原文： A Statistical Test Suite for the Validation of Random Number Generators and Pseudo Random Number Generators for Cryptographic Applications

NIST Cloud ComputingSecurity Reference Architecture.pdf

T • Enabling more consistent, comparable, and repeatable assessments of security controls in federal information systems; • Promoting a better understanding of agency-related mission risks resulting from the operation of information systems; and • Creating more complete, reliable, and trustworthy information for authorizing officials—to facilitate more informed security accreditation decisions. Security certification and accreditation are important activities that support a risk management process and are an integral part of an agency’s information security program. Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control and challenges managers and technical staffs at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. Thus, responsibility and accountability are core principles that characterize security accreditation. It is essential that agency officials have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems. The information and supporting evidence needed for security accreditation is developed during a detailed security review of an information system, typically referred to as security certification. Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision.

美国商务部国家标准与技术研究院（NIST）发布《提升关键基础设施网络安全的框架》，该框架由框架核心、框架实施层和框架概况三大基本要素组成。框架核心提供了一套关键基础设施行业通用的网络安全活动、预期结果和适用参考。框架核心提出了行业标准、指南和实践，以便组织机构从管理层到执行层的层级沟通网络安全活动和结果。框架核心包含功能、类别、 子类别和信息参考4个要素，以及识别、保护、检测、响应和恢复5个功能。 框架实施层为组织机构提供相关机制，供其了解网络安全风险管理方法的特征，并提供网络安全风险审视方法和管理风险的流程，可帮助组织机构确定优先级并实现网络安全目标。实施层指的是组织机构安全风险管理实践的程度，衡量标准包括风险与威胁意识、可重复和自适应等要素。实施层通过四个层级范围描述组织机构的实践程度，各层级（从部分的层级1到自适应的层级4）反映了从非正式、被动响应到自适应的表现。该框架指出，在确定实施层级的过程中，组织机构应考虑当前的风险管理实践、威胁环境、法律法规要求、业务/任务目标和限制条件。 　　框架概况根据组织机构的业务需求、风险承受能力、资源等要素，对功能、类别和子类别进行调整，帮助各组织机构建立降低网络安全风险的路线图，确保既能兼顾整体与部门目标、考虑法律法规要求和行业最佳实践，又能反映风险管理的轻重缓急。“概况”可被定义为在特定实施场景下对核心框架的类别和子类别进行调整。借助概况，组织机构可对比“当前概况”和“目标概况”，以此识别提升网络安全态势的机会。要制定出框架“概况”，组织机构可查看所有的类别和子类别，并基于业务或任务需求以及风险评估，以此确定最重要的事项。组织机构可按需添加类别和子类别解决风险。“当前概况”可用来审视“目标概况”需考虑的优先级和进度衡量，同时考虑包括成本效益和创新在内的其它业务需求。组织机构可利用概况进行自我评估，并有助于在组织机构内部和组织机构之间进行风险沟通。

nist-300-83D-(Galois Counter Mode (GCM)) Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC

This Recommendation specifies a message authentication code (MAC) algorithm based on a symmetric key block cipher. This block cipher-based MAC algorithm, called CMAC, may be used to provide assurance of the authenticity and, hence, the integrity of binary data. KEY WORDS: authentication; block cipher; cryptography; information security; integrity; message authentication code; mode of operation.

文档是早期对NIST SP800-82的翻译稿，供大家参考。

NIST为智能电网信息安全战略规划发布的NISTIR 7628《智能电网信息安全指南》明确了智能电网信息安全研究的5个阶段的战略步骤，提出了清晰的涵盖组件和接口的智能电网功能逻辑架构，并针对接口定义了安全要求。NISTIR 7628中提出了一个普适性的框架。

官方的FIPS，包括ECDSA（椭圆曲线加密），原汁原味

一款物性计算软件，是NIST推出的物性查询软件，个人觉得是这方面最好用的软件了