Abstract: [Second Public Draft] This publication presents an enterprise continuous monitoring technical reference architecture that extends the framework provided by the Department of Homeland Security’s CAESARS architecture. The goal is to facilitate enterprise continuous monitoring by presenting a reference...
Abstract: This publication provides the technical specifications for the continuous monitoring (CM2) reference model presented in NIST IR 7756. These specifications enable multi-instance CM implementations, hierarchical tiers, multi-instance dynamic querying, sensor tasking, propagation of policy, policy moni...
Conference: 4th Symposium on Configuration Analytics and Automation (SAFECONFIG), 2011 Abstract: This paper applies methods for analyzing fault hierarchies to the analysis of relationships among vulnerabilities in misconfigured access control rule structures. Hierarchies have been discovered previously for faults in arbitrary logic formulae, such that a test for one class of fault is guaranteed...
Abstract: Cryptographic keys are vital to the security of internet security applications and protocols. Many widely-used internet security protocols have their own application-specific Key Derivation Functions (KDFs) that are used to generate the cryptographic keys required for their cryptographic functions....
Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-63-1, Electronic Authentication Guideline. This revised guideline, which supersedes an earlier guideline, NIST SP 800-63, updates information about, and recommendations for the secure implementation of electronic...
Abstract: Cloud computing can and does mean different things to different people. The common characteristics most interpretations share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and displacement of data and se...
Abstract: This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its unique and privileged position within the personal computer (PC)...
Journal: IT Professional Abstract: This article explains problems and approaches to designing permission structures for role based access control. RBAC and the RBAC standard are summarized, common approaches to role engineering described, and the current status and plans for the INCITS role engineering standard are explained.
Journal: IT Professional Abstract: Giving individuals this kind of information processing power, along with unprecedented connectivity, might be the single most impressive technical achievement of the 21st century. Nobody knows what the full impact of this transformation will be, but it's clear that our embrace of, and reliance on, c...
Abstract: Under Initiative 11 of the President’s CNCI Program, the National Institute of Standards and Technology (NIST) has been tasked with supporting federal policy development in Supply Chain Risk Management (SCRM) for Information Communications Technology (ICT). To support NIST’s work, the Supply Chain...
Conference: 4th International Conference on Post-Quantum Cryptography (PQCrypto 2011) Abstract: Since the discovery of an algorithm for factoring and computing discrete logarithms in polynomial time on a quantum computer, the cryptographic community has been searching for an alternative for security in the approaching post-quantum world. One excellent candidate is multivariate public key crypt...
Conference: IADIS International Conference Applied Computing 2011 Abstract: With the increasing adoption of cloud computing service models – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), proper implementation of adequate and appropriate security protection measures has become a primary area of concern. In an enterprise co...
Journal: Journal of Combinatorics and Number Theory Abstract: R. Feng and H. Wu recently established a certain mean-value formula for the coordinates of the n-division points on an elliptic curve given in Weierstrass form (A mean value formula for elliptic curves, 2010, available at http://eprint.iacr.org/2009/586.pdf). We prove a similar result for the x and y-...
Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. The guide helps organizations develop an ISCM strategy and implement an ISCM program that provides awarene...
Journal: IA Newsletter Abstract: Security automation can harmonize the vast amounts of information technology (IT) data into coherent, comparable information streams that inform timely and active management of diverse IT systems. Through the creation of internationally recognized, flexible, and open standards, security automation c...
Abstract: The purpose of this guideline is to assist organizations in the development of a continuous monitoring strategy and the implementation of a continuous monitoring program providing visibility into organizational assets, awareness of threats and vulnerabilities, and visibility into the effectiveness o...
Abstract: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider...
Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-128, Guide to Security-Focused Configuration Management of Information Systems. The publication was written by Arnold Johnson, Kelley Dempsey, and Ron Ross of NIST, and by Sarbari Gupta and Dennis Bailey of Elec...
Abstract: This report defines the Trust Model for Security Automation Data 1.0 (TMSAD), which permits users to establish integrity, authentication, and traceability for security automation data. Since security automation data is primarily stored and exchanged using Extensible Markup Language (XML) documents,...
Abstract: The current version of the ANSI/NIST-ITL standard "Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information" is specified in two parts. Part 1, ANSI/NIST-ITL 1-2007, specifies the traditional format, and Part 2, ANSI/NIST-ITL 2-2008, specifies a NIEM-conformant XML fo...
Abstract: This document outlines the basic process for the distribution of election material including registration material and blank ballots to UOCAVA voters. It describes the technologies that can be used to support the electronic dissemination of election material along with security techniques – both tec...
Abstract: IT systems used to support UOCAVA voting face a variety of threats. If IT systems are not selected, configured and managed using security practices commensurate with the importance of the services they provide and the sensitivity of the data they handle, a security compromise could carry consequence...
Conference: 13th IFIP TC13 Conference on Human-Computer Interaction (INTERACT 2011) Abstract: A field study of 24 participants over 10 weeks explored user behavior and perceptions in a smartcard authentication system. Ethnographic methods used to collect data included diaries, surveys, interviews, and field observations. We observed a number of issues users experienced while they integrated...
Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-82, Guide to Industrial Control Systems Security: Recommendations of the National Institute of Standards and Technology. The publication was written by Keith Stouffer and by Joe Falco of NIST, and by Karen Scarfo...
Abstract: This report defines the Common Platform Enumeration (CPE) Name Matching version 2.3 specification. The CPE Name Matching specification is part of a stack of CPE specifications that support a variety of use cases relating to IT product description and naming. The CPE Name Matching specification provi...