Showing 126 through 150 of 1412 matching records.
Publications SP 800-18 Rev. 2 (Initial Public Draft)

Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems

June 4, 2025
https://csrc.nist.gov/pubs/sp/800/18/r2/ipd

Abstract: The system security plan, system privacy plan, and cybersecurity supply chain risk management plan are collectively referred to as system plans. They describe the purpose of the system, the operational status of the controls selected and allocated for meeting risk management requirements, and the re...

Updates

Usable Cybersecurity and Privacy for Immersive Technologies | Workshop Report

May 23, 2025
https://csrc.nist.gov/news/2025/immersive-technologies-workshop-report-ir-8557

NIST has released Internal Report (IR) 8557 for the Virtual Workshop on Usable Cybersecurity and Privacy for Immersive Technologies

Publications IR 8557 (Final)

Report of the Virtual Workshop on Usable Cybersecurity and Privacy for Immersive Technologies

May 23, 2025
https://csrc.nist.gov/pubs/ir/8557/final

Abstract: This document reports on the Virtual Workshop on Usable Cybersecurity and Privacy for Immersive Technologies (the Workshop) hosted by the Symposium in Usable Privacy and Security (SOUPS). The Workshop was held on August 7th, 2024 before the in-person symposium held August 11th and 12th, 2024 in Phil...

Project Pages

Beta Release Of Access Control Policy Tool

https://csrc.nist.gov/projects/access-control-policy-tool/beta-release-of-access-control-policy-tool

ARCHIVED PROJECT: This project is no longer being supported and will be removed from this website on June 30, 2025. This ACPT version is a beta release, which includes a concise user manual, examples, and Java code. The user documentation and software will be updated in the future. Please check the web site for update information. To download the latest ACPT version (.zip file, May 15, 2019), please contact Vincent Hu for the password to unzip the zip file. The source code is also available. The Access Control Policy Tool (ACPT) was developed by NIST's Computer...

Updates

Likely Exploited Vulnerabilities: NIST Publishes Cybersecurity White Paper 41

May 19, 2025
https://csrc.nist.gov/news/2025/nist-publishes-cybersecurity-white-paper-41

NIST Cybersecurity White Paper (CSWP) 41, "Likely Exploited Vulnerabilities: A Proposed Metric for Vulnerability Exploitation Probability", helps organizations identify actively exploited vulnerabilities and measure prioritization after patching.

Updates

Foundational Cybersecurity Activities for IoT Product Manufacturers | IR 8259r1 ipd and IR 8572

May 13, 2025
https://csrc.nist.gov/news/2025/foundational-cyber-activities-for-iot-product-manu

In addition to publishing a report on the "Workshop on Foundational Cybersecurity Activities for IoT Device Manufacturers" (IR 8572), an initial public draft of IR 8259r1, "Foundational Cybersecurity Activities for IoT Product Manufacturers," is available for comment through July 14, 2025.

Publications IR 8572 (Final)

Workshop Summary Report for “Workshop on Foundational Cybersecurity Activities for IoT Device Manufacturers”

May 13, 2025
https://csrc.nist.gov/pubs/ir/8572/final

Abstract: This report summarizes discussions held at the March 5, 2025 “Workshop on Foundational Cybersecurity Activities for IoT Device Manufacturers” organized by the NIST Cybersecurity for the Internet of Things (IoT) program. This workshop follows an earlier event held in December 2024 titled “Workshop on...

Projects

Automotive Cybersecurity Community of Interest (COI)

https://csrc.nist.gov/projects/auto-cybersecurity-coi

The automotive industry is facing significant challenges from increased cybersecurity risk and adoption of AI and opportunities from rapid technological innovations. NIST is setting up this community of interest (COI) to allow the industry, academia, and government to discuss, comment, and provide input on the potential work that NIST is doing which will affect the automotive industry. Topics of interest include, but are not limited to: Cryptography; Cryptographic agility; Migration to secure algorithms, e.g., quantum resistant cryptography; Supply chain; Code integrity and...

Projects

Security Aspects of Electronic Voting

https://csrc.nist.gov/projects/security-aspects-of-electronic-voting

The Help America Vote Act (HAVA) of 2002 was passed by Congress to encourage the upgrade of voting equipment across the United States. HAVA established the Election Assistance Commission (EAC) and the Technical Guidelines Development Committee (TGDC), chaired by the Director of NIST, as well as a Board of Advisors and Standard Board. HAVA calls on NIST to provide technical support to the EAC and TGDC in efforts related to human factors, security, and laboratory accreditation. The Information Technology Laboratory supports the activities of the EAC and TGDC related to voting equipment...

Projects

Privacy Enhanced Lightweight Distributed Ledger Technology

https://csrc.nist.gov/projects/enhanced-distributed-ledger-technology

Privacy Enhancing Lightweight Distributed Ledger Technology When is blockchain a problem for privacy? Immutability can be a problem because private information stored in a blockchain cannot be deleted. Laws and regulations may require that users be allowed to remove private information at their request. Thus there is a need for redactable blockchain and redactable distributed ledger technology. When is blockchain a problem for security? Immutability can be a problem because security sensitive information stored in a blockchain cannot be deleted. Security policies may require deleting...

