NIST Cryptographic Standards and Guidelines Development Process

NISTIR 7977

NIST Cryptographic Standards and

Guidelines Development Process

Cryptographic Technology Group

This publication is available free of charge from:

http://dx.doi.org/10.6028/NIST.IR.7977

NISTIR 7977

NIST Cryptographic Standards and

Guidelines Development Process

Cryptographic Technology Group

Computer Security Division

Information Technology Laboratory

This publication is available free of charge from:

http://dx.doi.org/10.6028/NIST.IR.7977

March 2016

U.S. Department of Commerce

Penny Pritzker, Secretary

National Institute of Standards and Technology

Willie May, Under Secretary of Commerce for Standards and Technology and Director

National Institute of Standards and Technology Internal Report 7977

27 pages (March 2016)

This publication is available free of charge from:

http://dx.doi.org/10.6028/NIST.IR.7977

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an

experimental procedure or concept adequately. Such identification is not intended to imply recommendation or

endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best

available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance

with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies,

may be used by federal agencies even before the completion of such companion publications. Thus, until each

publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For

planning and transition purposes, federal agencies may wish to closely follow the development of these new

publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to

NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at

http://csrc.nist.gov/publications.

Comments on this publication may be submitted to:

All comments are subject to release under the Freedom of Information Act (FOIA).

National Institute of Standards and Technology

Attn: Computer Security Division, Information Technology Laboratory

100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930

Email: crypto-rev[email protected]

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology

(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s

measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of

concept implementations, and technical analyses to advance the development and productive use of

information technology. ITL’s responsibilities include the development of management, administrative,

technical, and physical standards and guidelines for the cost-effective security and privacy of other than

national security-related information in federal information systems.

Abstract

This document describes the principles, processes and procedures that drive cryptographic standards and

guidelines development efforts at the National Institute of Standards and Technology (NIST). This

document reflects public comments received on two earlier versions, and will serve as the basis to guide

NIST’s future cryptographic standards and guidelines development efforts. It will be reviewed and

updated every five years, or more frequently if a need arises, to help ensure that NIST fulfills its role and

responsibilities for producing robust, effective cryptographic standards and guidelines.

Keywords

Cryptographic standards; cryptographic guidelines; cryptographic research

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

iii

Table of Contents

1. Introduction and Overview ..................................................................................................... 1

2. Principles................................................................................................................................. 2

3. Publications for NIST’s Cryptographic Standards and Guidelines ........................................ 5

4. Stakeholders for NIST’s Cryptographic Standards and Guidelines ....................................... 7

5. Engaging the Cryptographic Community ............................................................................... 8

6. Public Notice and Review of Proposed and Final Standards and Guidelines....................... 14

7. Policies and Processes for the Life Cycle Management of Cryptographic Standards and

Guidelines ..................................................................................................................................... 16

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

1. Introduction and Overview

The National Institute of Standards and Technology (NIST) is responsible for developing

standards (Federal Information Processing Standards, or “FIPS”) and guidelines to protect non-

national security federal information systems. Outside the Federal Government, these

publications are voluntarily relied upon across many sectors to promote economic development

and protect sensitive personal and corporate information. NIST has a dual role in this regard: 1)

as a developer of standards and guidelines under federal law, and 2) as a technical contributor

and stakeholder in connection with voluntary, global standards development. NIST has authority

to conduct these activities under 15 U.S.C. 278g-3 and 15 U.S.C. 272(b)(3) and (b)(10).

The Computer Security Division (CSD), a part of the NIST Information Technology Laboratory

(ITL), is charged with carrying out these responsibilities. Cryptographic standards and guidelines

for the protection of federal information systems have always been a key component of this

effort. They must be robust and have the confidence of the cryptographic community in order to

be widely adopted and effective at securing information systems worldwide.

To ensure these standards and guidelines provide high quality, cost-effective security

mechanisms, NIST works closely with a broad stakeholder community to identify areas of need

and develop standards and guidelines. That community has expanded in recent years and now is

global in nature, as is the interest in having systems in place that will appropriately protect and

ensure the security of digitized information. That community includes experts from academia,

government agencies, and organizations that choose to adopt NIST cryptographic standards and

guidelines. Open and transparent processes are critical to developing the most secure and trusted

cryptographic standards possible. NIST strives to engage all of its stakeholders in these

processes, and continually works to strengthen its efforts in this area. This document sets forth

the principles and processes NIST will use for future cryptographic standards and guidelines,

based on discussions and input from stakeholders.

NIST must have access to the most recent and relevant expertise regarding cryptography

wherever this expertise resides. NIST must employ staff capable of soliciting, analyzing, and

putting this cryptographic knowledge to use in developing standards and guidelines, tests, and

metrics. In order to carry out its mission of protecting information and information systems,

NIST also needs to be actively involved in advancing the field of cryptography. NIST is

committed to achieving these goals by ensuring that its internal capabilities are strong and

effective, and that it has access to highly-capable external cryptographers. The agency’s research

investment in the cryptographic arena helps to ensure that the algorithms and schemes in its

standards and guidelines are secure. This research also aids in building the foundation for

standards and guidelines, whether they are developed by NIST or by other organizations.

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

2. Principles

NIST believes that robust, widely understood, and participatory development processes produce

the strongest, most effective, most trusted, and broadly accepted cryptographic standards and

guidelines. The following principles guide NIST’s cryptographic standards and guidelines

development processes.

