Abstract: This document introduces the white paper series titled Applying 5G Cybersecurity and Privacy Capabilities. This series is being published by the National Cybersecurity Center of Excellence (NCCoE) 5G Cybersecurity project. Each paper in the series will include information, guidance, and research fin...
Focusing on federal agencies but also engaging with and providing resources useful to government at other levels as well as the private sector, NIST: Guidance on Software Supply Chain Security, under Executive Order 14028 Sections 4(c) and (d), focuses on the critical sub-discipline of Cybersecurity Supply Chain Risk Management (C-SCRM) from the lens of federal acquirers. It covers both existing and evolving standards, tools, and recommended practices. The guidance is co-located with related EO guidance under NIST’s purview and will be maintained online to more easily update guidance on...
NIST has released the initial public draft of Interagency Report (IR) 8532, Workshop on Enhancing Security of Devices and Components Across the Supply Chain. The comment period closes September 16, 2024.
NIST Special Publication (SP) 800-231, Bugs Framework (BF): Formalizing Cybersecurity Weaknesses and Vulnerabilities, is now available.
Abstract: The Bugs Framework (BF) is a classification of security bugs and related faults that features a formal language for the unambiguous specification of software and hardware security weaknesses and vulnerabilities. BF bugs models, multidimensional weakness and failure taxonomies, and vulnerability mode...
Abstract: This document summarizes the research performed by the NIST Cloud Computing Forensic Science Working Group and presents the NIST Cloud Computing Forensic Reference Architecture (CC FRA or FRA), whose goal is to provide support for a cloud system’s forensic readiness. The CC FRA helps users understan...
Abstract: This document augments the secure software development practices and tasks defined in Secure Software Development Framework (SSDF) version 1.1 by adding practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the softw...
The NIST Framework for Improving Critical Infrastructure Cybersecurity ("the Framework") released in February 2014 was published simultaneously with the companion Roadmap for Improving Critical Infrastructure Cybersecurity. The Roadmap identified Cyber Supply Chain Risk Management (Cyber SCRM) as an area for future focus. Since the release of the Framework and in support of the companion Roadmap, NIST has researched industry best practices in cyber supply chain risk management through engagement with industry leaders. In 2014 and 2015, NIST interviewed a diverse set of organizations and...
NIST regularly conducts and awards contracts, grants, or cooperative agreements to conduct research into cybersecurity supply chain risk management (C-SCRM) and related topics. The following are relevant research activities: Cyber Risk Analytics: A NIST and GSA-Sponsored grant from 2015-2017 examining the relationship between various risk management practices and publicly disclosed breaches. The Cyber Risk Predictive Analytics Project Cyber Risk Analytics Project Review Workshop (with video) Industry C-SCRM Best Practices: Ongoing work developing case studies exploring effective risk...
The Federal C-SCRM Forum fosters collaboration and the exchange of cybersecurity supply chain risk management (C-SCRM) information among federal organizations to improve the security of federal supply chains. Through periodic meetings and informal exchanges, the Forum offers all agencies that depend upon or guide C-SCRM an opportunity to discuss issues of interest with – and to inform – many of those leading C-SCRM efforts in the federal ecosystem, including the Office of Management and Budget (OMB), the Department of Defense (DOD), the Cybersecurity and Infrastructure Security Agency (CISA),...
Participation in the Forum, including events and online exchanges, is open to federal C-SCRM program managers or other federal personnel who have a dedicated and recurring responsibility for performing one or more C-SCRM functions. Federal contractors who provide direct C-SCRM programmatic support may also participate upon request by their federal sponsor and approval by the Forum co-hosts. The Forum may establish working groups or study groups and welcomes all suggestions to the co-hosts. NIST is hosting the Forum as part of its mandate under the SECURE Technology Act and the Federal...
See full details on our NIICS home page.
NIST will host the Workshop on Formal Methods within Certification Programs (FMCP 2024) on July 23-25, 2024, at the National Cybersecurity Center of Excellence in Rockville, Maryland. The goal of the workshop is to explore the use of formal methods within certification programs for cryptographic modules such as FIPS 140-3. Topics for discussion include: Software formal methods of different families: model checking, interactive proof, use of SMT and SAT solvers, static analysis How formal methods can fit within existing validation programs and...
Abstract: For organizations of all sizes, managing risk (including information security and privacy risk) is critical for organizational resilience. This guide is designed to help small, under-resourced entities understand the value and core components of the NIST Risk Management Framework (RMF) and provide...
Conference: 38th International IFIP Conference on Data and Application Security and Privacy (DBSEC 2024) Abstract: In the dynamic landscape of cybersecurity, curated knowledge plays a pivotal role in empowering security analysts to respond effectively to cyber threats. Cyber Threat Intelligence (CTI) reports offer valuable insights into adversary behavior, but their length, complexity, and inconsistent structure...
July 18, 2024 Defense Acquisition University https://www.ndu.edu
September 11, 2024 14th Annual ISSA-COS Peak Cyber Symposium https://www.peakcyberco.com
October 16, 2024 Virginia Tech National Cybersecurity Awareness Month Event https://www.vt.edu
Blogs… Cybersecurity Risk Management: Choosing the Right Approach to Get the Job Done, June 2023. Taking Measure Rethinking Cybersecurity from the Inside Out, R. Ross, November 2016.
Bulletins… ITL Bulletin Rethinking Security through Systems Security Engineering, R. Ross, L. Feldman, G. Witte, December 2016.
Videos… The Need for Systems Thinking in Cybersecurity, R. Ross, October 2021.
NIST hosted a workshop on the development of a new block cipher mode of operation on June 20–21, 2024, at the National Cybersecurity Center of Excellence in Rockville, Maryland. NIST IR 8537, NIST Workshop on the Requirements for an Accordion Cipher Mode 2024 - Workshop Report, summarizes the participant feedback, key takeaways, and future directions discussed during the event. Important Dates Workshop: June 20-21, 2024 Submission deadline: May 1, 2024 Notification date: May 10, 2024 Last day to reserve hotel...
Abstract: This Technical Note describes the product-agnostic remote access security architectures and the example solutions the NIST National Cybersecurity Center of Excellence (NCCoE) plans to demonstrate as part of the Cybersecurity for the Water and Wastewater Sector: A Practical Reference Design for Mitig...
Celia Paulsen, Head of Data and Product Security for the CHIPS Program Office will provide an overview of CHIPS efforts.
Type: Presentation
Amy Mahn, International Policy Specialist in the NIST Applied Cybersecurity Division and lead for international engagement for Cybersecurity Framework (CSF) 2.0 will be providing an overview of CSF 2.0, key updates and changes, and international activities.
Type: Presentation