The National Institute of Standards and Technology (NIST) has released the final version of a document outlining its process for developing cryptographic standards and guidelines. NIST Cryptographic Standards and Guidelines Development Process (NISTIR 7977) is an integral part of NIST's effort to ensure a robust, widely understood and participatory process for developing cryptography, which is the technology used to store and transmit data in a particular form so it can only be read or processed by the intended recipient.
"Our goal is to develop strong and effective cryptographic standards and guidelines that are broadly accepted and trusted by our stakeholders," said Donna Dodson, NIST's chief cybersecurity advisor and its Information Technology Laboratory's associate director for cybersecurity. "While our primary stakeholder is the federal government, our work has global reach across the public and private sectors. We want a process that results in standards and guidelines that can be used to secure information systems worldwide."
Dodson first announced that NIST would review its processes for developing cryptographic standards and guidelines in November 2013, following news reports calling the process into question. The document includes nine principles that guide NIST's efforts in creating strong cryptography, including transparency, openness, balance, technical merit and global acceptability.
The "global acceptability" principle was added to this final draft in response to public comments and reflects the global nature of today's commerce. The document also explains the different types of cryptographic publications NIST releases and how they are made available for public review, as well as how they are managed over their lifecycle.
The document describes NIST's primary cryptographic stakeholders as the federal agencies and their suppliers, but states that NIST "considers its stakeholder community for cryptographic standards, guidelines, tools and metrics to be much broader."
NIST acknowledges the "possibility for tension between NIST's mission to promulgate the use of strong cryptography, and the law enforcement and national security missions of other agencies," and affirms that it makes independent decisions and is committed to using open and transparent processes.
NISTIR 7977 also emphasizes the importance of NIST having "access to the most recent and relevant expertise regarding cryptography," as well as its commitment to ensuring that its internal capabilities are strong and effective and that it collaborates with the broader cryptographic research community.
In February 2014, NIST released the first draft of NISTIR 7977 for public comment and, a few months later, convened an independent panel of experts to review the process. The panel's report was released in July 2014. The public comments and panel report informed a new draft document, which was released for public comment in January 2015. The final document can be found on NIST's website.