This NIST AI report develops a taxonomy of concepts and defines terminology in the field of adversarial machine learning (AML). The taxonomy is built on survey of the AML literature and is arranged in a conceptual hierarchy that includes key types of ML methods and lifecycle stage of attack, attacker goals and objectives, and attacker capabilities and knowledge of the learning process. The report also provides corresponding methods for mitigating and managing the consequences of attacks an...| csrc.nist.gov
About| csrc.nist.gov
About| csrc.nist.gov
This supplement to NIST Special Publication 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management, provides agencies with additional guidance on the use of authenticators that may be synced between devices.| csrc.nist.gov
An effect of uncertainty on or within information and technology. Cybersecurity risks relate to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation) and assets, individuals, other organizations, and the Nation. (Definition based on ISO Guide 73 [6] and NIST SP 800-60 Vol. 1 Rev. 1 [7])| csrc.nist.gov
In 2023, the National Institute of Standards and Technology (NIST) announced the selection of the Ascon family of algorithms designed by Dobraunig, Eichlseder, Mendel, and Schläffer to provide efficient cryptographic solutions for resource-constrained devices. This decision emerged from a rigorous, multi-round lightweight cryptography standardization process. The Ascon family includes a suite of cryptographic primitives that provide Authenticated Encryption with Associated Data (AEAD), hash ...| csrc.nist.gov
NIST began investigating cryptography for constrained environments in 2013. After two workshops and discussions with stakeholders in industry, government, and academia, NIST initiated a process to solicit, evaluate, and standardize schemes providing...| csrc.nist.gov
Click on the image to access the 2nd public draft of Special Publication (SP) 800-161, Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (released October 28, 2021). PRESENTATION for WORKSHOP (.PDF) Event...| csrc.nist.gov
Secure .gov websites use HTTPS| csrc.nist.gov
The MIP list contains cryptographic modules on which the CMVP is actively working on. For a module to transition from Review Pending to In Review, the lab must first pay the NIST Cost Recovery fee, and then the report will be assigned as resources become...| csrc.nist.gov
The IUT list is provided as a marketing service for vendors who have a viable contract with an accredited laboratory for the testing of a cryptographic module, and the module and required documentation is resident at the laboratory. The CMVP does not have...| csrc.nist.gov
You are viewing this page in an unauthorized frame window.| csrc.nist.gov
This document augments the secure software development practices and tasks defined in Secure Software Development Framework (SSDF) version 1.1 by adding practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle. These additions are documented in the form of an SSDF Community Profile to support Executive Order (EO) 14110, Safe, Secure, and Trustworthy Development and Use of Artif...| csrc.nist.gov
The following are selected examples of additional resources supporting the incident response life cycle. Vulnerability and Threat Information CISA, Automated Indicator Sharing (AIS) CISA, CISA Cyber Threat Indicator and Defensive Measure...| csrc.nist.gov
Want to build your own cybersecurity guidance? This tool provides a simple way to access reference data from various NIST cybersecurity and privacy standards, guidelines, and Frameworks– downloadable in common formats (XLSX and JSON)....| csrc.nist.gov
Date Published: April 24, 2023| csrc.nist.gov
Use these CSRC Topics to identify and learn more about NIST's cybersecurity Projects, Publications, News, Events and Presentations.| csrc.nist.gov
You are viewing this page in an unauthorized frame window.| csrc.nist.gov
Welcome to the CMVP The Cryptographic Module Validation Program (CMVP) is a joint effort between the National Institute of Standards and Technology under the Department of Commerce and the Canadian Centre for Cyber Security, a branch of the Communications...| csrc.nist.gov
In April 2025, NIST finalized Special Publication (SP) 800-61 Revision 3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile. NIST SP 800-61 Revision 3 seeks to assist organizations with...| csrc.nist.gov
You are viewing this page in an unauthorized frame window.| csrc.nist.gov
