NIST Initiating Review of Cryptographic Standards Development Process
(This news article is also available on the Computer Security Resource Center (CSRC) website at:
Recent news reports about leaked classified documents have caused concern from the cryptographic community about the security of NIST cryptographic standards and guidelines. NIST is also deeply concerned by these reports, some of which have questioned the integrity of the NIST standards development process.

NIST has a proud history in open cryptographic standards, beginning in the 1970s with the Data Encryption Standard. We strive for a consistently open and transparent process that enlists the worldwide cryptography community to help us develop and vet algorithms included in our cryptographic guidance. NIST endeavors to promote confidence in our cryptographic guidance through these inclusive and transparent development processes, which we believe are the best in use.

Trust is crucial to the adoption of strong cryptographic algorithms. To ensure that our guidance has been developed according to the highest standard of inclusiveness, transparency and security, NIST has initiated a formal review of our standards development efforts. We are compiling our goals and objectives, principles of operation, processes for identifying cryptographic algorithms for standardization, methods for reviewing and resolving public comments, and other important procedures necessary for a rigorous process.

Once complete, we will invite public comment on this process. We also will bring in an independent organization to conduct a formal review of our standards development approach and to suggest improvements. Based on the public comments and independent review, we will update our process as necessary to make sure it meets our goals for openness and transparency, and leads to the most secure, trustworthy guidance practicable.

Furthermore, we will be reviewing our existing body of cryptographic work, looking at both our documented process and the specific procedures used to develop each of these standards and guidelines. If any current guidance does not meet the high standards set out in this process, we will address these issues as quickly as possible.

Our mission is to protect the nation’s IT infrastructure and information through strong cryptography. We cannot carry out that mission without the trust and assistance of the world’s cryptographic experts. We’re committed to continually earning that trust.