Showing 101 through 125 of 1391 matching records.
Publications IR 8572 (Final)

Workshop Summary Report for “Workshop on Foundational Cybersecurity Activities for IoT Device Manufacturers”

May 13, 2025
https://csrc.nist.gov/pubs/ir/8572/final

Abstract: This report summarizes discussions held at the March 5, 2025 “Workshop on Foundational Cybersecurity Activities for IoT Device Manufacturers” organized by the NIST Cybersecurity for the Internet of Things (IoT) program. This workshop follows an earlier event held in December 2024 titled “Workshop on...

Projects

Automotive Cybersecurity Community of Interest (COI)

https://csrc.nist.gov/projects/auto-cybersecurity-coi

The automotive industry is facing significant challenges from increased cybersecurity risk and adoption of AI and opportunities from rapid technological innovations. NIST is setting up this community of interest (COI) to allow the industry, academia, and government to discuss, comment, and provide input on the potential work that NIST is doing which will affect the automotive industry. Topics of interest include, but are not limited to: Cryptography; Cryptographic agility; Migration to secure algorithms, e.g., quantum resistant cryptography; Supply chain; Code integrity and...

Projects

Telework: Working Anytime, Anywhere

https://csrc.nist.gov/projects/telework-working-anytime-anywhere

Today, many employees telework (also known as “telecommuting,” “work from home,” or “work from anywhere”). Teleworking is the ability of an organization’s employees, contractors, business partners, vendors, and other users to perform work from locations other than the organization’s facilities. Telework has been on the rise for some time, but sharply increased because of the COVID-19 pandemic. For many, telework is now the only way to get work done, and the original concept of “telework” has evolved into being able to work anytime, anywhere. The technologies used for telework have also...

Projects

Security Aspects of Electronic Voting

https://csrc.nist.gov/projects/security-aspects-of-electronic-voting

The Help America Vote Act (HAVA) of 2002 was passed by Congress to encourage the upgrade of voting equipment across the United States. HAVA established the Election Assistance Commission (EAC) and the Technical Guidelines Development Committee (TGDC), chaired by the Director of NIST, as well as a Board of Advisors and Standard Board. HAVA calls on NIST to provide technical support to the EAC and TGDC in efforts related to human factors, security, and laboratory accreditation. The Information Technology Laboratory supports the activities of the EAC and TGDC related to voting equipment...

Projects

Privacy Enhanced Lightweight Distributed Ledger Technology

https://csrc.nist.gov/projects/enhanced-distributed-ledger-technology

Privacy Enhancing Lightweight Distributed Ledger Technology. When is blockchain a problem for privacy? Immutability can be a problem because private information stored in a blockchain cannot be deleted. Laws and regulations may require that users be allowed to remove private information at their request. Thus there is a need for redactable blockchain and redactable distributed ledger technology. When is blockchain a problem for security? Immutability can be a problem because security sensitive information stored in a blockchain cannot be deleted. Security policies may require deleting...

Projects

Attribute Based Access Control

https://csrc.nist.gov/projects/attribute-based-access-control

The concept of Attribute Based Access Control (ABAC) has existed for many years. It represents a point on the spectrum of logical access control from simple access control lists to more capable role-based access, and finally to a highly flexible method for providing access based on the evaluation of attributes. In November 2009, the Federal Chief Information Officers Council (Federal CIO Council) published the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Plan v1.0, which provided guidance to federal organizations to evolve their logical access control...

Project Pages

Role Engineering and RBAC Standards

https://csrc.nist.gov/projects/role-based-access-control/role-engineering-and-rbac-standards

ARCHIVED PROJECT: This project is no longer being supported and will be removed from this website on June 30, 2025. Many organizations are in the process of moving to role based access control. The process of developing an RBAC structure for an organization has become known as "role engineering." Role engineering can be a complex undertaking. For example, in implementing RBAC for a large European bank with over 50,000 employees and 1400 branches serving more than 6 million customers, approximately 1300 roles were discovered. In view of the complexities, RBAC is best implemented by...

