Abstract: This bulletin provides information for organizational security managers who are responsible for designing and implementing security patch and vulnerability management programs and for testing the effectiveness of the programs in reducing vulnerabilities. The information is also useful to system admi...
Abstract: This report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during the Fiscal Year 2005. It discusses all projects and programs within the Division, staff highlights, and publications. For many years, the Computer Security Division (CS...
Abstract: This bulletin provides information about testing and validation of personal identity verification (PIV) components and subsystems for conformance to Federal Information Processing Standard 201, Personal Identification Verification of Federal Employees and Contractors. The bulletin discusses requirem...
Abstract: NIST Special Publication 800-73 provides technical specifications for Personal Identity Verification (PIV) cards. However, it does not contain a complete card management specification for PIV systems. This Report provides an overview of card management systems, identifies generic card management req...
Abstract: Cell phones and other handheld devices incorporating cell phone capabilities (e.g., Personal Digital Assistant (PDA) phones) are ubiquitous. Rather than just placing calls, certain phones allow users to perform additional tasks such as SMS (Short Message Service) messaging, Multi-Media Messaging Ser...
Abstract: This report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during Fiscal Year 2004. It discusses all projects and programs within the Division, staff highlights, and publications. For many years, the Computer Security Division (CSD) h...
Abstract: This bulletin summarizes some of NIST's efforts to help federal agencies implement Federal Information Processing Standard (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors. The standard, which was approved by the Secretary of Commerce in February 2005, supports i...
Abstract: NIST hosted the fourth annual Public Key Infrastructure (PKI) Research Workshop on April 19-21, 2005. The two and a half day event brought together PKI experts from academia, industry, and government to explore the remaining challenges in deploying public key authentication and authorization technol...
Abstract: The use of mobile handheld devices within the workplace is expanding rapidly. These devices are no longer viewed as coveted gadgets for early technology adopters, but have instead become indispensable tools that offer competitive business advantages for the mobile workforce. While these devices prov...
Conference: Tenth ACM Symposium on Access Control Models and Technologies (SACMAT '05) Abstract: As a major component of any host or network operating system, access control mechanisms come in a wide variety of forms, each with their individual attributes, functions, methods for configuring policy, and a tight coupling to a class of policies. To afford generalized protection, NIST has initiate...
Abstract: This ITL Bulletin helps to educate readers about the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule. This publication is also designed to direct readers to helpful information in other NIST publications on individual topics the...
Abstract: This bulletin describes NIST's Special Publication (SP) 800-65, Integrating IT Security into the Capital Planning and Investment Control Process. It provides tips and pointers in addition to a sample methodology, which can be used to address prioritization of security requirements in support of agen...
Abstract: This document specifies the data model and XML representation for the Extensible Configuration Checklist Description Format. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information interch...
Abstract: Voice over Internet Protocol (VOIP) refers to the transmission of speech across data-style networks. This form of transmission is conceptually superior to conventional circuit switched communication in many ways. However, a plethora of security issues are associated with still-evolving VOIP technolo...
Abstract: Forensic specialists periodically encounter unusual devices and new technologies normally not envisaged as having immediate relevance from a digital forensics perspective. The objective of the guide is twofold: to help organizations evolve appropriate policies and procedures for dealing with Persona...
Abstract: Voice over IP - the transmission of voice over traditional packet-switched IP networks - is one of the hottest trends in telecommunications. As with any new technology, VOIP introduces both opportunities and problems. Lower cost and greater flexibility are among the promises of VOIP for the enterpri...
Abstract: NIST hosted the third annual Public Key Infrastructure (PKI) Research Workshop on April 12-14, 2004. The two and a half day event brought together PKI experts from academia, industry, and government to explore the remaining challenges in deploying public key authentication and authorization technolo...
Abstract: Many system development life cycle (SDLC) models exist that can be used by an organization to effectively develop an information system. Security should be incorporated into all phases, from initiation to disposition, of an SDLC model. This Bulletin lays out a general SDLC that includes five phases....
Abstract: Adequate user authentication is a persistent problem, particularly with mobile devices such as Personal Digital Assistants (PDAs), which tend to be highly personal and at the fringes of an organization's influence. Yet these devices are being used increasingly in military and government agencies, ho...
Conference: 3rd European Conference on Information Warfare and Security Abstract: Understanding the principles of knowledge based authentication (KBA) and developing metrics that can be applied to KBA systems will improve information system security. This paper reviews the basics of KBA systems including some environments that KBA can support.
Journal: IEEE Transactions on Software Engineering Abstract: Exhaustive testing of computer software is intractable, but empirical studies of software failures suggest that testing can in some cases be effectively exhaustive. Data reported in this study and others show that software failures in a variety of domains were caused by combinations of relatively fe...
Abstract: This ITL Bulletin summarizes the contents of NIST Special Publication (SP) 800-35, Guide to Information Technology Security Services, Recommendations of the National Institute of Standards and Technology. SP 800-35 provides guidance to help organizations negotiate the many complexities and challenge...
Abstract: This report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during the Fiscal Year 2003. It discusses all projects and programs within the Division, staff highlights, and publications. For many years, the Computer Security Division (CS...
Abstract: This bulletin summarizes NIST Special Publication 800-36, "Guide to Selecting Information Technology Security Products." The selection of IT security products is an integral part of the design, development and maintenance of an IT security infrastructure that ensures confidentiality, integrity, and...