Search CSRC

Showing 1 through 25 of 1417 matching records.
Updates

IR 8500A ipd, Blockchain-Based Secure Software Assets Management (BloSS@M), Available for Public Comment

May 19, 2026
https://csrc.nist.gov/news/2026/nist-ir-8500a-ipd-available-for-public-comment

NIST Internal Report (IR) 8500A ipd (initial public draft), Blockchain-Based Secure Software Assets Management (BloSS@M), outlines a modernized conceptual approach for transforming how software assets are acquired, tracked, and secured across an interagency ecosystem.

Publications IR 8500A (Initial Public Draft)

Blockchain-Based Secure Software Assets Management (BloSS@M)

May 19, 2026
https://csrc.nist.gov/pubs/ir/8500/a/ipd

Abstract: The report proposes a conceptual aggregation model for software acquisitions. The proposed approach relies on the immutability and auditability of blockchain technology. The model also enables automated, dynamic queries to the National Vulnerability Database (NVD) to continuously identify newly disc...

Project Pages

Human-Centered Cybersecurity (General)

https://csrc.nist.gov/projects/human-centered-cybersecurity/research-areas/human-centered-cybersecurity-general

Our team often writes articles or provides presentations that discuss and provide information about human-centered cybersecurity to various audiences, for example, cybersecurity practitioners or fellow researchers. We are co-hosting the Human-Centered Cybersecurity Series for the Redefining Cybersecurity Podcast (see General Human-Centered Cybersecurity -> Podcasts below). Currently, we are conducting a multi-phased research project to understand the interactions between human-centered cybersecurity researchers and practitioners. We hope the results will lead to the creation of mutually...

Projects

Human-Centered Cybersecurity

https://csrc.nist.gov/projects/human-centered-cybersecurity

The National Institute of Standards and Technology (NIST) Human-Centered Cybersecurity program, which is part of the Human-Centered Technologies Group (formerly named Visualization and Usability Group), seeks to "champion the human in cybersecurity" by conducting interdisciplinary research to better understand and improve people’s interactions with cybersecurity systems, products, processes, and services. Research Areas

Project Pages

Membership

https://csrc.nist.gov/projects/ispab/members

FY 2026 ISPAB BOARD MEMBERS
Steven Lipner, Chairperson; Executive Director, SAFECode; Term Expires 5/30/2026
Edna Conway; CEO & Founder, EMC Advisors; Term Expires 1/19/2030
Anne Dames; Distinguished Engineer, International Business Machines (IBM); Term Expires 11/24/2028
Michael Duffy; Associate Director for Capacity Building, CISA Cybersecurity Division, Department of Homeland Security; Term Expires 3/13/2028
Jessica Fitzgerald-McKay; Co-Lead, Center for Cyber Security Standards (CCSS), National Security Agency; Term Expires 3/3/2027
Alex Gantman; Vice President, Security Engineering: Head of...

Projects

National Online Informative References Program

https://csrc.nist.gov/projects/olir

Mappings to NIST Documents The National Online Informative References (OLIR) Program is a NIST effort to facilitate subject matter experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their documents, products, and services and elements of NIST documents like the Cybersecurity Framework Version 1.1, Privacy Framework Version 1.0, NISTIR 8259A, or NIST SP 800-53 Revision 5. The NIST Internal Report (IR) 8278, R1 – National Online Informative References (OLIR) Program: Overview, Benefits, and Use focuses on explaining what OLIRs are, what benefits...

Projects

Protecting Controlled Unclassified Information

https://csrc.nist.gov/projects/protecting-controlled-unclassified-information

Protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations is critical to federal agencies. The suite of guidance (NIST Special Publication (SP) 800-171, SP 800-171A, SP 800-172, and SP 800-172A) focuses on protecting the confidentiality of CUI and recommends specific security requirements to achieve that objective. Recent Updates May 13, 2026: NIST issues SP 800-172r3, Enhanced Security Requirements for Protecting Controlled Unclassified Information, and SP 800-172Ar3, Assessing Enhanced Security Requirements for Controlled Unclassified...

Updates

NIST Releases SP 800-172r3 and SP 800-172Ar3: Enhanced Security Requirements and Assessment Procedures for Protecting CUI

May 13, 2026
https://csrc.nist.gov/news/2026/nist-releases-sp-800-172r3-and-sp-800-172ar3

As part of ongoing efforts to strengthen protections for securing controlled unclassified information (CUI) in nonfederal systems, NIST has released SP 800-172r3, Enhanced Security Requirements for Protecting Controlled Unclassified Information, and SP 800-172Ar3, Assessing Enhanced Security Requirements for Controlled Unclassified Information.

Updates

NIST Revises SP 800-70 | National Checklist Program for IT Products: Guidelines for Checklist Users and Developers

May 8, 2026
https://csrc.nist.gov/news/2026/final-nist-sp-800-70r5-is-available

The final version of NIST Special Publication (SP) 800-70r5 (Revision 5), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, is now available.

Project Pages

OSCAL Adopters' Monthly Workshops Series

https://csrc.nist.gov/projects/open-security-controls-assessment-language/oscal-adopters-workshops

The NIST OSCAL team is hosting a series of monthly mini workshops that aims to address topics of interest for our community and to open this forum for its members to present their OSCAL-related work. Unless specifically stated, the workshops will not require a deep, technical understanding of OSCAL, and the dialog is informal, allowing the community to interact with the presenters and with the OSCAL team members. Call for Proposals The NIST OSCAL Mini Workshop program committee is seeking timely, topical, and thought-provoking technical presentations or demonstrations highlighting OSCAL...

