Celebrating 50 Years of Cybersecurity at NIST!

With each day bringing new cybersecurity challenges and advances, it’s easy to understand why people feel like it’s hard to keep up. It is important to be agile and move quickly to avoid the consequences of cybersecurity attacks — and that need extends to government agencies, like NIST, as we work collaboratively with industry, academia, and government to help meet these challenges. Those of us at NIST realize that we have a responsibility to keep an eye on current needs AND on potential future needs including changes in technologies and threats that could affect the ability of organizations to manage cybersecurity risks.

For the last 50 years, NIST — formerly the National Bureau of Standards (NBS) until 1988 — has been up to the job. Our efforts to cultivate trust in information, systems, and technologies have provided a foundation for cybersecurity advancements. They include specific information that can be put into practice immediately to longer-term research that anticipates advances in technologies and future challenges.

We have been successful because of the emphasis we place not only on addressing near-term demands — but also the time we spend thinking, exploring, listening, sharing, and speaking with others about the longer-term. We make that our business.

Here is a quick look at some of our highlights along the way:

1972 | The National Bureau of Standards (NBS) establishes a Computer Security Program.

1974 | NBS publishes its first guide: the pocket Executive Guide to Computer Security, intended for executives and published at a time when only about 130,000 computers were installed across the entire United States.

1977 | NBS releases the first authentication publications—Guidelines for authenticating users long before most people had ever used a computer.

1977 | NBS publishes the Data Encryption Standard (DES) – the first standardized encryption algorithm.

1979 – 2000 | We host what became the National Information Systems Security Conference, an important annual forum for the broad security community.

1985 | A Password Usage Standard is published: “FIPS 112” included many concepts still considered in today’s user authentication systems.

1988 | Congress passes the Computer Security Act of 1987, transferring some computer security responsibilities from the National Security Agency (NSA) to NBS.

1992 | Role-Based Access Control (RBAC) was introduced by NIST. This has a significant impact on how access control is implemented in computer systems.

1995 | NIST establishes the Cryptographic Module Validation Program (CMVP) and Cryptographic Algorithm Validation Program (CAVP).

1996 | NIST launches FedCIRC — the Federal Computer Incident Response Capability — which offered federal agencies incident response services and other cybersecurity capabilities, and eventually became US-CERT.

1997 | NIST announces its intention to develop a publicly disclosed Advanced Encryption Standard (AES) to replace DES.

1999 | NIST begins vulnerability tracking and analysis with the Internet – Categorization of Attacks Toolkit (ICAT). Becoming the National Vulnerability Database (2005), it now sustains the global vulnerability management ecosystem.

2004 | NIST’s Electronic Authentication Guideline (SP 800-63) has been released.

2004 | NIST issues the Risk Management Framework (RMF), a continuous approach to managing cybersecurity risk throughout the system development life cycle and used widely by federal agencies and others.

2012 | NIST launches the National Cybersecurity Center of Excellence (NCCoE) in partnership with the State of Maryland and Montgomery County.

2014 | Congress affirms NIST’s role through legislation as lead for the National Initiative for Cybersecurity Education (NICE) – a partnership with industry, academia, and government – to promote an ecosystem of cybersecurity education and workforce development.

2014 | With major input from the private and public sectors, NIST publishes the Cybersecurity Framework 1.0. The initial version is released as voluntary guidance for critical infrastructure organizations and is used extensively. Federal agencies now are required to use the Framework.

2016 | NIST’s Post-Quantum Cryptography Standardization effort begins.

2020 | NIST’s Privacy Framework 1.0 is published.

2021 | Carrying out an Executive Order from the President, NIST begins to issue a series of guidance documents to improve the cybersecurity of the software supply chain.

These and many other efforts add up to cultivating trust in information, systems, and technologies… and that’s our charge. I encourage you to review our recent progress and to help us look well beyond the here-and-now of technology, cybersecurity, and privacy; this will enable all of us to meet the future with confidence that we can manage the emerging risks and change the world for the better for the next 50 years. You can do that in many ways. Start here or by responding to this new Request for Information.

