Draft: IoT device network-layer onboarding is an automated mechanism for securely provisioning network credentials to devices, thereby enhancing network security and management. IoT devices can measure energy consumption, detect component faults, monitor water quality, measure toxins, and detect infrastruc...

Draft: The NIST Privacy Framework is a “living” tool meant to evolve to meet stakeholder needs, and the time has come to update to Version 1.1. This update builds on the success of Privacy Framework 1.0 by responding to current privacy risk management needs, realigning with NIST Cybersecurity Framework (CS...

Draft: The Domain Name System (DNS) plays an integral role in every organization’s security posture by translating domain names into IP addresses. It can serve as an enforcement point for enterprise security policy and an indicator of potential malicious activity on a network. A disruption or attack agains...

Draft: This is a second public draft. Threshold schemes should NOT be submitted until the final version of this report is published. However, the present draft can be used as a baseline to prepare for future submissions. The scope of the call is organized into categories related to signing (Sign), pub...

Draft: Modern enterprise IT systems rely on a family of application programming interfaces (APIs) for integration to support organizational business processes. Hence, a secure development and deployment of APIs is critical for overall enterprise security. This, in turn, requires the identification of risk...

Draft: As 5G rolls out more widely, we must safeguard the technology from cyberattacks since 5G development, deployment, and usage continuously evolves. The NIST National Cybersecurity Center of Excellence (NCCoE)—working with communications and cybersecurity collaborators—is addressing these challenges by...

Draft: Criminal and non-criminal justice agencies in the U.S. require the use of multi-factor authentication (MFA) to protect access to criminal justice information (CJI). MFA is important for protecting against credential compromises and other cyber risks such as attacks by cybercriminals or other adversa...

Draft: This document shows how the Workforce Framework for Cybersecurity (NICE Framework) and the Cybersecurity Framework (CSF) 2.0 can be used together to address cybersecurity risk. It is the newest of the CSF 2.0 Quick Start Guides (QSG) released since February 26, 2024; these resources provide differen...

Draft: The NIST National Cybersecurity Center of Excellence (NCCoE) is proposing to update the NIST Internal Report (IR) 8323 Foundational Position, Navigation, and Timing (PNT) Profile: Applying the Cybersecurity Framework (CSF) for Responsible Use of PNT Services (Revision 1) to reflect the NIST Cybersec...

Draft: Advances in computing capabilities, cryptographic research, and cryptanalytic techniques periodically create the need to replace algorithms that no longer provide adequate security for their use cases. For example, the threats posed by future cryptographically-relevant quantum computers (CRQCs) to p...

Draft: This draft CSF 2.0 Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cybersecurity risk to semiconductor manufacturing. The semiconductor manufacturing environment is a complex ecosystem of device makers, equipment OEMs, suppliers and solution provi...

Draft: The NIST Interagency Report (IR) 8286 series of publications helps practitioners better understand the close relationship between cybersecurity and enterprise risk management (ERM). All five publications in the series have been updated to align more closely with the Cybersecurity Framework (CSF) 2.0...

Draft: The NIST Interagency Report (IR) 8286 series of publications helps practitioners better understand the close relationship between cybersecurity and enterprise risk management (ERM). All five publications in the series have been updated to align more closely with the Cybersecurity Framework (CSF) 2.0...

Draft: The NIST Interagency Report (IR) 8286 series of publications helps practitioners better understand the close relationship between cybersecurity and enterprise risk management (ERM). All five publications in the series have been updated to align more closely with the Cybersecurity Framework (CSF) 2.0...

Draft: SummaryThe NIST Risk Management Framework (RMF) Team has released the initial public draft (ipd) version of NIST Internal Report (IR) 8011v1r1 (Volume 1, Revision 1), Testable Controls and Security Capabilities for Continuous Monitoring: Volume 1 — Overview and Methodology.We welcome your input and...

Draft: SummaryNIST has released a second public draft (2PD) of Special Publication (SP) 800-38Gr1 (Revision 1), Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, for public comment. The main technical changes to the original publication are the following:The doma...

Draft: 5G technology for broadband cellular networks will significantly improve how humans and machines communicate, operate, and interact in the physical and virtual world. 5G provides increased bandwidth and capacity, and low latency. However, professionals in fields like technology, cybersecurity, and p...

Draft: This draft Ransomware Community Profile reflects changes made to the Cybersecurity Framework (CSF) from CSF 1.1 to CSF 2.0 which identifies security objectives that support managing, detecting, responding to, and recovering from ransomware events. Ransomware can attack organizations of all sizes fro...

Draft: NIST recently published FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard, to update its cryptographic standards with an algorithm designed to provide protection from quantum attacks.  In addition, NIST will select one or two additional quantum-resistant key-encapsulation...

Draft: Summary In March 2024, NIST announced its intention to revise NIST Special Publication (SP) 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC (2007). See NIST’s Crypto Publication Review Project site ;for information about the review. NIST re...

Draft: In recent years, numerous Internet routing incidents — such as Border Gateway Protocol (BGP) prefix hijacking, and route leaks — have resulted in denial of service (DoS), unwanted data traffic detours, and performance degradation. Large-scale distributed denial-of-service (DDoS) attacks on servers u...

Draft: The Advanced Encryption Standard (AES) specifies a subset of the Rijndael block cipher family with 128-bit blocks that was submitted to the NIST AES development effort. While this block size remains sufficient for many applications, the increasing demand for processing large volu...

Draft: The NIST National Cybersecurity Center of Excellence (NCCoE) has released two new draft publications to help organizations address cybersecurity and privacy risks associated with processing genomic data. Both drafts are open for public comment until 11:59 PM (ET) on Friday, February 24, 2025 Thursda...

Draft: The NIST National Cybersecurity Center of Excellence (NCCoE) has released two new draft publications to help organizations address cybersecurity and privacy risks associated with processing genomic data. Both drafts are open for public comment until 11:59 PM (ET) on Thursday, January 30, 2025.About...

Draft: The NIST National Cybersecurity Center of Excellence (NCCoE) has released the initial public draft of the practice guide, Implementing a Zero Trust Architecture (NIST SP 1800-35), for public comment. This publication outlines results and best practices from the NCCoE effort working with 24 vendors t...

Draft: The Privacy Workforce Taxonomy IPD contains Task, Knowledge, and Skill Statements aligned with the NIST Privacy Framework, Version 1.0, and the NICE Workforce Framework. The Workforce Taxonomy can help organizations better achieve their desired privacy outcomes, support recruitment, and in...

Draft: This draft of SP 800-157r1 incorporates all comment resolutions since the initial public draft (ipd) was posted in 2023 [see comments received on the ipd]. The final public draft details the expanded set of derived PIV credentials in a variety of form factors and authenticator types, as envisioned i...

