Search CSRC

Showing 876 through 900 of 15603 matching records.
Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/common-configuration-enumeration-cce/cce-creation-process

CCE entries are currently assigned to configuration issues by members of the CCE Content Team and posted on the public CCE Web site. Operating system vendors are encouraged to coordinate with the CCE Content Team to have CCEs assigned to their configuration controls and/or new platforms. Please contact cce@nist.gov for more information. Typically, a CCE Content Team Analyst first encounters a configuration issue in one of two ways: (1) The most common way an analyst encounters a configuration issue is through a configuration guidance statement in a resource document or audit tool. For example,...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/common-configuration-enumeration-cce/cce-list-editorial-policies

Date: August 18, 2006  Document version: 0.1 This is a draft report and does not represent an official position of The MITRE Corporation. Copyright © 2006, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice. Table of Contents Summary and Purpose Content Decisions CD.1 Effect vs. Technical Mechanism (Basic CD) CD.2 One Effect/Multiple Technical Mechanisms (Combine) CD.3 One Effect/Multiple Parameter Values (Combine) CD.4 Single Object vs. Parameters...

Project Pages https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/common-configuration-enumeration-cce/cce-working-group

CCE is industry-endorsed through the CCE Working Group, which includes members from industry, academia, and government. IMPORTANT: Activity on the CCE effort has been suspended Send comments or concerns to cce@nist.gov. Participants American International Group, Inc. Application Security Inc. ArcSight, Inc. Belarc, Inc. Bentley College BlackStratus, Inc. Booz Allen Hamilton Center for Internet Security CERIAS/Purdue University Cisco Systems, Inc. Critical Watch Defense Information Systems Agency (DISA) Department of Homeland...

Project Pages https://csrc.nist.gov/projects/risk-management/sp800-53-controls/overlay-repository/government-wide-overlay-submissions

The government-wide category consists of overlay submissions from federal, state, tribal, and local governments.  Select from overlays listed below for more information and to access the overlay.   Overlay Title Submitted by Overlay Description/Applicability Closed Isolated Network U.S. Army Europe   A Closed Isolated Network is defined as a data communications enclave that operates in a single security domain, implements a security policy administered by a single authority, does not connect to any other network and has a single,...

Project Pages https://csrc.nist.gov/projects/risk-management/sp800-53-controls/overlay-repository/public-overlay-submissions

The government-wide category consists of overlay submissions from commercial, educational, or non-profit organizations.  Select from overlays listed below for more information and to access the overlay.   Overlay Title Submitted by Overlay Description/Applicability               Return to Control Overlay Repository Overview   Disclaimer Statement The National Institute of Standards and Technology (NIST) has established the Security Overlay Repository as a public service. Security control overlays are made available by NIST...

Project Pages https://csrc.nist.gov/projects/risk-management/sp800-53-controls/overlay-repository/nist-developed-overlay-submissions

NIST developed category consists of submissions developed by NIST staff or contractors. Select from overlays listed below for more information and to access the overlay.  Overlay Name / Version Author / Point of Contact Technology or System Comment SP 800-82 v1 / Version 2 Author: Keith Stouffer PoC: Keith Stouffer x1234 Industrial Control System The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include...

Project Pages https://csrc.nist.gov/projects/risk-management/sp800-53-controls/overlay-repository/nist-developed-overlay-submissions/operational-technology

Overlay Name:  NIST SP 800-82, Rev. 3, Guide to Operational Technology (OT) Security Overlay Publication Date: September 2023 Technology or System: Operational Technology Overlay Author: Keith Stouffer (NIST), Michael Pease (NIST), CheeYee Tang (NIST), Timothy Zimmerman (NIST), Victoria Pillitteri (NIST), Suzanne Lightman (NIST), Adam Hahn (MITRE), Stephanie Saravia (MITRE), Aslam Sherule (MITRE), Michael Thompson (MITRE) Comments: The OT overlay is a partial tailoring of the controls and security baselines in SP 800-53, Revision 5, for Low, Moderate, and High-Impact (per FIPS 199) OT...

Project Pages https://csrc.nist.gov/projects/risk-management/sp800-53-controls/overlay-repository/nist-developed-overlay-submissions/supply-chain

Overlay Name:  NIST SP 800-161, Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations Overlay Publication Date: May 2022 Technology or System: Cyber Supply Chain Overlay Author: Jon Boyens (NIST), Angela Smith (NIST), Nadya Bartol (BCG), Kris Winkler (BCG), Alex Holbrook (BCG), Matthew Fallon (BCG) Comments: Identification and augmentation of cybersecurity supply chain risk management (C-SCRM)-related controls in SP 800-53, Revision 5. Refer to SP 800-161r1, Appendix A, for the C-SCRM Controls. C-SCRM is an enterprise-wide activity that should be...

