Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Review of NIST Crypto Standards and Development Process Kicks Off

The National Institute of Standards and Technology (NIST) announced May 14 that its primary advisory committee, the Visiting Committee on Advanced Technology (VCAT), has started a review of the institute’s cryptographic standards and guidelines program.

The National Institute of Standards and Technology (NIST) announced May 14 that its primary advisory committee, the Visiting Committee on Advanced Technology (VCAT), has started a review of the institute’s cryptographic standards and guidelines program.

The review was born out of several months of controversy caused by reports of efforts by the NSA to subvert crypto standards and technology in an operation known as ‘Bullrun.’ The revelations became public as a result of the fallout surrounding the leaks by Edward Snowden.

To support its review of the institute’s guidelines, the committee has formed a panel of experts to assess NIST’s existing cryptographic standards and guidelines and the process through which they have been developed. The panel members are: Vint Cerf of Google; Edward Felten of Princeton University; Steve Lipner of Microsoft Corporation; Bart Preneel of Katholieke Universiteit Leuven; Ellen Richey of Visa; Ron Rivest of the Massachusetts Institute of Technology (MIT); and Fran Schrotter of the American National Standards Institute (ANSI).

“Our mission is to protect the nation’s IT infrastructure and information by promoting strong cryptography,” said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher in a statement. “We look forward to the VCAT’s review to help ensure we have the most transparent and effective process for doing that.”

In November, NIST began an internal review of its development process and announced it would seek public input and an independent review due to concerns in the security community about the integrity of the institute’s activities. In February, NIST released a draft document called ‘NIST IR 7977: NIST Cryptographic Standards and Guidelines Development Process’ for a two-month public comment period.

The panel will review NIST’s current processes as described in NIST IR 7977 as well as the public comments and NIST cryptographic standards and guidelines. The committee may also seek input from other experts.

Panel members will provide individual assessments to the VCAT Subcommittee on Cybersecurity, which will report its findings and any recommendations to the full VCAT. The subcommittee will provide an update on its progress on June 11, 2014, at the next VCAT meeting. Upon reviewing the expert assessments and the proposed recommendations of the subcommittee, the VCAT will issue its recommendations to NIST.

“Most of the crypto we trust was shepherded into standards by the US government,” said Dan Kaminsky, chief scientist of White Ops. “The feds employ and fund a huge amount of cryptographic talent, and use these standards in agencies all across the country. So the assumption was that the standards themselves would only receive attention that would improve their quality, not degrade. Recent disclosures destroyed that assumption.”

Advertisement. Scroll to continue reading.

“I’m genuinely impressed with who NIST has brought in as an outside committee,” he added. “I know many of these engineers – this is a distinguished group, to say the least – and they’re the right people to begin this journey. But bureaucracy is complicated and the question is always going to be how much influence will they be given. Still, this is a critical first step.”

The reports from the panel members, subcommittee and VCAT will be available at www.nist.gov/director/vcat/.

*This story was updated with additional commentary.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.