U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Projects

Showing 76 through 94 of 94 matching records.
Role Based Access Control RBAC
One of the most challenging problems in managing large networks is the complexity of security administration. Role based access control (RBAC) (also called "role based security"), as formalized in 1992 by David Ferraiolo and Rick Kuhn, has become the predominant model for advanced access control because it reduces this cost.   This project site explains RBAC concepts, costs and benefits, the economic impact of RBAC, design and implementation issues, the RBAC standard, and advanced research...
Roots of Trust RoT
Modern computing devices consist of various hardware, firmware, and software components at multiple layers of abstraction. Many security and protection mechanisms are currently rooted in software that, along with all underlying components, must be trustworthy. A vulnerability in any of those components could compromise the trustworthiness of the security mechanisms that rely upon those components. Stronger security assurances may be possible by grounding security mechanisms in roots of trust....
SAMATE: Software Assurance Metrics And Tool Evaluation SAMATE
[Redirect to https://www.nist.gov/itl/ssd/software-quality-group/samate] The NIST Software Assurance Metrics And Tool Evaluation (SAMATE) project is dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques, and identifying gaps in tools and methods. The scope of the SAMATE project is broad: ranging from operating systems to firewalls, SCADA to web applications, source code security analyzers to...
SARD: Software Assurance Reference Dataset SARD
[Redirect to: https://www.nist.gov/itl/ssd/software-quality-group/samate/software-assurance-reference-dataset-sard] The purpose of the Software Assurance Reference Dataset (SARD) is to provide users, researchers, and software security assurance tool developers with a set of known security flaws. This will allow end users to evaluate tools and tool developers to test their methods. You will be redirected to the SARD homepage.
SATE: Static Analysis Tool Exposition SATE
[Redirect to: https://www.nist.gov/itl/ssd/software-quality-group/samate/static-analysis-tool-exposition-sate] SATE is a non-competitive study of static analysis tool effectiveness, aiming at improving tools and increasing public awareness and adoption. Briefly, participating tool makers run their static analyzer on a set of programs, then researchers led by NIST analyze the tool reports. Everyone shares results and experiences at a workshop. The analysis report is made publicly available...
Secure Software Development Framework SSDF
The Secure Software Development Framework (SSDF) is a set of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFECode. Few software development life cycle (SDLC) models explicitly address software security in detail, so practices like those in the SSDF need to be added to and integrated with each SDLC implementation. Key practices in the SSDF include: Define criteria...
Security Aspects of Electronic Voting
The Help America Vote Act (HAVA) of 2002 was passed by Congress to encourage the upgrade of voting equipment across the United States. HAVA established the Election Assistance Commission (EAC) and the Technical Guidelines Development Committee (TGDC), chaired by the Director of NIST, was well as a Board of Advisors and Standard Board. HAVA calls on NIST to provide technical support to the EAC and TGDC in efforts related to human factors, security, and laboratory accreditation. Researchers in the...
Security Content Automation Protocol SCAP
The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality. This Web site is provided to support continued community involvement. From this site, you will find information about both existing SCAP specifications and emerging specifications relevant to...
Security Content Automation Protocol Validation Program SCAPVP
The SCAP Validation Program is designed to test the ability of products to use the features and functionality available through SCAP and its component standards. Under the SCAP Validation Program, independent laboratories are accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP). Accreditation requirements are defined in NIST Handbook 150, and NIST Handbook 150-17. Independent laboratories conduct the tests contained in the SCAP Validation Program Derived Test...
Security Content Automation Protocol Version 2 (SCAP v2) SCAP v2
Security Content Automation Protocol Version 2 (SCAP v2) is a major update to the SCAP 1.x publications. SCAP v2 covers a broader scope in an attempt to further improve enterprise security through standardization and automation. This project page will be used to provide information on the SCAP v2 effort, as well as updates on ongoing work, and directions on how to get involved.   Important Links: SCAPv2 Community - Get involved in the SCAP effort by joining our mailing lists. SCAPv2...
Small Business Cybersecurity Corner
[Redirect to https://www.nist.gov/itl/smallbusinesscyber]  The vast majority of smaller businesses rely on information technology to run their businesses and to store, process, and transmit information. Protecting this information from unauthorized disclosure, modification, use, or deletion is essential for those companies  and their customers. With limited resources and budgets, these companies need cybersecurity guidance, solutions, and training that is practical, actionable, and enables them...
Software Identification (SWID) Tagging SWID
Software is vital to our economy and way of life as part of the critical infrastructure for the modern world. Too often cost and complexity make it difficult to manage software effectively, leaving the software open for attack. To properly manage software, enterprises need to maintain accurate software inventories of their managed devices in support of higher-level business, information technology, and cybersecurity functions. Accurate software inventories help an enterprise to: Manage...
Stateful Hash-Based Signatures HBS
In Special Publication 800-208, Recommendation for Stateful Hash-Based Signature Schemes NIST approves two schemes for stateful hash-based signatures (HBS) as part of the post-quantum cryptography development effort.  The two schemes were developed through the Internet Engineering Task Force: 1) XMSS, specified in Request for Comments (RFC) 8391 in May 2018, and 2) LMS, in RFC 8554 in April 2019. Background HBS schemes were the topic for a session of talks during the first public workshop on...
Systems Security Engineering (SSE) Project SSE
Systems security engineering contributes to a broad-based and holistic security perspective and focus within the systems engineering effort. This ensures that stakeholder protection needs and security concerns associated with the system are properly identified and addressed in all systems engineering tasks throughout the system life cycle. Mission Statement... To provide a basis to formalize a discipline for systems security engineering in terms of its principles, concepts, and activities....
Telework: Working Anytime, Anywhere
Today, many employees telework (also known as “telecommuting,” “work from home,” or “work from anywhere”). Teleworking is the ability of an organization’s employees, contractors, business partners, vendors, and other users to perform work from locations other than the organization’s facilities. Telework has been on the rise for some time, but sharply increased in 2020 because of the COVID-19 pandemic. For many, telework is now the only way to get work done, and the original concept of “telework”...
Testing Laboratories
To become a laboratory for the CST program there are a number of requirements. A lab must become accredited under the CST LAP which is part of NIST’s NVLAP. A lab must sign and enter into a Cooperative Research and Development Agreement (CRADA) with NIST.  Click here for an example agreement. A lab must follow the “Principles of Proper Conduct” listed below. A lab must be US based if participating in the NPIVP scope. The following list are the Scopes maintained at NIST: Cryptographic...
United States Government Configuration Baseline USGCB
The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate. The USGCB is a Federal Government-wide initiative that provides guidance to agencies on what should be done to improve and maintain an effective configuration settings focusing primarily on security. 
Usable Cybersecurity
The National Institute of Standards and Technology (NIST) Usable Cybersecurity team brings together experts in diverse disciplines to work on projects aimed at understanding and improving the usability of cybersecurity software, hardware, systems, and processes. Our goal is to provide actionable guidance for policymakers, system engineers and security professionals so that they can make better decisions that enhance the usability of cybersecurity in their organizations. Recent Media...
Vulnerability Disclosure Guidance
NIST has been tasked with creating guidelines for reporting, coordinating, publishing, and receiving​ information about security vulnerabilities​, as part of the Internet of Things Cybersecurity Improvement Act of 2020, Public Law 116-207, and in alignment with ISO/IEC 29147 and 30111 whenever practical.  The guidelines address: Establishing a federal vulnerability disclosure framework, including the Federal Coordination Body (FCB) and Vulnerability Disclosure Program Offices (VDPOs)...

<< first   < previous   1     2     3     4