Showing 1 through 25 of 1412 matching records.
Updates

Firmware-Based Monitoring for Bus-Based Computer Systems: NIST Publishes CSWP 52

April 15, 2026
https://csrc.nist.gov/news/2026/nist-publishes-cswp-52

NIST has published Cybersecurity White Paper (CSWP) 52, "Firmware-Based Monitoring for Bus-Based Computer Systems," introducing a low-cost, innovative approach to enhancing hardware security visibility.

Publications SP 1800-40 (Initial Public Draft)

Automation of the NIST Cryptographic Module Validation Program

April 15, 2026
https://csrc.nist.gov/pubs/sp/1800/40/ipd

Abstract: The Cryptographic Module Validation Program (CMVP) validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. Historically, t...

Updates

NIST Releases Latest Draft of "Small Business Cybersecurity: Non-Employer Firms"

April 14, 2026
https://csrc.nist.gov/news/2026/small-business-cybersecurity-non-employer-firms

NIST has released a new public draft of Small Business Cybersecurity: Non-Employer Firms. The public comment period is open through May 14, 2026.

Publications CSWP 50 (Initial Public Draft)

Small Business Cybersecurity: Non-Employer Firms

April 14, 2026
https://csrc.nist.gov/pubs/cswp/50/small-business-cybersecurity-non-employer-firms/ipd

Abstract: This report is designed to help small businesses use the NIST Cybersecurity Framework (CSF) 2.0 to manage their cybersecurity risks. The document is tailored to the smallest of businesses—those with no employees other than the owner, or “non-employer” firms as defined by the U...

Projects

Privacy-Enhancing Lightweight Distributed Ledger Technology

https://csrc.nist.gov/projects/privacy-enhancing-lw-distributed-ledger-technology

When is blockchain a problem for privacy? Immutability can be a problem because private information stored in a blockchain cannot be deleted. Laws and regulations may require that users be allowed to remove private information at their request. Thus there is a need for redactable blockchain and redactable distributed ledger technology. When is blockchain a problem for security? Immutability can be a problem because security sensitive information stored in a blockchain cannot be deleted. Security policies may require deleting...

Projects

Space Domain Cybersecurity | NCCoE

https://csrc.nist.gov/projects/space-cybersecurity

[Redirect to: https://www.nccoe.nist.gov/cybersecurity-space-domain] Space is an emerging commercial critical infrastructure sector that is no longer the domain of only national government authorities. Space is an inherently risky environment in which to operate, so cybersecurity risks involving commercial space – including those affecting commercial satellite vehicles – need to be understood and managed alongside other types of risks to ensure safe and successful operations.

Projects

Software Identification (SWID) Tagging

https://csrc.nist.gov/projects/software-identification-swid

Software is vital to our economy and way of life as part of the critical infrastructure for the modern world. Too often cost and complexity make it difficult to manage software effectively, leaving the software open for attack. To properly manage software, enterprises need to maintain accurate software inventories of their managed devices in support of higher-level business, information technology, and cybersecurity functions. Accurate software inventories help an enterprise to: Manage compliance with software license agreements. Knowing what software is installed and used can help an...

Projects

Security Content Automation Protocol Validation Program

https://csrc.nist.gov/projects/scap-validation-program

End-of-Life Announcement: NIST SCAP Validation Program. The National Institute of Standards and Technology (NIST) announces the phased conclusion of the Security Content Automation Protocol (SCAP) Validation Program. Since its inception in 2009, the SCAP Validation Program has played a crucial role in advancing standardized security automation and vulnerability management. Managed through the National Voluntary Laboratory Accreditation Program (NVLAP), the program enabled independent laboratories to test and validate products against SCAP standards, helping organizations worldwide...

Projects

Secure Software Development Framework

https://csrc.nist.gov/projects/ssdf

NIST has finalized SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile. This publication augments SP 800-218 by adding practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle. NIST has recently added a Community Profiles section to this page. It will contain links to SSDF Community Profiles developed by NIST and by third parties. Contact us at [email protected] if you have a published SSDF Community...

Projects

Operational Technology Security

https://csrc.nist.gov/projects/operational-technology-security

Recent Updates: January 22, 2026: A pre-draft call for comments on SP 800-82, Guide to Operational Technology (OT) Security, is open through February 23rd. See the full announcement for details. Operational technology (OT) encompasses a broad range of programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building automation...

Projects

FISSEA - Federal Information Security Educators

https://csrc.nist.gov/projects/fissea

[Redirect to https://www.nist.gov/itl/applied-cybersecurity/fissea] FISSEA, founded in 1987, is an organization run by and for Federal government information security professionals to assist Federal agencies in strengthening their employee cybersecurity awareness and training programs. FISSEA conducts an annual fee-based conference.

Projects

Hardware Security

https://csrc.nist.gov/projects/hardware-security

Semiconductor-based hardware is the foundation of modern-day electronics. Electronics are ubiquitous in our daily lives: from smartphones, computers, and telecommunication to transportation and critical infrastructure like power grids and waterways. The semiconductor hardware supply chain is a complex network consisting of many companies that collectively provide intellectual property, create designs, provide raw materials, and manufacture, test, package, and distribute products. Coordination among these companies is...

