This guide demonstrates how organizations can discover, identify and label unstructured data using data classification practices. The public comment period is open through March 30, 2026.
Abstract: This guide demonstrates how organizations can discover, identify and label unstructured data using data classification practices. Performing data classification practices allows an organization to know its data and apply technologies that minimize the risk of valuable or sensitive data being lost or...
Cybersecurity Supply Chain Risk Management (C-SCRM) involves identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of Information Communications Technology and Operational Technology (ICT/OT) product and service supply chains throughout the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction). Examples of risks include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing...
ABOUT: Cyber risk has become a topic of core strategic concern for business and government leaders worldwide and is an essential component of an enterprise risk management strategy. The Software and Supply Chain Assurance Forum (SSCA) provides a venue for government, industry, and academic participants from around the world to share their knowledge and expertise regarding software and supply chain risks, effective practices and mitigation strategies, tools and technologies, and any gaps related to the people, processes, or technologies involved. The effort is co-led by the National Institute...
Our team often writes articles or provides presentations that discuss and provide information about human-centered cybersecurity to various audiences, for example, cybersecurity practitioners or fellow researchers. We are co-hosting the Human-Centered Cybersecurity Series for the Redefining Cybersecurity Podcast (see General Human-Centered Cybersecurity -> Podcasts below). Currently, we are conducting a multi-phased research project to understand the interactions between human-centered cybersecurity researchers and practitioners. We hope the results will lead to the creation of mutually...
The National Institute of Standards and Technology (NIST) Human-Centered Cybersecurity program, which is part of the Visualization and Usability Group, seeks to "champion the human in cybersecurity" by conducting interdisciplinary research to better understand and improve people's interactions with cybersecurity systems, products, processes, and services.
The suite of NIST information security risk management standards and guidelines is not a "FISMA Compliance checklist." Federal agencies, contractors, and other sources that use or operate a federal information system use the suite of NIST Risk Management standards and guidelines to develop and implement a risk-based approach to manage information security risk. FISMA emphasizes the importance of risk management. Compliance with applicable laws, regulations, executive orders, directives, etc. is a byproduct of implementing a robust, risk-based information security program. The NIST Risk...
Recent Updates
August 27, 2025: In response to Executive Order 14306, NIST SP 800-53 Release 5.2.0 has been finalized and is now available on the Cybersecurity and Privacy Reference Tool. Release 5.2.0 includes changes to SP 800-53 and SP 800-53A; there are no changes to the baselines in SP 800-53B. A summary of the changes is available and replaces the "preview version" issued on August 22 (no longer available).
August 22, 2025: A preview of the updates to NIST SP 800-53 (Release 5.2.0) is available on the Public Comment Site. This preview will be available until NIST issues...
Questions and comments about Cybersecurity Supply Chain Risk Management (C-SCRM) are always welcome and can be directed to [email protected]. When a public comment period for a C-SCRM publication is open, contact information for providing feedback on it will be listed in the "Status" column of the table below. The following C-SCRM guidance documents are in progress:
Status of C-SCRM Guidance Publications in Progress
Title | Series & Number | Public Comment Period | Status
NICE Workforce Framework for Cybersecurity | N/A | CLOSED | Reviewing feedback...
Protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations is critical to federal agencies. The suite of guidance (NIST Special Publication (SP) 800-171, SP 800-171A, SP 800-172, and SP 800-172A) focuses on protecting the confidentiality of CUI and recommends specific security requirements to achieve that objective. Comments Received SP 800-171 Revision 3 (Final Public Draft) and SP 800-171A Revision 3 (Initial Public Draft) February 21, 2024: NIST issues summary and analysis of comments received in response to SP 800-171 Revision 3 (final public...
Protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations is critical to federal agencies. The suite of guidance (NIST Special Publication (SP) 800-171, SP 800-171A, SP 800-172, and SP 800-172A) focuses on protecting the confidentiality of CUI and recommends specific security requirements to achieve that objective. Recent Updates August 18, 2025: NIST has released a small business primer to supplement SP 800-171 Revision 3, to help smaller, under-resourced organizations better protect Controlled Unclassified Information (CUI). This resource...
The PEC project in the Cryptographic Technology Group (CTG), Computer Security Division (CSD), Information Technology Laboratory (ITL), at NIST accompanies the progress of emerging technologies in the area of privacy-enhancing cryptography (PEC). Recent events with available reference material: 2025-Sep-18: STPPA #8: Talks on PSI, ZKP, and Threshold BLS Signatures. [Slides] 2025-Jan-16: STPPA #7: Talks on Timelock Encryption, Witness Encryption, and Deniable Encryption. [Slides] 2024-Sep-24–26: WPEC 2024: NIST Workshop on Privacy-Enhancing Cryptography. [Slides] [Videos] The PEC...
November 1, 2022: NIST issues summary and analysis of responses to the CUI Series pre-draft call for comments. Comments received in response to the pre-draft call for comments on the CUI Series. Submitters' names and affiliations (when provided) will be included, while contact information will be removed.
Date Received | From
July 19, 2022 | Williams International
July 19, 2022 | Real IT Care
July 19, 2022 | RSM US LLP
July 19, 2022 | ePlus Technology, Inc
July 19, 2022 | Mercy Medical Center
July 20, 2022 | ESN...
The NIST OSCAL team is hosting a series of monthly mini workshops that aims to address topics of interest for our community and to open this forum for its members to present their OSCAL-related work. Unless specifically stated, the workshops will not require a deep, technical understanding of OSCAL, and the dialog is informal, allowing the community to interact with the presenters and with the OSCAL team members. Call for Proposals The NIST OSCAL Mini Workshop program committee is seeking timely, topical, and thought-provoking technical presentations or demonstrations highlighting OSCAL...
Recent Updates: January 22, 2026: A pre-draft call for comments on SP 800-82, Guide to Operational Technology (OT) Security, is open through February 23rd. See the full announcement for details. Operational technology (OT) encompasses a broad range of programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building automation...
The NIST National Cybersecurity Center of Excellence (NCCoE) has released a draft of NIST Interagency Report (IR) 8576, Transit Cybersecurity Framework (CSF) Community Profile, which is available for public comment through February 23, 2026.
NIST has initiated the process of revising NIST SP 800-82, Guide to Operational Technology (OT) Security, to incorporate lessons learned, align with relevant NIST guidance and OT cybersecurity standards and practices, and address changes in the OT threat landscape.
Abstract: This document is a Cybersecurity Framework (CSF) Community Profile developed to support United States-based transit agencies. This “Transit Profile” is aligned with transit sector priorities and best practices and can be used as a guide for prioritizing cybersecurity activities and outco...
Steven Lipner, Chairperson; Executive Director, SAFECode; term expires 5/30/2026
Edna Conway; CEO & Founder, EMC Advisors; term expires 1/19/2030
Dr. Brett Baker; Inspector General for the National Archives, U.S. National Archives and Records Administration; term expires 3/14/2026; resigned as member 2/18/2025
Anne Dames; Distinguished Engineer, International Business Machines (IBM); term expires 11/24/2028
Michael Duffy; Associate Director for Capacity Building, CISA Cybersecurity Division, Department of Homeland Security; term expires 3/13/2028
Jessica Fitzgerald-McKay; Co-Lead, Center for...