The chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data.| csrc.nist.gov
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.| csrc.nist.gov
Glossary| csrc.nist.gov
Abstract| csrc.nist.gov
CSRC provides access to NIST's cybersecurity- and information security-related projects, publications, news and events.| csrc.nist.gov
One primary objective of enterprise computing (via a data center, cloud, etc.) is the controlled delivery of data services (DSs) to its users. Typical DSs include applications such as email, workflow management, enterprise calendar, and records management,...| csrc.nist.gov
NIST has released a concept paper and proposed action plan for developing a series of NIST SP 800-53 Control Overlays for Securing AI Systems, as well as launching a Slack channel for this community of interest.| csrc.nist.gov
NIST began investigating cryptography for constrained environments in 2013. After two workshops and discussions with stakeholders in industry, government, and academia, NIST initiated a process to solicit, evaluate, and standardize schemes providing...| csrc.nist.gov
This document augments the secure software development practices and tasks defined in Secure Software Development Framework (SSDF) version 1.1 by adding practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle. These additions are documented in the form of an SSDF Community Profile to support Executive Order (EO) 14110, Safe, Secure, and Trustworthy Development and Use of Artif...| csrc.nist.gov
In April 2025, NIST finalized Special Publication (SP) 800-61 Revision 3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile. NIST SP 800-61 Revision 3 seeks to assist organizations with...| csrc.nist.gov
This standard shall be used in designing and implementing cryptographic modules that federal departments and agencies operate or are operated for them under contract. The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. The security requirements cover areas related to the secure design, implementation and operation of a cryptographic module. These areas include cryptographic module specification;...| csrc.nist.gov
In 2005 Prof. Xiaoyun Wang announced a differential attack on the SHA-1 hash function. NIST found that the attack was practical, and announced plans for transitioning to SHA-2 algorithms and development of SHA-3.| csrc.nist.gov
Transport Layer Security (TLS) provides mechanisms to protect data during electronic dissemination across the Internet. This Special Publication provides guidance to the selection and configuration of TLS protocol implementations while making effective use of Federal Information Processing Standards (FIPS) and NIST-recommended cryptographic algorithms. It requires that TLS 1.2 configured with FIPS-based cipher suites be supported by all government TLS servers and clients and requires support ...| csrc.nist.gov
A main tool of Privacy-Enhancing Cryptography (PEC) is the Zero-Knowledge Proof (ZKP). It enables proving the truthfulness of a mathematical statement, without revealing additional information that may have been useful in finding said truthfulness. For...| csrc.nist.gov
Date Published: August 21, 2024| csrc.nist.gov
Want to build your own cybersecurity guidance? This tool provides a simple way to access reference data from various NIST cybersecurity and privacy standards, guidelines, and Frameworks, downloadable in common formats (XLSX and JSON)....| csrc.nist.gov
Short URL: https://csrc.nist.gov/pqc-standardization FIPS 203, FIPS 204 and FIPS 205, which specify algorithms derived from CRYSTALS-Dilithium, CRYSTALS-KYBER and SPHINCS+, were published August 13, 2024. Additional Digital Signature Schemes - Round 1...| csrc.nist.gov
Short URL: https://www.nist.gov/pqcrypto For a plain-language introduction to post-quantum cryptography, go to: What Is Post-Quantum Cryptography? The initial public draft of NIST SP 800-227, Recommendations for Key-Encapsulation Mechanisms, is now...| csrc.nist.gov
The NIST Cryptographic Algorithm Validation Program (CAVP) provides validation testing of Approved (i.e., FIPS-approved and NIST-recommended) cryptographic algorithms and their individual components. Cryptographic algorithm validation is a prerequisite...| csrc.nist.gov
Approved Algorithms Currently, there are two (2) Approved* block cipher algorithms that can be used for both applying cryptographic protection (e.g., encryption) and removing or verifying the protection that was previously applied (e.g., decryption): AES...| csrc.nist.gov
A key-encapsulation mechanism (KEM) is a set of algorithms that, under certain conditions, can be used by two parties to establish a shared secret key over a public channel. A shared secret key that is securely established using a KEM can then be used with symmetric-key cryptographic algorithms to perform basic tasks in secure communications, such as encryption and authentication. This standard specifies a key-encapsulation mechanism called ML-KEM. The security of ML-KEM is related to the com...| csrc.nist.gov
An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.| csrc.nist.gov
The CSOR has allocated the following registration branch for cryptographic algorithm objects: nistAlgorithms OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) } The CSOR only registers...| csrc.nist.gov
Personally Identifiable Information; Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.| csrc.nist.gov
The behavior of an actor. A tactic is the highest-level description of this behavior, while techniques give a more detailed description of behavior in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique.| csrc.nist.gov
Current Publications | csrc.nist.gov
Authority: This work is being initiated pursuant to NIST’s responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107–347. Call for Additional Digital Signature Schemes for the Post-Quantum Cryptography...| csrc.nist.gov
Cryptography that uses two separate keys to exchange data — one to encrypt or digitally sign the data and one to decrypt the data or verify the digital signature. Also known as public-key cryptography.| csrc.nist.gov
The Secretary of Commerce has approved three Federal Information Processing Standards (FIPS) for post-quantum cryptography: FIPS 203, 204 and 205.| csrc.nist.gov
A module validation caveat may warn a user of specific stipulations, conditions, or limitations of a module, to assist in making a risk determination on its usage. The examples below list the potential caveats for a FIPS 140-3 validation (for a list of...| csrc.nist.gov
The security status of an enterprise’s networks, information, and systems based on information security resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.| csrc.nist.gov
Welcome to the CMVP The Cryptographic Module Validation Program (CMVP) is a joint effort between the National Institute of Standards and Technology under the Department of Commerce and the Canadian Centre for Cyber Security, a branch of the Communications...| csrc.nist.gov
The Online Informative Reference Catalog contains all the Reference Data—Informative References and Derived Relationship Mappings (DRMs)—for the National Online Informative References (OLIR) Program. All Reference Data in the Informative Reference Catalog...| csrc.nist.gov
NIST has finalized SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile. This publication augments SP 800-218 by adding practices, tasks, recommendations, considerations, notes,...| csrc.nist.gov
A Comprehensive, Flexible, Risk-Based Approach The Risk Management Framework (RMF) provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach...| csrc.nist.gov
The Interoperable Randomness Beacons project at NIST intends to promote the availability of trusted public randomness as a public utility. This can be used for example for auditability and transparency of services that depend on randomized processes. The...| csrc.nist.gov
Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handl...| csrc.nist.gov
Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure that the software being developed is well-secured. This document recommends the Secure Software Development Framework (SSDF) – a core set of high-level secure software development practices that can be integrated into each SDLC implementation. Following these practices should help software producers r...| csrc.nist.gov
Organizations are concerned about the risks associated with products and services that may potentially contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the supply chain. These risks are associated with an enterprise’s decreased visibility into and understanding of how the technology they acquire is developed, integrated, and deployed or the processes, procedures, standards, and practices used to ensure the securit...| csrc.nist.gov
A security principle that a system should restrict the access privileges of users (or processes acting on behalf of users) to the minimum necessary to accomplish assigned tasks.| csrc.nist.gov
Short URL: https://www.nist.gov/pqcrypto FIPS 203, FIPS 204 and FIPS 205, which specify algorithms derived from CRYSTALS-Dilithium, CRYSTALS-KYBER and SPHINCS+, were published August 13, 2024. 4th Round KEMs Additional Digital Signature Schemes...| csrc.nist.gov
Date Published: August 8, 2023| csrc.nist.gov