Draft: This draft of SP 800-217 incorporates all comment resolutions since the initial public draft (ipd) was posted in 2023 [see comments received on the ipd]. The document describes technical requirements on the use of federated PIV identity and assertions to implement PIV federations backed by PIV ident...

Draft: SP 800-172r3 provides recommended security requirements to protect the confidentiality, integrity, and availability of CUI when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program. The enhanced security requirements give organizations...

Draft: This report describes NIST’s expected approach to transitioning from quantum-vulnerable cryptographic algorithms to post-quantum digital signature algorithms and key-establishment schemes. It identifies existing quantum-vulnerable cryptographic standards and the current quantum-resistant standards t...

Draft: This draft standard introduces a new Ascon-based family of symmetric-key cryptographic primitives that provides robust security, efficiency, and flexibility. With its compact state and range of cryptographic functions, it is ideal for resource-constrained environments, such as Internet of Things (Io...

Draft: The National Cybersecurity Center of Excellence (NCCoE) has released for public comment the draft of NIST Cybersecurity White Paper (CSWP) 34, Mitigating Cybersecurity and Privacy Risks in Telehealth Smart Home Integration. The comment period for the draft is now open through January 6, 2025.About t...

Draft: 5G technology for broadband cellular networks will significantly improve how humans and machines communicate, operate, and interact in the physical and virtual world. 5G provides increased bandwidth and capacity, and low latency. However, professionals in fields like technology, cybersecurity, and p...

Draft: The Cryptographic Module Validation Program (CMVP) validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. The NIST National Cybersecurit...

Draft: Supply chain risk assessments start with due diligence. Acquirers who make procurement decisions need to be informed about potential supplier risks before those decisions are executed. Consequently, many acquisition operating procedures strongly recommend or even require an assessment of a supplier’...

Draft: NIST provides cryptographic key management guidance for defining and implementing appropriate key-management procedures, using algorithms that adequately protect sensitive information, and planning for possible changes in the use of cryptography because of algorithm breaks or the availability of mor...

Draft: In the digital age, the accurate identification of individuals is paramount to ensuring security, privacy, and trust in online interactions. Whether it's for accessing medical records, applying for benefits, or engaging in other high-stakes transactions, the need to confirm the identity and attribut...

Draft: 5G technology for broadband cellular networks will significantly improve how humans and machines communicate, operate, and interact in the physical and virtual world. 5G provides increased bandwidth and capacity, and low latency. However, professionals in fields like technology, cybersecurity, and p...

Draft: This document presents a comprehensive framework designed to enhance traceability across manufacturing supply chains, focusing on improving product provenance, pedigree, and supply chain transparency.The Meta-Framework introduces key concepts such as trusted data repositories, ecosystems, and tracea...

Draft: This report studies the cryptographic random number generation standards and guidelines written by Germany’s Federal Office for Information Security (BSI) and NIST, namely AIS 20/31 and the NIST Special Publication (SP) 800-90 series. It compares these publications, focusing on the similarities and...

Draft: NIST requests comments on the second draft of the fourth revision to the four-volume suite of Special Publication 800-63, Digital Identity Guidelines. This publication presents the process and technical requirements for meeting the digital identity management assurance levels specified in each volum...

Draft: NIST requests comments on the second draft of the fourth revision to the four-volume suite of Special Publication 800-63, Digital Identity Guidelines. This publication presents the process and technical requirements for meeting the digital identity management assurance levels specified in each volum...

Draft: NIST requests comments on the second draft of the fourth revision to the four-volume suite of Special Publication 800-63, Digital Identity Guidelines. This publication presents the process and technical requirements for meeting the digital identity management assurance levels specified in each volum...

Draft: NIST requests comments on the second draft of the fourth revision to the four-volume suite of Special Publication 800-63, Digital Identity Guidelines. This publication presents the process and technical requirements for meeting the digital identity management assurance levels specified in each volum...

Draft: 5G technology for broadband cellular networks will significantly improve how humans and machines communicate, operate, and interact in the physical and virtual world. 5G provides increased bandwidth and capacity, and low latency. However, professionals in fields like technology, cybersecurity, and p...

Draft: 5G technology for broadband cellular networks will significantly improve how humans and machines communicate, operate, and interact in the physical and virtual world. 5G provides increased bandwidth and capacity, and low latency. However, professionals in fields like technology, cybersecurity, and p...

Draft: The NIST SP 800-90 series of documents supports the generation of high-quality random bits for cryptographic and non-cryptographic use. SP 800-90A specifies several deterministic random bit generator (DRBG) mechanisms based on cryptographic algorithms. SP 800-90B provides gu...

Draft: This publication includes the HMAC specification from Federal Information Processing Standard (FIPS) 198-1, The Keyed-Hash Message Authentication Code (HMAC) (2008) and incorporates some requirements from SP 800-107r1 (Revision 1), Recommendation for Applications Using Approved Hash A...

Draft: The National Cybersecurity Center of Excellence (NCCoE) has undertaken a project to identify common cybersecurity challenges among Water and Wastewater Systems (WWS) sector participants, develop reference cybersecurity architectures, and propose the utilization of existing commercially available pro...

Draft: About the ProjectProvisioning network credentials to IoT devices in an untrusted manner leaves networks vulnerable to having unauthorized IoT devices connect to them. It also leaves IoT devices vulnerable to being taken over by unauthorized networks. Instead, trusted, scalable, and automatic mechani...

Draft: NIST intends to develop a new block cipher mode of operation that is a tweakable, variable-input-length-strong pseudorandom permutation (VIL-SPRP). NIST introduces the term accordion cipher mode — or simply accordion mode — for the proposed mode because it would act as a cipher on a range of sizes f...

Draft: This Product Development Cybersecurity Handbook describes broadly applicable considerations for developing and deploying secure IoT products across sectors and use cases. This handbook extends NIST’s work to consider the cybersecurity of IoT product components beyond the IoT device. Significant risk...

Draft: SummaryNIST plans to update NIST IR 7621 Rev. 1, Small Business Information Security: The Fundamentals and is issuing this Pre-Draft Call for Comments to solicit feedback. The public is invited to provide input by 12 p.m. ET on May 16, 2024. DetailsSince NIST IR 7621 Revision 1 was publish...

Draft: Since the NIST Cybersecurity Framework (CSF) was first released in 2014, the CSF has been used by communities with shared interests in cybersecurity risk management. These communities developed what are now called “Community Profiles” to outline shared interests, goals, and outcomes within a specifi...

Draft: SummaryNIST seeks to update and improve the guidance in Special Publication (SP) 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. Specifically, NIST seeks feedback on the document’s current use, proposed updates in the initial working draft and informati...

Draft: The Addressing Visibility Challenges with TLS 1.3 project builds on the NCCoE's earlier work, TLS Server Certificate Management, which showed organizations how to centrally monitor and manage their TLS certificates. We are now focusing on protocol enhancements such as TLS 1.3 which have helped...

