Search CSRC

The National Institute of Standards and Technology hosted on Tuesday, March 1st, and Wednesday, March 2nd, 2022, the third workshop in the series focusing on the Open Security Controls Assessment Language (OSCAL). Setting the foundation for security automation, with particular focus on the continuous authorization to operate (ATO) processes and continuous monitoring, OSCAL provides machine-readable representations of control catalogs, control baselines or profiles, system security plans, assessment plans, assessment results, and plan of actions and milestones, in a set of formats expressed in...

Genomic data are central to basic science research, pharmaceutical drug and vaccine development, disease diagnosis and prediction, ancestry tracing, and forensic investigations. These applications require information fidelity and appropriate availability as bad actors may wish to misuse genomic data to invade privacy, gain an unfair competitive advantage, or inflict harm with devastating impacts on individuals, companies, and nations. The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) is seeking to identify genomic data...

The Information Security and Privacy Advisory Board (ISPAB) is authorized by 15 U.S.C. 278g-4, as amended, and advises the National Institute of Standards and Technology (NIST), the Secretary of Homeland Security (DHS), and the Director of the Office of Management and Budget (OMB) on information security and privacy issues pertaining to Federal government information systems, including through review of proposed standards and guidelines developed by NIST. The Federal Register Notice for this meeting can be viewed here. Meeting Minutes for this meeting can be viewed here. Contact Jeff...

Presentations & Speakers at a Glance: GSA’s Approach to Identifying Requirements: FISMA, FedRAMP or Controlled Unclassified Information,  Pranjali Desai and Bo Berlas, GSA Growth in the NVD: API Keys, Documentation, and More!, Andrew Artz, NIST What's New in SP 800-53A, Revision 5, Jessica Dickson & Victoria Pillitteri, NIST Multi-Factor Authentication and Key Updates for NIST Special Publication 800-63, Revision 4, David Temoshok, NIST SP 800-63 and Privacy, Naomi Lefkovitz, NIST NOTE:  FORUM MEETINGS ARE OPEN TO ONLY FEDERAL/STATE EMPLOYEES, HIGHER EDUCATION EMPLOYEES, AND...

NIST recently issued a Request for Information (RFI) asking for information that would improve the effectiveness of the Cybersecurity Framework (CSF) for a potential update.  As a part of this initiative, NIST wants to better understand how the CSF is being used today and to learn what’s working and what’s not.  NIST also wants to explore better ways to align the CSF with other NIST guidance, such as the Privacy Framework, Secure Software Development Framework, Risk Management Framework, NICE Workforce Framework, and its series on IoT cybersecurity.  NIST wants to know what would help use...

On July 2015, the National Strategic Computing Initiative (NSCI) was established to maximize the benefits of High-Performance Computing (HPC) for economic competitiveness and scientific discovery. For HPC systems to deliver their anticipated benefits, their security requirements must be adequately addressed. To that effect, NIST hosted a workshop in September 2016 that brought together stakeholders from industry, academia, and government to gather their perspectives on the state of technology and future directions. As part of that continuing mission, NIST will host a workshop on March 27-28,...

The Federal Cybersecurity and Privacy Professionals Forum (formerly the Federal Computer Security Program Managers Forum) is an informal group sponsored by the National Institute of Standards and Technology (NIST) to promote the sharing of system security and privacy information among federal, state, and local government, and higher education employees. The Forum maintains an extensive e-mail list and holds quarterly meetings to discuss current issues and items of interest to those responsible for protecting non-national security systems. For more information about the Forum and instructions...

Presentations & Speakers at a Glance: Update on NIST SP 800-63, David Temoshok, NIST VA's Cyber NexGen Developmental Program, Clarence Williams and Sharon McPherson, Department of Veterans Affairs Facilitated Discussion: Agency Use of NIST Cybersecurity Framework and NIST Risk Management Framework, Victoria Pillitteri and Katherine Schroeder, NIST Update to (Draft) NIST SP 800-50, Rev. 1: Building a Cybersecurity and Privacy Awareness and Training Program, Don Walden, IRS and Marian Merritt, NIST                         The Federal Cybersecurity and Privacy Professionals...

