Systems security engineering contributes to a broad-based and holistic security perspective and focus within the systems engineering effort. This ensures that stakeholder protection needs and security concerns associated with the system are properly identified and addressed in all systems engineering tasks throughout the system life cycle. Mission Statement... To provide a basis to formalize a discipline for systems security engineering in terms of its principles, concepts, and activities. To foster a common mindset to deliver security for any system, regardless of its scope, size,...
To become a laboratory for the CST program there are a number of requirements. A lab must become accredited under the CST LAP, which is part of NIST’s NVLAP. A lab must sign and enter into a Cooperative Research and Development Agreement (CRADA) with NIST; an example agreement is available. A lab must follow the “Principles of Proper Conduct” listed below. A lab must be US based if participating in the NPIVP scope. The following are the scopes maintained at NIST: Cryptographic Algorithm Validation Program (CAVP); Cryptographic Module Validation Program (CMVP); NIST Personal...
The National Institute of Standards and Technology (NIST) Usable Cybersecurity team brings together experts in diverse disciplines to work on projects aimed at understanding and improving the usability of cybersecurity software, hardware, systems, and processes. Our goal is to provide actionable guidance for policymakers, system engineers and security professionals so that they can make better decisions that enhance the usability of cybersecurity in their organizations. Recent Media Hacker Valley Studios Podcast: Cybersecurity Advocates Cybersecurity Awareness Month: Fight the...
[Redirect to https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program] NIST’s Cybersecurity for the Internet of Things (IoT) program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies, and academia, the program aims to cultivate trust and foster an environment that enables innovation on a global scale.
[Redirect to: https://www.nist.gov/itl/ssd/software-quality-group/samate/software-assurance-reference-dataset-sard] The purpose of the Software Assurance Reference Dataset (SARD) is to provide users, researchers, and software security assurance tool developers with a set of known security flaws. This will allow end users to evaluate tools and tool developers to test their methods. You will be redirected to the SARD homepage.
[Redirect to: https://www.nist.gov/itl/ssd/software-quality-group/samate/static-analysis-tool-exposition-sate] SATE is a non-competitive study of static analysis tool effectiveness, aiming at improving tools and increasing public awareness and adoption. Briefly, participating tool makers run their static analyzer on a set of programs, then researchers led by NIST analyze the tool reports. Everyone shares results and experiences at a workshop. The analysis report is made publicly available later. SATE's purpose is NOT to evaluate nor choose the "best" tools. Rather, it is aimed at exploring the...
Today, many employees telework (also known as “telecommuting,” “work from home,” or “work from anywhere”). Teleworking is the ability of an organization’s employees, contractors, business partners, vendors, and other users to perform work from locations other than the organization’s facilities. Telework has been on the rise for some time, but sharply increased in 2020 because of the COVID-19 pandemic. For many, telework is now the only way to get work done, and the original concept of “telework” has evolved into being able to work anytime, anywhere. The technologies used for telework have...
[Redirect to: https://samate.nist.gov/BF/] The Bugs Framework (BF) organizes software weaknesses (bugs) into distinct classes, such as Buffer Overflow (BOF), Injection (INJ), and Control of Interaction Frequency (CIF). Each BF class has an accurate and precise definition and comprises: Level (high or low) that identifies the fault as language-related or semantic; Attributes that identify the software fault; Causes that bring about the fault; Consequences the fault could lead to; and Sites in code where the fault might occur. You will be redirected to the BF homepage.
DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing these practices to develop and deploy software in operational environments, often without a full understanding and consideration of security. NIST held a virtual workshop in January 2021 on improving the security of DevOps practices; you can access the workshop recording and materials here. Value |...
NIST has been tasked with creating guidelines for reporting, coordinating, publishing, and receiving information about security vulnerabilities, as part of the Internet of Things Cybersecurity Improvement Act of 2020, Public Law 116-207, and in alignment with ISO/IEC 29147 and 30111 whenever practical. The guidelines address: Establishing a federal vulnerability disclosure framework, including the Federal Coordination Body (FCB) and Vulnerability Disclosure Program Offices (VDPOs) Receiving information about a potential security vulnerability in an information system owned or...
SSDF version 1.1 is published! NIST Special Publication (SP) 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities has been posted as final, along with a Microsoft Excel version of the SSDF 1.1 table. SP 800-218 includes mappings from Executive Order (EO) 14028 Section 4e clauses to the SSDF practices and tasks that help address each clause. Also, see a summary of changes from version 1.1 and plans for the SSDF. Has your organization produced a set of secure software development practices? If you want to map...
