Abstract: FIPS 201 defines the requirements and characteristics of a government-wide interoperable identity credential. FIPS 201 also specifies that this identity credential must be stored on a smart card. This document, SP 800-73, contains the technical specifications to interface with the smart card to retr...
Journal: IEEE Security & Privacy Abstract: What can you glean from using inexpensive, off-the-shelf parts to create Internet of Things (IoT) use cases? As it turns out, a lot. The fast productization of IoT technologies is leaving users vulnerable to security and privacy risks.
Abstract: This report defines the requirements and associated test procedures necessary for products or modules to achieve one or more Security Content Automation Protocol (SCAP) validations. Validation is awarded based on a defined set of SCAP capabilities by independent laboratories that have been accredite...
Abstract: This report documents proof of concept research for Derived Personal Identity Verification (PIV) Credentials. Smart card-based PIV Cards cannot be readily used with most mobile devices, such as smartphones and tablets, but Derived PIV Credentials (DPCs) can be used instead to PIV-enable these device...
Journal: IEEE Transactions on Information Forensics and Security Abstract: Diversity has long been regarded as a security mechanism for improving the resilience of software and networks against various attacks. More recently, diversity has found new applications in cloud computing security, moving target defense, and improving the robustness of network routing. However, mo...
Abstract: This bulletin summarizes the information presented in NISTIR 7966, "Security of Interactive and Automated Access Management Using Secure Shell (SSH)." The publication assists organizations in understanding the basics of SSH interactive and automated access management in an enterprise, focusing on th...
Abstract: This interagency report sets out proposed United States Government (USG) strategic objectives for pursuing the development and use of international standards for cybersecurity and makes recommendations to achieve those objectives. The recommendations cover interagency coordination, collaboration wit...
Abstract: This report provides background information and analysis in support of NISTIR 8074 Volume 1, "Interagency Report on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objectives for Cybersecurity." It provides a current summary of ongoing activities in critical int...
Journal: Computer (IEEE Computer) Abstract: Integrating software developed by third-party organizations into a larger system raises concerns about the software's quality, origin, functionality, security, and interoperability. Addressing these concerns requires rethinking the roles of software's principal supply-chain actors--vendor, assessor,...
Journal: IEEE Cloud Computing Abstract: Economies of scale, cutting-edge technology advancements, and higher concentration of expertise enable cloud providers to offer state-of-the-art cloud ecosystems that are resilient, self-regenerating, and secure--far more secure than the environments of consumers who manage their own systems. This h...
Abstract: This report describes the association between the use of Software Identification (SWID) Tags and the Common Platform Enumeration (CPE) specifications. The publication is intended as a supplement to NIST Internal Report 8060, Guidelines for the Creation of Interoperable Software Identification (SWID)...
Abstract: This bulletin summarizes the information presented in NIST Special Publication 800-167, "Guide to Application Whitelisting," written by Adam Sedgewick, Murugiah Souppaya and Karen Scarfone. The publication is intended to assist organizations in understanding the basics of application whitelisting....
Abstract: The National Institute of Standards and Technology (NIST) is developing a cybersecurity performance testbed for industrial control systems. The goal of the testbed is to measure the performance of industrial control systems (ICS) when instrumented with cybersecurity controls in accordance with the b...
Abstract: This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. It then describes a proof of concept implementation that was designed to address those challenges. The publication provides sufficient details about the p...
Abstract: In the past, medical devices were stand-alone instruments that interacted only with the patient. Today, medical devices have operating systems and communication hardware that allow them to connect to networks and other devices. While this technology has created more powerful tools and improved healt...
Abstract: This bulletin summarizes the information presented in NIST SP 800-82, Rev 2: Guide to Industrial Control Systems (ICS) Security written by Keith Stouffer, Victoria Pillitteri, Suzanne Lightman, Marshall Abrams and Adam Hahn. The publication provides guidance on how to secure Industrial Control Syste...
Conference: Tenth International Conference on Software Engineering Advances (ICSEA 2015) Abstract: An attack graph is a data structure representing how an attacker can chain together multiple attacks to expand their influence within a network (often in an attempt to reach some set of goal states). Restricting attack graph size is vital for the execution of high degree polynomial analysis algorith...
Journal: Computer (IEEE Computer) Abstract: Continuous Authentication has been around but has been met with several limitations. Recent development of mobile platforms are providing relief for many of these limitations as they take advantage of multiple sensors and sufficient processing power for the user and system monitoring.
Journal: Rocky Mountain Journal of Mathematics Abstract: In this work, we present a modification of a well-established measure of dependence appropriate for the analysis of stopping times for adversarial processes on cryptographic primitives. We apply this measure to construct generic criteria for the ideal behavior of fixed functions in both the random o...
Abstract: This Profile for U. S. Federal Cryptographic Key Management Systems (FCKMSs) contains requirements for their design, implementation, procurement, installation, configuration, management, operation, and use by U. S. Federal organizations. The Profile is based on SP 800-130, "A Framework for Designing...
Abstract: An application whitelist is a list of applications and application components that are authorized for use in an organization. Application whitelisting technologies use whitelists to control which applications are permitted to execute on a host. This helps to stop the execution of malware, unlicensed...
Abstract: Multiplicative complexity is a complexity measure, which is defined as the minimum number of AND gates required to implement a given primitive by a circuit over the basis (AND, XOR, NOT), with an unlimited number of NOT and XOR gates. Implementations of ciphers with a small number of AND gates are p...
Abstract: The ability to control access to sensitive data in accordance with policy is perhaps the most fundamental security requirement. Despite over four decades of security research, the limited ability for existing access control mechanisms to enforce a comprehensive range of policy persists. While resear...
Abstract: De-identification removes identifying information from a dataset so that individual data cannot be linked with specific individuals. De-identification can reduce the privacy risk associated with collecting, processing, archiving, distributing or publishing information. De-identification thus attempt...
Abstract: This bulletin summarizes the information presented in NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The publication addresses the protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and...