nist – Noise

Introducing the Landing Zone Accelerator on AWS Universal Configuration and LZA Compliance Workbook

Kevin Donohue — Thu, 20 Nov 2025 22:55:20 +0000

We’re pleased to announce the availability of the latest sample security baseline from Landing Zone Accelerator on AWS (LZA)—the Universal Configuration. Developed from years of field experience with highly regulated customers including governments across the world, and in consultation with AWS Partners and industry experts, the Universal Configuration was built to help you implement security […]

Everything you need to know about NIST’s new guidance in “SP 1800-35: Implementing a Zero Trust Architecture”

Aaron McAllister — Thu, 19 Jun 2025 13:00:00 +0000

We read NIST’s new guidance on “Implementing a Zero-Trust Architecture” so that you don’t have to. Read this to get the key points on the newly-released NIST Special Publication 1800-35.

A Taxonomy of Adversarial Machine Learning Attacks and Mitigations

Bruce Schneier — Thu, 27 Mar 2025 11:00:32 +0000

NIST just released a comprehensive taxonomy of adversarial machine learning attacks and countermeasures.

Updated whitepaper available: Aligning to the NIST Cybersecurity Framework in the AWS Cloud

Luca Iannario — Tue, 28 Jan 2025 22:13:02 +0000

Today, we released an updated version of the Aligning to the NIST Cybersecurity Framework (CSF) in the AWS Cloud whitepaper to reflect the significant changes introduced in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, published in February 2024. This comprehensive update helps you understand how AWS services align with the […]

AWS-LC FIPS 3.0: First cryptographic library to include ML-KEM in FIPS 140-3 validation

Jake Massimo — Tue, 10 Dec 2024 16:28:08 +0000

We’re excited to announce that AWS-LC FIPS 3.0 has been added to the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) modules in process list. This latest validation of AWS-LC introduces support for Module Lattice-Based Key Encapsulation Mechanisms (ML-KEM), the new FIPS standardized post-quantum cryptographic algorithm. This is a significant step towards enhancing the […]

NIST Recommends Some Common-Sense Password Rules

Bruce Schneier — Fri, 27 Sep 2024 11:01:53 +0000

NIST’s second draft of its “SP 800-63-4“—its digital identify guidelines—finally contains some really good rules about passwords:

The following requirements apply to passwords:

lVerifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a signgle character when evaluating password length. ...

NIST’s first post-quantum standards

Luke Valenta — Tue, 20 Aug 2024 13:00:39 +0000

NIST has published the first cryptographic standards for protecting against attacks from quantum computers. Learn what this means for you and your organization

NIST Releases First Post-Quantum Encryption Algorithms

Bruce Schneier — Thu, 15 Aug 2024 15:37:42 +0000

From the Federal Register:

After three rounds of evaluation and analysis, NIST selected four algorithms it will standardize as a result of the PQC Standardization Process. The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes: CRYSTALS-Dilithium, FALCON, and SPHINCS+.

These algorithms are part of three NIST standards that have been finalized:

FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard
FIPS 204: Module-Lattice-Based Digital Signature Standard
FIPS 205: Stateless Hash-Based Digital Signature Standard...

AWS achieves third-party attestation of conformance with the Secure Software Development Framework (SSDF)

Hayley Kleeman Jung — Wed, 10 Jul 2024 20:11:40 +0000

Amazon Web Services (AWS) is pleased to announce the successful attestation of our conformance with the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF), Special Publication 800-218. This achievement underscores our ongoing commitment to the security and integrity of our software supply chain. Executive Order (EO) 14028, Improving the Nation’s Cybersecurity […]

Implementing a compliance and reporting strategy for NIST SP 800-53 Rev. 5

Josh Moss — Tue, 11 Jun 2024 17:06:18 +0000

Amazon Web Services (AWS) provides tools that simplify automation and monitoring for compliance with security standards, such as the NIST SP 800-53 Rev. 5 Operational Best Practices. Organizations can set preventative and proactive controls to help ensure that noncompliant resources aren’t deployed. Detective and responsive controls notify stakeholders of misconfigurations immediately and automate fixes, thus […]

NIST Cybersecurity Framework 2.0

Bruce Schneier — Fri, 01 Mar 2024 12:08:23 +0000

NIST has released version 2.0 of the Cybersecurity Framework:

The CSF 2.0, which supports implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation...

Apple Announces Post-Quantum Encryption Algorithms for iMessage

Bruce Schneier — Mon, 26 Feb 2024 12:04:34 +0000

Apple announced PQ3, its post-quantum encryption standard based on the Kyber secure key-encapsulation protocol, one of the post-quantum algorithms selected by NIST in 2022.

There’s a lot of detail in the Apple blog post, and more in Douglas Stabila’s security analysis.

