NIST
National Institute of Standards and Technology (NIST)
Random Bit Generation (RBG).
The NIST SP 800-90 series provides guidelines and recommendations for generating random numbers for cryptographic use, and has three parts:
SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, specifies mechanisms for the generation of random bits using deterministic methods.
SP 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation, specifies the design principles and requirements for the entropy sources used by RBGs, and the tests for the validation of entropy sources.
SP 800-90C, Recommendation for Random Bit Generator (RBG) Constructions (3rd DRAFT), specifies constructions for the implementation of RBGs.
National Institute of Standards and Technology (NIST).
BLUF: Formerly the National Bureau of Standards; an agency of the Department of Commerce (DoC).
NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
Publications & Special Publications (SP):
Publications -- FIPS, SP, AI, etc. -- https://csrc.nist.gov/publications
AI Risk Management Framework (AI RMF v1.0, 100-1).
-- BLUF: A guide that helps organizations manage the risks associated with designing, developing, and using artificial intelligence systems.
-- URL: https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf -- (48p)
Cloud (Security Guidelines) --
NIST SP 800-144, "Guidelines on Security and Privacy in Public Cloud Computing" --
BLUF: NIST SP 800-144 specifically addresses key technical challenges in public clouds, focusing on data isolation, encryption, and identity and access management. It also emphasizes the importance of clearly defined security roles between cloud providers and their clients.
URL: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf (80p)
TIC 3.0 (published by CISA, not NIST) --
See the CISA site (link not captured). -- BLUF: TIC 3.0 works well with NIST CSF v2.0.
Supply Chain Risk Management--
NIST SP 800-161 rev 1 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations).
URL: https://csrc.nist.gov/pubs/sp/800/161/r1/upd1/final (Published May 2022; updated Dec 2024)
Zero Trust -- (2)
NIST SP 800-207: ZTA 101 --
PDF: NIST SP 800-207 (ZTA).
Description: This is the core document defining Zero Trust. It lays out a ZTA's fundamental concepts, principles, and logical components. It's your "bible" for understanding what Zero Trust is all about.
Value: It provides the "why" and "what" behind Zero Trust, giving you the essential knowledge to build your strategy.
NIST SP 1800-35: Implementing a ZTA (see below) --
PQC --
NIST SP 1800-38B: Migrate to PQC (see below) -- https://www.nccoe.nist.gov/sites/default/files/2023-12/pqc-migration-nist-sp-1800-38b-preliminary-draft.pdf
NIST SP 800-131A Rev.2: Transitioning the Use of Cryptographic Algorithms and Key Lengths. URL: https://csrc.nist.gov/pubs/sp/800/131/a/r2/final
PQC Migration Project Description (Date: Aug 2021): Migrate to PQC. https://www.nccoe.nist.gov/sites/default/files/2022-07/pqc-migration-project-description-final.pdf
PQC Encryption Standards:
NIST released three PQC standards on 13 Aug 2024 -- (3)
ML-KEM FIPS 203 (derived from CRYSTALS-Kyber) — a key encapsulation mechanism selected for general encryption for accessing secured websites.
ML-DSA FIPS 204 (derived from CRYSTALS-Dilithium) — a lattice-based algorithm chosen for general-purpose digital signature protocols.
SLH-DSA FIPS 205 (derived from SPHINCS+) — a stateless hash-based digital signature scheme.
Seminars:
PQC Seminars: Via NIST with Dates, Speaker, Title, and Media. https://csrc.nist.gov/projects/post-quantum-cryptography/workshops-and-timeline/pqc-seminars
NIST Cybersecurity Practice Guide: Implementing ZTA.
The guide outlines a standards-based ZTA reference design and provides information for replicating one or more ZTA implementations.
The reference design is modular and can be deployed in whole or in part, allowing organizations to gradually incorporate ZTA into their legacy environments.
NIST is adopting an agile process to publish the content, with each volume being made available as soon as possible.
5 volumes:
NIST SP 1800-35A: Executive Summary
NIST SP 1800-35B: Approach, Architecture, and Security Characteristics -- [Flipbook]
NIST SP 1800-35C: How-To Guides. SV-5a (System Map), Pg. 27, Figure 1-1.
NIST SP 1800-35D: Functional Demonstrations
NIST SP 1800-35E: Risk and Compliance Management.
The guide can be used by business decision-makers, technology or security program managers, and IT professionals to understand the importance of migrating toward standards-based ZTA implementations.
The guide is a second preliminary draft guide, and feedback on the publication’s contents is welcome.
Typographic conventions used in the guide include italics, bold, monospace (e.g., `service sshd start` for commands), and blue text for links. All publications from NIST's NCCoE (National Cybersecurity Center of Excellence) are available at https://www.nccoe.nist.gov.
Migrate to PQC (NIST SP 1800-38B): "Summary"
URLs:
Q&A: Why did NCCoE start this project? Updating or replacing cryptographic algorithms in hardware, firmware, operating systems, communication protocols, cryptographic libraries, and applications, whether employed in on-premises data centers or in cloud and distributed computing, storage, and network infrastructures, has historically taken many years.
Project Description: https://www.nccoe.nist.gov/sites/default/files/2022-07/pqc-migration-project-description-final.pdf
NIST published CSWP-15 in 2021 to explore challenges associated with adopting and using Post-Quantum Cryptographic Algorithms.
The Migration to Post Quantum Cryptography project was initiated to develop practices and demonstrate capabilities for easing migration from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to quantum-computer-based attacks.
The White House issued a National Security Memorandum on May 4, 2022, reinforcing the NCCoE's project priority for promoting US leadership in quantum computing while mitigating risks to vulnerable systems.
