Search CSRC

Abstract: The predominant application architecture for cloud-native applications consists of multiple microservices, accompanied in some instances by a centralized application infrastructure, such as a service mesh, that provides all application services. This class of applications is generally developed usin...

Abstract: Security is essential component of high-performance computing (HPC). HPC systems often differ based on the evolution of their system designs, the applications they run, and the missions they support. An HPC system may also have its own unique security requirements, follow different security guidance...

Abstract: This Recommendation specifies techniques for the derivation of additional keying material from a secret key—either established through a key establishment scheme or shared through some other manner—using pseudorandom functions HMAC, CMAC, and KMAC.

Abstract: This document is a Cybersecurity Framework Profile developed for voting equipment and information systems that support elections. This Election Infrastructure Profile can be utilized by election administrators and IT professionals who manage election infrastructure to reduce the risks associated wit...

Abstract: NIST Special Publication (SP) 800-60 facilities the application of appropriate levels of information security according to a range of levels of impact or consequence that may result from unauthorized disclosure, modification, or use of the information or systems. This publication provides a methodol...

Abstract: The Transport Layer Security (TLS) protocol is widely deployed to secure network traffic. The latest version, TLS 1.3, has been strengthened so that even if a TLS-enabled server is compromised, the contents of its previous TLS communications are still protected—better known as forward secrecy. The a...

Abstract: This document provides guidance on how an organization can develop information security measures to identify the adequacy of in-place security policies, procedures, and controls. It explains the measures prioritization process and how to evaluate measures.

Abstract: This document provides guidance on how an organization can develop an information security measurement program with a flexible structure for approaching activities around the development and implementation of information security measures.

Abstract: [See the Abstract for SP 800-100]

Abstract: This NIST Trustworthy and Responsible AI report develops a taxonomy of concepts and defines terminology in the field of adversarial machine learning (AML). The taxonomy is built on surveying the AML literature and is arranged in a conceptual hierarchy that includes key types of ML methods and lifecy...

Abstract: Genomic data has enabled the rapid growth of the U.S. bioeconomy and is valuable to the individual, industry, and government because it has multiple intrinsic properties that in combination make it different from other types of data that possess only a subset of these properties. The characteristics...

Abstract: Encryption technology can be incorporated into access control mechanisms based on user identities, user attributes, or resource attributes. Traditional public-key encryption requires different data to have different keys that can be distributed to users who satisfy perspective access control policie...

Abstract:

Abstract: The document provides appropriate and useful guidelines for assessing the reliability of issuers of PIV Cards and derived PIV credentials. These issuers store personal information and issue credentials based on OMB policies and the standards published in response to HSPD-12. The reliability of an is...

Abstract: This publication describes differential privacy — a mathematical framework that quantifies privacy risk to individuals as a consequence of data collection and subsequent data release. It serves to fulfill one of the assignments to the National Institute of Standards and Technology (NIST) by the Exec...

Abstract: In 2017, the National Institute of Standards and Technology (NIST) published a methodology for supporting the automation of Special Publication (SP) 800-53 control assessments in the form of Interagency Report (IR) 8011. IR 8011 is a multi-volume series that starts with an overview of the methodolog...

Abstract: All enterprises should ensure that information and communications technology (ICT) risk receives appropriate attention within their enterprise risk management (ERM) programs. This document is intended to help individual organizations within an enterprise improve their ICT risk management (ICTRM). Th...

Abstract: The increasing frequency, creativity, and severity of technology attacks means that all enterprises should ensure that information and communications technology (ICT) risk is receiving appropriate attention within their enterprise risk management (ERM) programs. Specific types of ICT risk include, b...

Abstract: NIST Special Publication (SP) 800-140Br1 is to be used in conjunction with ISO/IEC 19790 Annex B and ISO/IEC 24759 section 6.14. The special publication modifies only those requirements identified in this document. SP 800-140Br1 also specifies the content of the information required in ISO/IEC 19790...

Abstract: Data classification is the process an organization uses to characterize its data assets using persistent labels so those assets can be managed properly. Data classification is vital for protecting an organization’s data at scale because it enables application of cybersecurity and privacy protection...

Abstract: Phishing cyber threats impact private and public sectors both in the United States and internationally. Embedded phishing awareness training programs, in which simulated phishing emails are sent to employees, are designed to prepare employees in these organizations to combat real-world phishing scen...

Abstract: Providing devices with the credentials and policy needed to join a network is a process known as network-layer onboarding. Establishing trust between a network and an IoT device prior to such onboarding is crucial for mitigating the risk of potential attacks. There are two sides of this attack: one...

Abstract: This document is the Cybersecurity Framework Profile (Profile) developed for the Electric Vehicle Extreme Fast Charging (EV/XFC) ecosystem and the subsidiary functions that support each of the four domains: (i) Electric Vehicles (EV); (ii) Extreme Fast Charging (XFC); (iii) XFC Cloud or Third-Party...

Abstract: A log is a record of events that occur within an organization’s computing assets, including physical and virtual platforms, networks, services, and cloud environments. Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. It facilitates log usage...

Abstract: This document is the Cybersecurity Framework Profile developed for the Liquefied Natural Gas (LNG) industry and the subsidiary functions that support the overarching liquefaction process, transport, and distribution of LNG. The LNG Cybersecurity Framework Profile can be used by liquefaction faciliti...