Transparency: All interested and affected parties have access to essential information regarding

standards and guidelines-related activities throughout the development process. NIST is

committed to transparency in the development and documentation of its cryptographic standards

with respect to the areas of focus, selection and evaluation criteria, specifications, security and

other performance characteristics, and provenance.

Openness: Participation is open to all interested parties. All stakeholders – including security

professionals, researchers, standards developing organizations (SDOs), and users – have an

opportunity to be meaningfully involved in the standards and guidelines development process.

Balance: NIST strives to achieve a balance of interests among stakeholders, weighing these

interests to develop cryptographic standards and guidelines that are secure and efficient, and that

promote interoperability. NIST solicits input and evidence from a wide range of stakeholders

representing government, industry and academia to ensure that its standards are strong and

practical, and meet the needs of the Federal Government as well as the broader user community.

Integrity: NIST serves as an impartial technical authority when it is developing cryptographic

standards and guidelines. When evaluating, selecting, and standardizing cryptographic

algorithms, NIST strives to maintain objectivity as it forms and documents its decisions. NIST

will conduct its standards selection and development processes with clear criteria, and guard

against undue or improper influence while considering the legitimate interests of stakeholders.

As part of the standards development process, NIST will avoid or appropriately manage conflicts

of interest, following procedures to manage the risk presented by those conflicts, and ensure

appropriate training for its staff. NIST will not knowingly misrepresent or conceal security

properties, and will make every effort to ensure that contributions to NIST’s work from any

organizations do not compromise the security of any mechanism recommended by NIST.

Technical Merit: NIST’s decisions during the development of cryptographic standards and

guidelines are based on the technical merit of a proposal while being mindful of security,

privacy, policy and business considerations. NIST strives to standardize secure cryptographic

algorithms, schemes, and modes of operation whose security properties are well understood, and

are efficient, robust against accidental misuse, and promote interoperability. The review of

technical merit includes a precise, formal statement of security claims, based on minimal security

assumptions and supported as far as possible by documented cryptanalysis and security reduction

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

proofs. In solicitations for proposed algorithms, NIST will ask for these proofs and, when

available, include them in the public record when standards and guidelines are developed.

Global Acceptability: While the statutory basis for NIST’s work in cryptography is the need for

protection of non-national security federal information systems, NIST standards are the

foundation of many information technology products and services that are developed by U.S.

suppliers and sold globally. NIST recognizes the role of its cryptographic standards in assuring

the competitiveness of U.S. industry in delivering these products and services, and is committed

to ensuring that its standards and guidelines are accepted internationally.

Usability: NIST aims to develop cryptographic standards and guidelines that help implementers

create secure and usable systems for their customers that support business needs and workflows,

and can be readily integrated with existing and future schemes and systems. Cryptographic

standards and guidelines should be chosen to minimize the demands on users and implementers

as well as the adverse consequences of human mistakes and equipment failures.

Continuous Improvement: As cryptographic algorithms are developed, and for the duration of

their use, the cryptographic community is encouraged to identify weaknesses, vulnerabilities, or

other deficiencies in the algorithms specified in NIST publications. When serious problems are

identified, NIST engages with the broader cryptographic community to address them. NIST

conducts research in order to stay current, to enable new cryptographic advances that may affect

the suitability of standards and guidelines, and so that NIST and others can take advantage of

those advances to strengthen standards and guidelines.

Innovation and Intellectual Property (IP): While developing its cryptographic standards and

guidelines for non-national security systems, NIST has noted a strong preference among its users

for solutions that are unencumbered by royalty-bearing patented technologies. NIST has

observed that widespread adoption of cryptographic solutions that it has developed has been

facilitated by royalty-free licensing terms. While NIST prefers to select algorithms that are

unencumbered by intellectual property claims, it may select algorithms with associated patents if

the technical benefits outweigh the potential costs that would be incurred in implementing the

patented technologies. NIST will explicitly recognize and respect the value of IP and the need to

protect IP if it is incorporated into standards or guidelines. Furthermore, NIST believes it is

important to balance the rights of IP holders and of those seeking to utilize technologies

involving intellectual property rights.

Overarching Considerations

Following formal processes as described in this document is necessary but insufficient in

developing robust, trustworthy, and effective cryptographic standards and guidelines. Ultimately,

the final decision about what to include in a cryptographic standard or guideline rests with NIST.

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

That decision must reflect a high degree of integrity to ensure that its decision will garner the

support of cryptographic experts regardless of affiliation.

NIST's mission includes the rigorous development of strong cryptographic standards for meeting

U.S. federal agency non-national security and promote the U.S. economy and public welfare by

providing technical leadership for the Nation’s measurement and standards infrastructure. In

order to make independent decisions, NIST stresses the importance of its access to sufficient

expertise, both from within NIST and from organizations and individuals external to NIST.

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

3. Publications for NIST’s Cryptographic Standards and

Guidelines

NIST uses several types of documents to publish and disseminate its cryptographic standards and

guidelines. Three categories of NIST publications are commonly used: Federal Information

Processing Standards, NIST Special Publications, and NIST Internal/Interagency Reports. Draft

and final cryptographic standards and guidelines are posted by NIST on its Computer Security

Resource Center web pages (http://www.csrc.nist.gov) and are freely available to everyone.

Federal Information Processing Standards (FIPS): By federal statute

, FIPS publications are

issued by NIST after approval by the Secretary of Commerce and mandatory for non-national

security federal systems. They are used by NIST to publish — among other things — standards

for fundamental cryptographic primitives, such as block ciphers, digital signature algorithms, and

hash functions.

