Showing 1226 through 1250 of 15603 matching records.
Publications IR 8320C (Initial Public Draft) April 20, 2022
https://csrc.nist.gov/pubs/ir/8320/c/ipd

Abstract: Organizations employ a growing volume of machine identities, often numbering in the thousands or millions per organization. Machine identities, such as secret cryptographic keys, can be used to identify which policies need to be enforced for each machine. Centralized management of machine identities...

Publications IR 8419 (Final) April 7, 2022
https://csrc.nist.gov/pubs/ir/8419/final

Abstract: As supply chains become more complex and the origins of products become harder to discern, efforts are emerging that improve traceability of goods by exchanging traceability data records using blockchain and related technologies. This NIST NCCoE publication explores the issues that surround traceabi...

Publications SP 800-40 Rev. 4 (Final) April 6, 2022
https://csrc.nist.gov/pubs/sp/800/40/r4/final

Abstract: Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization. Patching is more important than ever because of the increasing reliance on technology, but there is often a div...

Publications SP 1800-31 (Final) April 6, 2022
https://csrc.nist.gov/pubs/sp/1800/31/final

Abstract: Patching is the act of applying a change to installed software – such as firmware, operating systems, or applications – that corrects security or functionality problems or adds new capabilities. Despite widespread recognition that patching is effective and attackers regularly exploit unpatched softw...

Publications Conference Paper (Final) April 4, 2022
https://csrc.nist.gov/pubs/conference/2022/04/04/combination-frequency-differencing/final

Conference: IEEE International Conference on Software Testing Verification and Validation Workshop (ICSTW 2022)
Abstract: Combinatorial coverage measures have been defined and applied to a wide range of problems. These methods have been developed using measures that depend on the inclusion or absence of t-tuples of values in inputs and test cases. We extend these coverage measures to include the frequency of occurrence...

Publications IR 8420 (Final) March 25, 2022
https://csrc.nist.gov/pubs/ir/8420/final

Abstract: Prior industry surveys and research studies have revealed that organizational cybersecurity awareness (hereafter shortened to “security awareness”) programs may face a number of challenges, including lack of: leadership support; resources; and staff with sufficient background and skills to implement...

Publications IR 8420A (Final) March 25, 2022
https://csrc.nist.gov/pubs/ir/8420/a/final

Abstract: Organizational security awareness programs experience a number of challenges, including lack of resources, difficulty measuring the impact of the program, and perceptions among the workforce that training is a boring, “check-the-box” activity. While prior surveys and research have examined programs...

Publications IR 8420B (Final) March 25, 2022
https://csrc.nist.gov/pubs/ir/8420/b/final

Abstract: Organizational cybersecurity awareness (hereafter shortened to “security awareness”) programs may experience a number of challenges, including lack of funding and staff with the appropriate knowledge and skills to manage an effective program. While prior surveys and research have examined programs i...

Publications SP 1800-10 (Final) March 16, 2022
https://csrc.nist.gov/pubs/sp/1800/10/final

Abstract: Today’s manufacturing organizations rely on industrial control systems (ICS) to conduct their operations. Increasingly, ICS are facing more frequent, sophisticated cyber attacks—making manufacturing the second-most-targeted industry. Cyber attacks against ICS threaten operations and worker safety, r...

Publications SP 800-172A (Final) March 15, 2022
https://csrc.nist.gov/pubs/sp/800/172/a/final

Abstract: The protection of Controlled Unclassified Information (CUI) in nonfederal systems and organizations is important to federal agencies and can directly impact the ability of the Federal Government to successfully carry out its assigned missions and business operations. This publication provides federa...

Publications Journal Article (Final) March 15, 2022
https://csrc.nist.gov/pubs/journal/2022/03/the-path-to-consensus-on-ai-assurance/final

Journal: Computer (IEEE Computer)
Abstract: Widescale adoption of intelligent algorithms requires that Artificial Intelligence (AI) engineers provide assurances that an algorithm will perform as intended. Providing such guarantees involves quantifying capabilities and the associated risks across multiple dimensions including: data quality, al...

Publications Journal Article (Final) March 9, 2022
https://csrc.nist.gov/pubs/journal/2022/03/zkasp-zkpbased-attestation-of-software-possession/final

Journal: Measurement Science and Technology
Abstract: Software-controlled measuring instruments used in commercial transactions, such as fuel dispensers and smart meters, are sometimes subject to “memory replacement” attacks. Cybercriminals replace the approved software by a malicious one that then tampers with measurement results, inflicting a financi...

