The National Institute of Standards and Technology (NIST) is seeking comments on a revised draft document that details the principles and processes it will follow to develop its cryptographic standards and guidelines. Comments will be collected through March 27, 2015.
This second draft of NIST IR 7977: NIST Cryptographic Standards and Guidelines provides more detail and identifies new policies and procedures that were not in the first draft, which was released for a two-month comment period in February 2014. The updates reflect feedback received in the public comments and a July 2014 report by an independent review committee.
“We appreciate all of the input we received from the cryptographic community, which is so vital to our work,” said Donna Dodson, chief cyber security advisor in NIST’s Information Technology Laboratory. “Based on that feedback, we’ve made substantive changes to the document with the goal of establishing steps to ensure our standards will have the trust and participation of the broader community.”
The revisions to the first draft include new principles to ensure the usability of standards and guidelines and to encourage innovation while protecting intellectual property. The second draft also details how NIST will ensure balance, transparency, openness and integrity in its development of cryptographic standards and guidelines, and poses several questions to reviewers.
The document contains an expanded section on engaging NIST’s primary cryptographic stakeholders within federal agencies, voluntary standards developing organizations and the research community. In particular, the new draft expands on NIST’s interactions with the National Security Agency (NSA), explaining how the agencies work together and what steps are now in place to ensure NSA’s contributions to the standards development process are transparent. The new processes will ensure that NIST attributes to the NSA all algorithms, standards or guidelines contributed by the agency’s staff, and acknowledges all comments received from the NSA.
The draft also includes a more detailed explanation of the steps NIST will follow to develop a new cryptographic standard or guideline—from the initial identification of the need and requirements, development and review of a standard or guideline, through maintenance and possible withdrawal of existing standards and guidelines. For example, NIST recently proposed the withdrawal of several Federal Information Processing Standards that were made obsolete by changes in voluntary industry standards.
The review and update of the NIST cryptography program began in November 2013 with an internal review prompted by allegations that an algorithm in a NIST publication could have an intentional vulnerability, or backdoor, that was inserted during the standards development process. NIST immediately issued a bulletin advising against use of the algorithm, re-issued the publication for public review and then removed the algorithm from a draft revision of the standard that was released in November 2014. Comments received on that document will be posted on the NIST website once they are reviewed.
NIST plans to finalize NIST IR 7977 in 2015, after reviewing and considering all comments received on this draft.