Showing 676 through 700 of 15603 matching records.
Project Pages https://csrc.nist.gov/projects/role-based-access-control/role-engineering-and-rbac-standards

Many organizations are in the process of moving to role based access control. The process of developing an RBAC structure for an organization has become known as "role engineering." Role engineering can be a complex undertaking. For example, in implementing RBAC for a large European bank with over 50,000 employees and 1400 branches serving more than 6 million customers, approximately 1300 roles were discovered. In view of the complexities, RBAC is best implemented by applying a structured framework that breaks down each task into its component parts. The resources on this page can help...

Project Pages https://csrc.nist.gov/projects/role-based-access-control/rbac-and-sarbanes-oxley-compliance

The Sarbanes-Oxley Act establishes a set of requirements for financial systems, to deter fraud and increase corporate accountability. For information technology systems, regulators may need to know who used a system, when they logged in and out, what accesses or modifications were made to what files, and what authorizations were in effect. IT vendors responding to Sarbanes-Oxley (SOX) requirements have adopted RBAC as central to compliance solutions because RBAC was designed to solve this type of problem. Sarbanes-Oxley Act of 2002 and Impact on the IT Auditor, IT Knowledgebase -...

Project Pages https://csrc.nist.gov/projects/role-based-access-control/rbac-case-studies

The following RBAC case studies and experience reports may be useful in planning for RBAC implementations. We will add to this collection as more reports become available. (Please note that the authors and organizations below are not affiliated with NIST or any other agency of the US Government, unless otherwise noted, and NIST cannot endorse or comment on these publications.) Submit comments or suggestions on this collection to the Project Contacts. Health Care A Case Study in Access Control Requirements for a Health Information System - "a detailed examination of the access...

Project Pages https://csrc.nist.gov/projects/measuring-security-risk-in-enterprise-networks/measuring-security-risk-in-enterprise-networks-pub

Publications: Daniel Borbor, Lingyu Wang, Sushil Jajodia, Anoop Singhal, "Securing Networks Against Unpatchable and Unknown Vulnerabilities Using Heterogeneous Hardening Options", 31st IFIP Conference on Data and Application Security and Privacy (DBSEC 2017), Philadelphia, Pennsylvania, July 19-21, 2017. Xiaoyan Sun, Anoop Singhal, Peng Liu, "Towards Actionable Mission Impact Assessment in the Context of Cloud Computing", 31st IFIP Conference on Data and Application Security and Privacy (DBSEC 2017), Philadelphia, Pennsylvania, July 19-21, 2017. Changwei Liu, Anoop Singhal, Duminda...

Project Pages https://csrc.nist.gov/projects/measuring-security-risk-in-enterprise-networks/a-layered-graphical-model-for-mission-impact-analy

An organizational mission enabled by networked infrastructure can be impacted by cyber attacks. A mission is defined as a set of business processes that provide some service. For example, the mission of a travel management system is to provide a set of business processes to support airline and hotel reservations. Quantifying the impact of cyber attacks is of importance to mission planners. Mission impact evaluation approaches and tools provide a way to estimate the impact of cyber attacks on missions. In an enterprise information environment, the system supports different business processes...

Project Pages https://csrc.nist.gov/projects/measuring-security-risk-in-enterprise-networks/security-risk-analysis-using-attack-graphs

An essential type of security risk analysis is to determine the level of compromise possible for important hosts in a network from a given starting location. This is a complex task, as it depends on the network topology, on the security policy in the network as determined by the placement of firewalls, routers and switches, and on vulnerabilities in hosts and communication protocols. Traditionally, this type of analysis is performed by a red team of computer security professionals who actively test the network by running exploits that compromise the system. Red team exercises are effective, however...

Project Pages https://csrc.nist.gov/projects/measuring-security-risk-in-enterprise-networks/techniques-for-network-and-cloud-forensics-analysi

Cloud computing provides several benefits to organizations, such as increased flexibility, scalability and reduced cost. However, it presents several challenges for digital forensics and criminal investigation. Existing forensics analysis frameworks and tools are largely intended for offline investigation, and they assume that the logs are under the control of the investigator. In cloud computing, the evidence can be distributed across several machines, and it can be stored on machines that are beyond the control of the investigator. Some other challenges are the dependence of forensically...

