Search Publications

Displaying 651 - 675 of 1509

Guidelines for Derived Personal Identity Verification (PIV) Credentials

December 19, 2014

Author(s)

Hildegard Ferraiolo, David A. Cooper, Salvatore Francomacaro, Andrew R. Regenscheid, Jason Mohler, Sarbari Gupta, William E. Burr

This recommendation provides technical guidelines for the implementation of standards-based, secure, reliable, interoperable PKI-based identity credentials that are issued by Federal departments and agencies to individuals who possess and prove control

Guidelines for Media Sanitization

December 17, 2014

Author(s)

Richard L. Kissel, Andrew R. Regenscheid, Matthew A. Scholl, Kevin M. Stine

Media sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort. This guide will assist organizations and system owners in making practical sanitization decisions based on the categorization of

Metrics of Security

December 15, 2014

Author(s)

Yi Cheng, Julia Deng, Jason Li, Scott DeLoach, Anoop Singhal, Xinming Ou

Discussion of challenges and ways of improving Cyber Situational Awareness dominated our previous chapters. However, we have not yet touched on how to quantify any improvement we might achieve. Indeed, to get an accurate assessment of network security and

Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

December 10, 2014

Author(s)

Ronald S. Ross

[Superseded by SP 800-53A Rev. 5 (January 2022): https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=933932] This publication provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal

Formalizing Software Bugs

December 8, 2014

Author(s)

Irena Bojanova

Knowing what makes a software systems vulnerable to attacks is critical, as software vulnerabilities hurt security, reliability, and availability of the system as a whole. In addition, understanding how an adversary operates is essential to effective cyber

Cryptographic Module Validation Program (CMVP)

December 1, 2014

Author(s)

Apostol T. Vassilev, Larry Feldman, Gregory A. Witte

The Cryptographic Module Validation Program (CMVP) validates cryptographic modules for compliance with Federal Information Processing Standard (FIPS) Publication 140-2, Security Requirements for Cryptographic Modules, and other cryptography based standards

Static Analysis is not enough: The Role of Architecture and Design in Software Assurance

December 1, 2014

Author(s)

Walter R. Houser

Static analysis testing of software source code is necessary but not sufficient. Over 40 percent of the Common Weakness Enumeration (CWE) are likely to be introduced in the architecture and design phase of the development life cycle. By their very nature

An Access Control Scheme for Big Data Processing

November 11, 2014

Author(s)

Chung Tong Hu, Timothy Grance, David F. Ferraiolo, David R. Kuhn

Access Control (AC) systems are among the most critical of network security components. A system's privacy and security controls are more likely to be compromised due to the misconfiguration of access control policies rather than the failure of

Release of NIST SP 800-147B, BIOS Protection Guidelines for Servers

October 29, 2014

Author(s)

Andrew R. Regenscheid, Larry Feldman, Gregory A. Witte

Modern computers rely on fundamental system firmware, commonly known as the Basic Input/Output System (BIOS), to enable system components to communicate and work together. The BIOS is typically developed by both original equipment manufacturers (OEMs) and

Avoiding Catastrophes in Cyberspace through Smarter Testing: How to prevent Heartbleed-like disasters using readily available testing technologies

October 16, 2014

Author(s)

Apostol T. Vassilev, Christopher Celi

The recently discovered Heartbleed bug in OpenSSLs implementation of Internet security protocols and the aftermath from dealing with its consequences highlights a critical problem in the software industry. Software is routinely, inadequately tested

A Cybersecurity Testbed for Industrial Control Systems

October 9, 2014

Author(s)

Richard Candell, Keith A. Stouffer, Dhananjay Anand

The National Institute of Standards and Technology (NIST) is developing a cybersecurity testbed for industrial control systems (ICS). The goal of this testbed is to measure the performance of an ICS when instrumented with cybersecurity protections in

Lightweight Packing of Log Files for Improved Compression in Mobile Tactical Networks

October 8, 2014

Author(s)

Peter M. Mell, Richard Harang

Devices in mobile tactical edge networks are often resource constrained due to their lightweight and mobile nature, and often have limited access to bandwidth. In order to maintain situational awareness in the cyber domain, security logs from these devices

An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme

October 3, 2014

Author(s)