Projects

Attribute Based Access Control

https://csrc.nist.gov/projects/attribute-based-access-control

The concept of Attribute Based Access Control (ABAC) has existed for many years. It represents a point on the spectrum of logical access control from simple access control lists to more capable role-based access, and finally to a highly flexible method for providing access based on the evaluation of attributes. In November 2009, the Federal Chief Information Officers Council (Federal CIO Council) published the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Plan v1.0, which provided guidance to federal organizations to evolve their logical access control...

Project Pages

Role Engineering and RBAC Standards

https://csrc.nist.gov/projects/role-based-access-control/role-engineering-and-rbac-standards

ARCHIVED PROJECT: This project is no longer being supported and will be removed from this website on June 30, 2025. Many organizations are in the process of moving to role based access control. The process of developing an RBAC structure for an organization has become known as "role engineering." Role engineering can be a complex undertaking. For example, in implementing RBAC for a large European bank with over 50,000 employees and 1400 branches serving more than 6 million customers, approximately 1300 roles were discovered. In view of the complexities, RBAC is best implemented by...

Project Pages

References Associated with Vulnerability Disclosure

https://csrc.nist.gov/projects/vulnerability-disclosure-guidelines/related-references

ATTENTION: The Project Lead is no longer at NIST. Inquiry responses may be delayed. ISO/IEC 29147 International Organization for Standardization/International Electrotechnical Commission (2018) ISO/IEC 29147:2018 – Information technology – Security techniques – Vulnerability disclosure (ISO, Geneva, Switzerland). Available at https://www.iso.org/standard/72311.html ISO/IEC 30111 International Organization for Standardization/International Electrotechnical Commission (2019) ISO/IEC 30111:2019 – Information technology – Security techniques – Vulnerability handling processes (ISO,...

Projects

Vulnerability Disclosure Guidelines

https://csrc.nist.gov/projects/vulnerability-disclosure-guidelines

ATTENTION: The Project Lead is no longer at NIST. Inquiry responses may be delayed. Internal and external reporting of security vulnerabilities in software and information systems owned or utilized by the Federal Government is critical to mitigating risk, establishing a robust security posture, and maintaining transparency and trust with the public. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce known security vulnerabilities and exposures. NIST Special Publication (SP) 800-216, Recommendations for Federal Vulnerability Disclosure...

Updates

Small Business Cybersecurity: Non-Employer Firms | Comment on NIST IR 7621 Revision 2

May 1, 2025
https://csrc.nist.gov/news/2025/comment-on-nist-ir-7621-revision-2

NIST has released the initial public draft of NIST Internal Report (IR) 7621r2, Small Business Cybersecurity: Non-Employer Firms

Publications IR 7621 Rev. 2 (Initial Public Draft)

Small Business Cybersecurity: Non-Employer Firms

May 1, 2025
https://csrc.nist.gov/pubs/ir/7621/r2/ipd

Abstract: This report is designed to help small firms use the NIST Cybersecurity Framework (CSF) 2.0 to begin managing their cybersecurity risks. The document is tailored to the smallest of businesses—those with no employees, or “non-employer” firms. These firms are also often colloquially referred to as “sol...

Updates

Just Published | NIST’s FY 2024 Cybersecurity & Privacy Program Annual Report

April 28, 2025
https://csrc.nist.gov/news/2025/nist-published-sp-800-236-2024-annual-report

NIST published Special Publication 800-236, FY 2024 Annual Report for NIST Cybersecurity and Privacy Program.

Publications SP 800-236 (Final)

Fiscal Year 2024 Cybersecurity and Privacy Annual Report

April 28, 2025
https://csrc.nist.gov/pubs/sp/800/236/final

Abstract: Throughout Fiscal Year 2024 (FY 2024) — from October 1, 2023, through September 30, 2024 — the NIST Information Technology Laboratory (ITL) Cybersecurity and Privacy Program successfully responded to numerous challenges and opportunities in security and privacy. This Annual Report highlights the ITL...

Projects

Measurements for Information Security

https://csrc.nist.gov/projects/measurements-for-information-security

The Measurements for Information Security Program aims to better equip organizations to purposefully and effectively manage their information security risk through the development of flexible approaches to the selection, assessment, and management of measures and metrics. Information Security Measurement Guide SP 800-55v1 Measurement Guide for Information Security – Volume 1, Identifying and Selecting Measures, provides a flexible approach to the development, selection, and prioritization of information security measures. SP 800-55v2 Measurement Guide for Information Security – Volume...

Projects

Cybersecurity Risk Analytics

https://csrc.nist.gov/projects/cybersecurity-risk-analytics

The Cyber Risk Analytics and Measurement program aims to develop cybersecurity risk analytics methods, tools, and guides to improve the understanding of cybersecurity risks, inform management practices, and facilitate information sharing among risk owners. Below are the internal and external collaborative activities of the program: Cyber Supply Chain Survey Tool NIST is prototyping a survey tool to be an educational resource to facilitate cybersecurity supply chain risk management. The tool provides insights for organizations to evaluate and manage their processes to minimize cyber supply...