Project Pages https://csrc.nist.gov/projects/risk-management/fisma-background

The suite of NIST information security risk management standards and guidelines is not a "FISMA Compliance checklist." Federal agencies, contractors, and other sources that use or operate a federal information system use the suite of NIST Risk Management standards and guidelines to develop and implement a risk-based approach to manage information security risk. FISMA emphasizes the importance of risk management. Compliance with applicable laws, regulations, executive orders, directives, etc. is a byproduct of implementing a robust, risk-based information security program. The NIST Risk...

Project Pages https://csrc.nist.gov/projects/risk-management/about-rmf

A Comprehensive, Flexible, Risk-Based Approach: The Risk Management Framework (RMF) provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type...

Project Pages https://csrc.nist.gov/projects/risk-management/mailing-list

Join the NIST Risk Management Framework (FISMA Implementation Project) Email List: NIST will inform our stakeholders immediately when updates to the emerging set of security standards and guidelines are available, or when there are important project-related events scheduled. Please note that only mailing list administrators are able to send messages on this email list. Join the NIST RMF Email List. Troubleshooting: If your organization's firewall is preventing you from joining via the NIST Risk Management Framework Email List, please send an email to sec-cert@nist.gov. A NIST...

Project Pages https://csrc.nist.gov/projects/risk-management/rmf-courses

The purpose of these courses is to provide those new to risk management with an introduction to key publications associated with the NIST Risk Management Framework (RMF) methodology for managing cybersecurity and privacy risk. The RMF Online Introductory Courses are developed by NIST and available on-demand, free of charge. Please refer first to the FAQ below for questions about course logistics, topics and content, initial troubleshooting of issues, and certificate of completion and course credit before reaching out to the team with questions. Select a course below to learn more...

Project Pages https://csrc.nist.gov/projects/risk-management/about-rmf/implement-step/security-configuration-settings

As part of a holistic risk management strategy and applying the information security concept of defense-in-depth, organizations should employ appropriate configuration settings on commercial information technology products that compose their organizational systems. These products include, for example, mainframe computers, workstations, portable and mobile devices, and network components. Requirements to establish mandatory configuration settings derive from the Federal Information Security Management Act as implemented by FIPS 200 and NIST Special Publication 800-53 (Control CM-6,...

Project Pages https://csrc.nist.gov/projects/program-review-for-information-security-assistance/prisma-review-option-1

The Program Review for Information Security Assistance (PRISMA) project was last updated in 2007; NIST Interagency Report (IR) 7358 and the corresponding PRISMA tool continue to serve as useful resources for high-level guidance and as a general framework, but may not be fully consistent with changes to requirements, standards and guidelines for securing systems. The PRISMA project is being incorporated into the NIST Cybersecurity Risk Analytics and Measurement project, and research to support updates will begin in FY24. For questions or comments regarding the NIST Cybersecurity Risk Analytics...

Project Pages https://csrc.nist.gov/projects/program-review-for-information-security-assistance/prisma-review-option-2

The Program Review for Information Security Assistance (PRISMA) project was last updated in 2007; NIST Interagency Report (IR) 7358 and the corresponding PRISMA tool continue to serve as useful resources for high-level guidance and as a general framework, but may not be fully consistent with changes to requirements, standards and guidelines for securing systems. The PRISMA project is being incorporated into the NIST Cybersecurity Risk Analytics and Measurement project, and research to support updates will begin in FY24. For questions or comments regarding the NIST Cybersecurity Risk Analytics...