Project Pages

References Associated with Vulnerability Disclosure

https://csrc.nist.gov/projects/vulnerability-disclosure-guidelines/related-references

ATTENTION: The Project Lead is no longer at NIST. Inquiry responses may be delayed. ISO/IEC 29147: International Organization for Standardization/International Electrotechnical Commission (2018) ISO/IEC 29147:2018 – Information technology – Security techniques – Vulnerability disclosure (ISO, Geneva, Switzerland). Available at https://www.iso.org/standard/72311.html. ISO/IEC 30111: International Organization for Standardization/International Electrotechnical Commission (2019) ISO/IEC 30111:2019 – Information technology – Security techniques – Vulnerability handling processes (ISO,...

Projects

Vulnerability Disclosure Guidelines

https://csrc.nist.gov/projects/vulnerability-disclosure-guidelines

ATTENTION: The Project Lead is no longer at NIST. Inquiry responses may be delayed. Internal and external reporting of security vulnerabilities in software and information systems owned or utilized by the Federal Government is critical to mitigating risk, establishing a robust security posture, and maintaining transparency and trust with the public. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce known security vulnerabilities and exposures. NIST Special Publication (SP) 800-216, Recommendations for Federal Vulnerability Disclosure...

Updates

Small Business Cybersecurity: Non-Employer Firms | Comment on NIST IR 7621 Revision 2

May 1, 2025
https://csrc.nist.gov/news/2025/comment-on-nist-ir-7621-revision-2

NIST has released the initial public draft of NIST Internal Report (IR) 7621r2, Small Business Cybersecurity: Non-Employer Firms

Publications IR 7621 Rev. 2 (Initial Public Draft)

Small Business Cybersecurity: Non-Employer Firms

May 1, 2025
https://csrc.nist.gov/pubs/ir/7621/r2/ipd

Abstract: This report is designed to help small firms use the NIST Cybersecurity Framework (CSF) 2.0 to begin managing their cybersecurity risks. The document is tailored to the smallest of businesses—those with no employees, or “non-employer” firms. These firms are also often colloquially referred to as “sol...

Updates

Just Published | NIST’s FY 2024 Cybersecurity & Privacy Program Annual Report

April 28, 2025
https://csrc.nist.gov/news/2025/nist-published-sp-800-236-2024-annual-report

NIST published Special Publication 800-236, FY 2024 Annual Report for NIST Cybersecurity and Privacy Program.

Publications SP 800-236 (Final)

Fiscal Year 2024 Cybersecurity and Privacy Annual Report

April 28, 2025
https://csrc.nist.gov/pubs/sp/800/236/final

Abstract: Throughout Fiscal Year 2024 (FY 2024) — from October 1, 2023, through September 30, 2024 — the NIST Information Technology Laboratory (ITL) Cybersecurity and Privacy Program successfully responded to numerous challenges and opportunities in security and privacy. This Annual Report highlights the ITL...

Projects

Measurements for Information Security

https://csrc.nist.gov/projects/measurements-for-information-security

The Measurements for Information Security Program aims to better equip organizations to purposefully and effectively manage their information security risk through the development of flexible approaches to the selection, assessment, and management of measures and metrics. Information Security Measurement Guide: SP 800-55v1, Measurement Guide for Information Security – Volume 1, Identifying and Selecting Measures, provides a flexible approach to the development, selection, and prioritization of information security measures. SP 800-55v2, Measurement Guide for Information Security – Volume...

Project Pages

Workshops and Timeline

https://csrc.nist.gov/projects/post-quantum-cryptography/workshops-and-timeline

Workshops, by date: September 24-26, 2025, Sixth PQC Standardization Conference (In-Person / Virtual), Venue: NIST Gaithersburg, Maryland, USA, Call for Papers; April 10-12, 2024, Fifth PQC Standardization Conference (In-Person), Hilton Washington DC/Rockville Hotel, Rockville, MD, Call for Papers; November 29 - December 1, 2022, Fourth PQC Standardization Conference, Virtual, Call for Papers; June 7-9, 2021, Third...

Projects

Cybersecurity Risk Analytics

https://csrc.nist.gov/projects/cybersecurity-risk-analytics

The Cyber Risk Analytics and Measurement program aims to develop cybersecurity risk analytics methods, tools, and guides to improve the understanding of cybersecurity risks, inform management practices, and facilitate information sharing among risk owners. Below are the internal and external collaborative activities of the program: Cyber Supply Chain Survey Tool: NIST is prototyping a survey tool to be an educational resource to facilitate cybersecurity supply chain risk management. The tool provides insights for organizations to evaluate and manage their processes to minimize cyber supply...