NIST Special Publications (SP): NIST SPs document a wide range of research, guidelines, and

outreach efforts, including computer and information security. Cryptographic guidelines in the

800 series build upon the core cryptographic components specified in FIPS and other

publications produced by SDOs and by NIST, sometimes specifying additional cryptographic

algorithms, schemes and modes of operation, as well as providing guidance for their use. For

example, cryptographic SPs in the 800 series specify random bit generators, block cipher modes

of operation, key-establishment schemes, and key-derivation functions. These algorithms and

schemes use the block ciphers, hash functions, and mathematical primitives defined in FIPS

publications as fundamental building blocks. NIST also issues guidelines on the selection and

use of cryptographic algorithms via SPs in the 800 series.

NIST Internal/Interagency Reports (NISTIR): NISTIRs describe technical research of interest

to a specialized audience. NIST does not specify cryptographic algorithms in NISTIR

publications. Instead, NIST uses NISTIR publications to disseminate information about its

cryptographic standards efforts. CSD has used NISTIRs to publish workshop and conference

reports, discussion documents on new challenges in cryptography, and status reports on

cryptographic algorithm competitions.

All NIST publications containing cryptographic standards or guidelines are first released as a

draft for public comment, although the development process differs by publication type. Because

FIPS are mandated by statute and the algorithms they specify are at the heart of many critical

security technologies, they require the most formal development process. Developed by NIST,

15 U.S.C. 278g-3, as amended.

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

FIPS are approved and promulgated by the Secretary of Commerce. Formal announcements for

draft and final FIPS are published in the Federal Register. In part due to this development

process, FIPS tend to have relatively long development cycles. SPs are promulgated by NIST,

with announcements posted on the NIST Computer Security Resource Center (CSRC) website

(http://csrc.nist.gov) rather than in the Federal Register, and may have a shorter development

cycle. The same holds true for most of the computer security-related NISTIRs published by

NIST.

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

4. Stakeholders for NIST’s Cryptographic Standards and

Guidelines

NIST is statutorily responsible for developing cryptographic standards and guidelines for the

protection of information on non-national security systems that are used widely across the

Federal Government. Additionally, the Executive Office of the President occasionally directs

NIST to develop specific standards or guidelines. Therefore, U.S. Government agencies and their

suppliers and users are primary stakeholders for this work.

In addition, NIST cryptographic standards have long been adopted voluntarily by other public

and private organizations and have significant, positive impacts on U.S. businesses and

commerce and the broader global economy. For example, the Data Encryption Standard (DES),

published as FIPS 46 in 1977, filled a critical need for the financial services industry – through

its adoption as American National Standard X3.92 in 1981 – at a time when electronic

transactions were becoming commonplace. NIST cryptographic standards and guidelines

continue to be widely used voluntarily in the private sector. Consequently, NIST considers its

stakeholder community for cryptographic standards, guidelines, tools and metrics to be much

broader than those entities focused strictly on protecting government information on non-

national security systems.

The national security community within the U.S. Federal Government has also adopted a subset

of NIST’s cryptographic standards and guidelines through the Suite B program and, more

recently, the Commercial National Security Algorithm (CNSA) Suite. The National Security

Agency (NSA) has approved the algorithms that comprise these suites to protect classified

information through the Top Secret level. Because of the national security sector’s use of NIST

cryptographic standards and guidelines, that sector is also an important stakeholder.

Widespread adoption of cryptographic standards has had significant benefits for all participating

communities, whether they do so by statute or voluntarily. International adoption has resulted in

widely available commercial products that support strong cryptography. In combination with

these international standards, security services that are globally interoperable have facilitated the

rapid expansion of global e-commerce. With increasing awareness of the risks associated with

the use of the Internet, ready access to strong, reliable cryptography that is accepted globally has

become even more important throughout the world.

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

5. Engaging the Cryptographic Community

NIST works closely with experts in industry, academia and government to develop its

cryptographic standards and guidelines. Since the development of DES in the 1970s, the

community researching and developing cryptographic technologies within industry and academia

has expanded dramatically.

As NIST identifies national trends and needs, it can be a primary driver, functioning in a

proactive and not just a reactive mode. NIST’s technical expertise, knowledge of industry, its

relationships, and the information it gathers from interactions with others via conferences and its

work directly with other federal agencies, industry, and researchers are all crucial in making

these determinations.

Using a variety of approaches and processes, NIST works with these stakeholders to identify

areas where standards or guidelines are needed, evaluate proposals, and develop standards or

other publications. As a well-respected and trusted technical authority in this field, NIST must

balance these needs to ensure that its standards and guidelines are technically sound and have the

confidence of the community. Retaining that respect and authority requires that NIST must be –

and must be seen as – a trustworthy steward of the public’s interest and a leader in driving and

identifying advances in cryptography.

NIST informs and involves stakeholders through:

 participation in SDO activities;

 regular interactions in professional forums;

 open solicitations for input;

 cryptographic competitions;

 early announcements of its intention to work in specific areas;

 extending invitations to external subject-matter experts to work as NIST guest

researchers;

 presentations and discussions at conferences and standards meetings;

 publication of draft documents for public review and comment; and

 providing feedback on how NIST has addressed comments.

NIST also seeks input by hosting and funding external experts. NIST has a variety of

mechanisms to engage or host external researchers in cooperative work with NIST staff, and will

take steps to raises awareness about these opportunities in order to increase its access to expertise

from external sources.