Updates

Draft Revision of the Foundational Positioning, Navigation, and Timing (PNT) Profile is Available for Comment

May 6, 2026
https://csrc.nist.gov/news/2026/nist-releases-nistir-8323-rev-2

The NIST NCCoE has released the draft NIST Internal Report (IR) 8323 Revision 2, "Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing (PNT)." The public comment period is open through July 6, 2026.

Publications IR 8323 Rev. 2 (Initial Public Draft)

Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services

May 6, 2026
https://csrc.nist.gov/pubs/ir/8323/r2/ipd

Abstract: The national and economic security of the United States (U.S.) is dependent upon the reliable operation and responsible use of Positioning, Navigation, and Timing (PNT) services. This document provides the Cybersecurity Framework (CSF) Version 2.0 Community Profile developed for supporting positioni...

Project Pages

Software and Supply Chain Assurance Forum

https://csrc.nist.gov/projects/cyber-supply-chain-risk-management/ssca

ABOUT: Cyber risk has become a topic of core strategic concern for business and government leaders worldwide and is an essential component of an enterprise risk management strategy. The Software and Supply Chain Assurance Forum (SSCA) provides a venue for government, industry, and academic participants from around the world to share their knowledge and expertise regarding software and supply chain risks, effective practices and mitigation strategies, tools and technologies, and any gaps related to the people, processes, or technologies involved. The effort is co-led by the National Institute...

Projects

Cybersecurity Supply Chain Risk Management

https://csrc.nist.gov/projects/cyber-supply-chain-risk-management

Cybersecurity Supply Chain Risk Management (C-SCRM) involves identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of Information Communications Technology and Operational Technology (ICT/OT) product and service supply chains throughout the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction). Examples of risks include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing...

Updates

Sharpening the Focus on Product Requirements and Cybersecurity Risks: Updated Foundational Activities for IoT Product Manufacturers

April 20, 2026
https://csrc.nist.gov/news/2026/foundational-cyber-activities-for-iot-prod-mfrs

NIST's Cybersecurity for IoT Program is releasing Revision 1 of NIST IR 8259, "Foundational Cybersecurity Activities for IoT Product Manufacturers."

Publications IR 8259 Rev. 1 (Final)

Foundational Cybersecurity Activities for IoT Product Manufacturers

April 20, 2026
https://csrc.nist.gov/pubs/ir/8259/r1/final

Abstract: Internet of Things (IoT) products often lack product cybersecurity capabilities their customers—organizations and individuals—can use to help mitigate their cybersecurity risks. Manufacturers can help their customers by improving the securability of their IoT products by providing necess...

Updates

Firmware-Based Monitoring for Bus-Based Computer Systems: NIST Publishes CSWP 52

April 15, 2026
https://csrc.nist.gov/news/2026/nist-publishes-cswp-52

NIST has published Cybersecurity White Paper (CSWP) 52, "Firmware-Based Monitoring for Bus-Based Computer Systems," introducing a low-cost, innovative approach to enhancing hardware security visibility.

Publications SP 1800-40 (Initial Public Draft)

Automation of the NIST Cryptographic Module Validation Program

April 15, 2026
https://csrc.nist.gov/pubs/sp/1800/40/ipd

Abstract: The Cryptographic Module Validation Program (CMVP) validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. Historically, t...

Updates

NIST Releases Latest Draft of "Small Business Cybersecurity: Non-Employer Firms"

April 14, 2026
https://csrc.nist.gov/news/2026/small-business-cybersecurity-non-employer-firms

NIST has released a new public draft of Small Business Cybersecurity: Non-Employer Firms. The public comment period is open through May 14, 2026.

Publications CSWP 50 (Initial Public Draft)

Small Business Cybersecurity: Non-Employer Firms

April 14, 2026
https://csrc.nist.gov/pubs/cswp/50/small-business-cybersecurity-non-employer-firms/ipd

Abstract: This report is designed to help small businesses use the NIST Cybersecurity Framework (CSF) 2.0 to manage their cybersecurity risks. The document is tailored to the smallest of businesses—those with no employees other than the owner, or “non-employer” firms as defined by the U...

Projects

Privacy-Enhancing Lightweight Distributed Ledger Technology

https://csrc.nist.gov/projects/privacy-enhancing-lw-distributed-ledger-technology

Privacy Enhancing Lightweight Distributed Ledger Technology When is blockchain a problem for privacy? Immutability can be a problem because private information stored in a blockchain cannot be deleted. Laws and regulations may require that users be allowed to remove private information at their request. Thus there is a need for redactable blockchain and redactable distributed ledger technology. When is blockchain a problem for security? Immutability can be a problem because security sensitive information stored in a blockchain cannot be deleted. Security policies may require deleting...

Projects

Space Domain Cybersecurity | NCCoE

https://csrc.nist.gov/projects/space-cybersecurity

[Redirect to: https://www.nccoe.nist.gov/cybersecurity-space-domain] Space is an emerging commercial critical infrastructure sector that is no longer the domain of only national government authorities. Space is an inherently risky environment in which to operate, so cybersecurity risks involving commercial space – including those affecting commercial satellite vehicles – need to be understood and managed alongside other types of risks to ensure safe and successful operations.
