Experts to Assess NIST Cryptography Program

Panel to Review NSA's Role in Creating NIST Standards

A group of noted cryptographers, academics and business leaders will provide an independent assessment of the way the National Institute of Standards and Technology develops cryptographic standards and guidelines.

NIST in February issued a draft report proposing changes in the way it develops cryptographic standards, following allegations that the National Security Agency meddled with NIST guidance dealing with generation of random bits (see NIST Unveils Crypto Standards Proposal).

The Visiting Committee on Advanced Technology, NIST's primary advisory committee known as VCAT, on May 14 named seven prominent individuals to a Committee of Visitors to examine Interagency Report 7977, NIST Cryptographic Standards and Guidelines Development Process, which proposes revisions of how NIST develops cryptographic standards.

The panel members include Internet pioneer Vint Cerf, chief evangelist at Google; three computer science professors, Edward Felten of Princeton University, Bart Preneel of Katholieke Universiteit Leuven in Belgium and Ron Rivest of the Massachusetts Institute of Technology; Steve Lipner, Microsoft's director of security engineering strategy; Ellen Richey, Visa chief enterprise risk officer; and Fran Schrotter, chief operating officer of the American National Standards Institute.

One of the panel members, Princeton's Felten, has written blog posts about the alleged NSA interference with NIST standards, concluding one entry titled On Security Backdoors by writing, "As long as the NSA has a license to undermine security standards, we'll have to be suspicious of any standard in which they participate."

Long-Term Relationship

NIST and the NSA have a long relationship working with one another in part because of the e-spying agency's expertise in cryptography. Also, the Federal Information Security Management Act, the law that governs federal government IT security, requires NIST to collaborate with the NSA on cybersecurity guidance. Federal civilian agencies must adopt NIST guidance.

Following publication of the draft of IR 7977, NIST sought public comment on its guide to developing cryptography, and 21 individuals or groups responded. The panel will review those recommendations, too.

A few of the recommendations suggest NIST be more transparent about past and future dealings with the NSA. "NIST has not publicly revealed to what extent or in what ways the NSA influenced these standards, or if evidence exists that other standards have been similarly undermined," writes Amie Stepanovich, senior policy counsel at the digital-rights advocacy group Access Washington. "In order to rebuild confidence in NIST, it is necessary that the agency takes proactive steps toward implementing a more transparent, accountable process for standards development."

Kent Landfield, Intel Security director of standards and technology policy, picks up on the transparency theme. "While this draft IR is a good start, it seems to be light on specifics, details and examples," he writes. "We believe this is an opportunity for NIST to demonstrate to the cryptographic community it is working hard to be extremely transparent in all aspects of cryptographic standards development. Enhancing this document with more details, using successes of the past as examples, would go a long way to assure the community NIST is serious about their concerns and is working hard to prove it."

Global Interests

Several stakeholders encourage NIST to take into account global interests in developing cryptography standards because NIST guidance is adopted worldwide. "Since these standards are the building blocks of assurance online and in digital environments, NIST cannot afford to prioritize U.S. interests or discount international perspectives," writes Joseph Lorenzo Hall, chief technologist for the Center for Democracy and Technology, an Internet advocacy group. "NIST should explicitly commit to recognizing international interest in its standards work."