The Information Security and Privacy Advisory Board (ISPAB) is authorized by 15 U.S.C. 278g-4, as amended, and advises the National Institute of Standards and Technology (NIST), the Secretary of Homeland Security (DHS), and the Director of the Office of Management and Budget (OMB) on information security and privacy issues pertaining to Federal government information systems, including through review of proposed standards and guidelines developed by NIST. The Federal Register Notice for this meeting is available here. Meeting Minutes will be posted approximately 30 days after the event....

At this conference, we will discuss various aspects of the candidate algorithms and obtain valuable feedback for informing decisions on standardization. NIST will invite the submission teams for both the selected algorithms, as well as the algorithms advancing to the fourth round, to give an update on their algorithms. Submission deadline: September 15, 2022 Call for Papers More details will be provided soon.

The Information Security and Privacy Advisory Board (ISPAB) is authorized by 15 U.S.C. 278g-4, as amended, and advises the National Institute of Standards and Technology (NIST), the Secretary of Homeland Security (DHS), and the Director of the Office of Management and Budget (OMB) on information security and privacy issues pertaining to Federal government information systems, including through review of proposed standards and guidelines developed by NIST. The Federal Register Notice for this meeting will be posted closer to the event date. An Agenda will be posted closer to the event date....

The following NIST documents were created to brief a blue ribbon Committee of Visitors (COV) charged with reviewing the agency’s cryptographic standards and guidelines program by NIST’s primary independent advisory panel, the Visiting Committee on Advanced Technology (VCAT).  The VCAT held a public meeting on July 14, 2014 to discuss the recommendations from the COV members and finalize a report detailing recommendations to NIST on steps to strengthen its cryptographic standards and guidelines program. The VCAT's report, along with the individual recommendations of the COV members, are...

07/01/2018 The CMVP's symmetric key wrapping transition plan to comply to NIST SP 800-38F (as specified in SP 800-131A) has been completed (see 12/20/17 Notice)  As a result, the NIST PIV Validation Program has updated its PIV Card Application Validation List by moving affected modules with PIV Card Applications to the Removed Product’s List. 06/30/2018 The two 1-year extensions to continue issue PIV Cards with RNG rather than with DRBG ended June 30th 2018. As a result, the NIST PIV Validation Program has removed listings of PIV Card with RNG implementation from the PIV Card Application...

NPIVP maintains validation lists for validated PIV Card Applications and PIV Middleware. The following lists are updated as new PIV Card Applications and PIV Middleware receive validation certificates from the NPIVP. To be listed on the NPIVP validated product list, a product must be tested in a NPIVP Test Facility using approved test methods and test tools.   PIV Card Application Validation Lists: PIV Card Application Validation List REMOVED Product Validation List - Card Application PIV Middleware Validation Lists: PIV Middleware Validation Lists REMOVED Product...

NPIVP maintains pre-validation lists for PIV Card Applications and PIV Middleware. Participation on the lists is voluntary and is a joint decision by the vendor and the NPIVP test facility. Products are listed alphabetically by vendor name. Posting on the list does not imply guarantee of final validation. PIV Card Application Pre-Validation List PIV Middleware Pre-Validation List

All NPIVP test facilities are third-party laboratories accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) under the Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) to conduct testing for PIV card application and PIV middleware test methods. atsec information security corporation  9130 Jollyville Road Suite 260 Austin, TX 78759 USA  Lab Director: Yi Mao TEL: 512-615-7300 FAX: 512-615-7301 NVLAP Lab Code 200658-0 EWA - Canada IT Security Evaluation & Test Facility 55 Metcalfe Street, Suite 1600 Ottawa, Ontario K1P 6L5 Canada Lab...