Dustin Moody, Ray A. Perlner, Daniel C. Smith-Tone

Historically, multivariate public key cryptography has been less than successful at offering encryption schemes which are both secure and efficient. At PQCRYPTO '13 in Limoges, Tao, Diene, Tang, and Ding introduced a promising new multivariate encryption

Optimizing Information Set Decoding Algorithms to Attack Cyclosymetric MDPC Codes

October 3, 2014

Author(s)

Ray A. Perlner

The most important drawback to code-based cryptography has historically been its large key sizes. Recently, several promising approaches have been proposed to reduce keysizes. In particular, significant keysize reduction has been achieved by using

Differential Properties of the HFE Cryptosystem

October 1, 2014

Author(s)

Taylor Daniels, Daniel Smith-Tone

Multivariate Public Key Cryptography (MPKC) has been put forth as a possible post-quantum family of cryptographic schemes. These schemes lack provable security in the reduction theoretic sense, and so their security against yet undiscovered attacks remains

Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography

October 1, 2014

Author(s)

Elaine B. Barker, Lidong Chen, Dustin Moody

This Recommendation specifies key-establishment schemes using integer factorization cryptography, based on ANS X9.44, Key-establishment using Integer Factorization Cryptography [ANS X9.44], which was developed by the Accredited Standards Committee (ASC) X9

Reducing the Cognitive Load on Analysts Through Hamming Distance Based Alert Aggregation

September 30, 2014

Author(s)

Peter M. Mell, Richard Harang

Previous work introduced the idea of grouping alerts at a Hamming distance of 1 to achieve alert aggregation; such aggregated meta-alerts were shown to increase alert interpret-ability. However, a mean of 84,023 daily Snort alerts were reduced to a still

Release of NIST Interagency Report 7628 Revision 1, Guidelines for Smart Grid Cybersecurity

September 29, 2014

Author(s)

Victoria Y. Pillitteri, Tanya L. Brewer, Larry Feldman, Gregory A. Witte

The United States has embarked on a major transformation of its electric power infrastructure. This vast infrastructure upgrade--extending from homes and businesses to fossil-fuel-powered generating plants and wind farms--is central to national efforts to

Guidelines for Smart Grid Cybersecurity

September 25, 2014

Author(s)

Victoria Y. Pillitteri, Tanya L. Brewer

This three-volume report, Guidelines for Smart Grid Cybersecurity, presents an analytical framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of Smart Grid-related characteristics

Modeling Network Diversity for Evaluating the Robustness of Networks against Zero-Day Attacks

September 11, 2014

Author(s)

Lingyu Wang, Meng Zhang, Sushil Jajodia, Anoop Singhal, M. Albanese

The interest in diversity as a security mechanism has recently been revived in various applications, such as Moving Target Defense (MTD), resisting worms in sensor networks, and improving the robustness of network routing. However, most existing efforts on

Computer Security Division 2013 Annual Report

September 4, 2014

Author(s)

Patrick D. O'Reilly, Gregory A. Witte, Chris Johnson, Doug Rike

Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002, requires NIST to prepare an annual public report on activities undertaken in the previous year, and planned for the coming year, to carry

BIOS Protection Guidelines for Servers

August 28, 2014

Author(s)

Andrew R. Regenscheid

Modern computers rely on fundamental system firmware, commonly known as the Basic Input/Output System (BIOS), to facilitate the hardware initialization process and transition control to the hypervisor or operating system. Unauthorized modification of BIOS

Policy Machine: Towards a General Purpose Enterprise-Wide Operating Environment

August 28, 2014

Author(s)

David F. Ferraiolo, Larry Feldman, Gregory A. Witte

The ability to control access to sensitive data in accordance with policy is perhaps the most fundamental security requirement. Despite over four decades of security research, the limited ability for existing access control mechanisms to enforce a

Single-shot security for one-time memories in the isolated qubits model

August 21, 2014

Author(s)

Yi-Kai Liu

One-time memories (OTM's) are simple, tamper-resistant cryptographic devices, which can be used to implement sophisticated functionalities such as one-time programs. OTM's cannot exist in a fully-classical world, or in a fully-quantum world, but there is

The Future of Cybersecurity Education

August 19, 2014

Author(s)

Ernest L. McDuffie, V. P. Piotrowski

By fostering public-private partnerships in cybersecurity education, the US government is motivating federal agencies, industry, and academia to work more closely together to defend cyberspace.