Events
July 23, 2024 - July 25, 2024
https://csrc.nist.gov/events/2024/nist-workshop-on-fmcp-2024
Full Workshop and Registration Details NIST will host the Workshop on Formal Methods within Certification Programs (FMCP 2024) on July 23-25, 2024, at the National Cybersecurity Center of Excellence in Rockville, Maryland. The goal of the workshop is to explore the use of formal methods within certification programs for cryptographic modules such as FIPS 140-3. Topics for discussion include: Software formal methods of different families: model checking, interactive proof, use of SMT and SAT solvers, static analysis How formal methods can fit within existing validation programs and...
Events
June 20, 2024 - June 21, 2024
https://csrc.nist.gov/events/2024/accordion-cipher-mode-workshop-2024
REGISTER! Registration will close June 13, 2024. NIST will host a workshop on the development of a new block cipher mode of operation on June 20–21, 2024, at the National Cybersecurity Center of Excellence in Rockville, Maryland. Important Dates Workshop: June 20-21, 2024 Submission deadline: May 1, 2024 Notification date: May 17, 2024 Last day to reserve hotel room: May 29, 2024 Registration deadline: June 13, 2024 NIST plans to develop a new mode of the AES that is a tweakable, variable-input-length-strong pseudorandom permutation (VIL-SPRP) with a reduction proof to...
Events
May 21, 2024 - May 21, 2024
https://csrc.nist.gov/events/2024/federal-cybersecurity-privacy-professionals-forum
The Federal Cybersecurity and Privacy Professionals Forum is an informal group sponsored by the National Institute of Standards and Technology (NIST) to promote the sharing of system security and privacy information among federal, state, and local government, and higher education employees. The Forum maintains an extensive e-mail list and holds quarterly meetings to discuss current issues and items of interest to those responsible for protecting non-national security systems. For more information about the Forum and instructions on how to join, see: https://csrc.nist.gov/Projects/forum. View...
Project Pages
https://csrc.nist.gov/projects/mcspwg/leadership
Credits: Ned Goren NED GOREN IT Specialist ITL/CSD/SSA NIST Ned Goren is a security researcher and a member of the Secure System and Applications Group at NIST. Prior to joining NIST, he served as a control assessor and an Information Systems Security Officer (ISSO) at the U.S. Census Bureau. Ned also served as a control assessor and an ISSO at NIST. Credits: Brian Ruf BRIAN RUF Director of Cybersecurity Easy Dynamics Mr. Brian Ruf contributed substantially to NIST’s planning and creation of OSCAL,...
Projects
https://csrc.nist.gov/projects/mcspwg
Cloud computing has become the core accelerator of the US Government's digital business transformation. NIST is establishing a Multi-Cloud Security Public Working Group (MCSPWG) to research best practices for securing complex cloud solutions involving multiple service providers and multiple clouds. The White House Executive Order on Improving the Nation's Cybersecurity highlights that “the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life” by focusing “the full scope of its authorities...
Project Pages
https://csrc.nist.gov/projects/ispab/documentation
ISPAB Charter for 2024-2026. ISPAB Annual Report for Fiscal Year 2023 ISPAB Annual Report for Fiscal Year 2022 ISPAB Annual Report for Fiscal Year 2021 ISPAB Annual Report for Fiscal Year 2020 ISPAB Annual Report for Fiscal Year 2019 Annual reports for 1995 - 2018 are found on the GSA web page at: Federal Advisory Committee Act (FACA) . When you reach the site, please select “The Annual Report of the President on Federal Advisory Committees – 1972-1998.” (http://www.facadatabase.gov/rpt/printedannualreports.asp) To view reports and information, please select “SEARCH” the third tab...
Projects
https://csrc.nist.gov/projects/ssdf
NIST has released the first-ever SSDF Community Profile for public comment! SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile, augments SP 800-218 by adding practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle. The Profile supports Executive Order (EO) 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. Submit your comments on SP 800-218A by June 1, 2024. To...
Publications
SP 800-218A (Initial Public Draft)
April 29, 2024
https://csrc.nist.gov/pubs/sp/800/218/a/ipd
Abstract: This document augments the secure software development practices and tasks defined in Secure Software Development Framework (SSDF) version 1.1 by adding practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the softw...
Project Pages
https://csrc.nist.gov/projects/software-identification-swid/guidelines
Completed Specifications and Guidelines The SWID Tag format, defined by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standard ISO/IEC 19770-2, is a structured metadata format for describing a software product. NIST recommends use of the latest version of this standard, ISO/IEC 19770-2:2015. A SWID Tag document is composed of a structured set of data elements that identify the software product, characterize the product's version, identify the organizations and individuals that had a role in the production and distribution of...
Projects
https://csrc.nist.gov/projects/software-identification-swid
Software is vital to our economy and way of life as part of the critical infrastructure for the modern world. Too often cost and complexity make it difficult to manage software effectively, leaving the software open for attack. To properly manage software, enterprises need to maintain accurate software inventories of their managed devices in support of higher-level business, information technology, and cybersecurity functions. Accurate software inventories help an enterprise to: Manage compliance with software license agreements. Knowing what software is installed and used can help an...
Projects
https://csrc.nist.gov/projects/forum
The Federal Cybersecurity and Privacy Professionals Forum is an informal group sponsored by the National Institute of Standards and Technology (NIST) to promote the sharing of cybersecurity and privacy knowledge, best practices, and resources among U.S. federal, state, and local government, and higher education organizations. The Federal Cybersecurity and Privacy Professionals Forum ("the Forum") maintains an extensive email list, and holds quarterly meetings - including an annual 2-day conference - to discuss current issues and items of interest to those responsible for protecting...
