Webinars

Rescheduled: Virtual Workshop on the Automation of the NIST Cryptographic Module Validation Program (CMVP)

Monday, October 5, 2020

This workshop was rescheduled from September 1. 

Workshop Objectives

The National Institute of Standards and Technology (NIST) will host a virtual workshop on the
Automation of the NIST Cryptographic Module Validation Program (CMVP) on Monday, October 5, 2020. The number of cryptographic module validations has outstripped the available human resources for timely validation processing. This phenomenon is affecting all stakeholders participating in the CMVP (vendors, labs, and validators alike). The purpose of the workshop is to discuss the challenges and proposed approaches associated with automating the CMVP. The approach to CMVP automation must be based on consistent and reproducible evidence generated and reported by the producers of technologies that implement cryptographic capabilities. The findings from this workshop will inform the development of a potential National Cybersecurity Center of Excellence (NCCoE) demonstration project that supports the Federal Information Processing Standards (FIPS) 140-3 Cryptographic Module Validation Program. The automated program should show a capability to process and deliver results at machine speed.

Background

The NCCoE is developing a NIST CMVP automation project that includes practice descriptions in the form of white papers, playbook generation, and implementation demonstrations. The project aims to improve the efficiency of module validation for all participating organizations. It will examine automated testing within the scope of NIST Handbook 150-17, NVLAP Cryptographic and Security Testing, as an alternative to the existing CMVP. (NVLAP stands for National Voluntary Laboratory Accreditation Program.) The approach is similar to the successful development and rollout of the Automated Cryptographic Algorithm Validation scope in Annex G of NIST Handbook 150-17, and the establishment of an alternative active scope of validation testing under the NIST Cryptographic Algorithm Validation Program (CAVP).

This proposed project generally requires:

  • developing data schemas that would enable the generation and validation of standardized evidence produced by the operational testing of an Implementation Under Test (IUT) executing on a Device Under Test (DUT)
  • developing protocols for submitting evidence and receiving comments and results based on that evidence
  • developing capabilities that associate the Automated Cryptographic Module Validation Protocol (AMVP) evidence with other evidence, such as the cryptographic algorithm validation data produced using the Automated Cryptographic Validation Protocol (ACVP), that would enable the complete and verifiable representation of an IUT
  • leveraging the ACVP to the greatest extent possible to maintain a consistent system architecture
  • developing implementation validation tools and services to enable an end-to-end validation scope for the CMVP
  • updating the processes and procedures used by developers, implementers, validators, and consumers of validated implementations

 

The outcome of the project will support the modernization of the CMVP. The resulting program will likely be offered as an alternative to the existing program to be used in parallel for a period of time needed to allow the automated program to mature and become fully viable for all stakeholders.

Once the automated program is established, other approaches to accelerating its adoption across the stakeholder organizations could include:

  • developing a risk-based approach that takes security requirements, business operations, and mission impact into consideration
  • establishing a communication plan to be used within the organization and for external customers and partners
  • identifying a migration timeline and the necessary resources
  • updating or replacing current security standards, procedures, and recommended practice documentation
  • providing installation, configuration, and administration documentation
  • testing and validating the new processes and procedures

Call for Participation 

NIST invites industry subject matter experts and practitioners to present their views on the challenges associated with the automation of the NIST CMVP and on approaches to tackling the problem. The primary focus of the workshop is to support the development of an actionable project plan. The project would start from simple but effective initial steps. Over time, the effort would begin to tackle the more difficult tasks required to achieve full automation as part of a secure software development process. The resulting process would aim to minimize the human resources required for validation. The workshop provides an opportunity for participants to provide feedback regarding all aspects of the planned project, including the resulting impact on:

  • organization and business practices
  • relevant standards, guidelines, and recommended practices
  • use cases and the technologies to be considered
  • automated test methodologies and integration to existing test harnesses for CAVP
  • sources of the specifications and guidance to be employed

NIST will use the resulting prioritized list of activities to help accelerate the development of an automated program for cryptographic module validation.

Requests to present at this workshop should be submitted to applied-crypto-testing@nist.gov no later than September 18, 2020.

If you are interested in presenting at the workshop, please submit a description of your interest in one or more of the following topics in one page or less to applied-crypto-testing@nist.gov:

  • the data formats and application programming interfaces of the cryptographic modules needed to support the development of the necessary schemas and protocols for evidence submission and validation
  • architecture and development of an infrastructure required to support a new automated validation program
  • positive and negative impacts that the new automation program may have on your organization
  • development of new or updated policies and recommended practices for the automated validation scope in NIST Handbook 150-17
  • development of a roadmap for migrating your organization or your customers from the current human-effort-centric CMVP to the new automated program

 

Submissions should be made by September 18, 2020. NIST may accept late submissions, based on the merits of the proposal, until September 21, 2020.

The workshop will be recorded and the content will be made available after the event. Please join the community-of-interest by sending an email to applied-crypto-testing@nist.gov to get the latest updates on the activities related to the Automation of the NIST Cryptographic Module Validation Program (CMVP).


Agenda

 11:00 – 11:10 EDT  NIST and NCCoE Overview
 11:10 – 11:25 EDT  Workshop Overview & Background
 11:25 – 11:45 EDT  Status of the Automation of NIST Cryptographic Validation Programs
 11:45 – 11:55 EDT  Moderated Q&A
 11:55 – 12:00 EDT  Break
 12:00 – 13:00 EDT  Challenges Session
   • Schema and protocols for evidence submission for module validation
   • Requirements for establishing a new automated module validation scope in NIST Handbook 150-17
   • Integration challenges of the new validation program with the existing automated algorithm validation program
   • Challenges to your organization
 13:00 – 13:10 EDT  Moderated Q&A
 13:10 – 13:15 EDT  Break
 13:15 – 14:15 EDT  Ten Minute Participant Lightning Talk Session
 14:15 – 14:30 EDT  Moderated Q&A
 14:30 – 14:45 EDT  Next Steps/Wrap-up (NCCoE)

Questions? 

Please send an email to applied-crypto-testing@nist.gov

 

RESCHEDULED: Virtual Workshop on Challenges with Compliance, Operations, and Security with Encrypted Protocols, in Particular TLS 1.3

Friday, September 25, 2020

This workshop was rescheduled from August 13. 

Workshop Objectives

The National Institute of Standards and Technology (NIST) will host a virtual workshop to discuss compliance, operations, and security challenges with modern encrypted protocols on Friday, September 25, 2020. Deployment of these protocols, in particular TLS 1.3, can affect some organizations' ability to meet their regulatory, security, and operational requirements. The workshop will investigate practical and implementable approaches that help those industries adopt the protocols in their private data centers and in the hybrid cloud without impacting regulatory compliance, security, or operations. Invitations will be extended to parties that submit brief descriptions of their interest in this topic.

The workshop will identify various approaches and practices to meet common compliance, operations, and security requirements. The findings from this workshop will inform the development of a potential National Cybersecurity Center of Excellence (NCCoE) demonstration project to implement one or more of the proposed approaches while meeting the business use cases, the security capabilities, and supporting technologies. 

Background

The workshop will focus on enterprise data center environments, which include on-premises data centers and hybrid cloud deployments hosted by a third-party data center or a public cloud provider. The public Internet is out of scope. When enterprises deploy network security protocols within the data center to provide integrity and confidentiality, the amount of encrypted data in the enterprise data center increases, and visibility decreases. Enterprises have traditionally depended upon visibility into data in transit within their networks to implement critical cybersecurity and operational controls (e.g., intrusion detection, malware detection, fraud monitoring, and troubleshooting). These cybersecurity controls support both enterprise security and regulatory requirements. For example, some industries are required to monitor transactions for fraud, a task made more difficult if network traffic cannot be decrypted. In particular, enterprise architectures facilitate comprehensive inspection, collection, and analysis of data (i.e., both enterprise and personal data) through a small number of passive or active monitoring devices. To maintain visibility, these cybersecurity controls are provided with the cryptographic keying material needed to decrypt the traffic. However, in many widely deployed protocols this deviates from the original trust model, because the keys needed to decrypt traffic are the same keys used to authenticate the server (in the TLS 1.2 RSA key exchange, for example, the server's static private key both recovers the premaster secret and is what proves the server's identity), making the control devices indistinguishable from the authentic server.

Recent enhancements to these security protocols have made visibility in the enterprise data center more challenging; TLS 1.3 and QUIC are examples. While these protocol enhancements increase performance and address security concerns on the public Internet, they also reduce visibility: TLS 1.3 removes static RSA key exchange and negotiates every session with ephemeral (EC)DHE, so a copy of the server's long-term key no longer suffices to decrypt captured traffic. In addition, emerging deployment models leverage encrypted transport to protect protocols that were previously in the clear (e.g., DoT (DNS over TLS) and DoH (DNS over HTTPS)). DoT and DoH are out of scope for the current project but may be the subject of future NCCoE work. These enhanced security protocols and deployment models were not designed to accommodate decryption of traffic flows by passive monitoring devices, creating potential compliance, security, and operational impacts in enterprises.
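The trust-model point made in the two paragraphs above (a decryption key that doubles as the server's authentication key, and the loss of passive decryption once every session uses ephemeral Diffie-Hellman) is easiest to see with the two key exchanges side by side. The following is an added illustration, not code from NIST, the NCCoE or any TLS implementation. It uses textbook RSA without padding, toy key sizes, a randomly generated (not standardized) DH group, and plain SHA-256 as the key derivation so that it runs with the Python standard library alone; the function names and the `demo()` summary are this example's own.

```python
# Added illustration (not NIST/NCCoE code, not a TLS implementation): a monitor
# holding a copy of the server's long-term key can decrypt static-RSA sessions but
# not ephemeral-DH sessions, the only kind TLS 1.3 allows. Toy sizes, textbook RSA.
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    if n < 4 or n % 2 == 0:                  # Miller-Rabin, fine for toy parameters
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits=512):                    # -> ((n, e), (n, d)); server's long-term key, toy size
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:               # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_private_op(priv, value):
    n, d = priv
    return pow(value, d, n)

def hash_int(group_element):                 # < 2**256, so below every 512-bit modulus
    return int.from_bytes(hashlib.sha256(group_element.to_bytes(64, "big")).digest(), "big")

# TLS 1.2-style static RSA: the client picks the premaster secret and encrypts it to
# the server's long-term key. Recovering it is all that authenticates the server.
def static_rsa_client_hello(server_pub):
    n, e = server_pub
    premaster = secrets.randbelow(n)
    return premaster, pow(premaster, e, n)   # (client's secret, wire ciphertext)

static_rsa_server_finish = rsa_private_op    # the server recovers the premaster ...
static_rsa_passive_monitor = rsa_private_op  # ... by the same operation a key copy allows

# TLS 1.3-style ephemeral DH: the long-term key only signs the server's share.
def dh_params(bits=512):
    return random_prime(bits), 2             # toy group; real stacks use a standard group/curve

def dhe_server_hello(server_priv, params):
    p, g = params
    x = secrets.randbelow(p - 2) + 1         # ephemeral exponent, never persisted
    gx = pow(g, x, p)
    return x, (gx, rsa_private_op(server_priv, hash_int(gx)))

def signed_by_server(server_pub, gx, sig):
    n, e = server_pub
    return pow(sig, e, n) == hash_int(gx)

def session_key(my_exponent, peer_share, p):
    return hashlib.sha256(pow(peer_share, my_exponent, p).to_bytes(64, "big")).digest()

def dhe_client(server_pub, params, server_hello):
    p, g = params
    gx, sig = server_hello
    if not signed_by_server(server_pub, gx, sig):
        raise ValueError("server share not signed by the long-term key")
    y = secrets.randbelow(p - 2) + 1
    return session_key(y, gx, p), pow(g, y, p)

def dhe_passive_monitor(server_priv_copy, server_pub, server_hello, gy):
    """The key copy now buys only what the key is used for: checking (or, actively,
    forging) the signature. The session key needs x or y, which exist only in the
    endpoints' memory; server_priv_copy and gy are deliberately unused."""
    gx, sig = server_hello
    return {"server_authentic": signed_by_server(server_pub, gx, sig), "session_key": None}

def demo():
    pub, priv = rsa_keygen()
    premaster, ciphertext = static_rsa_client_hello(pub)
    params = dh_params()
    x, hello = dhe_server_hello(priv, params)
    client_key, gy = dhe_client(pub, params, hello)
    server_key = session_key(x, gy, params[0])   # server side; x is dropped afterwards
    monitor = dhe_passive_monitor(priv, pub, hello, gy)
    return {"static_rsa_monitor_recovers_secret":
                static_rsa_passive_monitor(priv, ciphertext) == premaster,
            "dhe_endpoints_agree": client_key == server_key,
            "dhe_monitor_sees_authentic_server": monitor["server_authentic"],
            "dhe_monitor_session_key": monitor["session_key"]}
```

Calling `demo()` runs both exchanges with one server key and a monitor that has been given a copy of it. In the static-RSA half the monitor performs exactly the private-key operation the server performs, which is why it is indistinguishable from the server; in the ephemeral half the same key copy still verifies (and, in an active attack, could forge) the server's signature but yields no session key, because the DH exponents never leave the endpoints. Any passive visibility for TLS 1.3 therefore has to obtain session secrets from an endpoint, or move inspection to the endpoint, rather than rely on the server's long-term key.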

Consequently, enterprises have raised questions about how to implement critical services, meet enterprise security, operational, and regulatory requirements, use the enhanced security protocols, and leverage new deployment models all at the same time. Such enterprises may need to consider applying new architectures and novel techniques to augment or replace traditional monitoring devices while satisfying their business, regulatory, and network operations requirements.

NIST invites industry subject matter experts and practitioners to present their views related to challenges to compliance, operations, and security with the modern encrypted protocols, in particular TLS 1.3, as well as proposed solutions. The workshop provides an opportunity for participants to provide feedback on all aspects of the planned activities to include: challenges, impacted protocols, relevant standards, guidelines, recommended practices, use cases and technologies to be considered, and sources of specifications and guidance. NIST will use the resulting prioritized list of activities to develop an NCCoE project to help accelerate the investigation and demonstration of proposed approaches along with their supporting technologies that can be deployed and operated securely by default.

To register for this free workshop by September 25, 2020, please follow the registration link.

The workshop will be recorded and the content will be made available after the event. Please join the community of interest by sending an email to applied-crypto-visibility@nist.gov to get the latest updates on the activities related to Challenges with Compliance, Operations, and Security with Encrypted Protocols.

Agenda

 12:00 – 12:10  NIST and NCCoE Overview (Jeff Greene)
 12:10 – 12:25  Workshop Overview & Background (Tim Polk)
 12:25 – 12:45  IETF Principles for Encrypted Protocols (Sean Turner)
 12:45 – 12:55  Moderated Q&A (Tim Polk)
 12:55 – 13:00  Break
 13:00 – 13:15  Compliance Challenges (Ralph Poore)
 13:15 – 13:30  Operations Challenges (Steve Fenter)
 13:30 – 13:45  Security Challenges (John Banghart)
 13:45 – 14:00  Instructive Scenarios for Demonstration Projects (Paul Turner)
 14:00 – 14:10  Moderated Q&A (John Banghart)
 14:10 – 14:15  Break
 14:15 – 15:00  Proposed Approaches
   • Paul Barret
   • Steve Perkins
   • Nancy Cam-Winget
 15:00 – 15:15  Moderated Q&A (Russ Housley)
 15:15 – 15:30  Next Steps/Wrap-up (Curt Barker)

Additional Resources

In Fall 2019, NIST participated in an invitational workshop on enterprise visibility hosted by the Center for Cybersecurity Policy and Law at Venable. The workshop report is available here (https://centerforcybersecuritypolicy.org/enterprise-data-center-transparency-and-security-initiative).

 
Questions? 

Please send an email to applied-crypto-visibility@nist.gov.

 

Rescheduled: Virtual Workshop on Considerations in Migrating to Post-Quantum Cryptographic Algorithms

Wednesday, October 7, 2020

This workshop was rescheduled from August 24. 

Workshop Objectives

The National Institute of Standards and Technology (NIST) will host a virtual workshop on Wednesday, October 7, 2020. The purpose of the workshop is to discuss the challenges and investigate practical and implementable approaches to ease the migration from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to attacks by quantum computers. This effort complements the NIST post-quantum cryptography (PQC) standardization activities (https://csrc.nist.gov/projects/post-quantum-cryptography).

Background

The National Cybersecurity Center of Excellence (NCCoE) is initiating the development of practices, in the form of white papers, playbooks, and demonstrable implementations, to help organizations migrate from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to attacks by quantum computers. From time to time, the discovery of a cryptographic weakness or an advance in technology creates the need to replace a legacy cryptographic algorithm. The advent of quantum computing technology will compromise many current cryptographic algorithms, in particular the public-key cryptography used widely to protect digital information. Algorithm replacement can be extremely disruptive and often takes decades to accomplish. Replacing an algorithm generally requires:

  • identifying the presence of the legacy algorithms,
  • understanding the data formats and application programming interfaces of cryptographic libraries to support necessary changes and replacements,
  • developing implementation validation tools,
  • discovering the hardware that implements or accelerates algorithm performance,
  • determining operating system and applications code that use the algorithm,
  • identifying all communications protocols with quantum-vulnerable crypto algorithms, and
  • updating the processes and procedures of developers, implementers, and users.

The new algorithms will likely not be drop-in replacements, and they may not have the same performance or reliability characteristics as the legacy algorithms, because of differences in key size, signature size, error-handling properties, the number of execution steps required to perform the algorithm, and the complexity of the key establishment process.

Once the replacement algorithms are selected, other operational considerations to accelerate the adoption and implementation across the organization include:

  • developing a risk-based approach, taking into consideration security requirements, business operations, and mission impact;
  • establishing a communication plan to be used within the organization and for external customers and partners;
  • identifying a migration timeline and the necessary resources;
  • updating or replacing security standards, procedures, and recommended practice documentation;
  • providing installation, configuration, and administration documentation, and
  • testing and validating the new processes and procedures.

See the NIST Cybersecurity White Paper Getting Ready for Post-Quantum Cryptography: Explore Challenges Associated with Adoption and Use of Post-Quantum Cryptographic Algorithms for additional background.

The NCCoE will publish a summary of these contributions (without attribution) before the workshop to maximize the exchange of ideas. 

Registration for the workshop will close on October 2. The workshop will be limited to 1000 participants.

The workshop will be recorded and the content will be made available after the event. Please join the community of interest by sending an email to applied-crypto-pqc@nist.gov to get the latest updates on the activities related to Migrating to Post-Quantum Cryptographic Algorithms.

Agenda

 11:00 – 11:10 EDT  NIST and NCCoE Overview
 11:10 – 11:25 EDT  Workshop Overview & Background
 11:25 – 11:45 EDT  Status of NIST PQC Activity
 11:45 – 11:55 EDT  Moderated Q&A
 11:55 – 12:00 EDT  Break
 12:00 – 13:00 EDT  Challenges Session
   • Standards Developing Organizations (SDOs)
   • Hardware/Software Development and Production
   • Integration Challenges
   • Customer Challenges
 13:00 – 13:10 EDT  Moderated Q&A
 13:10 – 13:15 EDT  Break
 13:15 – 14:15 EDT  Five Minute Participant Lightning Talk Session
 14:15 – 14:30 EDT  Moderated Q&A
 14:30 – 14:45 EDT  Next Steps/Wrap-up (NCCoE)

Questions? 

Please send an email to applied-crypto-pqc@nist.gov

 

De-mystifying Secure Software Development Webinar

Tuesday, June 23, 2020

Background

Once seen as only tangential to cybersecurity planning, software security has recently emerged as a top priority for policymakers, businesses, and users around the world. As our collective understanding of cybersecurity has grown, we have come to recognize the central role secure design and development plays in protecting the software that powers our world. Unfortunately, software security discussions have long been hampered by inconsistent terminology, lack of clarity around best practices, and a sense that only the most technically inclined could ever really make sense of the process. A new software development framework from NIST is poised to change all that.

Much like it did with its Cybersecurity Framework, NIST has brought together what we have learned about software security over the past two decades and created a secure software development framework (SSDF) that can get us all talking from the same playbook. The framework builds on SAFECode’s publications on secure development best practices, the BSA Framework for Secure Software, and other industry contributions to deliver a core set of high-level secure software development practices that help ensure that software is secure by design. Software producers who follow these practices can reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to achieve continuous improvement of software security. Software consumers can use the framework to confidently build their security requirements and apply them as applicable to their software acquisition processes.

Event Details

Please register here to join BSA and SAFECode along with government and industry panelists in a virtual roundtable discussion on Tuesday, June 23 from 11 a.m. to 1 p.m. to learn about the SSDF and hear about its practical applications for product developers, public and private sector customers, and the future of product certifications and labeling.

Questions about this session should be directed to BSA’s Tommy Ross (thomasr@bsa.org) or SAFECode’s Steve Lipner (lipner@safecode.org). 

Agenda

Slides from this session can be found here
 
11:00 - 11:05 a.m.
Welcome remarks
Kevin Stine, NIST
 
11:05 - 11:20 a.m.
Introduction and overview of the NIST Secure Software Development Framework
Karen Scarfone, NIST Associate
 
11:20 - 11:30 a.m.
BSA’s perspective
Tommy Ross, BSA
 
11:30 - 11:40 a.m.
SAFECode’s perspective
Steve Lipner, SAFECode
  
11:40 - 11:55 a.m.
Q&As
BSA/NIST/SAFECode
Tommy Ross, Karen Scarfone, Kevin Stine, and Steve Lipner
 
12:05 - 12:45 p.m.
Perspectives on Applying the SSDF
  • Guiding Product Development:  Valecia Maclin, Microsoft
  • Supporting private sector software acquisition:  John Banghart, Venable
  • Improving government acquisition: Melinda Reed, DoD
  • Shaping interoperability, synergies, and evaluation: Prokopios Drogkaris and Apostolos Malatras, ENISA
 
12:45 - 12:55 p.m.
Q&As
Invited speakers
Valecia Maclin, John Banghart, Melinda Reed, Prokopios Drogkaris and Apostolos Malatras
 
12:55 - 1:00 p.m.
Closing remarks and next steps
BSA/NIST/SAFECode
Tommy Ross, Kevin Stine, and Steve Lipner

Energy Analytic Security Exchange Meeting

Tuesday, May 7, 2019

NCCoE Engineer Jim McCarthy will be speaking to Energy Analytic Security Exchange (EASE) members on their biweekly member analyst call on May 7. 

Attendees will include EASE staff analysts and energy companies' cyber and physical security analysts and managers; the call will cover how the NCCoE can be used as a resource to the community.

For more information, please visit the EASE website or email membership@energy-ase.com.

IoTSSA Podcast

Thursday, February 14, 2019

Join Brian (of IoTSSA) for a discussion on the NIST Cybersecurity Framework with Karen Waltermire, Cybersecurity Engineer with NIST, and Harry Perper, Dept. Chief Engineer with The MITRE Corporation.

Under its parent organization, NIST, the NCCoE (National Cybersecurity Center of Excellence) accelerates businesses' adoption of standards-based, advanced security technologies. It consults with IT security professionals and other leaders to identify their most pressing cybersecurity issues so that it can develop new support programs for SMBs and evolve current ones.

Making Mobile Access Secure and Convenient Using Derived PIV Credentials

Wednesday, December 12, 2018

The government workplace is already using tablets and/or smartphones to access secure data, but the existing technology available to reach this data securely can be unwieldy and somewhat outdated. In this webinar, scheduled for December 12 at 11:00 am, Intercede and the NCCoE will share how your organization can leverage derived PIV credentials to access important information securely and without it being a hassle.

Register for this webinar to learn:

  • What derived PIV credentials (DPC) are
  • How DPCs can help make access to mobile devices secure and convenient
  • What to consider in selecting a DPC solution

National Cybersecurity Awareness Month Webinar: Energy Sector

Tuesday, October 23, 2018

In support of National Cybersecurity Awareness Month, the National Cybersecurity Center of Excellence (NCCoE) invites you to join us on Tuesday, October 23, 2018 from 3-4 p.m. (ET). This webinar will provide an overview of NCCoE Energy Sector projects as well as a discussion led by BlackRidge Technology on the Industrial Internet of Things (IIoT).

What to expect:

  • Information on NCCoE's past and current Energy Sector projects
  • Discussion on current and future cybersecurity challenges as they relate to IIoT
  • Question and Answer from the virtual audience

Hosts:

Jim McCarthy, Energy Program Lead, National Cybersecurity Center of Excellence

Michael Murray, Senior Vice President and General Manager of Cyber Physical Systems, BlackRidge Technology

John Walsh, Chief Strategy and Technology Officer, BlackRidge Technology

Radiant Logic Webinar

Thursday, August 30, 2018

Join us for a new webinar on Thursday, August 30 featuring Harry Perper, Chief Engineer on the project, to learn how the National Cybersecurity Center of Excellence (NCCoE) addressed the sector's access rights management challenges and to discover the role Radiant Logic played in the resulting reference architecture. Under the auspices of the National Institute of Standards and Technology (NIST), the NCCoE worked with experts from the financial services sector and technology partners to develop an Access Rights Management (ARM) reference architecture.

R-CISC's Cyber Thursday

Thursday, September 6, 2018

With fraudulent online purchases on the rise, organizations need to protect their customers without overburdening the shopping experience. In this webinar, engineers from the National Cybersecurity Center of Excellence (NCCoE) will discuss the recently released NIST Cybersecurity Practice Guide SP 1800-17, Multifactor Authentication for E-Commerce, which demonstrates how an organization can use standards-based technologies to help prevent account takeovers and reduce online fraudulent purchases. Join us, along with R-CISC, to explore the MFA options used in the draft NIST Special Publication which are available to retailers today and see video demonstrations of these scenarios to select the option that best matches your organization’s goals and customer needs.

This webinar is open to R-CISC Members and eligible retail cybersecurity practitioners. Email events@r-cisc.org to RSVP today.