Draft: SummaryNIST plans to update Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers, and is issuing this Pre-Draft Call for Comments to solicit feedback from users. The public is invited to provide input by February 23, 2024. DetailsSince SP 800-100 was published i...

Draft: The National Cybersecurity Center of Excellence (NCCoE) has published for comment the Preliminary Draft of Volumes B and C for NIST SP 1800-38A, Migration to Post-Quantum Cryptography. The public comment period for this draft is open through February 20, 2024.NIST SP 1800-38B, Quantum Readiness...

Draft: NIST SP 800-79r3 ipd, Guidelines for the Authorization of PIV Card and Derived PIV Credential Issuers, expands the set of issuer controls to include new and updated requirements from FIPS 201-3, its supporting updated publications (e.g., SP 800-157r1, SP 800-76r2, etc.) and newly-issued OMB Memorand...

Draft: Data classification is the process an organization uses to characterize its data assets using persistent labels so those assets can be managed properly. Data classification is vital for protecting an organization’s data at scale because it enables application of cybersecurity and privacy protection...

Draft: Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. It facilitates log usage and analysis for many purposes, including identifying and investigating cybersecurity incidents, finding operational issues, and ensuring that records are stored for th...

Draft: To support implementation of the research cybersecurity effort detailed in Section 10229  of the CHIPS and Science Act, NIST is leading an initiative to disseminate and make publicly available resources to help qualifying institutions of higher education identify, assess, manage, and...

Draft: Since the beginning of the Cryptographic Module Validation Program (CMVP), demands for the latest technology, cryptographic module fixes, and patch releases have outpaced NIST’s validation model. Today, NIST is working to reduce the length of the validation cycle, while maintaining and improving ass...

Draft: Most applications on the internet are run by centralized service providers that are a single point of failure: if the provider crashes or is malicious, users may lose access to the application, or it may return erroneous or inconsistent results. Consensus algorithms and state machine replication ena...

Draft: The National Cybersecurity Center of Excellence (NCCoE) has published for comment Preliminary Draft NIST SP 1800-39A, Implementing Data Classification Practices.  About the Project Organizations are managing an increasing volume of data while maintaining compliance with policies for protectin...

Draft: NISTIR 8320D is the latest in a series of reports on hardware-enabled security techniques and technologies. Organizations employ a growing volume of machine identities, often numbering in the thousands or millions per organization. Machine identities, such as secret cryptographic keys, can be used...

Draft: This report considers signature schemes that are compatible with the verification phase of the Edwards Curve Digital Signature Algorithm (EdDSA) specified in Draft Federal Information Processing Standards (FIPS) publication 186-5. The report analyzes threshold schemes, where the private signing key...

Draft: NIST’s National Cybersecurity Center of Excellence (NCCoE) has published portions of a preliminary draft practice guide, “5G Cybersecurity,” and is seeking the public's comments on the contents. Our proposed solution contains approaches that organizations can use to better secure 5G networks through...

Draft: The initial public draft of NIST IR 8320C presents an approach for overcoming security challenges associated with creating, managing, and protecting machine identities, such as cryptographic keys, throughout their lifecycle.    NOTE: A call for patent claims is included on page iii of th...

Draft: The National Cybersecurity Center of Excellence (NCCoE) has prepared Draft NISTIR 8349 for public comment. Securing a network is a complex task made more challenging when Internet of Things (IoT) devices are connected to it. NISTIR 8349 demonstrates how to use device characterization techniques and...

Draft: Publication of this project description begins a process to further identify project requirements, scope, and hardware and software components for use in a laboratory demonstration environment. The National Cybersecurity Center of Excellence (NCCoE) will solicit participation from industry to devel...

Draft: Combinatorial coverage measures have been defined and applied to a wide range of problems, including fault location and evaluating the adequacy of test inputs and input space models. More recently, methods applying coverage measures have been used in applications of artificial intelligence and machi...

Draft: The NIST Special Publication (SP) 800-140x series supports Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules, and its associated validation testing program, the Cryptographic Module Validation Program (CMVP). The series specifies modif...

Draft: Structural coverage criteria are widely used tools in software engineering, useful for measuring aspects of test execution thoroughness. However, in many cases, structural coverage may not be applicable, either because source code is not available, or because processing is based on neural networks o...

Draft: Identity as a service (IDaaS) is when a company offers identity, credential, and access management (ICAM) services to customers through a software-as-a-service (SaaS) cloud-service model. Public safety organizations (PSOs) could potentially reduce costs and adopt new standards and authenticators mor...

Draft: NIST Special Publication 800-63-3 defines identity federation as “a process that allows the conveyance of identity and authentication information across a set of networked systems.” Identity federation technologies can help public safety organizations (PSOs) to share information with each other more...

Draft: Many public safety organizations (PSOs) are adopting mobile devices, such as smartphones and tablets, to provide first responders with immediate access to the sensitive information they need from any location. However, authentication requirements meant to safeguard that information, like entering a...

Draft: The purpose of this draft paper is to start a conversation about what it means to have confidence in the cybersecurity of IoT devices used by individuals and organizations and the various ways of gaining that confidence. This paper describes the landscape of confidence mechanisms that are currently...

Draft: Privacy-enhancing cryptography (PEC) refers to cryptography used to enhance privacy, beyond the traditional sense of data confidentiality. For example, it enables sophisticated interactions that obtain a useful output of the combined information of multiple entities, although without them sharing th...

Draft: Draft NISTIR 8259C describes a process, usable by any organization, that starts with the core baselines provided in NISTIRs 8259A and 8259B and explains how to integrate those baselines with organization- or application-specific requirements (e.g., industry standards, regulatory guidance) to develop...

Draft: The National Cybersecurity Center of Excellence (NCCoE) at NIST is actively engaged in helping organizations address the challenge of ransomware and other data integrity events through the Data Integrity projects. These projects help organizations implement technical capabilities that address data i...

Draft: Summary NIST requests review and comments on Special Publication (SP) 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. This documents presents recommendations for safeguarding the technologies used for telework and remote access. The public...

Draft: This paper provides background information on trusted IoT device network-layer onboarding and lifecycle management. It defines a taxonomy of onboarding characteristics that will enable stakeholders to have a common language to describe and express their onboarding capabilities and fully capture the...

Draft: The National Cybersecurity Center of Excellence (NCCoE) at NIST is announcing the release of a draft project description on Improving Cybersecurity of Managed Service Providers.  Many small and medium sized businesses use managed service providers (MSPs) to manage their organiza...

Draft: In 2017, more than eight billion IoT devices were in use worldwide and the current estimate is that more than 20 billion IoT devices will be in use by 2020, according to various market research organizations. Since many IoT devices  are accessible via the internet, malicious actors can exploit...

Draft: The National Cybersecurity Center of Excellence (NCCoE) is seeking comments on a draft Project Description. The NCCoE is proposing a project to explore continuous monitoring capabilities that can effectively, efficiently and automatically detect when a malicious actor—be it an authorized...

