Showing 726 through 750 of 1317 matching records.
Updates

Improving Enterprise Patching for General IT Systems: Preliminary Draft of SP 1800-31A Available for Comment

September 10, 2020
https://csrc.nist.gov/news/2020/improving-enterprise-patching-for-general-it-sys

A preliminary draft of Volume A of SP 1800-31A, "Improving Enterprise Patching for General IT Systems," is available for comment through October 9, 2020.

Updates

Draft White Paper: Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management

September 8, 2020
https://csrc.nist.gov/news/2020/trusted-iot-device-onboarding-and-lcm

A draft white paper, "Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management," is available for comment through October 8, 2020.

Publications IR 8272 (Final) (Withdrawn)

Impact Analysis Tool for Interdependent Cyber Supply Chain Risks

August 25, 2020

https://csrc.nist.gov/pubs/ir/8272/final

Abstract: As awareness of cybersecurity supply chain risks grows among federal agencies, there is a greater need for tools that evaluate the impacts of a supply chain-related cyber event. This can be a difficult activity, especially for those organizations with complex operational environments and supply chai...

Updates

NIST Publishes 2019 NIST/ITL Cybersecurity Program Annual Report

August 24, 2020
https://csrc.nist.gov/news/2020/2019-nist-itl-cybersecurity-program-annual-report

NIST has published its 2019 Annual Report for the NIST/ITL Cybersecurity Program, in Special Publication (SP) 800-211.

Publications SP 800-211 (Final)

2019 NIST/ITL Cybersecurity Program Annual Report

August 24, 2020
https://csrc.nist.gov/pubs/sp/800/211/final

Abstract: During Fiscal Year 2019 (FY 2019), from October 1, 2018 through September 30, 2019, the NIST Information Technology Laboratory (ITL) Cybersecurity and Privacy Program successfully responded to numerous challenges and opportunities in security and privacy. This annual report highlights the FY 2019 re...

Publications SP 1500-16 (Final)

Improving Veteran Transitions to Civilian Cybersecurity Roles: Workshop Report

August 20, 2020
https://csrc.nist.gov/pubs/sp/1500/16/final

Abstract: The shortage of cybersecurity professionals is a significant risk to The United States of America’s overall national security and economic prosperity. The U.S. branches of the military provide training and education in cybersecurity, and some transitioning military are well versed in risk management...

Project Pages

FISSEA Security Awareness and Training Contest Winners

https://csrc.nist.gov/projects/fissea/contests-and-awards/fissea-sate-winners

Contest Winners for 2020: Winners (selected by impartial judging committee prior to conference): Poster: Deborah Coleman, U.S. Department of Education; Motivational Item: United States Postal Service, CISO; Website: IHS OIT Division of Information Security; Newsletter: National Institutes of Health – Cyber Safety Awareness Campaign; Video: CMS/OIT Information Security & Privacy Group (ISPG); Blog: Cofense; Podcast: CMS/OIT Information Security & Privacy Group (ISPG); Security Training Scenarios: Media Pro. Contest Winners for 2019: Winners (selected by impartial judging...

Updates

Zero Trust Architecture: NIST Publishes SP 800-207

August 11, 2020
https://csrc.nist.gov/news/2020/zero-trust-architecture-nist-publishes-sp-800-207

NIST publishes Special Publication (SP) 800-207, "Zero Trust Architecture."

Publications SP 800-207 (Final)

Zero Trust Architecture

August 11, 2020
https://csrc.nist.gov/pubs/sp/800/207/final

Abstract: Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zer...

Updates

National Cybersecurity Online Informative References (OLIR) Program: Two Draft NISTIRs Available for Comment

August 4, 2020
https://csrc.nist.gov/news/2020/olir-program-draft-nistirs-available-for-comment

NIST has released two draft NISTIRs for the National Cybersecurity Online Informative References (OLIR) Program: Draft (2nd) NISTIR 8278 and Draft NISTIR 8278A. The comment period for each publication closes September 4, 2020.

Updates

ITL Bulletin: Secure File Exchanges

August 3, 2020
https://csrc.nist.gov/news/2020/itl-bulletin-secure-file-exchanging

NIST provides considerations for secure file exchanges.

Publications ITL Bulletin (Final)

Security Considerations for Exchanging Files Over the Internet

August 3, 2020
https://csrc.nist.gov/pubs/itlb/2020/08/security-considerations-for-exchanging-files-over/final

Abstract: Every day, in order to perform their jobs, workers exchange files over the Internet through email attachments, file sharing services, and other means. To help organizations reduce potential exposure of sensitive information, NIST has released a new Information Technology Laboratory (ITL)...

Updates

Open Field Message Bus (OpenFMB) Proof of Concept Implementation: NIST TN 2066

July 29, 2020
https://csrc.nist.gov/news/2020/nist-publishes-openfmb-cybersecurity-research

NIST Technical Note (TN) 2066, "OpenFMB Proof of Concept Implementation Research," describes recent cybersecurity research related to the Smart Grid.

