Search CSRC

Automation of the NIST Cryptographic Module Validation Program: September 2024 Status Report

Abstract: The Cryptographic Module Validation Program (CMVP) validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. The NIST National Cybersecurit...

NIST Releases the C-SCRM Due Diligence Assessment Quick-Start Guide for Public Comment

The Initial Public Draft for SP 1326, NIST Cybersecurity Supply Chain Risk Management: Due Diligence Assessment Quick-Start Guide; is available for public comment. The public comment period is open through December 16, 2024.

NIST Cybersecurity Supply Chain Risk Management: Due Diligence Assessment Quick-Start Guide

Abstract: Due diligence research is the minimum amount of understanding that an acquirer should have on a supplier and should be done with most of the acquiring organization’s suppliers, regardless of criticality. This Quick-Start Guide provides cybersecurity supply chain risk management (C-SCRM) program capa...

CPLP

Cybersecurity and Privacy Learning Program

role-based training

significant cybersecurity or privacy responsibilities

Cybersecurity and/or Privacy Learning Program manager

NIST Cybersecurity Framework 2.0: Quick-Start Guide for Cybersecurity Supply Chain Risk Management (C-SCRM)

Abstract: Use the CSF to Improve Your C-SCRM Processes. The CSF can help an organization become a smart acquirer and supplier of technology products and services. This guide focuses on two ways the CSF can help you: 1) Use the CSF’s GV.SC Category to establish and operate a C-SCRM capability. 2) Define and co...

NIST Cybersecurity Framework 2.0: Quick-Start Guide for Using the CSF Tiers

Abstract: This Quick-Start Guide describes how to apply the CSF 2.0 Tiers. CSF Tiers can be applied to CSF Organizational Profiles to characterize the rigor of an organization’s cybersecurity risk governance and management outcomes. This can help provide context on how an organization views cybersecurity risk...

NIST Cybersecurity Framework 2.0: Enterprise Risk Management Quick-Start Guide

Abstract: This guide provides an introduction to using the NIST Cybersecurity Framework (CSF) 2.0 for planning and integrating an enterprise-wide process for integrating cybersecurity risk management information, as a subset of information and communications technology risk management, into enterprise risk ma...

NIST Cybersecurity White Paper (CSWP) 36B Using Hardware-Enabled Security to Ensure 5G System Platform Integrity - Applying 5G Cybersecurity and Privacy Capabilities White Paper Series Available for Comment

NIST Cybersecurity White Paper (CSWP) 36B Using Hardware-Enabled Security to Ensure 5G System Platform Integrity - Applying 5G Cybersecurity and Privacy Capabilities White Paper Series is available for public comment. The deadline to submit comments to this draft document is October 30, 2024.

Using Hardware-Enabled Security to Ensure 5G System Platform Integrity: Applying 5G Cybersecurity and Privacy Capabilities

Abstract: This white paper provides an overview of employing hardware-enabled1 security capabilities to provision, measure, attest to, and enforce the integrity of the compute platform to foster trust in a 5G system’s server infrastructure. This white paper is part of a series called Applying 5G Cybersecurity...

NIST Releases CSWP 31, Proxy Validation and Verification for Critical AI Systems: A Proxy Design Process

NIST Cybersecurity White Paper (CSWP) 31, Proxy Validation and Verification for Critical AI Systems: A Proxy Design Process has been published.

RMF Online Introductory Courses

The purpose of these courses is to provide those new to risk management with an introduction to key publications associated with the NIST Risk Management Framework (RMF) methodology for managing cybersecurity and privacy risk. The RMF Online Introductory Courses are developed by NIST and available on-demand, and free of charge. Please refer first to the FAQ below for questions about course logistics, topics and content, initial troubleshooting of issues, and certificate of completion and course credit before reaching out to the team with questions. Select a course below to learn...

BlackBerry’s 2024 State of Software Supply Chain Security Research Report

Type: Presentation

ICT-SCRM Control Overlay: A Threat Based Approach

Type: Presentation

Operational Technology Security

Recent Updates: September 28, 2023: NIST Special Publication 800-82 Revision 3, Guide to Operational Technology (OT) Security, is now available. Operational technology (OT) encompasses a broad range of programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building automation systems, transportation systems, physical access...

Building a Cybersecurity and Privacy Learning Program: NIST Publishes SP 800-50r1

NIST Special Publication (SP) 800-50r1 (Revision 1), Building a Cybersecurity and Privacy Learning Program.

Building a Cybersecurity and Privacy Learning Program

Abstract: This publication provides guidance for federal agencies and organizations to develop and manage a life cycle approach to building a Cybersecurity and Privacy Learning Program (CPLP). The approach is intended to address the needs of large and small organizations as well as those building an entirely...

NIST Cybersecurity for IoT Program Publishes NIST IR 8425A, Recommended Cybersecurity Requirements for Consumer-Grade Router Products

The NIST Cybersecurity for IoT Program is proud to announce the release of NIST IR 8425A.

Recommended Cybersecurity Requirements for Consumer-Grade Router Products

Abstract: Ensuring the security of routers is crucial for safeguarding not only individuals’ data but also the integrity and availability of entire networks. With the increasing prevalence of smart home Internet of Things (IoT) devices and remote work setups, the significance of consumer-grade router cybersec...

Forum Meeting - August 27, 2024

The Federal Cybersecurity and Privacy Professionals Forum is an informal group sponsored by the National Institute of Standards and Technology (NIST) to promote the sharing of system security and privacy information among federal, state, and local government, and higher education employees. The Forum maintains an extensive e-mail list and holds quarterly meetings to discuss current issues and items of interest to those responsible for protecting non-national security systems. For more information about the Forum and instructions on how to join, see: https://csrc.nist.gov/Projects/forum....

Applying 5G Cybersecurity and Privacy Capabilities | New White Paper Series

The NCCoE is launching a new series of papers on 5G cybersecurity and privacy that will provide recommended practices and illustrate how to implement them. All of the featured capabilities have been implemented in the NCCoE testbed on commercial-grade 5G equipment. The first two drafts in this series are open for public comment through September 16, 2024.

Protecting Subscriber Identifiers with Subscription Concealed Identifier (SUCI): Applying 5G Cybersecurity and Privacy Capabilities

Abstract: This white paper describes enabling Subscription Concealed Identifier (SUCI) protection, an optional 5G capability which provides important security and privacy protections for subscriber identifiers. 5G network operators are encouraged to enable SUCI on their 5G networks and subscriber SIMs and to...