Draft: This short paper introduces an approach to producing explanations or justifications of decisions made in some artificial intelligence and machine learning (AI/ML) systems, using methods derived from those for fault location in combinatorial testing. We show that validation and explainability issues...

Draft: Draft NISTIR 8213 provides a reference for implementing interoperable randomness beacons. The document defines terminology and notation, a format for pulses, a protocol for beacon operations, hash-chaining and skiplists of pulses, and the beacon interface calls. It also provides directions for&...

Draft: The National Cybersecurity Center of Excellence (NCCoE) at NIST is proposing a project to protect building management systems’ IoT sensor networks. Our findings may be applicable to other industry sectors and are listed for consideration for inclusion as future NCCoE use cases. We will exp...

Draft: This draft white paper identifies seventeen technical trust-related issues that may negatively impact the adoption of IoT products and services. The paper offers recommendations for mitigating or reducing the effects of these concerns while also suggesting additional areas of research regarding the...

Draft: Draft NIST Special Publication (SP) 800-71, Recommendations for Key Establishment Using Symmetric Block Ciphers, addresses key establishment techniques that use symmetric key cryptography algorithms to protect symmetric keying material. The objective is to provide recommendations for reducing exposu...

Draft: The national need for a common lexicon to describe and organize the cybersecurity workforce and requisite knowledge, skills, and abilities (KSAs) led to the creation of the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework). The NICE Framework d...

Draft: Privileged Account Management (PAM) is a domain within Identity and Access Management (IdAM) focusing on monitoring and controlling the use of privileged accounts. Privileged accounts include local and domain administrative accounts, emergency accounts, application management, and service accounts....

Draft: [10/11/16 - The comment period has been extended to 11/10 (from 10/12).] The National Cybersecurity Center of Excellence (NCCoE) has posted a draft Project Description on the topic of Authentication for Law Enforcement Vehicle Systems. Law enforcement vehicles often serve as mobile offices for off...

Draft: The Mobile Threat Catalogue outlines a catalogue of threats to mobile devices and associated mobile infrastructure to support development and implementation of mobile security capabilities, best practices, and security solutions to better protect enterprise information technology (IT). Threats are d...

Draft: The National Cybersecurity Center of Excellence (NCCoE) has posted a draft Project Description on the topic of Securing Non-Credit Card, Sensitive Consumer Data.   Retailers easily gather sensitive data during typical business activities, such as date of birth, address, phone number, and email...

Draft: NIST requests public comments on draft Special Publication (SP) 800-154, Guide to Data-Centric System Threat Modeling. Data-centric system threat modeling is a form of risk assessment that models aspects of the attack and defense sides for selected data within a system. Draft SP 800-154 provides inf...

Abstract: This report summarizes the feedback received by the NIST Cybersecurity for the Internet of Things (IoT) program at the in-person and hybrid workshop on "Updating Manufacturer Guidance for Securable Connected Product Development" held in December 2024. The purpose of this workshop was to consider how...

Abstract: This report introduces the cryptographic accordion as a tweakable, variable-input-length strong pseudorandom permutation (VIL-SPRP) that is constructed from an underlying block cipher. An accordion facilitates the cryptographic processing of messages of various sizes while offering enhanced security...

Abstract: This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0. Doing so can help organizations prepare for incid...

Abstract: This NIST Trustworthy and Responsible AI report provides a taxonomy of concepts and defines terminology in the field of adversarial machine learning (AML). The taxonomy is arranged in a conceptual hierarchy that includes key types of ML methods, life cycle stages of attack, and attacker goals, objec...

Abstract: NIST is selecting public-key cryptographic algorithms through a public, competition-like process to specify additional digital signature, public-key encryption, and key-establishment algorithms to supplement FIPS 186-5, SP 800-56Ar3, and SP 800-56Br2. These algorithms are intended to protect sensiti...

Abstract: This publication describes differential privacy — a mathematical framework that quantifies privacy loss to entities when their data appears in a dataset. The primary goal of this publication is to help practitioners of all backgrounds better understand how to think about differentially private softw...

Abstract: This document is the second in a series that supplements NIST Interagency Report (IR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This series provides additional detail regarding the enterprise application of cybersecurity risk information; the previous document, NIST IR 82...

Abstract: While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide a broad understanding of the potential impacts of any type of loss on the enterprise mission. The management of enterprise risk requi...

Abstract: Web3 is a proposed vision for the future of the internet that is restructured to be more user-centric with an emphasis on decentralized data. Users would own and manage their personal data, and systems would be decentralized and distributed. Digital tokens would be used to represent assets, and web-...

Abstract: The National Institute of Standards and Technology (NIST) hosted an in-person, all-day workshop on February 27, 2024, to discuss existing and emerging cybersecurity threats and mitigation techniques for semiconductors throughout their life cycle. The workshop obtained valuable feedback from industry...

Abstract: Digital twin technology enables the creation of electronic representations of real-world entities and the ability to view the states and transitions between states of these entities. This report discusses the concept and purpose of digital twin technology and describes its characteristics, features,...

Abstract: Quasi-cyclic moderate-density parity check (QC-MDPC) code-based encryption schemes under iterative decoders offer highly-competitive performance in the quantum-resistant space of cryptography, but the decoding-failure rate (DFR) of these algorithms are not well-understood. The DFR decreases extremel...

Abstract: Verifying the security properties of access control policies is a complex and critical task. The policies and their implementation often do not explicitly express their underlying semantics, which may be implicitly embedded in the logic flows of policy rules, especially when policies are combined. I...

Abstract: This paper investigates the application of large language models (LLMs) for the automated translation and information extraction of access control policies from a natural language source. Prior research in this domain have predominantly relied on manual methods, traditional natural language processi...

Abstract: This report provides practical cybersecurity guidance for small-scale solar inverter implementations that are typically used in homes and small businesses. These guidelines are informed by a review of known smart-inverter vulnerabilities documented in the National Vulnerability Database (NVD), a rev...

Abstract: We present an efficient quantum algorithm for solving the semidirect discrete logarithm problem (SDLP) in any finite group. The believed hardness of the semidirect discrete logarithm problem underlies more than a decade of works constructing candidate post-quantum cryptographic algorithms from nonab...

Abstract: This document provides guidance on how an organization can develop information security measures to identify the adequacy of in-place security policies, procedures, and controls. It explains the measures prioritization process and how to evaluate measures.

Abstract: This document provides guidance on how an organization can develop an information security measurement program with a flexible structure for approaching activities around the development and implementation of information security measures.

Abstract: NIST hosted the NIST Workshop on the Requirements for an Accordion Cipher Mode 2024 on June 20--21, 2024, at the National Cybersecurity Center of Excellence in Rockville, Maryland. This report summarizes the participant feedback, key takeaways, and future directions discussed during the event. 