This standard shall be used in designing and implementing cryptographic modules that federal departments and agencies operate or are operated for them under contract. The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. The security requirements cover areas related to the secure design, implementation and operation of a cryptographic module. These areas include cryptographic module specification;...| csrc.nist.gov
In 2005 Prof. Xiaoyun Wang announced a differential attack on the SHA-1 hash function. NIST found that the attack was practical, and announced plans for transitioning to SHA-2 algorithms and development of SHA-3.| csrc.nist.gov
Transport Layer Security (TLS) provides mechanisms to protect data during electronic dissemination across the Internet. This Special Publication provides guidance to the selection and configuration of TLS protocol implementations while making effective use of Federal Information Processing Standards (FIPS) and NIST-recommended cryptographic algorithms. It requires that TLS 1.2 configured with FIPS-based cipher suites be supported by all government TLS servers and clients and requires support ...| csrc.nist.gov
A main tool of Privacy-Enhancing Cryptography (PEC) is the Zero-Knowledge Proof (ZKP). It enables proving the truthfulness of a mathematical statement, without revealing additional information that may have been useful in finding said truthfulness. For...| csrc.nist.gov
Date Published: August 21, 2024| csrc.nist.gov
Date Published: August 21, 2024| csrc.nist.gov
Date Published: August 21, 2024| csrc.nist.gov
Want to build your own cybersecurity guidance? This tool provides a simple way to access reference data from various NIST cybersecurity and privacy standards, guidelines, and Frameworks– downloadable in common formats (XLSX and JSON)....| csrc.nist.gov
You are viewing this page in an unauthorized frame window.| csrc.nist.gov
Short URL: https://csrc.nist.gov/pqc-standardization FIPS 203, FIPS 204 and FIPS 205, which specify algorithms derived from CRYSTALS-Dilithium, CRYSTALS-KYBER and SPHINCS+, were published August 13, 2024. Additional Digital Signature Schemes - Round 1...| csrc.nist.gov
Short URL: https://www.nist.gov/pqcrypto For a plain-language introduction to post-quantum cryptography, go to: What Is Post-Quantum Cryptography? The initial public draft of NIST SP 800-227, Recommendations for Key-Encapsulation Mechanisms, is now...| csrc.nist.gov
The NIST Cryptographic Algorithm Validation Program (CAVP) provides validation testing of Approved (i.e., FIPS-approved and NIST-recommended) cryptographic algorithms and their individual components. Cryptographic algorithm validation is a prerequisite...| csrc.nist.gov
Approved Algorithms Currently, there are two (2) Approved* block cipher algorithms that can be used for both applying cryptographic protection (e.g., encryption) and removing or verifying the protection that was previously applied (e.g., decryption): AES...| csrc.nist.gov
A key-encapsulation mechanism (KEM) is a set of algorithms that, under certain conditions, can be used by two parties to establish a shared secret key over a public channel. A shared secret key that is securely established using a KEM can then be used with symmetric-key cryptographic algorithms to perform basic tasks in secure communications, such as encryption and authentication. This standard specifies a key-encapsulation mechanism called ML-KEM. The security of ML-KEM is related to the com...| csrc.nist.gov
You are viewing this page in an unauthorized frame window.| csrc.nist.gov
An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.| csrc.nist.gov
The CSOR has allocated the following registration branch for cryptographic algorithm objects: nistAlgorithms OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) } The CSOR only registers...| csrc.nist.gov
Personally Identifiable Information; Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.| csrc.nist.gov
The behavior of an actor. A tactic is the highest-level description of this behavior, while techniques give a more detailed description of behavior in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique.| csrc.nist.gov
Current Publications | csrc.nist.gov
Authority: This work is being initiated pursuant to NIST’s responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107–347. Call for Additional Digital Signature Schemes for the Post-Quantum Cryptography...| csrc.nist.gov
