Use this form to search content on CSRC pages.
Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-161, Supply Chain Management Practices for Federal Information Systems and Organizations, which provides guidance to federal agencies on identifying, assessing and mitigating ICT supply chain risks at all levels...
Abstract: The main objective of this project was to complete the tasks of enhancing usability of the Cyber Risk Portal, which is a set of enterprise IT Supply Chain Risk Management Tools built in a partnership between the University Of Maryland’s Supply Chain Management Center and the Information Technology L...
Abstract: This document provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their uniqu...
Abstract: Federal Information Processing Standard 201-2 (FIPS 201-2) defines requirements for the Personal Identity Verification (PIV) lifecycle activities including identity proofing, registration, PIV Card issuance, and PIV Card usage. FIPS 201-2 also defines the structure of an identity credential that inc...
Abstract: This bulletin summarizes the information presented in NISTIR 8014, Considerations for Identity Management in Public Safety Mobile Networks, written by Nelson Hastings and Joshua Franklin. The publication analyzes approaches to identity management for public safety networks in an effort to assist ind...
Journal: Security Informatics Abstract: Popular network scan detection algorithms operate through evaluating external sources for unusual connection patterns and traffic rates. Research has revealed evasive tactics that enable full circumvention of existing approaches (specifically the widely cited Threshold Random Walk algorithm). To pre...
Abstract: The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SCAP version 1.2 requirements are defined in NIST Special Publication...
Journal: Computer (IEEE Computer) Abstract: A two-year study of eight pilot projects to introduce combinatorial testing in a large aerospace corporation found that the new methods were practical, significantly lowered development costs, and improved test coverage by 20 to 50 percent.
Conference: Fourth International Workshop on Combinatorial Testing (IWCT 2015) Abstract: This short paper introduces a method for verifying equivalence classes for module/unit testing. This is achieved using a two-layer covering array, in which some or all values of a primary covering array represent equivalence classes. A second layer covering array of the equivalence class values is c...
Abstract: This bulletin summarizes the information presented in NISTIR 8023, Risk Management for Replication Devices, written by Celia Paulsen and Kelley Dempsey. The publication provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted o...
Abstract: Direct Digital Manufacturing (DDM) involves fabricating physical objects from a data file using computer-controlled processes with little to no human intervention. It includes Additive Manufacturing (AM), 3D printing, rapid prototyping, etcetera. The technology is advancing rapidly and has the poten...
Conference: 13th International Conference on Cognitive Modeling (ICCM 2015) Abstract: As we increasingly rely upon our computer information systems to store and operate on sensitive information, the methods we use to authenticate user identity also become more important. One of the most important such methods is the password. However, passwords that provide better security also tend...
Abstract: This note describes a theoretical chosen-plaintext attack on the VAES3 mode for format-preserving encryption. VAES3 was specified under the name FF2 in Draft National Institute of Standards and Technology (NIST) Special Publication 800-38G.
Abstract: Cybersecurity incidents have grown swiftly from conceivable to realized risks that regularly threaten national and economic security of the United States. These risks threaten the financial security of companies and the public, weaken consumer confidence, erode individual privacy protections, and da...
Conference: 24th Conference on Behavior Representation in Modeling and Simulation (BRiMS 2015) Abstract: Validated predictive models of human error for password-related tasks could better inform password requirements for both government and civilian systems. Here, we build upon prior modeling work focused on disentangling the source of password entry errors—recall errors versus motor execution errors—r...
Abstract: Enterprises rely upon strong access control mechanisms to ensure that corporate resources (e.g. applications, networks, systems and data) are not exposed to anyone other than an authorized user. As business requirements change, enterprises need highly flexible access control mechanisms that can adap...
Journal: Crosstalk (Hill AFB): the Journal of Defense Software Engineering Abstract: There are relatively few good methods for evaluating test set quality, after ensuring basic requirements traceability. Structural coverage, mutation testing, and related methods can be used if source code is available, but these approaches may entail significant cost in time and resources. This pape...
Abstract: This document analyzes approaches to identity management for public safety networks in an effort to assist individuals developing technical and policy requirements for public safety use. These considerations are scoped into the context of their applicability to public safety communications networks...
Abstract: This bulletin provides an overview of NIST Special Publication (SP) 800-163, "Vetting the Security of Mobile Applications." The NIST SP helps organizations understand the process for vetting the security of mobile applications, plan for the implementation of an app vetting process, develop app secur...
Conference: Third International Workshop on Lightweight Cryptography for Security and Privacy (LightSec 2014) Abstract: A generic way to design lightweight cryptographic primitives is to construct simple rounds using small nonlinear components such as 4 × 4 S-boxes and use these iteratively (e.g., PRESENT and SPONGENT). In order to efficiently implement the primitive, efficient implementations of its internal compone...
Abstract: This is a brief introduction on how to run the Python command-line programs (hosted on GitHub at https://github.com/usnistgov/SP800-90B_EntropyAssessment) that implement the statistical entropy estimation tests found in Section 9 of the Draft NIST SP 800-90B (August 2012). It is not a description or...
Conference: Security of Emerging Networking Technologies (SENT) Workshop at the 2015 Network and Distributed System Security Symposium (NDSS '15) Abstract: We show that the strength of Internet-based network interconnectivity of countries is increasing over time. We then evaluate bounds on the extent to which a group of colluding countries can disrupt this connectivity. We evaluate the degree to which a group of countries can disconnect two other count...
Abstract: As electric utilities turn to Advanced Metering Infrastructures (AMIs) to promote the development and deployment of the Smart Grid, one aspect that can benefit from standardization is the upgradeability of Smart Meters. The National Electrical Manufacturers Association (NEMA) standard SG-AMI 1-2009,...
Abstract: This publication provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on replication devices (RDs). It suggests appropriate countermeasures in the context of the System Development Life Cycle. A security risk assessment tem...
Journal: Designs, Codes and Cryptography Abstract: Indifferentiability security of a hash mode of operation guarantees the mode's resistance against all generic attacks. It is also useful to establish the security of protocols that use hash functions as random functions. The JH hash function was one of the five finalists in the National Institute of...