.  To assess the security aspects related to real hardware and software cryptographic implementations, NIST established the Cryptographic Module Validation Program (CMVP) in 1995 to validate cryptographic modules against the security requirements in FIPS 140-2. The CMVP is run jointly with the Government of Canada for the...

The Algorithms for Intrusion Measurement (AIM) project furthers measurement science in the area of algorithms used in the field of intrusion detection. The team focuses on both new detection metrics and measurements of scalability (more formally algorithmic complexity). This analysis is applied to different phases of the detection lifecycle to include pre-emptive vulnerability analysis, initial attack detection, alert impact, alert aggregation/correlation, and compact log storage. In performing this work, the AIM project seeks to enhance our nation’s ability to defend itself from network-borne...

NIST has traditionally published secure configuration guides for Apple operating systems, e.g., NIST SP 800-179. The macOS Security Compliance Project (mSCP) seeks to simplify the macOS security development cycle by reducing the amount of effort required to implement security baselines. This collaboration between federal organizations minimizes the duplicate effort that would be required to administer individual security baselines. Additionally, the secure baseline content provided is easily extensible by other parties to implement their own security requirements. The latest recommended...

AppVet is a web application for managing and automating the app vetting process. AppVet facilitates the app vetting workflow by providing an intuitive user interface for submitting and testing apps, managing reports, and assessing risk. Through the specification of APIs, schemas and requirements, AppVet is designed to easily and seamlessly integrate with a wide variety of clients including users, apps stores, and continuous integration environments as well as third-party tools including static and dynamic analyzers, anti-virus scanners, and vulnerability repositories. The AppVet project...

The concept of Attribute Based Access Control (ABAC) has existed for many years. It represents a point on the spectrum of logical access control from simple access control lists to more capable role-based access, and finally to a highly flexible method for providing access based on the evaluation of attributes. In November 2009, the Federal Chief Information Officers Council (Federal CIO Council) published the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Plan v1.0, which provided guidance to federal organizations to evolve their logical access control...

The Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP) were established on July 17, 1995 by NIST to validate cryptographic modules conforming to the Federal Information Processing Standards (FIPS) 140-1, Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards. FIPS 140-2 was released on May 25, 2001 and supersedes FIPS 140-1. The current implementation of the CMVP is shown in Figure 1 below. The CAVP is a prerequisite for CMVP. The CAVP and CMVP leverage NVLAP-accredited Cryptographic and Security...

Public Law 100-235, "The Computer Security Act of 1987," mandated NIST and OPM to create guidelines on computer security awareness and training based on functional organizational roles. Guidelines were produced in the form of NIST Special Publication 800-16 titled, "Information Technology Security Training Requirements: A Role- and Performance-Based Model." The learning continuum modeled in this guideline provides the relationship between awareness, training, and education. The publication also contains a methodology that can be used to develop training courses for a number of audiences which...

The Computer Security Division (CSD) supports the development of national and international biometric standards and promotes conformity assessment through:  Participation in the development of biometric standards Sponsorship of conformance testing methodology standard projects Development of associated conformance test architectures and test suites Leadership in national (link is external) and international (link is external) standards development bodies Visit the Biometric Conformance Test Software (BioCTS) homepage for full details.

Approved Algorithms Currently, there are two (2) Approved* block cipher algorithms that can be used for both applying cryptographic protection (e.g., encryption) and removing or verifying the protection that was previously applied (e.g., decryption): AES and Triple DES. Two (2) other block cipher algorithms were previously approved: DES and Skipjack; however, their approval has been withdrawn. See the discussions below for further information; also see SP 800-131A Rev. 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, for additional...

Circuit complexity is a topic of great relevance to cryptography. Optimization of circuits leads to efficiency improvement in a wide range of algorithms and protocols, such as for symmetric-key and public-key cryptography, zero-knowledge proofs and secure multi-party computation. The circuit complexity project has two main goals: improve our understanding of the circuit complexity of Boolean functions and vectorial Boolean functions; develop new techniques for constructing better circuits for use by academia and industry.  Our...

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics (On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured Service); three service models (Cloud Software as a Service (SaaS), Cloud Platform as a Service (PaaS), Cloud...