Publications TN 2066 (Final)

OpenFMB Proof of Concept Implementation Research

July 29, 2020
https://csrc.nist.gov/pubs/tn/2066/final

Abstract: There is a smart grid messaging framework known as an Open Field Message Bus (OpenFMB), which was ratified by the North American Energy Standards Board (NAESB) in March 2016 and has been released as NAESB RMQ.26, Open Field Message Bus (OpenFMB) Model Business Practices. OpenFMB focuses on describin...

Topics

Internet of Things

https://csrc.nist.gov/topics/applications/internet-of-things

See the NIST Cybersecurity for IoT Program for details about how the Applied Cybersecurity Division supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. [This "Internet of Things" CSRC topic page consolidates content related to IoT that exists on the CSRC website.]

Publications Conference Paper (Final)

Smart Home Security and Privacy Mitigations: Consumer Perceptions, Practices, and Challenges

July 19, 2020
https://csrc.nist.gov/pubs/conference/2020/07/19/smart-home-security-and-privacy-mitigations/final

Conference: Second International Conference on Human-Computer Interaction for Cybersecurity, Privacy and Trust (HCI-CPT 2020)
Abstract: As smart home technology is becoming pervasive, smart home devices are increasingly being used by non-technical users who may have little understanding of the technology or how to properly mitigate privacy and security risks. To better inform security and privacy mitigation guidance for smart home d...

Publications IR 8219 (Final)

Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection

July 16, 2020
https://csrc.nist.gov/pubs/ir/8219/final

Abstract: Industrial control systems (ICS) are used in many industries to monitor and control physical processes. As ICS continue to adopt commercially available information technology (IT) to promote corporate business systems’ connectivity and remote access capabilities, ICS become more vulnerable to cybers...

Updates

NICE Releases Draft Revision of the NICE Framework

July 15, 2020
https://csrc.nist.gov/news/2020/nice-releases-draft-revision-of-the-nice-framework

The National Initiative for Cybersecurity Education (NICE) has released Draft SP 800-181 Revision 1, "Workforce Framework for Cybersecurity (NICE Framework)." The public comment period closes August 28, 2020.

Updates

Integrating Cybersecurity and Enterprise Risk Management (ERM): Second Public Draft of NISTIR 8286 Available for Comment

July 9, 2020
https://csrc.nist.gov/news/2020/nist-releases-2nd-draft-nistir-8286-for-comment

NIST is requesting comments on the Second Draft of NISTIR 8286, "Integrating Cybersecurity and Enterprise Risk Management (ERM)." The public comment period closes August 21, 2020.

Publications SP 800-77 Rev. 1 (Final)

Guide to IPsec VPNs

June 30, 2020
https://csrc.nist.gov/pubs/sp/800/77/r1/final

Abstract: Internet Protocol Security (IPsec) is a widely used network layer security control for protecting communications. IPsec is a framework of open standards for ensuring private communications over Internet Protocol (IP) networks. IPsec configuration is usually performed using the Internet Key Exchange...

Project Pages

Combinatorial Methods in Cybersecurity Testing

https://csrc.nist.gov/projects/automated-combinatorial-testing-for-software/cybersecurity-testing-1/cybersecurity-testing

Combinatorial methods improve security assurance in two ways: Reducing vulnerabilities - Multiple studies show that about two-thirds of security vulnerabilities result from ordinary coding errors that can be exploited (for example, lack of input validation). By identifying errors more efficiently, combinatorial testing can reduce vulnerabilities as well. Specialized security testing - We have been able to achieve huge improvements in fault detection for cryptographic software, hardware Trojan horse and malware, web server security, access control systems, and others. Below are some...

Events

De-mystifying Secure Software Development

June 23, 2020 - June 23, 2020
https://csrc.nist.gov/events/2020/de-mystifying-secure-software-development

Once seen as only tangential to cybersecurity planning, software security has recently emerged as a top priority for policymakers, businesses, and users around the world. As our collective understanding of cybersecurity has grown, we have come to recognize the central role secure design and development plays in protecting the software that powers our world. Unfortunately, software security discussions have long been hampered by inconsistent terminology, lack of clarity around best practices, and a sense that only the most technically inclined could ever really make sense of the process. A new...

Project Pages

The Management of SWID Tags for Software Installations

https://csrc.nist.gov/projects/software-identification-swid/management

While SWID Tags demonstrate a possible standards-based way of tracking the state of installed software products, their fitness to support patch management processes depends on the availability and accuracy of deployed tags. Unfortunately, today most vendors never update a tag after it is installed on the endpoint. As a result, these tags fall out of date as soon as that product is updated. Once this happens, these tags are no longer usable for patch or update management as the state of the associated software product will differ from that reported by the tag. To address this issue, vendors...