Abstract: Hardware is often assumed to be robust from a security perspective. However, chips are both created with software and contain complex encodings (e.g., circuit designs and firmware). This leads to bugs, some of which compromise security. This publication evaluates the types of vulnerabilities that ca...

Abstract: We develop a novel post-synthesis obfuscation technique, PoTeNt, to protect NoC fabrics against reverse engineering attacks. PoTeNt integrates programmable switches at NoC routers, concealing topology and communication paths under a dynamically controlled key to make the design resilient to reverse-...

Abstract: Organizations are concerned about the risks associated with products and services that may potentially contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the supply chain. These risks are associated with an enterprise’s decr...

Abstract: We present experimental findings on the decoding failure rate (DFR) of BIKE, a fourth-round candidate in the NIST Post-Quantum Standardization process, at the 20-bit security level using graph-theoretic approaches. We select parameters according to BIKE design principles and conduct a series of expe...

Abstract: NIST is in the process of evaluating public-key digital signature algorithms for potential standardization to protect sensitive information into the foreseeable future, including after the advent of quantum computers. Any signature scheme that is eventually selected would augment FIPS 204, Module-La...

Abstract: Use the CSF to Improve Your C-SCRM Processes. The CSF can help an organization become a smart acquirer and supplier of technology products and services. This guide focuses on two ways the CSF can help you: 1) Use the CSF’s GV.SC Category to establish and operate a C-SCRM capability. 2) Define and co...

Abstract: This Quick-Start Guide describes how to apply the CSF 2.0 Tiers. CSF Tiers can be applied to CSF Organizational Profiles to characterize the rigor of an organization’s cybersecurity risk governance and management outcomes. This can help provide context on how an organization views cybersecurity risk...

Abstract: This guide provides an introduction to using the NIST Cybersecurity Framework (CSF) 2.0 for planning and integrating an enterprise-wide process for integrating cybersecurity risk management information, as a subset of information and communications technology risk management, into enterprise risk ma...

Abstract: The service mesh has become the de-facto application services infrastructure for cloud-native applications. It enables the various runtime functions (network connectivity, access control etc.) of an application through proxies which thus form the data plane of the service mesh. Depending upon the di...

Abstract: Significant vulnerabilities have been found in chips. Computer programs and methods have been developed to prevent, find, and mitigate them. We proposed Secure Hardware Assurance Reference Dataset (SHARD) as a repository of reference examples(test cases) of both vulnerable and “clean” hardware chip...

Abstract: This document addresses the need for effective data protection strategies in the evolving realm of cloud-native network architectures, including multi-cloud environments, service mesh networks, and hybrid infrastructures. By extending foundational data classification concepts, it provides a framewor...

Abstract: This white paper describes a five-phase process that includes identifying or building proxy systems that have high similarity to a Critical AI System (CAIS), representing a kind of validation, and verifying the proxy by creating and testing both use and misuse cases of each proxy against its CAIS.

Abstract: Machine learning (ML)-based Artificial Intelligence (AI) systems rely on training data to perform optimally, but the internal workings of how ML models learn from and use this data are often a black- box. Influence analysis provides valuable insights into the model's behavior by evaluating the effec...

Abstract: In this paper, we present an application of combinatorial security testing to the well-known anonymity network Tor. Rigorous testing of the Tor network is important to evaluate not only its functionality, but also the security it provides to its users. However, such testing efforts are facing challe...

Abstract: This publication provides guidance for federal agencies and organizations to develop and manage a life cycle approach to building a Cybersecurity and Privacy Learning Program (CPLP). The approach is intended to address the needs of large and small organizations as well as those building an entirely...

Abstract: Ensuring the security of routers is crucial for safeguarding not only individuals’ data but also the integrity and availability of entire networks. With the increasing prevalence of smart home Internet of Things (IoT) devices and remote work setups, the significance of consumer-grade router cybersec...

Abstract: This report focuses on the NIST-recommended block cipher modes of operation specified in NIST Special Publications (SP) 800-38A through 800-38F. The goal is to provide a concise survey of relevant research results about the algorithms and their implementations. Based on these findings, the report co...

Abstract: A key-encapsulation mechanism (KEM) is a set of algorithms that, under certain conditions, can be used by two parties to establish a shared secret key over a public channel. A shared secret key that is securely established using a KEM can then be used with symmetric-key cryptographic algorithms to p...

Abstract: Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed si...

Abstract: This standard specifies the stateless hash-based digital signature algorithm (SLH-DSA). Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in dem...

Abstract: This document summarizes the research performed by the NIST Cloud Computing Forensic Science Working Group and presents the NIST Cloud Computing Forensic Reference Architecture (CC FRA or FRA), whose goal is to provide support for a cloud system’s forensic readiness. The CC FRA helps users understan...

Abstract: The Bugs Framework (BF) is a classification of security bugs and related faults that features a formal language for the unambiguous specification of software and hardware security weaknesses and vulnerabilities. BF bugs models, multidimensional weakness and failure taxonomies, and vulnerability mode...

Abstract: This document augments the secure software development practices and tasks defined in Secure Software Development Framework (SSDF) version 1.1 by adding practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the softw...

Abstract: For organizations of all sizes, managing risk (including information security and privacy risk), is critical for organizational resilience. This guide is designed to help small, under-resourced entities understand the value and core components of the NIST Risk Management Framework (RMF) and provide...

Abstract: FIPS 201 defines the requirements and characteristics of government-wide interoperable identity credentials. It specifies that these identity credentials must be stored on a smart card and that additional common identity credentials, known as derived PIV credentials, may be issued by a federal depar...

Abstract: FIPS 201 defines the requirements and characteristics of government-wide interoperable identity credentials. It specifies that these identity credentials must be stored on a smart card and that additional common identity credentials, known as derived PIV credentials, may be issued by a federal depar...

Abstract: FIPS 201 defines the requirements and characteristics of government-wide interoperable identity credentials. It specifies that these identity credentials must be stored on a smart card and that additional common identity credentials, known as derived PIV credentials, may be issued by a federal depar...

Abstract: Federal Information Processing Standard 201-3 (FIPS 201-3) defines the requirements for Personal Identity Verification (PIV) life cycle activities, including identity proofing, registration, PIV Card issuance, and PIV Card usage. FIPS 201-3 also defines the structure of an identity credential that i...

Abstract: In the dynamic landscape of cybersecurity, curated knowledge plays a pivotal role in empowering security analysts to respond effectively to cyber threats. Cyber Threat Intelligence (CTI) reports offer valuable insights into adversary behavior, but their length, complexity, and inconsistent structure...

Abstract: In quantum position verification, a prover certifies her location by performing a quantum computation and returning the results (at the speed of light) to a set of trusted verifiers. One of the very first protocols for quantum position verification was proposed in (Kent, Munro, Spiller 2011): the pr...