Project Pages https://csrc.nist.gov/projects/risk-management/sp800-53-controls/overlay-repository/nist-developed-overlay-submissions/trustworthy-e-mail

Overlay Name:  Email Messaging Systems  Overlay Publication Date: February 19, 2019 Technology or System: Email Messaging Systems  Overlay Author: Scott Rose, NIST Comments: Overlay for email messaging systems using the SP 800-53, Revision 4 controls. Email system is taken to mean any system (as defined by FIPS 199), that is said to generate, send, or store email messages for an enterprise. Refer to Appendix C for the Email Messaging Systems Overlay. Overlay Point of Contact: Scott Rose   Download Overlay   Return to Control Overlay Repository Overview Disclaimer Statement The...

Project Pages https://csrc.nist.gov/projects/automated-combinatorial-testing-for-software/combinatorial-methods-in-testing

Testing is roughly 50% of the cost of producing consumer software, and can be 90% or more of the cost for a critical application such as aviation.  Combinatorial methods can provide huge reductions in this cost.

Project Pages https://csrc.nist.gov/projects/automated-combinatorial-testing-for-software/autonomous-systems-assurance

Autonomous systems must function correctly in an enormous range of environments.  For example, self-driving cars must deal with lighting, rain, fog, pedestrians, animals, other vehicles, road markings, signs, etc.  How do we ensure that autonomous systems are safe in such complex and rapidly changing environments, when conventional test coverage and formal verification methods cannot be applied?   Achieving assured autonomy in any environment requires methods for measuring the input space, to show that the test environment adequately covers real-world conditions that may be encountered....

Project Pages https://csrc.nist.gov/projects/measurements-for-information-security/research

These are current NIST research to identify meaningful metrics and measures in context to understand the effectiveness and resource needs of different cybersecurity technical measures.   Measuring Security Risk in Enterprise Networks Methodology to measure the overall system risk by combining the attack graph structure with the Common Vulnerability Scoring System (CVSS).   Cyber Risk Analytics and Measurement Research and prototype methods and tools to enable predictive risk analytics and identify cyber risk trends. Develop guidelines to improve the assessment and measurement of...

Project Pages https://csrc.nist.gov/projects/measurements-for-information-security/standards-guidelines

These are standard publications and guidelines that provide perspectives and frameworks to inform, measure, and manage cybersecurity vulnerabilities and exposures.   NIST SP 800-55 Vol. 1 (Initial Public Draft) Measurement Guide for Information Security: Volume 1 — Identifying and Selecting Measures Volume 1 — Identifying and Selecting Measures is a flexible approach to the development, selection, and prioritization of information security measures. This volume explores both quantitative and qualitative assessment and provides basic guidance on data analysis techniques as well as impact and...

Project Pages https://csrc.nist.gov/projects/measurements-for-information-security/tools

These are tools and utilities to assess the level of security risks and provide a mechanism to enhance automation for the cybersecurity information exchange.   Baldrige Cybersecurity Excellence Builder (BCEB) A self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts and identify improvement opportunities in the context of their overall organizational performance.   Common Vulnerability Scoring System (CVSS) An open framework for communicating the characteristics and severity of software vulnerabilities. CVSS is well...

Project Pages https://csrc.nist.gov/projects/measurements-for-information-security/reference-sources

These are reference sources for frameworks, algorithms validation, software assurance, testing, and other measurements related to information security.   Automated Combinatorial Testing for Software Combinatorial or t-way testing is a proven method for more effective software testing at lower cost.  The research toolkit can make sure that there are no simultaneous input combinations that might inadvertently cause a dangerous error.   Cryptographic Algorithm Validation Program (CAVP)  The NIST Cryptographic Algorithm Validation Program provides validation testing of Approved (i.e.,...

Project Pages https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions

Official comments on the Third Round Candidate Algorithms should be submitted using the "Submit Comment" link for the appropriate algorithm. Comments from the pqc-forum Google group subscribers will also be forwarded to the pqc-forum Google group list. We will periodically post and update the comments received to the appropriate algorithm. All relevant comments will be posted in their entirety and should not include PII information in the body of the email message. Please refrain from using OFFICIAL COMMENT to ask administrative questions, which should be sent to pqc-comments@nist.gov...
