
Guide to Key Services and Materials for the Information Technology Industry

Of particular interest to IT Vendors

Information Technology (IT) vendors may be particularly interested in the following NIST security programs and services. These are grouped by: 1) security specifications, 2) security testing, 3) marketing and education, and 4) research.

Security Specifications

  • Cryptographic Standards - NIST is involved in the development, maintenance, and promotion of a number of standards and guidance that cover a wide range of cryptographic technology. As NIST develops new standards, recommendations, and guidance, they are included in a comprehensive Cryptographic Standards Toolkit to protect data, communications, and operations. The toolkit currently includes a wide variety of cryptographic algorithms and techniques, and more will be added in the future. The standards included have been approved and are recommended to protect sensitive Federal information, but may also be used by anyone else on a voluntary basis. The Cryptographic Standards Toolkit includes the following categories: Guidance, Encryption, Modes of Operation, Digital Signatures, Secure Hashing, Key Management, Random Number Generation, Message Authentication, Entity Authentication, and Password Usage and Generation. Contact: Elaine Barker.

  • Cryptographic Module Security - In addition to specific cryptographic security specifications, a wider range of security specifications for cryptographic modules and IT products are available. Security Requirements for Cryptographic Modules covers 11 areas related to the design and implementation of a cryptographic module. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module. The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. Cryptographic modules can then be tested to verify that they conform to these specifications under the Cryptographic Module Validation Program, discussed below. Contact: Ray Snouffer.

  • PKI - The National Institute of Standards and Technology (NIST) is taking a leadership role in the development of a Federal Public Key Infrastructure that supports digital signatures and other public key-enabled security services. NIST is coordinating with industry and technical groups developing PKI technology to foster interoperability of PKI products and projects. In support of digital signatures, NIST has worked with the Federal PKI Steering Committee to produce digital signature guidance. NIST is currently concentrating on PKI architectures, security requirements for PKI components, and PKI-enabled applications. The PKI architecture work is divided between development of complex PKIs based on the bridge CA concept and theoretical modeling of PKI performance. The goal of NIST's security requirements work is a Common Criteria Protection Profile. Contact: Tim Polk

Security Testing

  • The Cryptographic Module Validation Program (CMVP) - CMVP, jointly led by NIST and the Government of Canada's Communications Security Establishment, provides for the voluntary testing of cryptographic modules (both hardware and software). Private-sector laboratories, which have been accredited as competent under NVLAP, conduct these validations. Testing is conducted against the security specifications detailed in Security Requirements for Cryptographic Modules. Testing is also conducted to help assure the correct implementation of specific cryptographic algorithms approved to protect sensitive information in the Federal government. Once the validation is successfully completed, a certificate is issued and the product is placed on the Cryptographic Module Validation List. Contact: Ray Snouffer

  • IPsec Interoperability Testing - Following a need expressed in the IETF for an Interoperability Test System for the Internet Security Protocol (IPsec) and its associated key negotiation protocol (Internet Key Exchange, or IKE), NIST developed an interactive Web-based IPsec tester. The tester, IPsec-WIT, is based on Cerberus and PlutoPlus, NIST's reference implementations of IPsec and IKE. It enables vendors to spontaneously test their IPsec and IKE implementations at any time and from any location. The implementations, and the tester, currently exploit IPv4, but the intention is to provide an IPv6 version soon, at which time both versions of the tester will be available in parallel. Contact: Sheila Frankel

Security Education

  • Computer Security Resource Center - This site contains information about a variety of computer security issues, products, and research of concern to Federal agencies, industry, and users. This site is operated and maintained by NIST's Computer Security Division as a service to the computer security and IT community. Contact: William Barker

Research

  • Critical Infrastructure Protection Research Grants Program - This grants program, administered by NIST, funds research in high priority areas, which are not being adequately addressed elsewhere. NIST publishes a call for proposals annually. Grants may be for multi-year work. Contact: Dave Ferraiolo

  • Guest research internships at NIST - Opportunities are available for 6- to 24-month internships at NIST in the security program. Qualified individuals should contact the Computer Security Division, provide a statement of qualifications, and indicate the area of work that is of interest. Generally speaking, the salary costs are borne by the sponsoring institution; however, in some cases, these guest research internships carry a small monthly stipend paid by NIST. Contact: William Barker


 

Last updated: October 26, 2006
Page created: January 28, 2000