Abstract: Identifying the software weaknesses exploited by attacks supports efforts to reduce developer introduction of vulnerabilities and to guide security code review efforts. A weakness is a bug or fault type that can be exploited through an operation that results in a security-relevant error. Ideally, th...

Abstract: The data-intensive nature of machine learning (ML)-enabled systems introduces unique challenges in test and evaluation. We present an overview of combinatorial coverage, exploring its applications across the ML-enabled system lifecycle and its potential to address key limitations in performing test...

Abstract: This paper investigates one type of social engineering scam, where unsuspecting users inadvertently consent to hidden financial obligations by performing routine online actions, such as making a purchase. Terms and conditions, often dense and overlooked, can be a vehicle for these scams, embedding d...

Abstract: During Fiscal Year 2023 (FY 2023) – from October 1, 2022, through September 30, 2023 –the NIST Information Technology Laboratory (ITL) Cybersecurity and Privacy Program successfully responded to numerous challenges and opportunities in security and privacy. This Annual Report highlights the FY 2023...

Abstract: Objective: To address database interoperability challenges to improve collaboration among disparate organizations.Materials and Methods:  We developed a lightweight system to allow broad but well-controlled data sharing while preserving local data protection policies. We used 2 NIST-developed t...

Abstract: The protection of Controlled Unclassified Information (CUI) is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication provides federal agencies with recommended security...

Abstract: The protection of Controlled Unclassified Information (CUI) is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication provides organizations with assessment procedures an...

Abstract: NoSQL database systems and data stores often outperform traditional RDBMS in various aspects, such as data analysis efficiency, system performance, ease of deployment, flexibility/scalability of data management, and users’ availability. However, with an increasing number of people storing sensitive...

Abstract: In the wake of recent progress on quantum computing hardware, the National Institute of Standards and Technology (NIST) is standardizing cryptographic protocols that are resistant to attacks by quantum adversaries. The primary digital signature scheme that NIST has chosen is CRYSTALS-Dilithium. The...

Abstract: This supplement to NIST Special Publication 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management, provides agencies with additional guidance on the use of authenticators that may be synced between devices.

Abstract: This document is the third in a series that supplements NIST Interagency/Internal Report (NISTIR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This series provides additional details regarding the enterprise application of cybersecurity risk information; the previous documen...

Abstract: Non-fungible token (NFT) technology provides a mechanism to enable real assets (both virtual and physical) to be sold and exchanged on a blockchain. While NFTs are most often used for autographing digital assets (associating one’s name with a digital object), they utilize a strong cryptographic foun...

Abstract: A deterministic random bit generator (DRBG) generates pseudorandom bits from an unpredictable seed, i.e. a seed drawn from any ramdom source with sufficient entropy. The current paper formalizes a security notion for a DRBG, allowing the attacker to compromise the internal state of the DRBG, requiri...

Abstract: Information and communications technology (ICT) domains — such as cybersecurity, privacy, and Internet of Things (IoT) — have many requirements and recommendations made by national and international standards, guidelines, frameworks, and regulations. An Online Informative Reference (OLIR) provides a...

Abstract: The National Online Informative References (OLIR) Program is a NIST effort to facilitate standardized definitions of Online Informative References (OLIRs) by subject matter experts. OLIRs are relationships between elements of documents from cybersecurity, privacy, and other information and communica...

Abstract: The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to bett...

Abstract: This guide provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy by using the NIST Cybersecurity Framework (CSF) 2.0. The guide also can assist other relat...

Abstract: This Quick-Start Guide gives an overview of creating and using organizational profiles for NIST CSF 2.0. An Organizational Profile describes an organization’s current and/or target cybersecurity posture in terms of cybersecurity outcomes from the Cybersecurity Framework (CSF) Core. Organizational Pr...

Abstract: This brief report presents a high-level overview of the CSF 2.0 and provides links to relevant resources such as the CSF 2.0 specification and supporting Quick-Start Guides.

Abstract: This document describes the National Institute of Standards and Technology’s (NIST’s) approach to mapping the elements of documentary standards, regulations, frameworks, and guidelines to a particular NIST publication, such as Cybersecurity Framework (CSF) Subcategories or SP 800-53r5 controls. This...

Abstract: Attacks that target data are of concern to companies and organizations across many industries. Data breaches represent a threat that can have monetary, reputational, and legal impacts. This guide seeks to provide guidance concerning the threat of data breaches, exemplifying standards and technologie...

Abstract: Attacks that target data are of concern to companies and organizations across many industries. Data breaches represent a threat that can have monetary, reputational, and legal impacts. This guide seeks to provide guidance around the threat of data breaches, exemplifying standards and technologies th...

Abstract: In digital forensics, file system analysis is a precursor task to event reconstruction. Often, unallocated content within a file system is content of interest to an investigation, and thus recognition, extraction, and ascription of unallocated files are typical intermediary steps en route to interpr...

Abstract: The HIPAA Security Rule focuses on safeguarding electronic protected health information (ePHI) held or maintained by regulated entities. The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible us...

Abstract: The predominant application architecture for cloud-native applications consists of multiple microservices, accompanied in some instances by a centralized application infrastructure, such as a service mesh, that provides all application services. This class of applications is generally developed usin...

Abstract: Security is essential component of high-performance computing (HPC). HPC systems often differ based on the evolution of their system designs, the applications they run, and the missions they support. An HPC system may also have its own unique security requirements, follow different security guidance...

Abstract: Combinatorial testing is an approach where test suites are developed by efficiently covering interactions of parameter values and configuration settings. Multiple studies over the years have shown the interesting phenomenon where almost all defects in a system originate from interactions of a few sp...

Abstract: This Recommendation specifies techniques for the derivation of additional keying material from a secret key—either established through a key establishment scheme or shared through some other manner—using pseudorandom functions HMAC, CMAC, and KMAC.

Abstract: This document is a Cybersecurity Framework Profile developed for voting equipment and information systems that support elections. This Election Infrastructure Profile can be utilized by election administrators and IT professionals who manage election infrastructure to reduce the risks associated wit...

Abstract: This NIST Trustworthy and Responsible AI report develops a taxonomy of concepts and defines terminology in the field of adversarial machine learning (AML). The taxonomy is built on surveying the AML literature and is arranged in a conceptual hierarchy that includes key types of ML methods and lifecy...

Abstract: Encryption technology can be incorporated into access control mechanisms based on user identities, user attributes, or resource attributes. Traditional public-key encryption requires different data to have different keys that can be distributed to users who satisfy perspective access control policie...

Abstract: Genomic data has enabled the rapid growth of the U.S. bioeconomy and is valuable to the individual, industry, and government because it has multiple intrinsic properties that in combination make it different from other types of data that possess only a subset of these properties. The characteristics...

