Showing 626 through 650 of 13539 matching records.
Project Pages https://csrc.nist.rip/projects/usable-cybersecurity/workshops

Human Factors in Smart Home Technologies Workshop September 24, 2019 National Institute of Standards and Technology, Gaithersburg, MD The workshop addressed human considerations for smart home devices, including usability, user perceptions, and end-user privacy and security considerations. Invited speakers from industry and academia provided their perspectives via presentations and a moderated panel. In addition to becoming more aware of human aspects of smart home technologies, the attendees from industry, government, and academia had the opportunity to influence NIST's future research...

Project Pages https://csrc.nist.rip/projects/systems-security-engineering-project/sse-publications

NIST Special Publication 800-160, Volume 3, Systems Security Engineering Considerations for Software Assurance
NIST Special Publication 800-160, Volume 4, Systems Security Engineering Considerations for Hardware Assurance

Project Pages https://csrc.nist.rip/projects/systems-security-engineering-project/speaking-engagements

October 10, 2018: The Underserved Cybersecurity Workforce - Securely Provisioning our Future, National Initiative for Cybersecurity Education (NICE) Webinar, https://www.nist.gov/news-events/events/2018/10/nice-webinar-underserved-cybersecurity-workforce-securely-provisioning
October 16, 2018: 2018 Technology Expo & Cyber Forum, The Armed Forces Communications and Electronics Association (AFCEA) (Middle Georgia Chapter), Robins Air Force Base, Georgia, https://middlegeorgia.afceachapters.org
October 18, 2018: The Cotton Cyber Lecture Series, Hood College, Frederick, Maryland...

Project Pages https://csrc.nist.rip/projects/systems-security-engineering-project/sse-blogs

Blogs: Taking Measure, Rethinking Cybersecurity from the Inside Out, R. Ross, November 2016.
Bulletins: ITL Bulletin, Rethinking Security through Systems Security Engineering, R. Ross, L. Feldman, G. Witte, December 2016.
Videos: The Need for Systems Thinking in Cybersecurity, R. Ross, October 2021.

Project Pages https://csrc.nist.rip/projects/role-based-access-control/rbac-library

The following references provide historical background and important details about RBAC.
RBAC Book: Role-Based Access Control, 2nd edition (2007) by David Ferraiolo, Ramaswamy Chandramouli, and D. Richard Kuhn.
Early Papers: D.F. Ferraiolo and D.R. Kuhn (1992), Role-Based Access Controls, 15th National Computer Security Conference. The original RBAC paper; introduced a formal model for role-based access. D.F. Ferraiolo, J. Cugini, D.R. Kuhn (1995), Role-Based Access Control (RBAC): Features and...

Project Pages https://csrc.nist.rip/projects/role-based-access-control/role-engineering-and-rbac-standards

Many organizations are in the process of moving to role-based access control. The process of developing an RBAC structure for an organization has become known as "role engineering." Role engineering can be a complex undertaking. For example, in implementing RBAC for a large European bank with over 50,000 employees and 1,400 branches serving more than 6 million customers, approximately 1,300 roles were discovered. In view of the complexities, RBAC is best implemented by applying a structured framework that breaks down each task into its component parts. The resources on this page can help...

Project Pages https://csrc.nist.rip/projects/role-based-access-control/rbac-and-sarbanes-oxley-compliance

The Sarbanes-Oxley Act establishes a set of requirements for financial systems, to deter fraud and increase corporate accountability.  For information technology systems, regulators may need to know who used a system, when they logged in and out, what accesses or modifications were made to what files, and what authorizations were in effect.  IT vendors responding to Sarbanes-Oxley (SOX) requirements have adopted RBAC as central to compliance solutions because RBAC was designed to solve this type of problem. Sarbanes-Oxley Act of 2002 and Impact on the IT Auditor, IT Knowledgebase -...

Project Pages https://csrc.nist.rip/projects/role-based-access-control/rbac-case-studies

The following RBAC case studies and experience reports may be useful in planning for RBAC implementations. We will add to this collection as more reports become available. (Please note that the authors and organizations below are not affiliated with NIST or any other agency of the US Government, unless otherwise noted, and NIST cannot endorse or comment on these publications.) Submit comments or suggestions on this collection to the Project Contacts. Health Care A Case Study in Access Control Requirements for a Health Information System - "a detailed examination of the access...

Project Pages https://csrc.nist.rip/projects/measuring-security-risk-in-enterprise-networks/measuring-security-risk-in-enterprise-networks-pub

Publications: Daniel Borbor, Lingyu Wang, Sushil Jajodia, Anoop Singhal, "Securing Networks Against Unpatchable and Unknown Vulnerabilities Using Heterogeneous Hardening Options", 31st IFIP Conference on Data and Application Security and Privacy (DBSEC 2017), Philadelphia, Pennsylvania, July 19-21, 2017. Xiaoyan Sun, Anoop Singhal, Peng Liu, "Towards Actionable Mission Impact Assessment in the Context of Cloud Computing", 31st IFIP Conference on Data and Application Security and Privacy (DBSEC 2017), Philadelphia, Pennsylvania, July 19-21, 2017. Changwei Liu, Anoop Singhal, Duminda...

Project Pages https://csrc.nist.rip/projects/measuring-security-risk-in-enterprise-networks/a-layered-graphical-model-for-mission-impact-analy

An organizational mission enabled by networked infrastructure can be impacted by cyber attacks. A mission is defined as a set of business processes that provide some service. For example, the mission of a travel management system is to provide a set of business processes that support airline and hotel reservations. Quantifying the impact of cyber attacks is important to mission planners. Mission impact evaluation approaches and tools provide a way to estimate the impact of cyber attacks on missions. In an enterprise information environment, the system supports different business processes...

Project Pages https://csrc.nist.rip/projects/measuring-security-risk-in-enterprise-networks/security-risk-analysis-using-attack-graphs

An essential type of security risk analysis is to determine the level of compromise possible for important hosts in a network from a given starting location. This is a complex task, as it depends on the network topology, on the security policy in the network as determined by the placement of firewalls, routers and switches, and on vulnerabilities in hosts and communication protocols. Traditionally, this type of analysis is performed by a red team of computer security professionals who actively test the network by running exploits that compromise the system. Red team exercises are effective, however...
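As an added illustration of the analysis described above (example code written for this page, not a tool from the NIST project or any of the cited papers): the attacker's starting location, a firewall policy, and a handful of host vulnerabilities are reduced to a reachability problem. Privilege on each host is forward-chained monotonically, the resulting edges form the attack graph, and a second pass asks which single vulnerability, if patched, would deny the attacker the target host. The hosts, ports, firewall rules and exploit names below are all constructed for the example and correspond to no real system.

```python
from dataclasses import dataclass
from typing import Optional

# Privilege levels an attacker can hold on a host, ordered weakest to strongest.
NONE, USER, ROOT = 0, 1, 2


@dataclass(frozen=True)
class Exploit:
    """A host vulnerability reduced to its effect on the attacker's privilege.

    port is None for a local exploit (needs an existing foothold on `host`);
    otherwise it is a network exploit against the service on (host, port).
    """
    name: str
    host: str
    port: Optional[int]
    gained: int


@dataclass
class Network:
    # Firewall/routing policy: (src_host, dst_host, dst_port) tuples that are permitted.
    allowed: frozenset
    exploits: tuple


def analyze(net: Network, start_host: str):
    """Forward-chain from the attacker's starting location.

    Returns (priv, edges): priv maps host -> highest privilege obtainable,
    edges lists (from_state, to_state, exploit_name) forming the attack graph.
    Privilege only ever increases, so the loop terminates.
    """
    priv = {start_host: USER}  # a foothold on the start host, nothing else yet
    edges = []
    changed = True
    while changed:
        changed = False
        for ex in net.exploits:
            for src, p in list(priv.items()):
                if ex.port is None:
                    # Local privilege escalation requires code execution on that host.
                    if src != ex.host or p < USER:
                        continue
                elif (src, ex.host, ex.port) not in net.allowed:
                    continue  # the firewall policy blocks this hop
                if priv.get(ex.host, NONE) < ex.gained:
                    edges.append(((src, p), (ex.host, ex.gained), ex.name))
                    priv[ex.host] = ex.gained
                    changed = True
    return priv, edges


def compromise_level(net: Network, start_host: str, target: str) -> int:
    """Highest privilege the attacker can obtain on `target` from `start_host`."""
    return analyze(net, start_host)[0].get(target, NONE)


def single_point_fixes(net: Network, start_host: str, target: str) -> set:
    """Names of exploits whose removal alone (patching that one vulnerability)
    leaves the attacker with no privilege on `target`."""
    fixes = set()
    for ex in net.exploits:
        patched = Network(net.allowed, tuple(e for e in net.exploits if e is not ex))
        if compromise_level(patched, start_host, target) == NONE:
            fixes.add(ex.name)
    return fixes


# Constructed sample: a DMZ web tier in front of a database, attacker on "internet".
SAMPLE_NET = Network(
    allowed=frozenset({
        ("internet", "web", 443),  # only the web server is exposed
        ("web", "db", 5432),       # only the web tier may reach the database
    }),
    exploits=(
        Exploit("web-rce", "web", 443, USER),          # hypothetical remote code execution
        Exploit("web-local-privesc", "web", None, ROOT),  # hypothetical local escalation
        Exploit("db-auth-bypass", "db", 5432, ROOT),   # hypothetical database exploit
    ),
)

if __name__ == "__main__":
    priv, edges = analyze(SAMPLE_NET, "internet")
    for frm, to, name in edges:
        print(f"{frm} --{name}--> {to}")
    print("db compromise level:", compromise_level(SAMPLE_NET, "internet", "db"))
    print("patches that alone protect db:", single_point_fixes(SAMPLE_NET, "internet", "db"))
```

The firewall policy is what makes the topology matter: dropping the ("web", "db", 5432) rule leaves the database unreachable even with every vulnerability still present, while removing the local privilege escalation changes nothing for the database, because the database exploit only needs a foothold on the web host, not root. Real attack-graph tools replace the hand-written exploit list with vulnerability-scanner output and the tuple set with parsed firewall and routing configuration, but the chaining step is the same.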

Project Pages https://csrc.nist.rip/projects/measuring-security-risk-in-enterprise-networks/techniques-for-network-and-cloud-forensics-analysi

Cloud computing provides several benefits to organizations, such as increased flexibility, scalability and reduced cost. However, it presents several challenges for digital forensics and criminal investigation. Existing forensic analysis frameworks and tools are largely intended for offline investigation, and they assume that the logs are under the control of the investigator. In cloud computing, the evidence can be distributed across several machines and may be stored on machines that are beyond the control of the investigator. Other challenges are the dependence of forensically...

Project Pages https://csrc.nist.rip/projects/risk-management/fisma-background

The suite of NIST information security risk management standards and guidelines is not a "FISMA Compliance checklist." Federal agencies, contractors, and other sources that use or operate a federal information system use the suite of NIST Risk Management standards and guidelines to develop and implement a risk-based approach to manage information security risk. FISMA emphasizes the importance of risk management. Compliance with applicable laws, regulations, executive orders, directives, etc. is a byproduct of implementing a robust, risk-based information security program. The NIST Risk...

Project Pages https://csrc.nist.rip/projects/risk-management/about-rmf

A Comprehensive, Flexible, Risk-Based Approach The Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of...

Project Pages https://csrc.nist.rip/projects/risk-management/mailing-list

Join the NIST Risk Management Framework (FISMA Implementation Project) Email List. NIST will inform our stakeholders immediately when updates to the emerging set of security standards and guidelines are available, or when there are important project-related events scheduled. Please note that only mailing list administrators are able to send messages on this email list. Join the NIST RMF Email List. Troubleshooting: If your organization's firewall is preventing you from joining via the NIST Risk Management Framework Email List, please send an email to sec-cert@nist.gov. A NIST...

Project Pages https://csrc.nist.rip/projects/risk-management/rmf-course

The purpose of this course is to provide people new to risk management with an overview of a methodology for managing organizational risk in accordance with NIST Special Publication (SP) 800-37, Revision 2, Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. For individuals with experience with NIST SP 800-37, Revision 1, this course explains updates to the RMF in Revision 2, including the integration of privacy and supply chain risk management into this holistic process. The RMF provides a disciplined,...

Project Pages https://csrc.nist.rip/projects/risk-management/about-rmf/implement-step/security-configuration-settings

As part of a holistic risk management strategy and applying the information security concept of defense-in-depth, organizations should employ appropriate configuration settings on commercial information technology products that compose their organizational systems. These products include, for example, mainframe computers, workstations, portable and mobile devices, and network components. Requirements to establish mandatory configuration settings derive from the Federal Information Security Management Act as implemented by FIPS 200 and NIST Special Publication 800-53 (Control CM-6,...

Project Pages https://csrc.nist.rip/projects/program-review-for-information-security-assistance/prisma-review-option-1

The Program Review for Information Security Assistance (PRISMA) project was last updated in 2007; NIST Interagency Report (IR) 7358 and the corresponding PRISMA tool continue to serve as useful resources for high-level guidance and as a general framework, but may not be fully consistent with changes to requirements, standards and guidelines for securing information systems. NIST will review and determine next steps to best support and potentially update the PRISMA content in 2022.  For any questions or comments, please contact sec-cert@nist.gov. Option one of a PRISMA review focuses on...

Project Pages https://csrc.nist.rip/projects/program-review-for-information-security-assistance/prisma-review-option-2

Option two of a PRISMA review focuses on...

Project Pages https://csrc.nist.rip/projects/program-review-for-information-security-assistance/security-maturity-levels

The PRISMA review is based upon five levels...

Project Pages https://csrc.nist.rip/projects/program-review-for-information-security-assistance/prisma-database

Download

Project Pages https://csrc.nist.rip/projects/security-content-automation-protocol/hipaa

ARCHIVED: The NIST HIPAA Security Rule Toolkit is no longer supported, and is provided here only for historical purposes.
HIPAA Security Rule Toolkit: The NIST HIPAA Security Toolkit Application is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance...

Project Pages https://csrc.nist.rip/projects/security-content-automation-protocol/release-cycle

The SCAP Release Cycle: Changes to SCAP impact a large number of organizations that manage content and provide SCAP Validated Products and Modules and SCAP-related services. A change to SCAP often results in considerable effort to migrate products, content, and other capabilities to the new SCAP revision. To mitigate risks relating to level of effort, timing, and specification changes, revisions to SCAP are managed according to a coordinated process. The following workflow addresses these concerns. The SCAP release cycle defines a process for managing change relating to SCAP and the...

Project Pages https://csrc.nist.rip/projects/security-content-automation-protocol/scap-content

SCAP Checklists: Security checklists (or benchmarks) that provide detailed, low-level guidance on setting the security configuration of operating systems and applications.
SCAP Enumeration and Mapping Data Feeds: SCAP-related reference data for tool developers, integrators and SCAP Validated Product users.

Project Pages https://csrc.nist.rip/projects/security-content-automation-protocol/scap-releases

SCAP must continually evolve to meet the ever-changing needs of the community. This need for continual evolution results in multiple versions of SCAP being available at any given time. The SCAP Release Cycle defines a process for managing change relating to SCAP and the NIST SCAP Validation Program by providing a consistent and repeatable revision workflow. The following list represents the currently available versions of SCAP. The current effective version of SCAP is SCAP 1.3.
Protocol: SCAP (Security Content Automation Protocol); Version: 2.0; Status: Initial Design; Specification: TBD...