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

NIST prioritizes its participation in meetings, conferences, SDOs and industry groups based on

the expected impact of NIST’s involvement. In addition, NIST has resource limits that affect the

number of guest researchers and visiting scholars that NIST can accommodate. Within these

constraints, NIST strives to keep stakeholders informed by reaching out to the community, being

accessible for discussions, listening to concerns, responding to questions, making important

activities public, participating actively in the cryptographic research community, and supporting

voluntary standards development efforts.

Federal Stakeholders

NIST works in multiple ways with federal stakeholders, especially the agencies that are required

to use FIPS and NIST SPs for non-national security systems. Mechanisms for meeting the needs

of these organizations include the full range of vehicles NIST uses with others: encouraging

participation in NIST conferences and workshops; NIST’s participation in events organized by

others; solicitations for input as NIST sets its agenda and proposes cryptographic standards and

guidelines; and informal, one-on-one discussions. Some special collaborative arrangements,

including memoranda of understanding (MOUs), can be used in working with these agencies.

Participation in the Federal Government’s Chief Information Officer (CIO) Council and its

committees offers another way for NIST to ensure that it has direct links in the U.S. Government

who are most interested in or affected by NIST’s cryptographic standards and guidelines.

NIST sponsors the Federal Computer Security Managers Forum, an informal group that

promotes information sharing among federal agencies regarding information system security.

The forum maintains an extensive e-mail list, and holds bi-monthly meetings to discuss current

issues and items of interest to those responsible for protecting non-national security systems. The

forum provides an opportunity for managers of federal security programs to exchange

information system security materials and knowledge for use in other programs in a timely

manner, build upon the experiences of other programs, and reduce possible duplication of effort.

NIST uses the forum to engage federal agencies on cryptographic issues, including standards and

guidelines.

From time-to-time, NIST is called upon by the Executive Office of the President to develop

standards or guidelines related to cryptography for the protection of federal information systems.

The Office of Management and Budget (OMB) is a primary stakeholder in its capacity of

providing directions to agencies about their planning for and use of information technology

resources, including the protection of non-national security federal information systems.

NIST brings its cryptographic expertise to bear on priority national issues when directed by

Congress, the President, or OMB and it also assists individual agencies that have specific needs.

Recent examples include secure electronic voting, protecting the electric power “smart grid,” and

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

health information technology initiatives that must ensure the protection of personal and

proprietary business data. This work may be accomplished through interagency agreements,

other formal measures, or by informal consultation and collaboration. NIST dedicates resources

to these kinds of assistance efforts when they are directed by Congress, the President or OMB,

when they are compatible with its mission, and where NIST has special expertise.

Multiple federal agencies contribute to NIST’s cryptography efforts in research and in

developing standards and guidelines. Consultation with several of those organizations – OMB,

the Departments of Defense, Homeland Security and Energy, the NSA, and the Government

Accountability Office– is mandated by the Federal Information Security Modernization Act

(FISMA) in order to avoid unnecessary and costly duplication of effort, and to assure that

NIST’s standards and guidelines are complementary and compatible with those employed for the

protection of national security systems and information contained in those systems.

Beyond this statutory requirement calling for NIST to consult with other agencies, the NSA, in

particular, has significant expertise in cryptography. Their cooperation with NIST is governed by

an MOU between the two agencies and technical staff meet monthly to discuss ongoing

collaborative work and future priorities.

As part of NSA and other agencies’ collaboration with NIST, their staff may assist in the

development of new standards and guidelines. This may take the form of coauthoring

publications with NIST staff, providing comments on draft documents, or submitting

cryptographic algorithms for consideration by NIST. All contributions that significantly affect

the content of any standard or guideline – particularly normative statements – will be clearly

and publicly acknowledged. In accordance with NIST’s authorship policy, NIST will identify the

names of any authors of standards or guidelines. If a NIST standard or guideline contains an

algorithm that was designed by another agency’s employees, NIST will acknowledge that agency

as the designer, even though NIST may not be able to list specific individuals.

As is the case

with private sector organizations, NIST will consider and acknowledge other agencies’

comments, whether they are provided during the formal public comment period or other stages

of development. That includes information that may be provided during monthly NIST meetings

The names of some NSA staff cannot, by law, be publicly revealed. 50 U.S.C. §402 note. Freedom of Information

Act (FOIA) requests for documents involving any NIST-NSA collaboration are normally reviewed by both

organizations and exempted or excluded information, which may include the names of specific NSA participants as

noted, may be redacted.

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

with NSA. Comments from federal agencies received during the public comment period will be

posted and adjudicated in the same way as those submitted by the public.

Another venue where NIST interacts with NSA about cryptography is the Committee on

National Security Systems (CNSS), where NIST is an observer. The CNSS is chaired by the

Department of Defense, while the NSA staffs the CNSS Secretariat. The CNSS mission is to set

national-level information assurance policies, directives, instructions, operational procedures,

guidance and advisories for United States Government departments and agencies for the security

of national security systems. NIST reviews and comments on drafts of proposed CNSS

documents, including policies, directives, instructions and standards. The CNSS policy CNSSP-

15 specifies the use of NIST standardized cryptographic algorithms for the protection of national

security information.

Collaboration with federal agencies helps NIST to identify, prioritize, and conduct work in

cryptography. While all agencies share a desire to strengthen cybersecurity, there is the

possibility for tension between NIST’s mission to promulgate the use of strong cryptography,

and the law enforcement and national security missions of other agencies. Though NIST works

closely with other agencies, it makes independent decisions, and remains committed to strong

cryptography due to its vital role in protecting information and information systems. As part of

this commitment, NIST will always develop standards and guidelines that promote the use of

strong cryptography using open and transparent processes.