Software Download (last updated February 13, 2020): SP 800-73-4 Test Runner for PIV Card Applications, Middleware and Data Model       Note: File is a zipped (.zip) file & is 12.4 MB in size.       Depending on Internet speed, this software download may take little time to download to several minutes.   Please send an e-mail to piv-dmtester@nist.gov to request for a password to unzip the Test Runner file and/or for any questions you may have.

Phone: 301-975-8897 E-mail: fissea@nist.gov  

FISSEA is for: Information systems security professionals Professional trainers and educators Managers responsible for information systems awareness and security training programs in federal agencies Contractors providing awareness and training support to federal agencies Faculty members of accredited educational institutions who are involved in information security training and education. Subscribe to FISSEA Updates For FISSEA email announcements, send a subscription request to  FISSEAUPDATES+subscribe@list.nist.gov  with the Subject as “Subscribe”. Announcements will be sent...

FISSEA Security Awareness and Training Contest Showcase one or all of the awareness and training items you use as a part of your Security program. There will be one winner selected and announced at the annual conference for each of the following categories: poster, motivational item, website, newsletter, video, blog, podcast and technical training scenario or exercise. Visit the FISSEA Security Awareness and Training Contest page for more information. View the previous winners here. FISSEA Cybersecurity Awareness and Training Innovator Award Each year at the annual conference, FISSEA...

The CSOR has allocated the following registration branch for cryptographic algorithm objects: nistAlgorithms OBJECT IDENTIFIER ::= { csor nistAlgorithm(4) } The CSOR only registers NIST-approved cryptographic algorithms. When an algorithm has already been externally assigned an object identifier (e.g., for RSA PKCS#1 digital signature), no new OID will be assigned in the CSOR arc. Information about externally assigned OIDs is provided toward the end of the page. Registered Objects ASN.1 Modules AES Secure Hash Algorithms with HMAC Digital Signature Algorithms Externally-assigned...

The CSOR has allocated the following registration branch for objects defined under the ARPA/Air Force-sponsored Information Object Security (IOS) project: {joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) csor(3) iosp(3)}. The IOS project was a multi-year effort to investigate and develop advanced security services to the Internet sponsored by the Advanced Research Project Agency (ARPA) and the Air Force. The architecture developed consists of sequences of components specified in ASN.1. Each component, and subsequent sub-type, carries an object identifier. Most of the...

The CSOR has allocated the following registration branch for Public Key Infrastructure (PKI) objects: csor-pki ::= {joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) csor(3) pki(2)} Policies OIDs are allocated in the following arc: csor-certpolicy ::= { csor-pki 1 } For agencies requesting a new OID, please send email with OID name, associated document and point of contact information. Additional information on Federal PKI activities is available from the NIST PKI Testing project. ACES Registered Objects August 2020: The ACES project is no longer active. There...

The NIST Framework for Improving Critical Infrastructure Cybersecurity ("the Framework") released in February 2014 was published simultaneously with the companion Roadmap for Improving Critical Infrastructure Cybersecurity. The Roadmap identified Cyber Supply Chain Risk Management (Cyber SCRM) as an area for future focus. Since the release of the Framework and in support of the companion Roadmap, NIST has researched industry best practices in cyber supply chain risk management through engagement with industry leaders.  In 2014 and 2015, NIST interviewed a diverse set of organizations and...

NIST regularly conducts and awards contracts, grants, or cooperative agreements to conduct research into cybersecurity supply chain risk management (C-SCRM) and related topics. The following are relevant research activities:   Cyber Risk Analytics: A NIST and GSA-Sponsored grant from 2015-2017 examining the relationship between various risk management practices and publicly disclosed breaches. The Cyber Risk Predictive Analytics Project Cyber Risk Analytics Project Review Workshop (with video) Industry C-SCRM Best Practices: Ongoing work developing case studies exploring effective risk...