Project Pages
https://csrc.nist.gov/projects/human-centered-cybersecurity/research-areas/phishing
Phishing continues to be an escalating cyber threat facing organizations of all types and sizes, including industry, academia, and government. Our team performs research to understand phishing within an operational (real-world) context by examining user behaviors during phishing awareness training exercises. Our projects provide insights into users’ rationale and role in early detection, and how these might be scaffolded with technological solutions. Recent efforts have focused on the NIST Phish Scale, a method for rating the human detection difficulty of phishing emails considering both the...
Projects
https://csrc.nist.gov/projects/human-centered-cybersecurity
The National Institute of Standards and Technology (NIST) Human-Centered Cybersecurity program seeks to "champion the human in cybersecurity" by conducting interdisciplinary research to better understand and improve people’s interactions with cybersecurity systems, products, processes, and services. Research Areas
Project Pages
https://csrc.nist.gov/projects/open-security-controls-assessment-language/oscal-adopters-workshops
The NIST OSCAL team is hosting a series of monthly mini workshops that aims to address topics of interest for our community and to open this forum for its members to present their OSCAL-related work. Unless specifically stated, the workshops will not require a deep, technical understanding of OSCAL, and the dialog is informal, allowing the community to interact with the presenters and with the OSCAL team members. Call for Proposals The NIST OSCAL Mini Workshop program committee is seeking timely, topical, and thought-provoking technical presentations or demonstrations highlighting OSCAL...
Publications
IR 8425A (Initial Public Draft)
April 17, 2024
https://csrc.nist.gov/pubs/ir/8425/a/ipd
Abstract: Ensuring the security of routers is crucial for safeguarding not only individuals’ data but also the integrity and availability of entire networks. With the increasing prevalence of smart home IoT devices and remote work setups, the significance of consumer-grade router cybersecurity has expanded, a...
Projects
https://csrc.nist.gov/projects/olir
Mappings to NIST Documents The National Online Informative References (OLIR) Program is a NIST effort to facilitate subject matter experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their documents, products, and services and elements of NIST documents like the Cybersecurity Framework Version 1.1, Privacy Framework Version 1.0, NISTIR 8259A, or NIST SP 800-53 Revision 5. The NIST Interagency or Internal Report (IR) 8278 - National Online Informative References (OLIR) Program: Program Overview and OLIR Uses focuses on explaining what OLIRs are,...
Projects
https://csrc.nist.gov/projects/cybersecurity-risk-analytics
Every organization wants maximum effect and value for its finite cybersecurity-related investments, including managing risk to the enterprise and optimizing the potential reward of cybersecurity policies, programs, and actions. Organizations frequently make decisions by comparing projected costs with potential benefits and risk reduction scenarios. Senior executives need accurate and quantitative methods to portray and assess these factors, their effectiveness and efficiency, and their effect on risk exposure. Providing reliable answers to these questions requires organizations to employ a...
Project Pages
https://csrc.nist.gov/projects/risk-management/rmf-courses
The purpose of these courses is to provide those new to risk management with an introduction to key publications associated with the NIST Risk Management Framework (RMF) methodology for managing cybersecurity and privacy risk. The RMF Online Introductory Courses are developed by NIST and available on-demand, and free of charge. Please refer first to the FAQ below for questions about course logistics, topics and content, initial troubleshooting of issues, and certificate of completion and course credit before reaching out to the team with questions. Select a course below to learn more...
Project Pages
https://csrc.nist.gov/projects/risk-management/sp800-53-controls/public-comments-home/faq
General Questions and Background What is the purpose of the SP 800-53 Public Comment Website? NIST believes that robust, widely understood, and participatory development processes produce the strongest, most effective, most trusted, and broadly accepted standards and guidelines. The following principles guide NIST's standards and guidelines development: Transparency: All interested and affected parties have access to essential information regarding standards and guidelines-related activities throughout the development process. Openness: Participation is open to all interested...
Projects
https://csrc.nist.gov/projects/risk-management
Recent Updates April 10, 2024: NIST releases introductory courses for SP 800-53, SP 800-53A, and SP 800-53B. Each 45-60 minute course provides a high-level overview of the SP 800-53 controls, SP 800-53A assessment procedures, and SP 800-53B control baselines. January 31, 2024: NIST seeks to update and improve the guidance in SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. Specifically, NIST seeks feedback on its current use, proposed updates in the Revision 2 initial working draft and information types taxonomy, and opportunities for...
Projects
https://csrc.nist.gov/projects/attribute-based-access-control
The concept of Attribute Based Access Control (ABAC) has existed for many years. It represents a point on the spectrum of logical access control from simple access control lists to more capable role-based access, and finally to a highly flexible method for providing access based on the evaluation of attributes. In November 2009, the Federal Chief Information Officers Council (Federal CIO Council) published the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Plan v1.0, which provided guidance to federal organizations to evolve their logical access control...
Projects
https://csrc.nist.gov/projects/incident-response
NIST has released a new draft of Special Publication (SP) 800-61 Revision 3 for public comment! Your comments on Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile are welcome through May 20, 2024. NIST SP 800-61 Revision 3 seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0. Doing so can help organizations prepare for incident responses, reduce...