NIST understands that having its own independent cryptographic expertise is essential in order to

carry out its statutory responsibility to develop strong cryptographic standards and guidelines to

protect non-national security federal information systems. Moreover, this capability is vital to

NIST’s development of standards and guidelines that promote economic development and

protect sensitive personal and corporate information.

Voluntary Standards Developing Organizations

NIST recognizes the important role that voluntary SDOs play in the global adoption of strong

cryptography for the agency’s various stakeholders. NIST is committed to pursuing a global

acceptance strategy for NIST’s cryptographic standards, and active participation in SDOs helps

to ensure that NIST cryptographic standards and guidelines are highly secure and interoperable

with those of international partners.

Based on need, impact, and industry interest, NIST decides how to engage with specific SDOs,

which existing voluntary standards it can adopt or adapt, which standards may be best developed

by an SDO rather than by NIST, and which of NIST’s standards and guidelines are brought to

SDOs for adoption.

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

Federal policy contained in OMB Circular A-119

directs all agencies to use voluntary consensus

standards in lieu of government-unique standards “except where inconsistent with law or

otherwise impractical.” NIST is committed to making maximum use of standards produced by

SDOs as the first option in addressing a need for cryptographic standards. The section of this

document, “Policies and Processes for the Life Cycle Management of Cryptographic Standards

and Guidelines,” provides detail about how NIST implements this strategy.

When NIST decides to develop a standard, NIST will give strong consideration to submitting

that standard to an SDO for broader acceptance, use, alignment, and impact. In the past, SDOs

have adopted important NIST cryptographic standards as foundational building blocks for

security protocols. For example, the Advanced Encryption Standard (AES) block cipher is

included in ISO/IEC 18033-3:2010, is the preferred block cipher for IEEE 802.11 to secure

wireless networks, and is mandatory to implement in version 1.2 of the Internet Engineering

Task Force’s (IETF) Transport Layer Security (TLS) protocol.

When selecting priorities for working with SDOs or using standards produced by those

organizations, a major consideration for NIST is the degree of active participation in the SDO

from cryptographic researchers, industry, and others in the user community.

NIST staff participates in SDOs either through a NIST membership in an organization (e.g.,

Accredited Standards Committee X9, Inc.

working groups, INCITS

technical committees) or as

individuals (e.g., IEEE Standards Association

working groups and IETF working groups). NIST

experts also participate in some international SDOs through U.S. National Body or Member

State representation. ANSI

is the sole U.S. representative for two major non-treaty international

standards organizations, the International Organization for Standardization (ISO) and – via the

U.S. National Committee (USNC) – the International Electrotechnical Commission (IEC). For

treaty-based international standards bodies, such as the International Telecommunication Union

(ITU), the Department of State represents the United States.

Working with SDOs provides an important avenue for outreach to and feedback from multiple

stakeholders. In many cases, NIST staff members are contributors, editors, or working-group

Office of Management and Budget, Federal Participation in the Development and Use of Voluntary Consensus

Standards and in Conformity Assessment Activities, OMB Circular A-119 Revised, February 10, 1998.

http://www.whitehouse.gov/omb/circulars_a119#1

Accredited Standards Committee X9, Inc., Financial Industry Standards

InterNational Committee for Information Technology Standards (INCITS)

Institute of Electrical and Electronics Engineers (IEEE)

American National Standards Institute (ANSI)

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

chairs for proposed voluntary standards that use cryptography. NIST participates in the SDO

standards process along with industry involved in the design, development, and implementation

of cryptography. This interaction promotes the exchange of information and provides early

feedback on the effects of NIST standards and the need for new or different standards.

It is important that the roles of the NIST staff working with SDOs are very clear to all involved.

NIST has agency-wide guidelines governing participation in SDOs.

These guidelines make it

clear that participation in SDOs can, and must, tie directly to NIST’s mission and key goals. IT

security clearly falls within that realm.

The Research Community

NIST is deeply involved in the cryptographic research community through: participating in

research conferences; serving as program committee members; serving as speakers and

reviewers for conferences and workshops; and writing papers on NIST research. NIST also

invites and hosts guest researchers, postdoctoral fellows and visiting scholars; funds academic

research; and provides services, such as the NIST Randomness Beacon,

for the research

community. As a result, cryptographers around the world often know the NIST contact in their

area of interest, in addition to their identification through NIST web pages about their work.

NIST encourages and informally receives valuable informal information, often based on

independent cryptanalysis, from researchers. When NIST proposes new FIPS or SPs, or changes

to those publications, it reaches out to and relies on input from this community, and others, as an

important part of the process.

Cryptographic algorithm competitions are an especially powerful vehicle for working with

cryptographers from the broad research community to fill particular standards-related needs.

They allow NIST to standardize a state-of-the-art, widely accepted cryptographic primitive by

involving the international cryptographic research community in an open competition to select an

algorithm that NIST will standardize and promote. Competitions are only one of several

approaches for establishing a cryptographic standard; sometimes the needed standard has already

been developed by an SDO and been well accepted by the community. Moreover, competitions

are very time and resource intensive. However, they can bring significant benefits when properly

used. Section 7 of this document, Policies and Processes for the Life Cycle Management of

Cryptographic Standards and Guidelines, provides details about how NIST approaches these

competitions.

N. Rioux, E. Puskar and M.J. DiBernardo, Guidelines for NIST Staff Participating in Documentary Standards

Developing Organizations’ Activities, NISTIR 7854, May 2012. http://dx.doi.org/10.6028/NIST.IR.7854.