Cryptography that uses two separate keys to exchange data — one to encrypt or digitally sign the data and one to decrypt the data or verify the digital signature. Also known as public-key cryptography.| csrc.nist.gov
The Secretary of Commerce has approved three Federal Information Processing Standards (FIPS) for post-quantum cryptography: FIPS 203, 204 and 205.| csrc.nist.gov
Short URL: https://csrc.nist.gov/pqc-standardization FIPS 203, FIPS 204 and FIPS 205, which specify algorithms derived from CRYSTALS-Dilithium, CRYSTALS-KYBER and SPHINCS+, were published August 13, 2024. Additional Digital Signature Schemes - Round 1...| csrc.nist.gov
A module validation caveat may warn a user of specific stipulations, conditions, or limitations of a module, to assist in making a risk determination on its usage. The examples below list the potential caveats for a FIPS 140-3 validation (for a list of...| csrc.nist.gov
The security status of an enterprise’s networks, information, and systems based on information security resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.| csrc.nist.gov
Welcome to the CMVP The Cryptographic Module Validation Program (CMVP) is a joint effort between the National Institute of Standards and Technology under the Department of Commerce and the Canadian Centre for Cyber Security, a branch of the Communications...| csrc.nist.gov
Abstract| csrc.nist.gov
The Online Informative Reference Catalog contains all the Reference Data—Informative References and Derived Relationship Mappings (DRMs)—for the National Online Informative References (OLIR) Program. All Reference Data in the Informative Reference Catalog...| csrc.nist.gov
You are viewing this page in an unauthorized frame window.| csrc.nist.gov
NIST has finalized SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile. This publication augments SP 800-218 by adding practices, tasks, recommendations, considerations, notes,...| csrc.nist.gov
A Comprehensive, Flexible, Risk-Based Approach The Risk Management Framework (RMF) provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach...| csrc.nist.gov
The Interoperable Randomness Beacons project at NIST intends to promote the availability of trusted public randomness as a public utility. This can be used for example for auditability and transparency of services that depend on randomized processes. The...| csrc.nist.gov
Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handl...| csrc.nist.gov
You are viewing this page in an unauthorized frame window.| csrc.nist.gov
Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure that the software being developed is well-secured. This document recommends the Secure Software Development Framework (SSDF) – a core set of high-level secure software development practices that can be integrated into each SDLC implementation. Following these practices should help software producers r...| csrc.nist.gov
Organizations are concerned about the risks associated with products and services that may potentially contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the supply chain. These risks are associated with an enterprise’s decreased visibility into and understanding of how the technology they acquire is developed, integrated, and deployed or the processes, procedures, standards, and practices used to ensure the securit...| csrc.nist.gov
Abstract| csrc.nist.gov
Short URL: https://www.nist.gov/pqcrypto For a plain-language introduction to post-quantum cryptography, go to: What Is Post-Quantum Cryptography? The initial public draft of NIST SP 800-227, Recommendations for Key-Encapsulation Mechanisms, is now...| csrc.nist.gov
A security principle that a system should restrict the access privileges of users (or processes acting on behalf of users) to the minimum necessary to accomplish assigned tasks.| csrc.nist.gov
Short URL: https://www.nist.gov/pqcrypto FIPS 203, FIPS 204 and FIPS 205, which specify algorithms derived from CRYSTALS-Dilithium, CRYSTALS-KYBER and SPHINCS+, were published August 13, 2024. 4th Round KEMs Additional Digital Signature Schemes...| csrc.nist.gov
Date Published: August 8, 2023| csrc.nist.gov
NIST has finalized SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile. This publication augments SP 800-218 by adding practices, tasks, recommendations, considerations, notes,...| csrc.nist.gov
Welcome to the CMVP The Cryptographic Module Validation Program (CMVP) is a joint effort between the National Institute of Standards and Technology under the Department of Commerce and the Canadian Centre for Cyber Security, a branch of the Communications...| csrc.nist.gov