NIST pledges transparency in NSA dealings over crypto standards

The agency says it will disclose all contributions from the National Security Agency

A U.S. agency that develops widely used standards for encryption has pledged to be more transparent about its dealings with the National Security Agency, amid concerns the NSA undermined those standards to boost its surveillance efforts.

The National Institute of Standards and Technology outlined new proposed operating procedures in an updated draft published Friday. It's seeking public comments on the proposal through March 27.

The document follows a report last July from independent security experts who concluded NIST had put too much faith in the NSA in developing cryptographic standards.

"The new draft expands on NIST's interactions with the National Security Agency (NSA), explaining how the agencies work together and what steps are now in place to ensure NSA's contributions to the standards development process are transparent," NIST said.

"The new processes will ensure that NIST attributes to the NSA all algorithms, standards or guidelines contributed by the agency's staff, and acknowledges all comments received from the NSA."

NIST has been in the spotlight since 2013, when reports based on leaked documents from Edward Snowden claimed the NSA used its influence over NIST to insert a backdoor in at least one cryptographic standard and possibly to weaken others.

Last February, NIST appointed an independent panel of technologists review its practices, including Ed Felten, a computer scientist at Princeton University, Ron Rivest, an MIT professor, and Internet pioneer Vint Cerf, who works at Google.

They concluded that NIST needed to hire more cryptographic experts and reduce its reliance on the NSA for decisions about standards.

Friday's proposal reflects the feedback in that report and from public comments on the first draft, which was published last February and said much less about NIST's work with the NSA.

NIST is part of the U.S. Department of Commerce. Formed in 1901, it's charged with making U.S. businesses more competitive by creating standard measures for weights and time, as well as standards for encryption, x-ray radiation and other areas.

James Niccolai covers data centers and general technology news for IDG News Service. Follow James on Twitter at @jniccolai. James's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags regulationsecurityencryptiongovernment

More about Department of CommerceGoogleIDGMITNational Security AgencyNewsNSATechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by James Niccolai

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place