See http://www.nist.gov/itl/csd/ct/nist_beacon.cfm

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

6. Public Notice and Review of Proposed and Final Standards

and Guidelines

NIST strives to be open and transparent in its cryptographic standards and guidelines activities.

That includes involving stakeholders from the time that NIST identifies an area of interest

through the full life cycle of managing a standard or guideline. Public notice and review of

proposed and final standards and guidelines is a key element. Basic features are noted below;

details are described in Section 7, Policies and Processes for the Life Cycle Management of

Cryptographic Standards and Guidelines.

NIST provides public notice of its most significant activities in cryptography, including:

 plans for cryptographic standards and guidelines, including seeking information from the

public about available standards and guidelines or ongoing development work;

 invitations for public participation in NIST-sponsored workshops and conferences that

discuss and advance topics in cryptography and its standardization;

 participation by NIST staff in workshops and conferences sponsored by other

organizations on cryptography and standardization;

 announcements of draft cryptographic standards and guidelines for public review and

comment; and

 announcements of NIST’s responses to comments and posting of final publications.

All announcements are posted on the NIST CSRC website (http://csrc.nist.gov). Requests for

comments on proposed FIPS, as well as announcements of the final FIPS, are published in the

Federal Register.

When NIST is aware of SDOs working on related standards, NIST will reach

out to relevant working groups to inform them of these announcements. In addition, press

releases usually accompany significant announcements, and NIST Information Technology

Laboratory (ITL) Bulletins provide information about the use of cryptographic standards and

guidelines.

In some cases, NIST maintains a public email forum for ongoing open discussion of

subjects relevant to cryptographic standards or research activities.

The primary public comment and feedback mechanism for NIST cryptographic standards and

guidelines is the posting of drafts and requests for comment on the CSRC website. Comment

periods depend on the size and complexity of the drafts, as well as prior history of public

exposure and commentary, but typically run from 30 to 90 days.

http://www.federalregister.gov/

http://csrc.nist.gov/publications/PubsITLSB.html

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

If the nature or extent of changes to a draft resulting from comments is sufficiently extensive,

one or more additional cycles of public review may be conducted.

NIST will track, post, and publicly respond to all comments received as a result of a request for

comment on a draft FIPS or draft guideline, in compliance with applicable law. When NIST

receives a comment that contains information that is proprietary or falls under privacy, Freedom

of Information, or national security statutes, it is obligated by law to protect that information

from disclosure. In these cases, NIST will work with the commenter to identify what information

may be publicly disclosed. In the event that NIST receives restricted information that has or will

materially affect a standard or guideline, NIST will make every effort to provide a meaningful

summary of the comment. NIST will publicly provide rationale for all substantive changes to

draft documents, either as a response to a public comment or in a separate description and

justification for the change.

For standards developed within consensus-based SDOs, feedback is generated and received in

accordance with the policies and procedures of the respective SDOs. In these cases, in keeping

with its own principles, NIST takes into account the transparency and openness of the

environment in which those standards are developed before adopting or recommending a

standard.

The value of NIST’s processes for cryptographic standards and guidelines depends upon the

active involvement of subject matter experts from the cryptographic community, as well as those

organizations that use and depend on these standards and guidelines. NIST encourages all

stakeholders to provide input throughout the process from start to finish – including but not

limited to reviewing and commenting on drafts when they are posted for public comment. This

contributes to NIST’s objectives of gaining the full engagement of researchers, implementers and

users on its standards and guidelines.

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

7. Policies and Processes for the Life Cycle Management of

Cryptographic Standards and Guidelines

NIST has policies and processes for the life cycle management of cryptographic standards and

guidelines. These cover the initial identification and selection of areas to be addressed through

development, solicitation and response to comments and recommendations, submission of

standards for consideration by SDOs, and regular maintenance and review, including updating

and withdrawing the approval of a standard or guideline. General approaches are described in the

previous sections; process details are described below. Public participation is fundamental to the

management of NIST’s cryptographic standards and guidelines throughout their life cycle.

1. Triggers: Identify and Evaluate the Need

NIST considers a variety of factors in initially identifying the need for a cryptographic

standard or guideline. Major considerations include:

 Is there a legal or administrative directive or guidance? NIST has statutory requirements

and high-level Executive Branch directives to undertake work in particular areas. These

include statutory mandates (e.g., FISMA), Presidential Directives (e.g., Homeland

Security Presidential Directive 12 (HSPD-12)), and OMB guidance (e.g., M-04-04).

 Did an environmental or technological development trigger a particular interest? As

processing speeds and memory get faster and cheaper, new advances in technology

demand that NIST constantly monitor the strength and effectiveness of the algorithms in

its standards and guidelines. Attacks and other security breaches can also be triggering

events. Research that shows vulnerabilities of a widely used cryptographic standard can

be a motivation for a new or revised standard or guideline. NIST may hold workshops to

assess the need, to discuss cryptographic research or proposed algorithms, or as part of a

cryptographic competition, for example.

 Is it a compelling area for NIST’s engagement? Work on a new standard or guideline

should be useful, first and foremost, to the Federal Government’s ability to carry out its

non-national security functions and to promote the U.S. economy and public welfare. The

work that is contemplated should have broad applicability, rather than simply fill a niche

need.

 Does it appear to be a matter that the communities of interest consider to be both

important and practical to address? This could include identifying existing methods that

are used to solve similar challenges within those communities.

