Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Projects

Showing 11 matching records.
Bugs Framework BF
[Redirect to:  https://usnistgov.github.io/BF/] The Bugs Framework (BF) is a structured causal classification of security bugs and related faults, featuring a formal language for unambiguous specification of security weaknesses and underlined by them vulnerabilities. It organizes bugs by the operations of orthogonal software or hardware execution phases, faults -- by their input operands, and errors -- by their output results. An error either propagates to a fault or is a final error introducing...
Cybersecurity Supply Chain Risk Management C-SCRM
Cybersecurity Supply Chain Risk Management (C-SCRM) involves identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of Information Communications Technology and Operational Technology (ICT/OT)  product and service supply chains throughout the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction). Examples of risks include insertion of counterfeits, unauthorized...
DevSecOps
[Redirect to https://www.nccoe.nist.gov/projects/software-supply-chain-and-devops-security-practices ] DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing these practices to develop and deploy software in operational environments, often without a full...
Incident Response
In April 2025, NIST finalized Special Publication (SP) 800-61 Revision 3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile. NIST SP 800-61 Revision 3 seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0. Doing so can help organizations prepare for...
National Checklist Program NCP
NIST maintains the National Checklist Repository, which is a publicly available resource that contains information on a variety of security configuration checklists for specific IT products or categories of IT products. A security configuration checklist (also called a lockdown, hardening guide, or benchmark) is a series of instructions or procedures for configuring an IT product to a particular operational environment, for verifying that the product has been configured properly, and/or for...
Ransomware Protection and Response
Thanks for helping shape our ransomware guidance! We've published an initial public draft of NISTIR 8374 Revision 1, Ransomware Risk Management: A Cybersecurity Framework Profile. It reflects changes made to the Cybersecurity Framework (CSF) from CSF 1.1 to CSF 2.0 which identifies security objectives that support managing, detecting, responding to, and recovering from ransomware events. The public comment period is open until September 11, 2025 March 14, 2025. Please send your feedback about...
Secure Software Development Framework SSDF
NIST has finalized SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile. This publication augments SP 800-218 by adding practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle. NIST has recently added a Community Profiles section to this page. It will contain links to SSDF Community Profiles developed by...
Security Content Automation Protocol SCAP
The Security Content Automation Protocol (SCAP) is a suite of interoperable specifications for the standardized expression, exchange, and processing of security configuration and vulnerability information. SCAP enables consistent automation and reporting across products and environments by defining machine-readable content and associated processing requirements. SCAP continues to be maintained through the development of SCAP 1.4, which builds upon prior releases to preserve...
Security Content Automation Protocol Validation Program SCAPVP
End-of-Life Announcement: NIST SCAP Validation Program The National Institute of Standards and Technology (NIST) announces the phased conclusion of the Security Content Automation Protocol (SCAP) Validation Program. Since its inception in 2009, the SCAP Validation Program has played a crucial role in advancing standardized security automation and vulnerability management. Managed through the National Voluntary Laboratory Accreditation Program (NVLAP), the program enabled independent...
United States Government Configuration Baseline USGCB
The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate. The USGCB is a Federal Government-wide initiative that provides guidance to agencies on what should be done to improve and maintain an effective configuration settings focusing primarily on security. 
Vulnerability Disclosure Guidelines
ATTENTION: The Project Lead is no longer at NIST. Inquiry responses may be delayed.   Internal and external reporting of security vulnerabilities in software and information systems owned or utilized by the Federal Government is critical to mitigating risk, establishing a robust security posture, and maintaining transparency and trust with the public. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce known security vulnerabilities and...