[Redirect to https://www.nist.gov/itl/ssd/software-quality-group/samate] The NIST Software Assurance Metrics And Tool Evaluation (SAMATE) project is dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques, and identifying gaps in tools and methods. The scope of the SAMATE project is broad: ranging from operating systems to firewalls, SCADA to web applications, source code security analyzers to correct-by-construction methods.
[Redirect to: https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl] The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that...
This project summarizes NIST’s current and planned activities for reviewing its cryptography standards and other publications. The Crypto Publication Review Board (“the Board”) within the Computer Security Division identifies a publication for review based on its original publishing date and any relevant issues raised since it was published. The targeted review period for each publication is every five years. The Board welcomes public comments on the publications under review and will consider those comments as it develops a proposal for processing each publication. Publications Under Review...
NIST is in the process of revising NIST Special Publication (SP) 800-92, Guide to Computer Security Log Management. Recent incidents have underscored how important it is for organizations to generate, safeguard, and retain logs of their system and network events, both to improve incident detection and to aid in incident response and recovery activities. Logs that are retained for an extended period of time may be the only record an organization has of what occurred during an incident to identify root cause. The current version (September 2006) of SP 800-92 seeks to assist organizations in...
Thanks for helping shape our ransomware guidance! We've published the final NISTIR 8374, Ransomware Risk Management: A Cybersecurity Framework Profile and the Quick Start Guide: Getting Started with Cybersecurity Risk Management | Ransomware. Thanks for attending our July 14th Virtual Workshop on Preventing and Recovering from Ransomware and Other Destructive Cyber Events. Please watch the recording HERE. Our new resources on tips and tactics for preparing your organization for ransomware attacks are here! Video: Protecting Your Small Business--Ransomware Fact sheet: How do I stay...
[Redirect to https://www.nccoe.nist.gov/projects/building-blocks/data-security] The Data Security program at the National Cybersecurity Center of Excellence (NCCoE) has produced guidance for both data integrity and data confidentiality. Each will consist of a series of publications that work together to identify, protect, detect, respond to, and recover from critical events.
A main goal of circuit masking is to make more difficult the illegitimate exfiltration of secrets from a circuit evaluation. Masking schemes use secret-sharing of the input bits of a circuit and recompile the circuit logic to ensure that important properties of the secret sharing remain across the circuit evaluation. Recent documents: feedback 2021a compilation (updated 2022-Jan-27); project scope (updated 2022-Jan-24) Upcoming (1st half of 2022): Public Call for Concrete Masked Circuits After a d-th order masking, the probing of up to d wires in a masked circuit should not reveal...
Recent Updates: April 25, 2022: NIST requests comments on Draft SP 800-82 Revision 3, Guide to Operational Technology Security. Submit comments to sp800-82rev3@nist.gov by July 1, 2022. Operational technology (OT) encompasses a broad range of programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building automation systems,...
[Redirect to: https://www.nist.gov/cybersecurity/improving-cybersecurity-supply-chains-nists-public-private-partnership] In 2021, NIST announced a new effort to work with the private sector and others in government to improve cybersecurity supply chains. This initiative, NIICS, will help organizations to build, evaluate, and assess the cybersecurity of products and services in their supply chains, an area of increasing concern. It will emphasize tools, technologies, and guidance focused on the developers and providers of technology.
Cloud computing has become the core accelerator of US Government digital business transformation. NIST is establishing a Multi-Cloud Security Public Working Group (MCSPWG) to research best practices for securing complex cloud solutions involving multiple service providers and multiple clouds. The White House Executive Order on Improving the Nation's Cybersecurity highlights that “the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life” by focusing “the full scope of its authorities and...
The Cybersecurity and Privacy Reference Tool offers a consistent format for accessing the reference data of NIST cybersecurity and privacy standards, guidelines, and frameworks. Here you can find digitized reference data, in a unified data format, from certain NIST publications that can support numerous use cases. These datasets will make it much easier for users of NIST resources to identify, locate, compare, and customize content in and across NIST resources without needing to review hundreds of pages of narrative within the publications. The reference data can be exported in different data...
NIST has defined cloud computing in NIST SP 800-145 document as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. For more than a decade, cloud computing has offered cost savings both in terms of capital expenses and operational expenses, while leveraging leading-edge technologies to meet the information processing needs of users in the public and...