Accessing Security Requirements for Controlled Unclassified Information Purpose Assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST SP 800-171. Scope A system security plan describes how the SP 800-171 security requirements are met. The plan describes the system boundary; the environment in which the system operates; how the requirements are implemented; and the relationships with or connections to other systems. The scope of the assessments conducted using the procedures described in SP 800-171A are guided and...
Accessing Enhanced Security Requirements for Controlled Unclassified Information Purpose Assessment procedures and a methodology that can be employed to conduct assessments of the enhanced security requirements in NIST Special Publication 800-172. Scope Assessments conducted using the SP 800-172A procedures are guided and informed by the system security plans for the organizational systems processing, storing, or transmitting CUI. The assessments focus on the overall effectiveness of the security safeguards intended to satisfy the SP 800-172 enhanced security requirements. Download the SP...
Comments received in response to the pre-draft call for comments on the CUI Series. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. Date Received From...
Examples of combinatorial coverage achieved by real-world test suites in various application domains. Application Config t = 2 t = 3 t = 4 t = 5 t = 6 Reference Spacecraft control 132754262 0.940 0.831 0.668 0.536 Maximoff, J. R., Kuhn, D. R., Trela, M. D., & Kacker, R. A method for analyzing system state-space coverage within a t-wise testing framework. In 2010 IEEE ICST. Spacecraft component...
Abstract: Managing bias in an AI system is critical to establishing and maintaining trust in its operation. Despite its importance, bias in AI systems remains endemic across many application domains and can lead to harmful impacts regardless of intent. Bias is also context-dependent. To tackle this complex pr...
Abstract: This Recommendation specifies techniques for the derivation of additional keying material from a secret key—either established through a key establishment scheme or shared through some other manner—using pseudorandom functions HMAC, CMAC, and KMAC.
Abstract: This report considers threshold signature schemes interchangeable with respect to the verification mechanism of the Edwards-Curve Digital Signature Algorithm (EdDSA). Historically, EdDSA is known as a variant of Schnorr signatures, which are well-studied and suitable for efficient thresholdization,...
Abstract: A zero trust architecture (ZTA) focuses on protecting data and resources. It enables secure authorized access to enterprise resources that are distributed across on-premises and multiple cloud environments, while enabling a hybrid workforce and partners to access resources from anywhere, at any time...
Abstract: Access to multiple cloud services, the geographic spread of enterprise IT resources (including multiple data centers), and the emergence of microservices-based applications (as opposed to monolithic ones) have significantly altered the enterprise network landscape. This document is meant to provide...
Abstract: DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing the...
Abstract: The HIPAA Security Rule focuses on safeguarding electronic protected health information (ePHI) held or maintained by regulated entities. The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible us...
Abstract: All enterprises should ensure that information and communications technology (ICT) risk receives appropriate attention within their enterprise risk management (ERM) programs. This document is intended to help individual organizations within an enterprise improve their ICT risk management (ICTRM). Th...
Abstract: The increasing frequency, creativity, and severity of technology attacks means that all enterprises should ensure that information and communication technology (ICT) risk is receiving appropriate attention within their enterprise risk management (ERM) programs. Specific types of ICT risk include, bu...
Abstract: Public safety officials utilizing public safety broadband networks will have access to devices, such as mobile devices, tablets, and wearables. These devices offer new ways for first responders to complete their missions but may also introduce new security vulnerabilities to their work environment....
Abstract: N/A
Abstract: The objective of this Cybersecurity Profile is to identify an approach to assess the cybersecurity posture of Hybrid Satellite Networks (HSN) systems that provide services such as satellite-based systems for communications, position, navigation, and timing (PNT), remote sensing, weather monitoring,...
Abstract: The National Institute of Standards and Technology is in the process of selecting public-key cryptographic algorithms through a public, competition-like process. The new public-key cryptography standards will specify additional digital signature, public-key encryption, and key-establishment algorithms...
Abstract: The national and economic security of the United States (US) is dependent upon the reliable functioning of the nation’s critical infrastructure. Positioning, Navigation, and Timing (PNT) services are widely deployed throughout this infrastructure. In a government wide effort to mitigate the potentia...
Abstract: The macOS Security Compliance Project (mSCP) provides resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS desktop and laptop system security in an automated way. This publication in...
Abstract: Organizations are increasingly at risk of cyber supply chain compromise, whether intentional or unintentional. Cyber supply chain risks include counterfeiting, unauthorized production, tampering, theft, and insertion of unexpected software and hardware. Managing these risks requires ensuring the int...
Abstract: This publication documents the consumer profile of NIST’s IoT core baseline and identifies cybersecurity capabilities commonly needed for the consumer IoT sector (i.e., IoT products for home or personal use). It can also be a starting point for small businesses to consider in the purchase of IoT pro...
Abstract: Fault detection often depends on the specific order of inputs that establish states which eventually lead to a failure. However, beyond basic structural coverage metrics, it is often difficult to determine if code has been exercised sufficiently to ensure confidence in its functions. Measures are ne...
Abstract: While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide broad understanding of the potential impacts to the enterprise mission from any type of loss. The management of enterprise risk requi...
Abstract: This work evaluates the validity of the Common Vulnerability Scoring System (CVSS) Version 3 "base score" equation in capturing the expert opinion of its maintainers. CVSS is a widely used industry standard for rating the severity of information technology vulnerabilities; it is based on human exp...
Abstract: This publication provides a basis for establishing a discipline for systems security engineering (SSE) as part of systems engineering and does so in terms of its principles, concepts, activities, and tasks. The publication also demonstrates how those SSE principles, concepts, activities, and tasks c...