Use this form to search content on CSRC pages.
Conference: 3rd International Conference on Human Aspects of Information Security, Privacy and Trust Abstract: Password policies – documents which regulate how users must create, manage, and change their passwords – can have complex and unforeseen consequences on organizational security. Since these policies regulate user behavior, users must be clear as to what is expected of them. Unfortunately, current po...
Abstract: This publication provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on replication devices (RDs). It suggests appropriate countermeasures in the context of the System Development Life Cycle. A security risk assessment tem...
Abstract: NIST Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. governme...
Abstract: This three-volume report, Guidelines for Smart Grid Cybersecurity, presents an analytical framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of Smart Grid-related characteristics, risks, and vulnerabilities. Organizations in t...
Abstract: The Common Vulnerability Scoring System (CVSS) is an open standard designed to convey severity and risk of information system vulnerabilities. CVSS was commissioned by the National Infrastructure Advisory Council (NIAC) in support of the global Vulnerability Disclosure Framework. It is currently mai...
Conference: Second International Conference on Human Aspects of Information Security, Privacy, and Trust (HAS 2014) Abstract: Passwords are the most commonly used mechanism in controlling users’ access to information systems. Little research has been established on the entire user password management lifecycle from the start of generating a password, maintaining the password, using the password to authenticate, then to the...
Conference: Second International Conference on Human Aspects of Information Security, Privacy, and Trust (HAS 2014) Abstract: Many users must authenticate to multiple systems and applications, often using different passwords, on a daily basis. At the same time, the recommendations of security experts are driving increases in the required character length and complexity of passwords. The thinking is that longer passwords wi...
Conference: Second International Conference on Human Aspects of Information Security, Privacy, and Trust (HAS 2014) Abstract: Given the numerous constraints of onscreen keyboards, such as smaller keys and lack of tactile feedback, remembering and typing long, complex passwords—an already burdensome task on desktop computing systems—becomes nearly unbearable on small mobile touchscreens. Complex passwords require numerous s...
Journal: ei Magazine Abstract: On February 12, 2014 President Obama issued a statement that, "[c]yber threats pose one the gravest national security dangers that the United States faces. To better defend our nation against this systemic challenge, one year ago I signed an Executive Order directing the Administration to take steps...
Abstract: Recognizing that the national and economic security of the United States depends on the resilience of critical infrastructure, President Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. It directed NIST to work with stakeholders to develop a...
Abstract: The Domain Name System (DNS) is a distributed computing system that enables access to Internet resources by user-friendly domain names rather than IP addresses, by translating domain names to IP addresses and back. The DNS infrastructure is made up of computing and communication entities called Name...
Journal: International Journal of Biometrics Abstract: The paper discusses the current status of biometric standards development activities, with a focus on international standards developments. Published standards, as well as standards under development or planned for the near future, are addressed. The work of Joint Technical Committee 1 of ISO and IE...
Abstract: The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an...
Abstract: This report specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specifica...
Abstract: Under Initiative 11 of the President’s CNCI Program, the National Institute of Standards and Technology (NIST) has been tasked with supporting federal policy development in Supply Chain Risk Management (SCRM) for Information Communications Technology (ICT). To support NIST’s work, the Supply Chain...
Abstract: This report specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specifica...
Abstract: This document provides guidelines for preventing the unauthorized modification of Basic Input/Output System (BIOS) firmware on PC client systems. Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position wit...
Journal: Journal of Systems Architecture Abstract: The ability to control access to sensitive data in accordance with policy is perhaps the most fundamental security requirement. Despite over four decades of security research, the limited ability for existing access control mechanisms to generically enforce policy persists. While researchers, practi...
In: Handbook of Information and Communication Security Abstract: Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. An i...
Abstract: The purpose of this document is to provide information to organizations regarding the security capabilities of wireless communications using WiMAX networks and to provide recommendations on using these capabilities. WiMAX technology is a wireless metropolitan area network (WMAN) technology based upo...
Conference: Sixth International Conference on Information Assurance and Security (IAS 2010) Abstract: Attribute relations in access control mechanisms or languages allow accurate and efficient specification of some popular access control models. However, most of the access control systems including today s de-facto access control protocol and specification language, XACML, does not provide sufficien...
Journal: Computer (IEEE Computer) Abstract: Role based access control (RBAC) is a popular model for information security. It helps reduce the complexity of security administration and supports the review of permissions assigned to users, a feature critical to organizations that must determine their risk exposure from employee IT system access...
Abstract: A security configuration checklist is a series of instructions for configuring a product to a particular operational environment. Checklists can comprise templates or automated scripts, patches or patch descriptions, XML files, and other procedures. Checklists are intended to be tailored by each org...
Abstract: Secure Sockets Layer (SSL) Virtual Private Networks (VPNs) provide users with secure remote access to an organization's resources. An SSL VPN consists of one or more VPN devices to which users connect using their Web browsers. The traffic between the Web browser and SSL VPN device is encrypted with...
Abstract: The purpose of this publication is to provide appropriate and useful guidelines for accrediting the reliability of issuers of Personal Identity Verification cards that are established to collect, store, and disseminate personal identity credentials and issue smart cards, based on the standards publi...