Oversight

NIST to review cryptographic standards development process

documentation

The National Institute of Standards and Technology will review its methods for developing cryptographic standards following the controversy stirred by leaked documents that highlighted efforts by the National Security Agency to subvert NIST'S work.

The agency, which sets guidelines, policy and standards for computer systems in the federal government and worldwide, has initiated a formal review in an effort to build back public trust.

"Trust is crucial to the adoption of strong cryptographic algorithms," the agency said in a statement. "To ensure that our guidance has been developed according the highest standard of inclusiveness, transparency and security, NIST has initiated a formal review of our standards development efforts. We are compiling our goals and objectives, principles of operation, processes for identifying cryptographic algorithms for standardization, methods for reviewing and resolving public comments, and other important procedures necessary for a rigorous process."

Once the review is over, the public cryptographic community and an as-yet unselected independent organization will have a chance to comment on the process before NIST makes permanent changes to its process. The agency will also review existing cryptographic standards; should any official guidance not meet the agency's revamped standard, NIST plans to address the issues immediately.

A NIST spokesperson told FCW the agency has not yet set a timeline for the process, but said its importance mandates it be done right.

"Our mission is to protect the nation's IT infrastructure and information through strong cryptography," agency officials said in a statement. "We cannot carry out that mission without the trust and assistance of the world's cryptographic experts. We're committed to continually earning that trust."

NSA's meddling was brought to light in early September through documents leaked by former agency contractor Edward Snowden. The documents showed that NSA deliberately weakened encryption standards in Special Publication 800-90A and draft Special Publications 800-90B and 800-90C.

When the leaks surfaced, about 70 government vendors used the standards. NIST quickly recommended against any organization using the standards, which contained an algorithm called the Deterministic Random Bit Generator that was long-rumored to contain weaknesses known to the NSA.

About the Author

Frank Konkel is a former staff writer for FCW.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.