Publications
IR 8587 (Initial Public Draft)
December 22, 2025
https://csrc.nist.gov/pubs/ir/8587/ipd
Abstract: This report provides implementation guidance to help federal agencies and cloud service providers (CSPs) protect identity tokens and assertions from forgery, theft, and misuse. Building on updates to NIST SP 800-53 (Release 5.1.1), it outlines principles for CSPs and consuming agencies, details arch...
Projects
https://csrc.nist.gov/projects/scap-validation-program
End-of-Life Announcement: NIST SCAP Validation Program The National Institute of Standards and Technology (NIST) announces the phased conclusion of the Security Content Automation Protocol (SCAP) Validation Program. Since its inception in 2009, the SCAP Validation Program has played a crucial role in advancing standardized security automation and vulnerability management. Managed through the National Voluntary Laboratory Accreditation Program (NVLAP), the program enabled independent laboratories to test and validate products against SCAP standards, helping organizations worldwide...
Publications
IR 8286 Rev. 1 (Final)
December 18, 2025
https://csrc.nist.gov/pubs/ir/8286/r1/final
Abstract: The increasing frequency, creativity, and severity of cybersecurity attacks means that all enterprises should ensure that cybersecurity risk is receiving appropriate attention within their enterprise risk management (ERM) programs. This document is intended to help individual organizations within an...
Publications
IR 8286C Rev. 1 (Final)
December 18, 2025
https://csrc.nist.gov/pubs/ir/8286/c/r1/final
Abstract: This document is the third in a series that supplements NIST Interagency Report (IR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This series provides additional details regarding enterprise application of cybersecurity risk information; the previous documents, IRs 8286A and...
Publications
IR 8286A Rev. 1 (Final)
December 18, 2025
https://csrc.nist.gov/pubs/ir/8286/a/r1/final
Abstract: This document supplements NIST Interagency Report (IR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), by providing additional detail regarding risk guidance, identification, and analysis. This report offers examples and information to illustrate risk tolerance, risk appetite,...
Projects
https://csrc.nist.gov/projects/mcspwg
Cloud computing has become the core accelerator of the US Government's digital business transformation. NIST is establishing a Multi-Cloud Security Public Working Group (MCSPWG) to research best practices for securing complex cloud solutions involving multiple service providers and multiple clouds. The White House Executive Order on Improving the Nation's Cybersecurity highlights that “the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life” by focusing “the full scope of its authorities...
Publications
IR 8596 (Initial Preliminary Draft)
December 16, 2025
https://csrc.nist.gov/pubs/ir/8596/iprd
Abstract: The Cybersecurity Framework Profile for Artificial Intelligence (AI) Profile (“Cyber AI Profile” or “The Profile”) will provide guidelines for managing cybersecurity risk related to AI systems as well as identifying opportunities for using AI to enhance cybersecurity capabili...
Projects
https://csrc.nist.gov/projects/post-quantum-cryptography
Short URL: https://www.nist.gov/pqcrypto For a plain-language introduction to post-quantum cryptography, see What Is Post-Quantum Cryptography? PQC Standards | Migration to PQC | Ongoing PQC Standardization Process NIST’s Post-Quantum Cryptography (PQC) project leads the national and global effort to secure electronic information against the future threat of quantum computers—machines that may be years or decades away but could eventually break many of today’s widely used cryptographic systems. Through a multi-year international competition involving industry, academia, and...
Publications
SP 800-70 Rev. 5 (Initial Public Draft)
December 9, 2025
https://csrc.nist.gov/pubs/sp/800/70/r5/ipd
Abstract: A security configuration checklist is a document or technical content that contains instructions or procedures for securely configuring an IT product to match an operational environment’s risk tolerance, verifying that the product has been configured properly, and/or identifying unauthorized c...
Project Pages
https://csrc.nist.gov/projects/key-management/key-management-guidelines
The following publications provide general key management guidance: Recommendation for Key Management December 5, 2025: An initial public draft of SP 800-57 Part 1 Revision 6 is available for comment through February 5, 2026. SP 800-57 Part 1 Revision 5 - General This Recommendation provides cryptographic key-management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material, including definitions of the security services that may be provided when using cryptography and the algorithms and key...
Publications
CSWP 53 (Initial Public Draft)
December 2, 2025
https://csrc.nist.gov/pubs/cswp/53/charting-the-course-for-nist-oscal/ipd
Abstract: This document introduces the Open Security Controls Assessment Language (OSCAL), a NIST-developed, open-source, machine-readable language that modernizes manual, paper-based cybersecurity compliance by enabling automated and scalable processes. OSCAL standardizes security documentation for easier mo...
Projects
https://csrc.nist.gov/projects/forum
The Federal Cybersecurity and Privacy Professionals Forum is an informal group sponsored by the National Institute of Standards and Technology (NIST) to promote the sharing of cybersecurity and privacy knowledge, best practices, and resources among U.S. federal, state, and local government, and higher education organizations. The Federal Cybersecurity and Privacy Professionals Forum ("the Forum") maintains an extensive email list, and holds quarterly meetings to discuss current issues and items of interest to those responsible for protecting non-national security systems. There is no cost...
Projects
https://csrc.nist.gov/projects/srr-seminar
Security Research Review Seminar is a biweekly talk arranged by the Computer Security Division (773) of the Information Technology Laboratory (ITL) at NIST. Researchers, academics, and practitioners for within and outside NIST are invited to discuss their work in the areas of hardware, software, AI, and system level security. Interesting topics related to verification, validation, assurance, and standardizations are also discussed. Upcoming Talks The following schedule is tentative: Date Speaker Title Dec/Jan Hamid...
Publications
SP 1800-36 (Final)
November 25, 2025
https://csrc.nist.gov/pubs/sp/1800/36/final
Abstract: Establishing trust between a network and an Internet of Things (IoT) device (as defined in NIST Internal Report 8425) prior to providing the device with the credentials it needs to join the network is crucial for mitigating the risk of potential attacks. There are two possibilities for attack. One h...
Publications
SP 1308 (2nd Public Draft)
November 24, 2025
https://csrc.nist.gov/pubs/sp/1308/2pd
Abstract: This Quick Start Guide (QSG) shows how the NICE Workforce Framework for Cybersecurity and the Cybersecurity Framework (CSF) can be used together to facilitate communication across business units and improve organizational processes where cybersecurity, enterprise risk management (ERM), and workforce...
Projects
https://csrc.nist.gov/projects/telework-working-anytime-anywhere
Today, many employees telework (also known as “telecommuting,” “work from home,” or “work from anywhere”). Teleworking is the ability of an organization’s employees, contractors, business partners, vendors, and other users to perform work from locations other than the organization’s facilities. Telework has been on the rise for some time, but sharply increased because of the COVID-19 pandemic. For many, telework is now the only way to get work done, and the original concept of “telework” has evolved into being able to work anytime, anywhere. The technologies used for telework have also...
