Use this form to search content on CSRC pages.
Abstract: Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” tasks the National Institute of Standards and Technology (NIST), in coordination with the Federal Trade Commission (FTC) and other agencies, to initiate pilot programs for cybersecurity labeling. NIST is, among other actions, direct...
Abstract: Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, May 12, 2021, directs the National Institute of Standards and Technology (NIST) to publish guidance on practices for software supply chain security. This document starts by explaining NIST’s approach for addressing Section 4e. Next...
The SSDF uses these established secure development practice documents as references. Note that these references were current at the time SSDF version 1.1 was published, and may no longer be current. NIST Publications General Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (SP 800-181) Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5) Software Development Cybersecurity Supply Chain Risk Management Practices for Systems and...
Abstract: Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure that the software being developed is well-secured. This document recommends the Secure Software Development...
NIST has published SP 1800-32, "Securing Distributed Energy Resources: An Example of Industrial Internet of Things Cybersecurity."
Abstract: The Industrial Internet of Things (IIoT) refers to the application of instrumentation and connected sensors and other devices to machinery and vehicles in the transport, energy, and other critical infrastructure sectors. In the energy sector, distributed energy resources (DERs) such as solar photovo...
Type: Presentation
This year’s Multi-Cloud Conference co-hosted by NIST and Tetrate will focus on DevSecOps and ZTA as foundational approaches to development, deployment, and operational phases for achieving high-assurance cloud-native applications. The latest generation of cloud-native applications often consists of a collection of microservices that could be distributed and deployed across a heterogeneous infrastructure (on-premises, public cloud, containerized, running on virtual machines, etc). With the proliferation of DevSecOps, a service mesh has proven to provide the desired bridge between...
Genomic data are central to basic science research, pharmaceutical drug and vaccine development, disease diagnosis and prediction, ancestry tracing, and forensic investigations. These applications require information fidelity and appropriate availability as bad actors may wish to misuse genomic data to invade privacy, gain an unfair competitive advantage, or inflict harm with devastating impacts on individuals, companies, and nations. The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) is seeking to identify genomic data...
NIST has released Draft NISTIR 8286C, "Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight." The public comment period closes March 11, 2022.
Abstract: Bluetooth wireless technology is an open standard for short-range radio frequency communication used primarily to establish wireless personal area networks (WPANs), and has been integrated into many types of business and consumer devices. This publication provides information on the security capabil...
Additional resources are available for the following SWID Tag specification revisions: ISO/IEC 19770-2:2015 Revision ISO/IEC 19770-2:2015 Resources SWID Tag Validation Tool NIST has developed a SWID Tag validation tool that can be used to verify that a produced SWID has properly implemented the requirements defined in NISTIR 8060. This tool can validate different types of SWID Tags that are used in different stages of the software lifecycle: SWID Tags that pass this validation tool provide support for license management as well as multiple cybersecurity use cases including:...
Abstract: This report describes an approach to capturing and documenting the network communication behavior of Internet of Things (IoT) devices. From this information, manufacturers, network administrators, and others can create and use files based on the Manufacturer Usage Description (MUD) specification to...
Draft NISTIR 8389, “Cybersecurity Considerations for Open Banking Technology and Emerging Standards,” is available for comment through March 3, 2022.
The National Initiative for Cybersecurity Education (NICE) has released a second draft of NISTIR 8355, NICE Framework Competencies: Assessing Learners for Cybersecurity Work.
Title / Topic Description Executive Order (EO) 14028 On Improving The Nation's Cybersecurity Executive Order 14028, “Improving the Nation’s Cybersecurity” marks a renewed commitment and prioritization of federal cybersecurity modernization and strategy. To keep pace with modern technological advancements and evolving threats, the Federal Government continues to migrate to the cloud. In support of these efforts, the Secretary of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency...
The National Cybersecurity Center of Excellence (NCCoE) has released a new draft project description, Secure IPv6-Only Implementation in the Enterprise.
Abstract: The NCCoE is planning a project to provide guidance and a reference architecture that address operational, security, and privacy issues associated with the evolution to IPv6-only network infrastructures. The project will demonstrate tools and methods for securely implementing IPv6, whether as a “gre...
A draft NIST Cybersecurity White Paper, Combination Frequency Differencing, is now available for public comment.
Type: Presentation
Presentations & Speakers at a Glance: Update from the Office of the Federal Chief Information Officer, Maria Roat (OMB) Update from GAO on the Cybersecurity & Information Security Audit Manual, Jennifer R. Franks (GAO) OMB Circular A-130 Implementation and Updates to SP 800-53 and FedRAMP, Carol Bales (OMB), Brian Conrad (GSA), and Vicky Pillitteri (NIST) Federal Zero Trust Strategy, Eric Mill (OMB) NOTE: FORUM MEETINGS ARE OPEN TO ONLY FEDERAL/STATE EMPLOYEES, HIGHER EDUCATION EMPLOYEES, AND THEIR DESIGNATED SUPPORT CONTRACTORS. REGISTRANTS MUST USE A .GOV, .EDU, OR .MIL...
Type: Opening Remarks
Click on the image to access the 2nd public draft of Special Publication (SP) 800-161, Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (released October 28, 2021). PRESENTATION for WORKSHOP (.PDF) Event Description: The NIST Cybersecurity Supply Chain Risk Management Team is hosting a webinar to provide an overview of the changes made in its 2nd public draft of Special Publication 800 – 161, Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. NIST seeks to engage stakeholders to provide clarity,...
Type: Presentation
NIST has released final IoT-specific guidance (NIST Special Publications 800-213 and 800-213A) to federal organizations to support extending their risk management process to the inclusion of IoT devices in federal systems.