Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Projects

Showing 76 through 100 of 105 matching records.
Program Review for Information Security Assistance PRISMA
The Program Review for Information Security Assistance (PRISMA) project was last updated in 2007; NIST Interagency Report (IR) 7358 and the corresponding PRISMA tool continue to serve as useful resources for high-level guidance and as a general framework, but may not be fully consistent with changes to requirements, standards and guidelines for securing systems. The PRISMA project is being incorporated into the NIST Cybersecurity Risk Analytics and Measurement project, and research to support...
Protecting Controlled Unclassified Information CUI
Protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations is critical to federal agencies. The suite of guidance (NIST Special Publication (SP) 800-171, SP 800-171A, SP 800-172, and SP 800-172A) focuses on protecting the confidentiality of CUI and recommends specific security requirements to achieve that objective. Recent Updates August 18, 2025: NIST has released a small business primer to supplement SP 800-171 Revision 3, to help smaller,...
Public Key Infrastructure Testing PKI
Testing PKI Components NIST/Information Technology Laboratory responds to industry and user needs for objective, neutral tests for information technology. ITL recognizes such tests as the enabling tools that help companies produce the next generation of products and services. It is a goal of the NIST PKI Program to develop such tests to help companies produce interoperable PKI components. NIST worked with CygnaCom Solutions and BAE Systems to develop a suite of tests that will enable...
Random Bit Generation RBG
The National Institute of Standards and Technology (NIST) Random Bit Generation (RBG) project focuses on the development and validation of generating random numbers that are essential for cryptographic and security applications. SP 800-90 Series The project provides guidelines through the SP 800-90 series, which includes recommendations on deterministic random bit generator (DRBG) mechanisms, entropy sources, and construction principles for RBGs, and has three parts: SP 800-90A,...
Ransomware Protection and Response
Thanks for helping shape our ransomware guidance! We've published an initial public draft of NISTIR 8374 Revision 1, Ransomware Risk Management: A Cybersecurity Framework Profile. It reflects changes made to the Cybersecurity Framework (CSF) from CSF 1.1 to CSF 2.0 which identifies security objectives that support managing, detecting, responding to, and recovering from ransomware events. The public comment period is open until September 11, 2025 March 14, 2025. Please send your feedback about...
REDLedger - REdactable Distributed Ledger
Hyperledger Fabric drop-in component for data block matrix is now available.  Privacy laws increasingly require some types of data to be erased at user request, according to GDPR and related regulations. We have developed a secure distributed trust solution for networks using Next-Generation Database Access Control (NDAC) and the Data Block Matrix (DBM), with an open source implementation of the DBM using Hyperledger Fabric.  This Hyperledger Fabric component solves the conflict between...
Resource Oriented Lightweight Information Exchange ROLIE
Published as RFC8322 in the IETF, The Resource Oriented Lightweight Information Exchange (ROLIE) is standard for exchanging security automation information between two machines, or between a machine and a human operator.   As a cooperative effort between NIST and the international computer security community, ROLIE seeks to improve the current state of the art in security automation information sharing. Reducing communication bandwidth, enabling new automation use cases, and easing complicated...
Role Based Access Control RBAC
ARCHIVED PROJECT: This project is no longer being supported and will be removed from this website on June 30, 2025.   One of the most challenging problems in managing large networks is the complexity of security administration. Role based access control (RBAC) (also called "role based security"), as formalized in 1992 by David Ferraiolo and Rick Kuhn, has become the predominant model for advanced access control because it reduces this cost.   This project site explains RBAC concepts,...
Roots of Trust RoT
Modern computing devices consist of various hardware, firmware, and software components at multiple layers of abstraction. Many security and protection mechanisms are currently rooted in software that, along with all underlying components, must be trustworthy. A vulnerability in any of those components could compromise the trustworthiness of the security mechanisms that rely upon those components. Stronger security assurances may be possible by grounding security mechanisms in roots of trust....
SAMATE: Software Assurance Metrics And Tool Evaluation SAMATE
[Redirect to https://www.nist.gov/itl/ssd/software-quality-group/samate] The NIST Software Assurance Metrics And Tool Evaluation (SAMATE) project is dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques, and identifying gaps in tools and methods. The scope of the SAMATE project is broad: ranging from operating systems to firewalls, SCADA to web applications, source code security analyzers to...
SARD: Software Assurance Reference Dataset SARD
[Redirect to: https://www.nist.gov/itl/ssd/software-quality-group/samate/software-assurance-reference-dataset-sard] The purpose of the Software Assurance Reference Dataset (SARD) is to provide users, researchers, and software security assurance tool developers with a set of known security flaws. This will allow end users to evaluate tools and tool developers to test their methods. You will be redirected to the SARD homepage.
SATE: Static Analysis Tool Exposition SATE
[Redirect to: https://www.nist.gov/itl/ssd/software-quality-group/samate/static-analysis-tool-exposition-sate] SATE is a non-competitive study of static analysis tool effectiveness, aiming at improving tools and increasing public awareness and adoption. Briefly, participating tool makers run their static analyzer on a set of programs, then researchers led by NIST analyze the tool reports. Everyone shares results and experiences at a workshop. The analysis report is made publicly available...
