Search CSRC

This 1-day virtual conference will focus on DevSecOps and ZTA as foundational approaches in multi-cloud environments. They facilitate rapid secure application development, promote interoperability, and mitigate threats in a perimeter-less environment. The emphasis will be on delivery of DevSecOps and ZTA constructs through use of a “service mesh architecture” – a high-assurance operational infrastructure. These assurances are made available through new tool sets and open-source SDKs, that, through configuration and API calls, enable features such as mutual TLS, secure service discovery,...

Presentations & Speakers at a Glance: NIST Cyber Risk Scoring Program Overview, Sheldon Pratt, IT Security Assessor, & Santi Kiran, IT Security Assessor, NIST; and Threat-based Risk Profiling Methodology, Zach Baldwin, FedRAMP, Program Manager for Strategy, Innovation, and Technology, GSA, and Tom Volpe, Principal and Subject Matter Expert, VITG NOTE:  FORUM MEETINGS ARE OPEN TO ONLY FEDERAL/STATE EMPLOYEES, HIGHER EDUCATION EMPLOYEES, AND THEIR DESIGNATED SUPPORT CONTRACTORS.  REGISTRANTS MUST USE A .GOV, .EDU, OR .MIL ADDRESS FOR SIGN-UP.  SUPPORT CONTRACTORS MUST INDICATE THE AGENCY...

The National Institute of Standards and Technology will be hosting on Tuesday, February 2 and Wednesday, February 3, 2021, the second workshop in a new series focusing on the Open Security Controls Assessment Language (OSCAL). Setting the foundation for security automation, OSCAL provides machine-readable representations of control catalogs, control baselines, system security plans, assessment plans and assessment results in a set of formats expressed in XML, JSON, and YAML.   For more information regarding this event, please visit the main NIST events page to learn more about the 2nd OSCAL...

The Information Security and Privacy Advisory Board (ISPAB) is authorized by 15 U.S.C. 278g-4, as amended, and advises the National Institute of Standards and Technology (NIST), the Secretary of Homeland Security (DHS), and the Director of the Office of Management and Budget (OMB) on information security and privacy issues pertaining to Federal government information systems, including through review of proposed standards and guidelines developed by NIST.  The Federal Register Notice is available here. Contact Jeffrey.Brewer@nist.gov with any questions. Meeting Minutes are available here....

The purpose of this workshop is to discuss the National Institute of Standards and Technology’s (NIST’s) proposed approach for helping industry and government improve the security of their DevOps practices. During this workshop, NIST will solicit proposed approaches from the participating organizations and hear from the community about DevSecOps-related topics that NIST could tackle. The findings from the workshop will inform NIST in the creation of new applied guidance to fill any gaps, updates to existing guidance, and potential development of a National Cybersecurity Center of Excellence...

→ June 22, 2020 Meeting the Need: Training that Rocks The world is changing before our eyes – no doubt about it. If we, as learning and development leaders, are to keep up with the required changes, trends, and learner needs, we’ve also got to make some big changes. We’ve invited four incredibly high-impact learning and development leaders to talk with us about how we can take our training development and delivery to the next level. In this session, experts from both cybersecurity and training development are going to discuss how you can change your cybersecurity awareness program to be...

The NIST Post-Quantum Cryptography Standardization Process has entered the third phase, in which 7 third round finalists and eight alternate candidates are being considered for standardization. NIST held the third NIST PQC Standardization Conference June 7-9, 2021 to discuss various aspects of these candidates, and to obtain valuable feedback for the final selection(s). Each submission team, of the 15 finalists and alternates, was invited to give a short update on their algorithm. The conference was held virtually. Call for Papers Agenda (includes links to on-demand videos) On-Demand...

Knowledge based authentication (KBA) offers several advantages to traditional (conventional) forms of e-authentication like passwords, PKI and biometrics. KBA is a particularly useful tool to remotely authenticate individuals who conduct business electronically with Federal agencies or businesses infrequently. In these situations, other authentication tools such as passwords and PKI certificates can be expensive to administer for the application provider and difficult to use for the remote individual. By successfully participating in a series of KBA challenge-response queries, the identity of...

STPPA Event #2: Structure: Three talks and one panel related to privacy-enhancing cryptography. Featured topics: private set intersection; secure multi-party computation. Date and place: Monday, April 19, 2021. Virtual event, via Webex Schedule (Eastern Time) 13:00–13:15: Brief comments on PEC and STPPA. Luis Brandao (NIST/Strativia). Slides and video. 13:15–13:55: A Brief Overview of Private Set Intersection. Mike Rosulek (Oregon State University). Slides and video. 13:55–14:55: Secure Computation on Datasets. Steve Lu (Stealth Software Technologies) and Rafail Ostrovsky...