Project Pages https://csrc.nist.gov/projects/program-review-for-information-security-assistance/security-maturity-levels

The Program Review for Information Security Assistance (PRISMA) project was last updated in 2007; NIST Interagency Report (IR) 7358 and the corresponding PRISMA tool continue to serve as useful resources for high-level guidance and as a general framework, but may not be fully consistent with changes to requirements, standards and guidelines for securing systems. The PRISMA project is being incorporated into the NIST Cybersecurity Risk Analytics and Measurement project, and research to support updates will begin in FY24. For questions or comments regarding the NIST Cybersecurity Risk Analytics...

Project Pages https://csrc.nist.gov/projects/program-review-for-information-security-assistance/prisma-database

The Program Review for Information Security Assistance (PRISMA) project was last updated in 2007; NIST Interagency Report (IR) 7358 and the corresponding PRISMA tool continue to serve as useful resources for high-level guidance and as a general framework, but may not be fully consistent with changes to requirements, standards and guidelines for securing systems. The PRISMA project is being incorporated into the NIST Cybersecurity Risk Analytics and Measurement project, and research to support updates will begin in FY24. For questions or comments regarding the NIST Cybersecurity Risk Analytics...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/hipaa

ARCHIVED: The NIST HIPAA Security Rule Toolkit is no longer supported, and is provided here only for historical purposes. HIPAA Security Rule Toolkit: The NIST HIPAA Security Toolkit Application is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/release-cycle

The SCAP Release Cycle: Changes to SCAP impact a large number of organizations that manage content and provide SCAP Validated Products and Modules and SCAP-related services. A change to SCAP often results in considerable effort to migrate products, content, and other capabilities to the new SCAP revision. To mitigate risks relating to level of effort, timing, and specification changes, revisions to SCAP are managed according to a coordinated process. The following workflow addresses these concerns. The SCAP release cycle defines a process for managing change relating to SCAP and the...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/scap-content

SCAP Checklists: Security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications. SCAP Enumeration and Mapping Data Feeds: SCAP-related reference data for tool developers, integrators and SCAP Validated Product users.

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases

SCAP must continually evolve to meet the ever-changing needs of the community. This need for continual evolution results in multiple versions of SCAP being available at any given time. The SCAP Release Cycle defines a process for managing change relating to SCAP and the NIST SCAP Validation Program by providing a consistent and repeatable revision workflow. The following list represents the currently available versions of SCAP. The current effective version of SCAP is SCAP 1.3. Protocol: SCAP: Security Content Automation Protocol; Version: 2.0; Status: Initial Design; Specification: TBD...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/emerging-specifications

Specifications have both intrinsic and synergistic value. They have intrinsic value in that the specification demonstrates value on its own merits. For example, XCCDF is a standard way of expressing checklist content. XCCDF also has a synergistic value when combined with other specifications such as CPE, CCE, and OVAL to create an SCAP-expressed checklist that can be processed by SCAP-validated products. Likewise, CVE has use cases in simply being a consistent way to enumerate vulnerabilities for tracking purposes; however, when combined with CPE and OVAL, CVE is elevated to formulate a...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/scap-community

The SCAP community is a public/private partnership consisting of interested parties from industry, research and educational institutions, and government that are working to advance automation and standardization of technical security operations. Involvement in SCAP extends to email-based discussion lists, conferences, and various technical working groups sponsored by a variety of organizations. SCAP Email Discussion Lists: SCAP Discussion List (View and Subscribe). The SCAP team at NIST maintains a moderated discussion list that users can post to, regarding the Security Content Automation...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/scap-content-conventions

The Least Version Principle: The least version principle is designed to address which specification version to use when maintaining SCAP content. Under this principle, content is expressed using the minimum specification version, in a series of minor releases, that is necessary to properly address the content's purpose or use case. This allows for the broadest support within products, while reducing the content maintenance burden that would be required to maintain revisions of content for multiple specification versions.

Project Pages https://csrc.nist.gov/projects/united-states-government-configuration-baseline/official-memoranda

The following memoranda provide official guidance relating to the USGCB initiative: September 15, 2010 CIO Council Memo; May 7, 2010 CIO Council Memo. Additional Memoranda: OMB Memo M-07-11; OMB Memo M-07-18; OMB Memo 19 Dec; OMB Memo M-08-22.