Secure Federated Data Sharing SFDS
The ability to share database resources among collaborating organizations is highly desirable.  However, sharing data continues to be a challenge when it comes from different types of database management systems (DBMSs) due to different schemas and data formats.  Another challenge that is limiting collaboration is being able to enforce the home organizations local data protection policies while sharing data.  For example, can a patient’s condition details be shared with an outside research...
Secure Software Development Framework SSDF
NIST has finalized SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile. This publication augments SP 800-218 by adding practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle. NIST has recently added a Community Profiles section to this page. It will contain links to SSDF Community Profiles developed by...
Security Aspects of Electronic Voting
The Help America Vote Act (HAVA) of 2002 was passed by Congress to encourage the upgrade of voting equipment across the United States. HAVA established the Election Assistance Commission (EAC) and the Technical Guidelines Development Committee (TGDC), chaired by the Director of NIST, was well as a Board of Advisors and Standard Board. HAVA calls on NIST to provide technical support to the EAC and TGDC in efforts related to human factors, security, and laboratory accreditation. The Information...
Security Content Automation Protocol SCAP
The Security Content Automation Protocol (SCAP) is a suite of interoperable specifications for the standardized expression, exchange, and processing of security configuration and vulnerability information. SCAP enables consistent automation and reporting across products and environments by defining machine-readable content and associated processing requirements. SCAP continues to be maintained through the development of SCAP 1.4, which builds upon prior releases to preserve...
Security Content Automation Protocol Validation Program SCAPVP
End-of-Life Announcement: NIST SCAP Validation Program The National Institute of Standards and Technology (NIST) announces the phased conclusion of the Security Content Automation Protocol (SCAP) Validation Program. Since its inception in 2009, the SCAP Validation Program has played a crucial role in advancing standardized security automation and vulnerability management. Managed through the National Voluntary Laboratory Accreditation Program (NVLAP), the program enabled independent...
Security Content Automation Protocol Version 2 (SCAP v2) SCAP v2
Security Content Automation Protocol Version 2 (SCAP v2) is a major update to the SCAP 1.x publications. SCAP v2 covers a broader scope in an attempt to further improve enterprise security through standardization and automation. This project page will be used to provide information on the SCAP v2 effort, as well as updates on ongoing work, and directions on how to get involved.   Important Links: SCAPv2 Community - Get involved in the SCAP effort by joining our mailing lists. SCAPv2...
Security Research Review Seminar SRR
Security Research Review Seminar is a biweekly talk arranged by the  Computer Security Division (773) of the Information Technology Laboratory (ITL) at NIST. Researchers, academics, and practitioners for within and outside NIST are invited to discuss their work in the areas of hardware, software, AI, and system level security. Interesting topics related to verification, validation, assurance, and standardizations are also discussed.    Upcoming Talks The following schedule is tentative:...
Small Business Cybersecurity Corner
[Redirect to https://www.nist.gov/itl/smallbusinesscyber]  The vast majority of smaller businesses rely on information technology to run their businesses and to store, process, and transmit information. Protecting this information from unauthorized disclosure, modification, use, or deletion is essential for those companies  and their customers. With limited resources and budgets, these companies need cybersecurity guidance, solutions, and training that is practical, actionable, and enables them...
Software Identification (SWID) Tagging SWID
Software is vital to our economy and way of life as part of the critical infrastructure for the modern world. Too often cost and complexity make it difficult to manage software effectively, leaving the software open for attack. To properly manage software, enterprises need to maintain accurate software inventories of their managed devices in support of higher-level business, information technology, and cybersecurity functions. Accurate software inventories help an enterprise to: Manage...
SP 800-53 Control Overlays for Securing AI Systems COSAiS
Recent Updates August 14, 2025: The NIST SP 800-53 Control Overlays for Securing AI Systems Concept Paper is available for comment, and we welcome stakeholders to join the NIST Overlays Securing AI Systems Slack Collaboration to engage in facilitated discussions with the NIST principal investigators and other subgroup members, share ideas, provide real-time feedback, and contribute to overlay development. Feedback about the concept paper and questions about the development of the...
Space Domain Cybersecurity | NCCoE
[Redirect to: https://www.nccoe.nist.gov/cybersecurity-space-domain] Space is an emerging commercial critical infrastructure sector that is no longer the domain of only national government authorities. Space is an inherently risky environment in which to operate, so cybersecurity risks involving commercial space – including those affecting commercial satellite vehicles – need to be understood and managed alongside other types of risks to ensure safe and successful operations. 
Stateful Hash-Based Signatures HBS
In Special Publication 800-208, Recommendation for Stateful Hash-Based Signature Schemes, NIST approves two schemes for stateful hash-based signatures (HBS) as part of the post-quantum cryptography development effort.  The two schemes were developed through the Internet Research Task Force (IRTF): 1) XMSS, specified in Request for Comments (RFC) 8391 in May 2018, and 2) LMS, in RFC 8554 in April 2019. Since being published in 2020, NIST has received feedback in regards to the restriction...
Systems Security Engineering (SSE) Project SSE
Systems security engineering contributes to a broad-based and holistic security perspective and focus within the systems engineering effort. This ensures that stakeholder protection needs and security concerns associated with the system are properly identified and addressed in all systems engineering tasks throughout the system life cycle. Mission Statement... To provide a basis to formalize a discipline for systems security engineering in terms of its principles, concepts, and activities....

<< first   < previous   1     2     3     4     5  next >  last >>