I am of two minds about this. On the one hand, it’s probably premature to switch to any particular post-quantum algorithms. The mathematics of cryptanalysis for these lattice and other systems is still rapidly evolving, and we’re likely to break more of them—and learn a lot in the process—over the coming few years. But if you’re going to make the switch, this is an excellent choice. And Apple’s ability to do this so efficiently speaks well about its algorithmic agility, which is probably more important than its particular cryptographic design. And it is probably about the right time to worry about, and defend against, attackers who are storing encrypted messages in hopes of breaking them later on future quantum computers...

AWS Customer Compliance Guides now publicly available

Kevin Donohue — Thu, 22 Feb 2024 18:37:25 +0000

The AWS Global Security & Compliance Acceleration (GSCA) Program has released AWS Customer Compliance Guides (CCGs) on the AWS Compliance Resources page to help customers, AWS Partners, and assessors quickly understand how industry-leading compliance frameworks map to AWS service documentation and security best practices. CCGs offer security guidance mapped to 16 different compliance frameworks for more than […]

Improving the Cryptanalysis of Lattice-Based Public-Key Algorithms

Bruce Schneier — Wed, 14 Feb 2024 12:08:03 +0000

The winner of the Best Paper Award at Crypto this year was a significant improvement to lattice-based cryptanalysis. This is important, because a bunch of NIST’s post-quantum options base their security on lattice problems. I worry about standard...

AWS FedRAMP Revision 5 baselines transition update

Kevin Donohue — Wed, 25 Oct 2023 13:22:37 +0000

On May 20, 2023, the Federal Risk and Authorization Management Program (FedRAMP) released the FedRAMP Rev.5 baselines. The FedRAMP baselines were updated to correspond with the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53 Rev. 5 Catalog of Security and Privacy Controls for Information Systems and Organizations and SP 800-53B Control Baselines for Information Systems […]

Bounty to Recover NIST’s Elliptic Curve Seeds

Bruce Schneier — Thu, 12 Oct 2023 11:09:38 +0000

This is a fun challenge:

The NIST elliptic curves that power much of modern cryptography were generated in the late ’90s by hashing seeds provided by the NSA. How were the seeds generated? Rumor has it that they are in turn hashes of English sentences, but the person who picked them, Dr. Jerry Solinas, passed away in early 2023 leaving behind a cryptographic mystery, some conspiracy theories, and an historical password cracking challenge.

So there’s a $12K prize to recover the hash seeds.

Some backstory:

Some of the backstory here (it’s the funniest fucking backstory ever): it’s lately been circulating—though I think this may have been somewhat common knowledge among practitioners, though definitely not to me—that the “random” seeds for the NIST P-curves, generated in the 1990s by Jerry Solinas at NSA, were simply SHA1 hashes of some variation of the string “Give Jerry a raise”...

AWS-LC is now FIPS 140-3 certified

Nevine Ebeid — Fri, 06 Oct 2023 17:55:44 +0000

AWS Cryptography is pleased to announce that today, the National Institute for Standards and Technology (NIST) awarded AWS-LC its validation certificate as a Federal Information Processing Standards (FIPS) 140-3, level 1, cryptographic module. This important milestone enables AWS customers that require FIPS-validated cryptography to leverage AWS-LC as a fully owned AWS implementation. AWS-LC is an […]

You Can’t Rush Post-Quantum-Computing Cryptography Standards

Bruce Schneier — Tue, 08 Aug 2023 11:13:22 +0000

I just read an article complaining that NIST is taking too long in finalizing its post-quantum-computing cryptography standards.

This process has been going on since 2016, and since that time there has been a huge increase in quantum technology and an equally large increase in quantum understanding and interest. Yet seven years later, we have only four algorithms, although last week NIST announced that a number of other candidates are under consideration, a process that is expected to take “several years.

The delay in developing quantum-resistant algorithms is especially troubling given the time it will take to get those products to market. It generally takes four to six years with a new standard for a vendor to develop an ASIC to implement the standard, and it then takes time for the vendor to get the product validated, which seems to be taking a troubling amount of time...

Customer Compliance Guides now available on AWS Artifact

Kevin Donohue — Fri, 23 Jun 2023 13:14:27 +0000

Amazon Web Services (AWS) has released Customer Compliance Guides (CCGs) to support customers, partners, and auditors in their understanding of how compliance requirements from leading frameworks map to AWS service security recommendations. CCGs cover 100+ services and features offering security guidance mapped to 10 different compliance frameworks. Customers can select any of the available frameworks and services […]

NIST Draft Document on Post-Quantum Cryptography Guidance

Bruce Schneier — Tue, 02 May 2023 14:10:30 +0000

NIST has released a draft of Special Publication1800-38A: “Migration to Post-Quantum Cryptography: Preparation for Considering the Implementation and Adoption of Quantum Safe Cryptography.” It’s only four pages long, and it doesn&#821...