Abstract: Deployment architecture in cloud-native applications now consists of loosely coupled components, called microservices, with all application services provided through a dedicated infrastructure, called a service mesh, independent of the application code. Two critical security requirements in this arc...
Abstract: This document intends to provide direction and guidance to those organizations – in any sector or community – seeking to improve cybersecurity risk management via utilization of the NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework or the Framework). Cyberse...
Abstract: The NIST National Cybersecurity Center of Excellence (NCCoE) is initiating the development of practices to ease the migration from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to quantum computer-based attacks. These practices will take the form...
Conference: 7th Workshop on Security Information Workers (WSIW 2021) Abstract: Organizational security awareness programs are often underfunded and rely on part-time security awareness professionals who may lack sufficient background, skills, or resources necessary to manage an effective and engaging program. U.S. government organizations, in particular, face challenges due to...
Conference: Balisage: The Markup Conference 2021 Abstract: Client-side XSLT (Extensible Stylesheet Language Transformations) or CSX is often used in scenarios where data (in XML, Extensible Markup Language) from a remote server is provided to a user who processes it in some way, for example rendering it locally for display. That is, the server provides the...
Journal: Computer (IEEE Computer) Abstract: A Deep Neural Network (DNN) based system, such as the one used for autonomous vehicle operations, is a “black box” of complex interactions resulting in a classification or prediction. An important question for any such system is how to increase the reliability of, and consequently the trust in, the...
Abstract: The field of cryptography continues to advance at a very rapid pace, leading to new insights that may impact the security properties of cryptographic algorithms. The Crypto Publication Review Board ("the Board") has been established to identify publications to be reviewed. This report subjects the f...
Abstract: As part of a zero trust approach, data-centric security management aims to enhance protection of information (data) regardless of where the data resides or who it is shared with. Data-centric security management necessarily depends on organizations knowing what data they have, what its cha...
Abstract: The National Institute of Standards and Technology (NIST) initiated a public standardization process to select one or more Authenticated Encryption with Associated Data (AEAD) and hashing schemes suitable for constrained environments. In February 2019, 57 candidates were submitted to NIST for consid...
Abstract: An organization often has mission and business-based needs to exchange (share) information with one or more other internal or external organizations via various information exchange channels; however, it is recognized that the information being exchanged also requires the same or similar level of pr...
Conference: IFIP Annual Conference on Data and Applications Security and Privacy Abstract: Network attack is still a major security concern for organizations worldwide. Recently, researchers have started to apply neural networks to detect network attacks by leveraging network traffic data. However, public network data sets have major drawbacks such as limited data sample variations and un...
Journal: IEEE Security & Privacy Abstract: Cybersecurity advocates motivate individuals and organizations to adopt positive security behaviors. Based on our research, we describe qualities of successful advocates. Our findings have practical implications for expanding the cybersecurity workforce by recruiting and developing professionals who...
Conference: Human Computer Interaction International 2021 Abstract: Organizations use phishing training exercises to help employees defend against the phishing threats that get through automatic email filters, reducing potential compromise of information security and privacy for both the individual and their organization. These exercises use fake and realistic phish...
Abstract: The NIST NCCoE is initiating a project to demonstrate the value and practicality of automation support for the current Cryptographic Module Validation Program (CMVP). The outcome of the project is intended to be improvement in the efficiency and timeliness of CMVP operation and processes. This...
Journal: IEEE Security & Privacy Abstract: The Common Weakness Enumeration (CWE) community publishes an aggregate metric to calculate the 'Most Dangerous Software Errors.' However, the used equation highly biases frequency and almost ignores exploitability and impact. We provide a metric to mitigate this bias and discuss the most significant...
Abstract: Structural coverage criteria are widely used tools in software engineering, useful for measuring aspects of test execution thoroughness. However in many cases structural coverage may not be applicable, either because source code is not available, or because processing is based on neural networks or...
Abstract: In today’s cloud data centers and edge computing, attack surfaces have significantly increased, hacking has become industrialized, and most security control implementations are not coherent or consistent. The foundation of any data center or edge computing security strategy should be securing the pl...
Abstract: On-demand access to public safety data is critical to ensuring that public safety and first responder (PSFR) personnel can protect life and property during an emergency. The increasing use of cloud technologies can improve data access but also causes authentication challenges. The objective of this...
Conference: 2021 ANS Virtual Annual Meeting Abstract: The major challenge faced by the nuclear industry related to software testing of digital embedded devices is the identification of practical software (SW) testing solutions that provide a strong technical basis and are at the same time effective in establishing credible evidence of software CCF reduc...
Abstract: This report provides the public safety and first responder (PSFR) community with a basic primer on identity federation—a form of trust relationship and partnership involving the verification of a claimed identity. Identity federation technologies can help public safety organizations (PSOs) to share...
Conference: 2021 IEEE/ACM 6th International Workshop on Metamorphic Testing (MET) Abstract: Metamorphic testing has been shown to be useful in testing "non-testable" programs in many domains. Modeling & simulation is one such domain, where both verification and validation can be difficult due to lack of oracles. Although the definitions of verification and validation vary slightly in mo...
Abstract: Many public safety organizations (PSOs) are adopting mobile devices, such as smartphones and tablets, to enable field access to sensitive information for first responders. Most recent mobile devices support one or more forms of biometrics for authenticating users. This report examines how first resp...
Conference: 2021 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW) Abstract: Cross-Site scripting (XSS) is a common class of vulnerabilities in the domain of web applications. As it remains prevalent despite continued efforts by practitioners and researchers, site operators often seek to protect their assets using web application firewalls (WAFs). These systems employ filte...
Abstract: Enterprises use encryption—a cryptographic technique—to protect data transmission and storage. While encryption in transit protects data confidentiality and integrity, it also reduces the organization’s visibility into the data flowing through their systems. The NCCoE initiated a project to address...
Abstract: The goal of the Internet Engineering Task Force’s Manufacturer Usage Description (MUD) specification is for Internet of Things (IoT) devices to behave as the devices’ manufacturers intended. MUD provides a standard way for manufacturers to indicate the network communications that a device requires t...