Projects

National Online Informative References Program

https://csrc.nist.gov/projects/olir

Mappings to NIST Documents The National Online Informative References (OLIR) Program is a NIST effort to facilitate subject matter experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their documents, products, and services and elements of NIST documents like the Cybersecurity Framework Version 1.1, Privacy Framework Version 1.0, NISTIR 8259A, or NIST SP 800-53 Revision 5. The NIST Internal Report (IR) 8278, R1 – National Online Informative References (OLIR) Program: Overview, Benefits, and Use focuses on explaining what OLIRs are, what benefits...

Project Pages

Phishing

https://csrc.nist.gov/projects/human-centered-cybersecurity/research-areas/phishing

Short URL: https://csrc.nist.gov/phishing Phishing continues to be an escalating cyber threat facing organizations of all types and sizes, including industry, academia, and government. Our team performs research to understand phishing within an operational (real-world) context by examining user behaviors during phishing awareness training exercises. Our projects provide insights into users’ rationale and role in early detection, and how these might be scaffolded with technological solutions. Recent efforts have focused on the NIST Phish Scale, a method for rating the human detection...

Projects

Human-Centered Cybersecurity

https://csrc.nist.gov/projects/human-centered-cybersecurity

The National Institute of Standards and Technology (NIST) Human-Centered Cybersecurity program, which is part of the Human-Centered Technologies Group (formerly named Visualization and Usability Group), seeks to "champion the human in cybersecurity" by conducting interdisciplinary research to better understand and improve people’s interactions with cybersecurity systems, products, processes, and services.

Project Pages

Cybersecurity Adoption, Awareness, & Training

https://csrc.nist.gov/projects/human-centered-cybersecurity/research-areas/cybersecurity-adoption

People and organizations often fail to adopt and effectively use cybersecurity best practices and technologies for a variety of reasons, including lack of knowledge/skills. Those professionals tasked with educating others may likewise face a number of challenges, including lack of resources, support, and skills needed to be effective security communicators. We conduct research to better understand the approaches and challenges with cybersecurity awareness and role-based training through the eyes of training professionals within the U.S. government. In the recent past, we also explored...

Project Pages

About

https://csrc.nist.gov/projects/human-centered-cybersecurity/about

Our Goal: The Human-Centered Cybersecurity program within the NIST Human-Centered Technologies Group provides research evidence and guidance to policymakers, system engineers, organizational decision makers, and cybersecurity professionals so that they can make better decisions that consider the human element, thereby advancing cybersecurity adoption and empowering people to be active, informed partners in cybersecurity. Ideally, this guidance should: have a basis in real empirical data; create solutions that are secure in practice, not just in theory; take stakeholders' needs and behaviors...

Project Pages

Internet of Things

https://csrc.nist.gov/projects/human-centered-cybersecurity/research-areas/internet-of-things

Internet of Things (IoT) technology is becoming more pervasive in the home environment. These technologies are increasingly used by non-technical users who have little understanding of the technologies or awareness of the security and privacy implications of use. We conduct research to help improve consumers' security and privacy experiences and outcomes when using IoT, with a specific focus on smart home devices. Publications IoT Cybersecurity Labels Papers Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products - National Institute of...

Projects

Multi-Cloud Security Public Working Group

https://csrc.nist.gov/projects/mcspwg

Cloud computing has become the core accelerator of the US Government's digital business transformation. NIST is establishing a Multi-Cloud Security Public Working Group (MCSPWG) to research best practices for securing complex cloud solutions involving multiple service providers and multiple clouds. The White House Executive Order on Improving the Nation's Cybersecurity highlights that “the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life” by focusing “the full scope of its authorities...

Projects

Cybersecurity Supply Chain Risk Management

https://csrc.nist.gov/projects/cyber-supply-chain-risk-management

Cybersecurity Supply Chain Risk Management (C-SCRM) involves identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of Information Communications Technology and Operational Technology (ICT/OT) product and service supply chains throughout the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction). Examples of risks include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing...

Project Pages

Software and Supply Chain Assurance Forum

https://csrc.nist.gov/projects/cyber-supply-chain-risk-management/ssca

ABOUT: Cyber risk has become a topic of core strategic concern for business and government leaders worldwide and is an essential component of an enterprise risk management strategy. The Software and Supply Chain Assurance Forum (SSCA) provides a venue for government, industry, and academic participants from around the world to share their knowledge and expertise regarding software and supply chain risks, effective practices and mitigation strategies, tools and technologies, and any gaps related to the people, processes, or technologies involved. The effort is co-led by the National Institute...

Publications Other (Initial Preliminary Draft)

Secure Software Development, Security, and Operations (DevSecOps) Practices

March 24, 2026
https://csrc.nist.gov/pubs/other/2026/03/24/devsecops-practices/iprd

Abstract: Today’s software applications are typically constructed by combining a diverse range of elements, including components, frameworks, libraries, and tools. Rather than building everything from the ground up, developers often leverage a mix of internally developed and externally sourced component...

Updates

NIST Releases Two New CSF 2.0 Quick-Start Guides

March 23, 2026
https://csrc.nist.gov/news/2026/two-new-csf-2-0-quick-start-guides

The final release of NIST Special Publication 1308, "NIST CSF 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management QSG," is now available. Also, NIST requests public comments on SP 1347, "CSF 2.0 Informative References Quick-Start Guide." The public comment period ends