Events

Crypto Agility Workshop

April 17, 2025 - April 18, 2025
https://csrc.nist.gov/events/2025/crypto-agility-workshop

Read the Code of Conduct for NIST Meetings. Call for Submissions (Submission Deadline: March 30, 2025). On March 5, 2025, NIST released the draft Cybersecurity White Paper (CSWP) 39, Considerations for Achieving Crypto Agility - Strategies and Practices. This white paper provides an in-depth survey of current approaches and considerations to achieving crypto agility. It discusses challenges, trade-offs, and some approaches to providing operational mechanisms for achieving crypto agility while maintaining interoperability. It also highlights some critical working areas that require additional...

Updates

NIST Publishes the Summary Report for "Workshop on Updating Manufacturer Guidance for Securable Connected Product Development"

April 16, 2025
https://csrc.nist.gov/news/2025/nist-publishes-nist-ir-8562

NIST Publishes NIST IR 8562, the Summary Report for "Workshop on Updating Manufacturer Guidance for Securable Connected Product Development"

Publications IR 8562 (Final)

Summary Report for “Workshop on Updating Manufacturer Guidance for Securable Connected Product Development”

April 16, 2025
https://csrc.nist.gov/pubs/ir/8562/final

Abstract: This report summarizes the feedback received by the NIST Cybersecurity for the Internet of Things (IoT) program at the in-person and hybrid workshop on "Updating Manufacturer Guidance for Securable Connected Product Development" held in December 2024. The purpose of this workshop was to consider how...

Events

Trusted Semiconductor Supply Chain Workshop

April 15, 2025 - April 15, 2025
https://csrc.nist.gov/events/2025/trusted-semiconductor-supply-chain-workshop

Code of Conduct for NIST Conferences. Final Agenda with Links to Presentations. The NIST Trust and Provenance in the Semiconductor Supply Chain Workshop will be held as an in-person event on Tuesday, April 15, 2025 at the NIST National Cybersecurity Center of Excellence (NCCoE) conference facility, in Rockville, MD. This one-day event aims to bring together technical experts from industry, academia, and the government to discuss drivers, need, methods and process to establish trust and provenance across the semiconductor supply chain. The workshop will solicit and obtain valuable feedback from the...

Project Pages

Program News

https://csrc.nist.gov/projects/cprt/program-news

What have we been up to? Here are some of the latest updates… We are currently in Phase 1 of updating the CPRT roadmap tool. Stay tuned as NIST adds reference data from other publications to this tool and develops features to interact with the data in new ways in the future. Recent CPRT Additions: 05/14/2024 | NIST Special Publication 800-171A Rev 3, Assessing Security Requirements for Controlled Unclassified Information, was added to CPRT; 05/14/2024 | NIST Special Publication 800-171 Rev 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, was...

Projects

Cybersecurity and Privacy Reference Tool

https://csrc.nist.gov/projects/cprt

Want to build your own cybersecurity guidance? This tool provides a simple way to access reference data from various NIST cybersecurity and privacy standards, guidelines, and Frameworks, downloadable in common formats (XLSX and JSON).

Projects

Software Identification (SWID) Tagging

https://csrc.nist.gov/projects/software-identification-swid

Software is vital to our economy and way of life as part of the critical infrastructure for the modern world. Too often cost and complexity make it difficult to manage software effectively, leaving the software open for attack. To properly manage software, enterprises need to maintain accurate software inventories of their managed devices in support of higher-level business, information technology, and cybersecurity functions. Accurate software inventories help an enterprise to: Manage compliance with software license agreements. Knowing what software is installed and used can help an...

Updates

NIST Publishes Initial Public Draft (IPD) CSWP 42, Towards Automating IoT Security: Implementing Trusted Network-Layer Onboarding

April 14, 2025
https://csrc.nist.gov/news/2025/nist-publishes-draft-cswp-42-for-public-comment

NIST CSWP 42, Towards Automating IoT Security: Implementing Trusted Network-Layer Onboarding, is available for public comment. The comment period is open through May 29, 2025.

Updates

NIST Privacy Framework 1.1 initial public draft is available for comment

April 14, 2025
https://csrc.nist.gov/news/2025/comment-on-the-nist-privacy-framework-11

The initial public draft of the NIST Privacy Framework 1.1 is available for public comment through June 13, 2025.