With each day bringing new cybersecurity challenges and advances, it’s easy to understand why people feel like it’s hard to keep up. It is important to be agile and move quickly to avoid the consequences of cybersecurity attacks — and that need extends to government agencies, like NIST, as we work collaboratively with industry, academia, and government to help meet these challenges. Those of us at NIST realize that we have a responsibility to keep an eye on current needs AND on potential future needs including changes in technologies and threats that could affect the ability of organizations to manage cybersecurity risks.

For the last 50 years, NIST — formerly the National Bureau of Standards (NBS) until 1988 — has been up to the job. Our efforts to cultivate trust in information, systems, and technologies have provided a foundation for cybersecurity advancements. They include specific information that can be put into practice immediately to longer-term research that anticipates advances in technologies and future challenges.

We have been successful because of the emphasis we place not only on addressing near-term demands — but also the time we spend thinking, exploring, listening, sharing, and speaking with others about the longer-term. We make that our business.

Here is a quick look at some of our highlights along the way:

1972 | The National Bureau of Standards (NBS) establishes a Computer Security Program.

1974 | NBS publishes its first guide: the pocket Executive Guide to Computer Security, intended for executives and published at a time when only about 130,000 computers were installed across the entire United States.

1977 | NBS releases the first authentication publications—Guidelines for authenticating users long before most people had ever used a computer.

1977 | NBS publishes the Data Encryption Standard (DES) – the first standardized encryption algorithm.

1979 – 2000 | We host what became the National Information Systems Security Conference, an important annual forum for the broad security community.

1985 | A Password Usage Standard is published: “FIPS 112” included many concepts still considered in today’s user authentication systems.

1988 | Congress passes the Computer Security Act of 1987, transferring some computer security responsibilities from the National Security Agency (NSA) to NBS.

1992 | Role-Based Access Control (RBAC) was introduced by NIST. This has a significant impact on how access control is implemented in computer systems.

1995 | NIST establishes the Cryptographic Module Validation Program (CMVP) and Cryptographic Algorithm Validation Program (CAVP).

1996 | NIST launches FedCIRC — the Federal Computer Incident Response Capability — which offered federal agencies incident response services and other cybersecurity capabilities, and eventually became US-CERT.

1997 | NIST announces its intention to develop a publicly disclosed Advanced Encryption Standard (AES) to replace DES.

1999 | NIST begins vulnerability tracking and analysis with the Internet – Categorization of Attacks Toolkit (ICAT). Becoming the National Vulnerability Database (2005), it now sustains the global vulnerability management ecosystem.

2004 | NIST’s Electronic Authentication Guideline (SP 800-63) has been released.

2004 | NIST issues the Risk Management Framework (RMF), a continuous approach to managing cybersecurity risk throughout the system development life cycle and used widely by federal agencies and others.

2012 | NIST launches the National Cybersecurity Center of Excellence (NCCoE) in partnership with the State of Maryland and Montgomery County.

2014 | Congress affirms NIST’s role through legislation as lead for the National Initiative for Cybersecurity Education (NICE) – a partnership with industry, academia, and government – to promote an ecosystem of cybersecurity education and workforce development.

2014 | With major input from the private and public sectors, NIST publishes the Cybersecurity Framework 1.0. The initial version is released as voluntary guidance for critical infrastructure organizations and is used extensively. Federal agencies now are required to use the Framework.

2016 | NIST’s Post-Quantum Cryptography Standardization effort begins.

2020 | NIST’s Privacy Framework 1.0 is published.

2021 | Carrying out an Executive Order from the President, NIST begins to issue a series of guidance documents to improve the cybersecurity of the software supply chain.

These and many other efforts add up to cultivating trust in information, systems, and technologies… and that’s our charge. I encourage you to review our recent progress and to help us look well beyond the here-and-now of technology, cybersecurity, and privacy; this will enable all of us to meet the future with confidence that we can manage the emerging risks and change the world for the better for the next 50 years. You can do that in many ways. Start here or by responding to this new Request for Information.