Abstract: In 2017, the National Institute of Standards and Technology (NIST) published a methodology for supporting the automation of Special Publication (SP) 800-53 control assessments in the form of Interagency Report (IR) 8011. IR 8011 is a multi-volume series that starts with an overview of the methodolog...

Abstract: Ontology enables semantic interoperability, making it highly valuable for cyber threat hunting. Community-driven frameworks like MITRE ATT&CK, D3FEND, ENGAGE, CWE and CVE have been developed to combat cyber threats. However, manually navigating these independent data sources is time-consuming an...

Abstract: All enterprises should ensure that information and communications technology (ICT) risk receives appropriate attention within their enterprise risk management (ERM) programs. This document is intended to help individual organizations within an enterprise improve their ICT risk management (ICTRM). Th...

Abstract: The increasing frequency, creativity, and severity of technology attacks means that all enterprises should ensure that information and communications technology (ICT) risk is receiving appropriate attention within their enterprise risk management (ERM) programs. Specific types of ICT risk include, b...

Abstract: NIST Special Publication (SP) 800-140Br1 is to be used in conjunction with ISO/IEC 19790 Annex B and ISO/IEC 24759 section 6.14. The special publication modifies only those requirements identified in this document. SP 800-140Br1 also specifies the content of the information required in ISO/IEC 19790...

Abstract: Phishing cyber threats impact private and public sectors both in the United States and internationally. Embedded phishing awareness training programs, in which simulated phishing emails are sent to employees, are designed to prepare employees in these organizations to combat real-world phishing scen...

Abstract: While network attacks play a critical role in many advanced persistent threat (APT) campaigns, an arms race exists between the network defenders and the adversary: to make APT campaigns stealthy, the adversary is strongly motivated to evade the detection system. However, new studies have shown that...

Abstract: Matter is an open-source connectivity standard for the purpose of allowing smart home IoT devices from different vendors to interoperate with one another. A controller in a Matter system commissions new devices into the Matter fabric. The device needs to present a credential called Device Attestatio...

Abstract: Detecting out of policy speech (OOPS) content is important but difficult. While machine learning is a powerful tool to tackle this challenging task, it is hard to break the performance ceiling due to factors like quantity and quality limitations on training data and inconsistencies in OOPS definitio...

Abstract: This document is the Cybersecurity Framework Profile (Profile) developed for the Electric Vehicle Extreme Fast Charging (EV/XFC) ecosystem and the subsidiary functions that support each of the four domains: (i) Electric Vehicles (EV); (ii) Extreme Fast Charging (XFC); (iii) XFC Cloud or Third-Party...

Abstract: This document is the Cybersecurity Framework Profile developed for the Liquefied Natural Gas (LNG) industry and the subsidiary functions that support the overarching liquefaction process, transport, and distribution of LNG. The LNG Cybersecurity Framework Profile can be used by liquefaction faciliti...

Abstract: A new batch of "complete and proper" digital signature schemes submissions has recently been published by NIST as part of its process for establishing post-quantum cryptographic standards. This note communicates an attack on the 3WISE digital signature scheme that the submitters did not wish to with...

Abstract: Recently a completely new post-quantum digital signature scheme was proposed using the so called "scrap automorphisms." The structure is inherently multivariate, but differs significantly from most of the multivariate literature in that it relies on sparsity and rings containing zero divisors. In th...

Abstract: This document provides guidance on how to secure operational technology (OT) while addressing their unique performance, reliability, and safety requirements. OT encompasses a broad range of programmable systems and devices that interact with the physical environment (or manage devices that interact...

Abstract: Bring Your Own Device (BYOD) refers to the practice of performing work-related activities on personally owned devices. This practice guide provides an example solution demonstrating how to enhance security and privacy in Android and Apple phones and tablets used in BYOD deployments. Incorporati...

Abstract: High-performance computing (HPC) is a vital computational infrastructure for processing large data volumes, performing complex simulations, and conducting advanced machine learning model training. As such, HPC is a critical component of scientific discovery, innovation, and economic competitiveness....

Abstract: The space sector is transitioning towards Hybrid Satellite Networks (HSN) which is an aggregation of independently owned and operated terminals, antennas, satellites, payloads, or other components that comprise a satellite system. The elements of an HSN may have varying levels of assurance.HSNs may...

Abstract: The support minors method has become indispensable to cryptanalysts in attacking various post-quantum cryptosystems in the areas of multivariate cryptography and rank-based cryptography. The complexity analysis for support minors minrank calculations is a bit messy, with no closed form for the Hilbe...

Abstract: There is a growing recognition of the need for a transformation from organizational security awareness programs focused on compliance -- measured by training completion rates -- to those resulting in behavior change. However, few prior studies have begun to unpack the organizational practices of the...

Abstract: De-identification is a general term for any process of removing the association between a set of identifying data and the data subject. This document describes the use of deidentification with the goal of preventing or limiting disclosure risks to individuals and establishments while still allowing...

Abstract: One of the basic tenets of zero trust is to remove the implicit trust in users, services, and devices based only on their network location, affiliation, and ownership. NIST Special Publication 800-207 has laid out a comprehensive set of zero trust principles and referenced zero trust architectures (...

Abstract: Stablecoins are cryptocurrencies whose price is pegged to that of another asset (typically one with low price volatility). The market for stablecoins has grown tremendously – up to almost $200 billion USD in 2022. These coins are being used extensively in newly developing paradigms for digital money...

Abstract: Manufacturing supply chains are increasingly critical to maintaining the health, security, and the economic strength of the United States. As supply chains supporting Critical Infrastructure become more complex and the origins of products become harder to discern, efforts are emerging that improve t...

Abstract: With youth increasingly accessing and using the internet, it is important to understand what they know about online privacy and security (OPS), and from where they gain this knowledge in order to best support their learning and online practices. Currently, the field of literature surrounding such yo...

Abstract: Organizations use simulated phishing awareness training exercises to help users identify, detect, and defend against the ever-changing phishing threat landscape. Realistic phishing emails are used to test users’ ability to spot a phish from visible cues. However, there are no metrics aimed at classi...

Abstract: Our work-in-progress study aims to develop an understanding of current researcher-practitioner interaction points and associated challenges throughout the entire human-centered security research life cycle.

Abstract: Despite the importance of cybersecurity, there is no standard definition nor common terminology for explaining cybersecurity. Existing definitions largely target academics or technical experts but not non-experts (those without cybersecurity proficiency). To gain a better understanding of which defi...

Abstract: Organizations around the world are using the NIST Phish Scale (NPS) in their phishing awareness training programs. As a new metric for measuring human phishing detection difficulty of phishing emails, the use of the NPS by phishing training implementers across different types of organizations has no...

Abstract: Current definitions of cybersecurity are not standardized and are often targeted towards cybersecurity experts and academics. There has been little evaluation about the appropriateness and understandability of these definitions for non-experts (individuals without cybersecurity expertise). This pose...