Presentations & Speakers at a Glance: Security & Privacy Authorization: One Agency’s Tool Based Approach. Shawn Hartley, Chief Privacy Officer, PBGC and Sue-Schultz-Searcy, Assessment & Authorization Division Manager PBGC; and Security Automation with Open Security Controls Assessment Language. Dr. Michaela Iorga, OSCAL Strategic Outreach Director, NIST and David Waltermire, Lead Standards Architect for the Security Automation Program, NIST Cyber Security Assessment and Management (CSAM): Planning for Implementing SP 800-53, Revision 5. Ramon Burks and Adam Oline, Department of Justice...

The Information Security and Privacy Advisory Board (ISPAB) is authorized by 15 U.S.C. 278g-4, as amended, and advises the National Institute of Standards and Technology (NIST), the Secretary of Homeland Security (DHS), and the Director of the Office of Management and Budget (OMB) on information security and privacy issues pertaining to Federal government information systems, including through review of proposed standards and guidelines developed by NIST.  The Federal Register Notice is available here. Contact Jeffrey.Brewer@nist.gov with any questions. Meeting Minutes are available here....

The FISSEA Forums are quarterly meetings to provide opportunities for policy and programmatic updates, the exchange of best practices, and discussion and engagement among members of the Federal Information Security Educators (FISSEA) community.  More information will be provided here once it becomes available including information on how to register.

STPPA Event #1: Date: Monday, January 27, 2020. Place: NIST Gaithersburg, Administrative Building (101), Lecture room B. Featured topics: public randomness and auditability; differential privacy; census data; fake videos. Structure: Four talks related to privacy and cryptography. Schedule (Eastern Time) 10:00–10:15: Introductory remarks. Rene Peralta (NIST) 10:15–10:45: Randomness beacons as enablers of public auditability. Luis Brandao (NIST). Slides and video. 10:45–11:30:* De-Identification and Differential Privacy. Simson Garfinkel (U.S. Census Bureau). Slides and video....

The "Challenges for Digital Proximity Detection in Pandemics: Privacy, Accuracy, and Impact" workshop is a forum to discuss successes and challenges associated with implementation of proximity detection technologies and identify areas in which additional effort is required. These areas could be, but are not limited to, privacy and cybersecurity concerns, testbeds, machine learning algorithms, efficacy modelling, new technologies, data and standards, validation and verification, and commercialization. See more details on the workshop webpage:...

STPPA Event #3: Featured topics: private information retrieval (PIR); searchable encryption; fully homomorphic encryption (FHE). Structure: welcome; three invited talks; panel conversation. Date, time, location/format: July 06, 2021, 13:30–16:30 EDT @ virtual event over Webex video conference Attendance: open and free to the public, upon registration Schedule 13:30--13:40: STPPA#3 intro 13:40--14:20: Private Information Retrieval with Near-Optimal Online Bandwidth and Time, by Elaine Shi (Carnegie Mellon University) 14:20--15:00: An Overview of Encrypted Databases, by Seny...

The NIST Cyber Supply Chain Risk Management Team is hosting a webinar to provide an overview of the changes made in its Initial Public Draft of Special Publication 800 – 161, Revision 1, Supply Chain Risk Management Practices for Systems and Organizations. NIST seeks to engage stakeholders to provide clarity, answer questions, and get stakeholder comments and opinions that ensure Revision 1 will deliver comprehensive and relevant cyber supply chain risk management practices and guidance.  

On June 2-3, NIST will host a virtual workshop to enhance the security of the software supply chain and to fulfill the President’s Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, issued May 12, 2021. Among other things, Section 4 of EO 14028 directs the Secretary of Commerce, through NIST, to consult with federal agencies, the private sector, academia, and other stakeholders in identifying standards, tools, best practices, and other guidelines to enhance software supply chain security.  Those standards and guidelines will be used by other agencies to govern the federal...

Agenda at a glance: Executive Order 14028 – Section 4 Enhancing Software Supply Chain Security, Matthew Scholl, Computer Security Division Draft SP 800-161 Revision 1, Supply Chain Risk Management Practices for Information Systems and Organizations, Angela Smith and Jon Boyens, Computer Security Division __ NOTE:  FORUM MEETINGS ARE OPEN TO ONLY FEDERAL/STATE EMPLOYEES AND THEIR DESIGNATED SUPPORT CONTRACTORS.  REGISTRANTS MUST USE A .GOV OR .MIL ADDRESS FOR SIGN-UP.  SUPPORT CONTRACTORS MUST INDICATE THE AGENCY OR ORGANIZATION THEY SUPPORT. The Federal C-SCRM Forum fosters...