2. Announce Intent to Work on a Standards or Guidelines Project

Once NIST identifies a need for a standard or guideline in a particular area and decides to

work on a project, it will:

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

 Publicly announce the need and its planned work on a project via the CSRC website and

other mechanisms. The announcement will provide the problem statement, a review of

possible approaches for producing a standard or guideline, and a rough development

schedule.

 Solicit input through the website, presentations, newsletters, and workshops, and/or an

open solicitation for comments.

 Issue formal requests for comments or information, as needed.

3. Consider Requirements and Solutions

To ensure that NIST has broad and in-depth knowledge of the challenge, requirements to be

addressed, and potential solutions – including work by others – early in the process, NIST

will:

 Identify the requirements and goals of the proposed standard or guideline project, for

example, by determining the desirable security properties and the evaluation criteria for

assessing potential solutions.

 Investigate the literature and what solutions are already incorporated into products and

standards.

 Determine what kind of analysis has been done on various options and the most

appropriate additional analysis to undertake. This work would include an analysis into the

design of a cryptographic algorithm or scheme, including any constants used in the

specification.

 Pursue security proofs for proposed cryptographic algorithms or schemes. While not a

prerequisite for consideration, security proofs are useful tools for analyzing and vetting

cryptographic algorithms being evaluated for inclusion in NIST standards and guidelines.

Proofs are usually conducted based on assumptions about the basic components of a

scheme using a specific threat model; the correctness of a proof and the applicability of

the threat model must be evaluated alongside an algorithm. NIST will pursue proofs and

encourage their development and analysis by the research community. In solicitations for

proposed algorithms, NIST will ask for these proofs and, when available, include them in

the public record when standards and guidelines are developed.

4. Define a Specific Plan and Process

NIST has several approaches that it may use to meet the needs for cryptographic standards or

guidelines. These include adopting or adapting existing SDO-produced standards,

encouraging and participating in the development of new standards by SDOs, or developing

NIST standards – which, in some cases, may involve holding a competition. NIST will solicit

input from stakeholders in determining the most appropriate approach for a particular

standard or guideline. After making a decision, NIST will publicly state and explain the

reason for this determination. Options include:

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

 Work with SDOs

From the time that NIST first identifies a specific standards-related need, the agency will

explore relevant SDO-developed standards that are available or already in process as an

alternative to developing its own standards. If there is an existing standard that has been

developed via a vigorous and documented participative process, NIST may choose to

adopt the standard in its entirety or to provide guidelines for its use rather than develop its

own standard.

If a needed standard does not already exist, NIST will consider the potential for

encouraging SDOs – while involving industry, the user community, and cryptographic

researchers – to begin the process of developing such a standard. This approach will

contribute to the global acceptability of the resulting standard.

One important consideration is the development time required. NIST may consider

assigning its own staff to participate in one or more SDO standards development efforts if

the work is of sufficient priority and could potentially meet NIST’s needs. The resources

required to provide this support also will be taken into account.

 Develop a New Standard or Guideline

When NIST identifies a requirement for a standard and determines that no suitable

standard already exists, NIST experts in cryptography may begin development of a new

standard or guideline, working in collaboration with experts in academia, industry and

government. The development team is responsible for ensuring that NIST’s principles

and processes described in this document are followed throughout the development

process. Transparency and collaboration are accomplished through formal public review

processes and interaction with experts at public workshops and industry meetings. For the

development of new cryptographic algorithms, NIST may invite contributions from the

public. If the work has broad applicability, and where feasible, NIST will contribute that

work to an SDO with the goal of bringing about broader acceptance, use, and impact.

 Hold a Competition

If NIST decides to pursue the development of a standard or guideline, it may use an open

competition. When a competition is used, interested parties will have an opportunity to

participate in the competition by reviewing core requirements and evaluation criteria,

publishing research papers, submitting comments, and attending public workshops.

Researchers worldwide may contribute candidate designs and papers on the theory,

cryptanalysis and performance of the candidates. The winning submitters are recognized,

but agree to relinquish claim to intellectual property rights for their design so that the

winning candidate can be available for royalty-free use. NIST determines the algorithm

submission requirements and selection criteria, organizes workshops, hosts a competition

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

website and e-mail discussion forum, selects the winning algorithm (based on its own

analysis and that of the public), and explains and documents the selection.

A typical competition starts with a public dialog on the need and requirements for a new

algorithm, both on-line and through public workshop(s), as well as a Federal Register

announcement inviting comments on NIST’s proposed criteria. A subsequent Federal

candidate conference is held, usually collocated with a major cryptographic research

conference, for each “round” of the competition to review the candidates and research

results (i.e., cryptanalysis, performance and proofs of properties) on the candidates.

Following each round, NIST announces the candidates selected to continue to the next

round, and provides a report that documents the rationale for the selections. This

winnowing allows the community to focus its analytical efforts on the most promising

candidates. The last round usually includes approximately five strong candidates.

Following the final candidate conference, NIST selects the winner, writes a final report

and formally proposes a standard or guideline for the algorithm through the normal FIPS

or Special Publication process.

NIST will consider the use of open competitions to establish cryptographic standards

particularly when no consensus exists yet around the best algorithmic approach.

Competitions work best when a proposed algorithm or scheme requires a great deal of

new cryptanalysis, as these competitions can focus the attention of cryptographers around

the world. Decisions to use competitions will be made while recognizing and considering

that these competitions are lengthy and resource intensive.

5. Develop a NIST Federal Information Processing Standard (FIPS) or Special Publication

(SP) Guideline

If NIST concludes that it will produce a FIPS or SP, a multi-step process is used. NIST will:

 Announce its intent to develop a FIPS or SP via multiple mechanisms, including the

NIST website, newsletters, public presentations, and direct notifications to relevant SDOs

and communities of interest.