Publications SP 800-204C (Final) March 8, 2022
https://csrc.nist.gov/pubs/sp/800/204/c/final

Abstract: Cloud-native applications have evolved into a standardized architecture consisting of multiple loosely coupled components called microservices (often typically implemented as containers) that are supported by an infrastructure for providing application services, such as service mesh. Both of these c...

Publications Other (Final) February 25, 2022
https://csrc.nist.gov/pubs/other/2022/02/25/coalition-and-threshold-hashbased-signatures/final

Abstract: We show how to construct a threshold version of stateful hash-based signature schemes like those defined in XMSS (defined in RFC8391) and LMS (defined in RFC8554). Our techniques assume a trusted dealer and secure point-to-point communications; are efficient in terms of communications and computatio...

Publications Other (Final) February 24, 2022
https://csrc.nist.gov/pubs/other/2022/02/24/getting-started-with-cybersecurity-risk-management/final

Abstract: With the threat of ransomware growing, this "quick start guide" will help organizations use the National Institute of Standards and Technology (NIST) "Ransomware Risk Management: A Cybersecurity Framework Profile" to combat ransomware. Like the broader NIST Cybersecurity Framework, which is widely u...

Publications IR 8374 (Final) February 23, 2022
https://csrc.nist.gov/pubs/ir/8374/final

Abstract: Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the publi...

Publications SP 1800-30 (Final) February 22, 2022
https://csrc.nist.gov/pubs/sp/1800/30/final

Abstract: Increasingly, healthcare delivery organizations (HDOs) are relying on telehealth and remote patient monitoring (RPM) capabilities to treat patients at home. RPM is convenient and cost-effective, and its adoption rate has increased. However, without adequate privacy and cybersecurity measures, unauth...

Publications IR 8286B (Final) February 10, 2022
https://csrc.nist.gov/pubs/ir/8286/b/final

Abstract: This document is the second in a series that supplements NIST Interagency/Internal Report (NISTIR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This series provides additional detail regarding the enterprise application of cybersecurity risk information; the previous documen...

Publications CSWP 23 (Final) February 4, 2022
https://csrc.nist.gov/pubs/cswp/23/recommended-criteria-cybersecurity-labeling-of-con/final

Abstract: Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” tasks the National Institute of Standards and Technology (NIST), in coordination with the Federal Trade Commission (FTC) and other agencies, to initiate pilot programs for cybersecurity labeling. These labeling programs are intended...

Publications CSWP 24 (Final) February 4, 2022
https://csrc.nist.gov/pubs/cswp/24/criteria-for-cybersecurity-labeling-for-consumer-i/final

Abstract: Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” tasks the National Institute of Standards and Technology (NIST), in coordination with the Federal Trade Commission (FTC) and other agencies, to initiate pilot programs for cybersecurity labeling. NIST is, among other actions, direct...

Publications Other (Final) February 4, 2022
https://csrc.nist.gov/pubs/other/2022/02/04/software-supply-chain-security-guidance-eo-14028-s/final

Abstract: Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, May 12, 2021, directs the National Institute of Standards and Technology (NIST) to publish guidance on practices for software supply chain security. This document starts by explaining NIST’s approach for addressing Section 4e. Next...

Publications SP 800-218 (Final) February 3, 2022
https://csrc.nist.gov/pubs/sp/800/218/final

Abstract: Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure that the software being developed is well-secured. This document recommends the Secure Software Development...

Publications SP 1800-32 (Final) February 2, 2022
https://csrc.nist.gov/pubs/sp/1800/32/final

Abstract: The Industrial Internet of Things (IIoT) refers to the application of instrumentation and connected sensors and other devices to machinery and vehicles in the transport, energy, and other critical infrastructure sectors. In the energy sector, distributed energy resources (DERs) such as solar photovo...

Publications SP 800-53A Rev. 5 (Final) January 25, 2022
https://csrc.nist.gov/pubs/sp/800/53/a/r5/final

Abstract: This publication provides a methodology and set of procedures for conducting assessments of security and privacy controls employed within systems and organizations within an effective risk management framework. The assessment procedures, executed at various phases of the system development life cycl...

Publications FIPS 201-3 (Final) January 24, 2022
https://csrc.nist.gov/pubs/fips/201-3/final

Abstract: This document establishes a standard for a Personal Identity Verification (PIV) system that meets the control and security objectives of Homeland Security Presidential Directive-12. It is based on secure and reliable forms of identity credentials issued by the Federal Government to its employees and...