Abstract: Space is a newly emerging commercial critical infrastructure sector that is no longer the domain of only national government authorities. Space is an inherently risky environment in which to operate, so cybersecurity risks involving commercial space – including those affecting commercial satellite v...

Abstract: The approved security functions listed in this publication replace the ones listed in International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790 Annex C and ISO/IEC 24759 6.15, within the context of the Cryptographic Module Validation Program (CMVP). As...

Abstract: The approved sensitive security parameter generation and establishment methods listed in this publication replace the ones listed in International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790 Annex D and ISO/IEC 24759 paragraph 6.16, within the context o...

Abstract: The macOS Security Compliance Project (mSCP) provides resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS desktop and laptop system security in an automated way. This publication in...

Abstract: The goal of organizational security awareness programs is to positively influence employee security behaviors. However, organizations may struggle to determine program effectiveness, often relying on training policy compliance metrics (e.g., training completion rates) rather than measuring actual im...

Abstract: Cybercriminals relentlessly pursue vulnerabilities across cyberspace to exploit software, threatening the security of individuals, organizations, and governments. Although security teams strive to establish defense measures to thwart attackers, the complexity of cyber defense and the magnitude of ex...

Abstract: Unsupported smart home devices can pose serious safety and security issues for consumers. However, unpatched and vulnerable devices may remain connected because consumers may not be alerted that their devices are no longer supported or do not understand the implications of using unsupported devices....

Abstract: Though much is known about how adults understand and use passwords, little research attention has been paid specifically to parents or, more importantly, to how parents are involved in their children’s password practices. To better understand both the password practices of parents, as well as how pa...

Abstract: Encountering or engaging in risky online behavior is an inherent aspect of being an online user. In particular, youth are vulnerable to such risky behavior, making it important to know how they understand and think about this risk-taking behavior. Similarly, with parents being some of the first and...

Abstract: Many professional domains require the collection and use of personal data. Protecting systems and data is a major concern in these settings, making it necessary that workers who interact with personal data understand and practice good security and privacy habits. However, to date, there has been lit...

Abstract: Simulation is a useful and effective way to analyze and study complex, real-world systems. It allows researchers, practitioners, and decision makers to make sense of the inner working of a system that involves many factors often resulting in some sort of emergent behavior. The number parameter value...

Abstract: This publication from the National Initiative for Cybersecurity Education (NICE) describes Competency Areas as included in the Workforce Framework for Cybersecurity (NICE Framework), NIST Special Publication 800-181, Revision 1, a fundamental reference for describing and sharing information about cy...

Abstract: The U.S. Water and Wastewater Systems (WWS) sector has been undergoing a digital transformation. Many sector organizations are utilizing data-enabled capabilities to improve utility management, operations, and service delivery. The ongoing adoption of automation, sensors, data collection, network de...

Abstract: The National Institute of Standards and Technology (NIST) initiated a public standardization process to select one or more schemes that provide Authenticated Encryption with Associated Data (AEAD) and optional hashing functionalities and are suitable for constrained environments. In February 2019, 5...

Abstract: There are several new digital credentials-based standards emerging and they are all silos operating in specific environments and written for specific contexts.  As such, there is a lack of foundational, strongly verifiable, and trustable digital credentials available to make transition to today...

Abstract: During Fiscal Year 2022 (FY 2022) – from October 1, 2021, through September 30, 2022 – the NIST Information Technology Laboratory (ITL) Cybersecurity and Privacy Program successfully responded to numerous challenges and opportunities in security and privacy. This Annual Report highlights the FY 2022...

Abstract: Fault detection often depends on the specific order of inputs that establish states which eventually lead to a failure. However, beyond basic structural coverage metrics, it is often difficult to determine if the code has been exercised sufficiently to ensure confidence in its functions. Measures ar...

Abstract: Data is a crucial component in machine learning. However, many datasets contain sensitive information such as personally identifiable health and financial data. Access to these datasets must be restricted to avoid potential security concerns. Synthetic data generation addresses this problem by gener...

Abstract: Receiving reports on suspected security vulnerabilities in information systems is one of the best ways for developers and services to become aware of issues. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce known security vulnerabilities. This docume...

Abstract: Updates may be one of the few tools consumers have to mitigate security and privacy vulnerabilities in smart home devices. However, little research has been undertaken to understand users’ perceptions and experiences with smart home updates. To address this gap, we conducted an online survey of a de...

Abstract: Mobile devices were initially personal consumer communication devices but they are now permanent fixtures in enterprises and are used to access modern networks and systems to process sensitive data. This publication assists organizations in managing and securing these devices by describing available...

Abstract: In 2000, NIST announced the selection of the Rijndael block cipher family as the winner of the Advanced Encryption Standard (AES) competition. Block ciphers are the foundation for many cryptographic services, especially those that provide assurance of the confidentiality of data. Three members of t...

Abstract: Mobile edge computing (MEC) integrates computing resources in wireless access networks to process computational tasks in close proximity to mobile users with low latency. This paper investigates the task assignment problem for cooperative MEC networks in which a set of geographically distributed het...

Abstract: When the cost of CD burners dropped precipitously in the late 1990s, consumers had access to the CD-R, a format with far greater storage capacity than floppy disks. Multiple session standards allowed users the flexibility to add subsequent content to an already-burned CD-R, which made them an attrac...

Abstract: This paper describes a vulnerability in several implementations of the Secure Hash Algorithm 3 (SHA-3) that have been released by its designers. The vulnerability has been present since the final-round update of Keccak was submitted to the National Institute of Standards and Technology (NIST) SHA-3...

Abstract: The NIST Special Publication (SP) 800-90 series supports the generation of high-quality random bits for cryptographic and non-cryptographic use. The security strength of a random number generator depends on the unpredictability of its outputs. This unpredictability can be measured in terms of entrop...

Abstract: Manufacturers are increasingly targeted in cyber-attacks.  Small manufacturers are particularly vulnerable due to limitations in staff and resources to operate facilities and manage cybersecurity. Security segmentation is a cost-effective and efficient security design approach for protecting cy...

Abstract: The skilled and dedicated professionals who strive to improve cyber security may unwittingly fall victim to misconceptions and pitfalls that hold other people back from reaching their full potential of being active partners in security. These pitfalls often reflect the cyber security community’s dep...

Abstract: Prior research has shown that public vulnerability systems such as US National Vulnerability Database (NVD) rely on a manual, time-consuming, and error-prone process which has led to inconsistencies and delays in releasing final vulnerability results. This work provides an approach to curate vulnera...

Abstract: This standard specifies a suite of algorithms that can be used to generate a digital signature. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidenc...

Abstract: This Recommendation specifies the set of elliptic curves recommended for U.S. Government use. In addition to the previously recommended Weierstrass curves defined over prime fields and binary fields, this Recommendation includes two newly specified Edwards curves, which provide increased performance...