 Seek information about existing standards, standards in development, guidelines, or other

information that could inform and assist NIST in the effort.

 Request information on potentially pertinent patents (in initial solicitations for

information as well as in its publication of draft standards). This includes disclosure,

where possible, of issued U.S. patents, pending U.S. patent applications, and

corresponding foreign patents and applications. In considering an algorithm that is or

may be subject to patent protection, NIST may seek assurances from the patent holder

that royalty-free or royalty-bearing licenses will be made available on a Reasonable and

Non-Discriminatory (RAND) basis.

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

 Consider the option of using, adapting or profiling an existing standard or guideline,

rather than producing an entirely new standard or guideline.

 Develop a draft FIPS or SP – which may be entirely new or based on an existing standard

or specification – and, in the case of a FIPS, post that draft for public comment via a

Federal Register notice. Note that NIST employs multiple communication channels to

announce a draft standard. Time allotted for public comments is:

o a minimum of 90 days for a new FIPS;

o a minimum of 30 days for SPs and small revisions to existing FIPS.

Similar mechanisms are used for announcing and accepting comments on a draft SP,

except that the Federal Register process is not used.

 Release any significant analyses and evaluations of algorithms or schemes that have been

made available to NIST, in accordance with applicable law.

 Ensure that specifications of new algorithms or schemes provide design rationale,

including a description of the provenance of any constants used within the specification.

 Consider and post comments and NIST’s disposition of those comments.

o NIST will track, post, and publicly respond to all comments received as a result of

a request for comment on a draft FIPS or draft guideline, in compliance with

applicable law

o NIST will publicly provide rationale for all substantive changes to draft

documents, either as a response to a public comment or in a separate description

and justification for the change.

o NIST will encourage all commenters to use the public comment process to ensure

that their comments are received, given due consideration, and attributed.

 Decide whether to finalize a FIPS or SP, or revise it and seek another round of comments.

o If there are no substantial changes, NIST will proceed to finalize the publication.

o Where there are significant dissenting comments, NIST will determine whether

all views have been given full consideration and whether an additional comment

period would provide additional information, and proceed accordingly.

 Finalize and approve a FIPS or SP, including an internal NIST editorial review and NIST

management review and approval. Guidelines are reviewed by the Director of the NIST

Information Technology Laboratory. For FIPS (standards), the NIST Director approves

the publication prior to submission to the Secretary of Commerce for final approval and

promulgation.

 Announce the final FIPS or SP via the CSRC website and other communication channels.

For FIPS, NIST will also publish a Federal Register notice.

6. Consider Contributing Standards and Guidelines for Adoption by SDOs

NIST recognizes the value of having cryptographic standards and guidelines adopted by

SDOs. Therefore, NIST will consider contributions to SDOs as follows:

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

 All FIPS and SP guidelines developed by NIST will be considered for contribution to

an SDO for their consideration.

 Because of the resources required to support a contribution (e.g., editors), NIST will

consider stakeholders’ input on potential submissions when determining priorities for

contribution.

 Priority will be given to: standards and guidelines that are being adopted by industry;

contribution to SDOs with international scope; standards that fulfill a critical need,

including those that result from competitions; and conformance-based standards,

rather than recommendations or guidelines.

7. Maintain Standards and Guidelines: Reviewing, Updating, and Withdrawal

Cryptographic standards and guidelines must be reviewed and maintained regularly because

of rapid technological advances, the specific applications and assets for which these

standards and guidelines are used, the threat environment, and the tolerance for risk by a

particular sector or organization. NIST is committed to periodic review and maintenance of

all cryptographic standards and guidelines. Maintenance can include updating or

withdrawing the publication. When each standard or guideline is published, NIST identifies

when the document will be subject to a review of its relevance and for possible updating.

NIST uses the following approach:

 Review standards and guidelines regularly. The planned review period is identified

when the document is initially finalized; FIPS are reviewed at least every five years

or more frequently if issues arise. This may involve seeking public comment on the

applicability and currency of the standard or guideline. Comments on proposed

updates to or the withdrawal of a FIPS will be solicited using the Federal Register.

 Make the review results public, including any public comments received.

 Renew, update or withdraw the standard or guideline. Renewal involves keeping the

document unchanged. Update involves making revisions to the document (technical

and otherwise). Withdrawal may be immediate, or it may be a phased withdrawal

(“sunsetting”). Some technical content of a withdrawn standard or guideline can

potentially be moved to another new or existing standard or guideline. An analysis of

the comments received on existing FIPS will be published in the Federal Register and

the comments posted on the CSRC website; comments received on existing SPs will

be posted on the CSRC website. NIST also will announce its decision on any

maintenance effort (e.g., document update or withdrawal) that will take place.

NIST will use the processes and procedures described in this publication to develop future

cryptographic standards and guidelines. They are designed to provide broad opportunity to offer

input on its cryptographic standards and guidelines, and to maximize openness and transparency.

NIST will review this publication and its processes and procedures every five years – and more

frequently if a need arises.

NISTIR 7977 NIST CRYPTOGRAPHIC STANDARDS AND

GUIDELINES DEVELOPMENT PROCESS

Please address any comments regarding these principles, processes and procedures – and NIST’s

use of them in developing cryptographic standards and guidelines – to Chief, NIST Computer

Security Division at [email protected]. All comments and NIST’s responses will be posted on the

CSRC website.