Presentations & Speakers at a Glance: Updates from the Office of Management and Budget on Executive Order (EO) 14028, Steven McAndrews;  EO 14028, Updates from CISA on Coordination Activities, Harry Mourtos, CISA; and EO 14028, Updates from NIST on Supply Chain Risk Management and Critical Software, Jon Boyens, Barbara Guttman, and Karen Scarfone.    NOTE:  FORUM MEETINGS ARE OPEN TO ONLY FEDERAL/STATE EMPLOYEES, HIGHER EDUCATION EMPLOYEES, AND THEIR DESIGNATED SUPPORT CONTRACTORS.  REGISTRANTS MUST USE A .GOV, .EDU, OR .MIL ADDRESS FOR SIGN-UP.  SUPPORT CONTRACTORS MUST INDICATE THE...

Meeting Agenda: Welcome and Opening Remarks, Steve Lipner ISPAB Chair, Executive Director, SAFECODE  Information Technology Laboratory (ITL) Update, Jim St. Pierre, Acting Director, ITL, NIST National Security Memo on Preliminary ICS Performance Goals, Peter Colombo, DHS, Keith Stouffer, NIST, and Vicky Pillitteri, NIST OMB Zero Trust Architecture Strategy, Eric Mill, Office of the CIO, OMB   The Information Security and Privacy Advisory Board (ISPAB) is authorized by 15 U.S.C. 278g-4, as amended, and advises the National Institute of Standards and Technology (NIST), the Secretary of...

The Information Security and Privacy Advisory Board (ISPAB) is authorized by 15 U.S.C. 278g-4, as amended, and advises the National Institute of Standards and Technology (NIST), the Secretary of Homeland Security (DHS), and the Director of the Office of Management and Budget (OMB) on information security and privacy issues pertaining to Federal government information systems, including through review of proposed standards and guidelines developed by NIST.  The Federal Register Notice is available here. Meeting Minutes are available here. Contact Jeffrey.Brewer@nist.gov with any questions.

Presentations & Speakers at a Glance: Update from the Office of the Federal Chief Information Officer, Maria Roat (OMB) Update from GAO on the Cybersecurity & Information Security Audit Manual, Jennifer R. Franks (GAO) OMB Circular A-130 Implementation and Updates to SP 800-53 and FedRAMP, Carol Bales (OMB), Brian Conrad (GSA), and Vicky Pillitteri (NIST) Federal Zero Trust Strategy, Eric Mill (OMB) NOTE:  FORUM MEETINGS ARE OPEN TO ONLY FEDERAL/STATE EMPLOYEES, HIGHER EDUCATION EMPLOYEES, AND THEIR DESIGNATED SUPPORT CONTRACTORS.  REGISTRANTS MUST USE A .GOV, .EDU, OR .MIL...

Click on the image to access the 2nd public draft of Special Publication (SP) 800-161, Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (released October 28, 2021). PRESENTATION for WORKSHOP (.PDF)   Event Description: The NIST Cybersecurity Supply Chain Risk Management Team is hosting a webinar to provide an overview of the changes made in its 2nd public draft of Special Publication 800 – 161, Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. NIST seeks to engage stakeholders to provide clarity,...

NIST hosted the fifth Lightweight Cryptography Workshop (virtual) on May 9-11, 2022, to discuss various aspects of the finalists and to obtain valuable feedback for the standardization of lightweight cryptographic primitives. Call for Papers Agenda On-Demand Webcast Session 1 - Standardization process and applications (May 9, 2022) Session 2a - Benchmarking and side channel resistance (May 9, 2022) Session 2b - Benchmarking and side channel resistance (May 9, 2022) Session 3 - Cryptanalysis (May 10, 2022) Session 4 - Side channel resistance (May 10, 2022) Session 5 - Updates on the...

This year’s Multi-Cloud Conference co-hosted by NIST and Tetrate will focus on DevSecOps and ZTA as foundational approaches to development, deployment, and operational phases for achieving high-assurance cloud-native applications.  The latest generation of cloud-native applications often consists of a collection of microservices that could be distributed and deployed across a heterogeneous infrastructure (on-premises, public cloud, containerized, running on virtual machines, etc). With the proliferation of DevSecOps, a service mesh has proven to provide the desired bridge between...