Replacement of cryptographic algorithms is both technically and logistically challenging and can take years or even decades to complete, making it necessary to adopt quantum-resistant algorithms to address cybersecurity challenges.
Cryptographic inventory is needed to apply cryptographic policies across an organization's digital infrastructures, react quickly to security issues, and deploy post-quantum cryptography for security functions and protocols that are currently reliant on quantum-vulnerable algorithms.
A preliminary draft of the document, NIST SP 1800-38B, is available for organizations to start or improve their cryptographic inventories, and organizations can experiment with the guidelines to identify gaps and challenges.
NIST to Standardize Encryption Algorithms That Can Resist Attack by Quantum Computers:
Three new algorithms are expected to be ready for use in 2024. Others will follow.
NIST Cybersecurity Framework (CSF) -- Summary.
BLUF: The NIST CSF 2.0 is a comprehensive guide designed to help organizations manage and reduce cybersecurity risks. It provides a structured approach to understanding, assessing, prioritizing, and communicating cybersecurity efforts. The framework is organized into three main levels: Functions, Categories, and Subcategories, each offering detailed security outcomes and guidance on how to achieve them.
Functions (6)
Govern (GV): Establish and manage a cybersecurity risk management strategy, expectations, and policy. This function ensures that cybersecurity is integrated into the organization's overall risk management processes.
Identify (ID): Understand the organization’s current cybersecurity risks by identifying assets and understanding the risk environment. This function helps in prioritizing efforts based on the organization's risk management strategy.
Protect (PR): Implement safeguards to manage and protect against cybersecurity risks. This includes measures like access control, awareness and training, and data security.
Detect (DE): Identify and analyze potential cybersecurity attacks and compromises. This function supports the timely discovery of anomalies and indicators of compromise.
Respond (RS): Take action regarding detected cybersecurity incidents. This function involves incident response and mitigation activities to contain the impact of incidents.
Recover (RC): Restore capabilities and services that were impaired due to a cybersecurity incident. This function focuses on returning to normal operations and ensuring that recovery efforts are communicated effectively.
Summary:
BLUF: The NIST Cybersecurity Framework (CSF) 2.0 is a comprehensive guide designed to help organizations manage and reduce cybersecurity risks. -- The CSF 2.0 serves as a foundational resource for organizations to enhance their cybersecurity posture and manage risks effectively.
Purpose: The CSF provides a taxonomy (a system of classifications) of high-level cybersecurity outcomes to help organizations understand, assess, prioritize, and communicate their cybersecurity efforts. It is designed to be flexible and applicable to organizations of all sizes and sectors.
Components: (3)
CSF Core: A set of cybersecurity outcomes organized into Functions (Govern, Identify, Protect, Detect, Respond, Recover), Categories, and Subcategories.
CSF Profiles: Mechanisms for describing an organization's current and target cybersecurity posture.
CSF Tiers: Characterizations of the rigor of an organization's cybersecurity risk governance and management practices.
Integration and Communication: The CSF is designed to integrate with other risk management programs and improve communication about cybersecurity risks within an organization and with external stakeholders.
Flexibility and Adaptability: The CSF is sector-, country-, and technology-neutral, providing organizations with the flexibility to address their unique risks and technologies. It is intended to be a living framework that evolves with the changing threat landscape and technological advancements.
NIST | NCCoE: Implementing a ZTA.
BLUF: The goal of this NCCoE (National Cybersecurity Center of Excellence) project is to demonstrate several example ZTA solutions—applied to a conventional, general-purpose enterprise IT infrastructure—designed and deployed according to the concepts and tenets documented in NIST SP 800-207, ZTA.
Intro: https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
2-Page Fact Sheet. https://www.nccoe.nist.gov/sites/default/files/legacy-files/zt-arch-fact-sheet.pdf
NIST SP 1800-35 (Implementing a ZTA). https://pages.nist.gov/zero-trust-architecture/index.html
Description: While not solely focused on Zero Trust, this guide is relevant because it emphasizes the importance of forensic techniques in incident response, which is crucial in a Zero Trust environment.
Value: It helps you understand how to investigate and respond to security incidents within a Zero Trust framework, ensuring you can effectively detect and contain breaches.
NIST | NCCoE: Migration to PQC.
BLUF: (5)
The National Institute of Standards and Technology (NIST) webpage about migrating to post-quantum cryptography.
Quantum computers will be able to break many of the encryption algorithms currently used to protect information.
This page provides information about a project to develop tools and methods to help organizations identify where cryptography is being used and migrate to new, quantum-resistant algorithms (to be crypto-agile).
NIST is working with industry to develop these tools.
The initial focus is developing tools to identify where public-key cryptography is used. Once these tools are developed, the next step will be to develop methods for migrating to quantum-resistant algorithms.
NIST | NCCoE (National Cybersecurity Center of Excellence)
Homepage: https://www.nccoe.nist.gov/
Framework Resource Center: https://www.nccoe.nist.gov/framework-resource-center
Migrate to PQC: https://www.nccoe.nist.gov/crypto-agility-considerations-migrating-post-quantum-cryptographic-algorithms
NIST:
NICE ( . . .)
BLUF: The NICE Framework establishes a common language that describes cybersecurity work and the knowledge and skills needed to complete that work. It is used in the public and private sectors and across industries for career discovery, education and training, and hiring and workforce development.
NICE Website: https://www.nist.gov/itl/applied-cybersecurity/nice
Workforce Framework for Cybersecurity (NICE Framework) NIST Special Publication 800-181, Revision 1 (PDF)