Project Pages
https://csrc.nist.gov/projects/vulnerability-disclosure-guidelines/related-references
ATTENTION: The Project Lead is no longer at NIST. Inquiry responses may be delayed. ISO/IEC 29147 International Organization for Standardization/International Electrotechnical Commission (2018) ISO/IEC 29147:2018 – Information technology – Security techniques – Vulnerability disclosure (ISO, Geneva, Switzerland). Available at https://www.iso.org/standard/72311.html ISO/IEC 30111 International Organization for Standardization/International Electrotechnical Commission (2019) ISO/IEC 30111:2019 – Information technology – Security techniques – Vulnerability handling processes (ISO,...
Projects
https://csrc.nist.gov/projects/vulnerability-disclosure-guidelines
ATTENTION: The Project Lead is no longer at NIST. Inquiry responses may be delayed. Internal and external reporting of security vulnerabilities in software and information systems owned or utilized by the Federal Government is critical to mitigating risk, establishing a robust security posture, and maintaining transparency and trust with the public. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce known security vulnerabilities and exposures. NIST Special Publication (SP) 800-216, Recommendations for Federal Vulnerability Disclosure...
Publications
IR 7621 Rev. 2 (Initial Public Draft)
May 1, 2025
https://csrc.nist.gov/pubs/ir/7621/r2/ipd
Abstract: This report is designed to help small firms use the NIST Cybersecurity Framework (CSF) 2.0 to begin managing their cybersecurity risks. The document is tailored to the smallest of businesses—those with no employees, or “non-employer” firms. These firms are also often colloquially referred to as “sol...
Publications
SP 800-236 (Final)
April 28, 2025
https://csrc.nist.gov/pubs/sp/800/236/final
Abstract: Throughout Fiscal Year 2024 (FY 2024) — from October 1, 2023, through September 30, 2024 — the NIST Information Technology Laboratory (ITL) Cybersecurity and Privacy Program successfully responded to numerous challenges and opportunities in security and privacy. This Annual Report highlights the ITL...
Projects
https://csrc.nist.gov/projects/measurements-for-information-security
The Measurements for Information Security Program aims to better equip organizations to purposefully and effectively manage their information security risk through the development of flexible approaches to the selection, assessment, and management of measures and metrics. Information Security Measurement Guide SP 800-55v1 Measurement Guide for Information Security – Volume 1, Identifying and Selecting Measures, provides a flexible approach to the development, selection, and prioritization of information security measures. SP 800-55v2 Measurement Guide for Information Security – Volume...
Projects
https://csrc.nist.gov/projects/cybersecurity-risk-analytics
The Cyber Risk Analytics and Measurement program aims to develop cybersecurity risk analytics methods, tools, and guides to improve the understanding of cybersecurity risks, inform management practices, and facilitate information sharing among risk owners. Below are the internal and external collaborative activities of the program: Cyber Supply Chain Survey Tool NIST is prototyping a survey tool be an educational resource to facilitate cybersecurity supply chain risk management. The tool provides insights for organizations to evaluate and manage their processes to minimize cyber supply...
Events
April 17, 2025 - April 18, 2025
https://csrc.nist.gov/events/2025/crypto-agility-workshop
Read the Code of Conduct for NIST Meetings Call for Submissions (Submission Deadline: March 30, 2025) On March 5, 2025, NIST released the draft Cybersecurity White Paper (CSWP) 39, Considerations for Achieving Crypto Agility - Strategies and Practices. This white paper provides an in-depth survey of current approaches and considerations to achieving crypto agility. It discusses challenges, trade-offs, and some approaches to providing operational mechanisms for achieving crypto agility while maintaining interoperability. It also highlights some critical working areas that require additional...
Publications
IR 8562 (Final)
April 16, 2025
https://csrc.nist.gov/pubs/ir/8562/final
Abstract: This report summarizes the feedback received by the NIST Cybersecurity for the Internet of Things (IoT) program at the in-person and hybrid workshop on "Updating Manufacturer Guidance for Securable Connected Product Development" held in December 2024. The purpose of this workshop was to consider how...
Events
April 15, 2025 - April 15, 2025
https://csrc.nist.gov/events/2025/trusted-semiconductor-supply-chain-workshop
Code of Conduct for NIST Conferences Final Agenda with Links to Presentations The NIST Trust and Provenance in the Semiconductor Supply Chain Workshop will be held as an in-person on Tuesday, April 15, 2025 at the NIST National Cybersecurity Center of Excellence (NCCoE) conference facility, in Rockville, MD. This one-day event aims to bring together technical experts from industry, academia, and the government to discuss drivers, need, methods and process to establish trust and provenance across the semiconductor supply chain. The workshop will solicit and obtain valuable feedback from the...
Projects
https://csrc.nist.gov/projects/software-identification-swid
Software is vital to our economy and way of life as part of the critical infrastructure for the modern world. Too often cost and complexity make it difficult to manage software effectively, leaving the software open for attack. To properly manage software, enterprises need to maintain accurate software inventories of their managed devices in support of higher-level business, information technology, and cybersecurity functions. Accurate software inventories help an enterprise to: Manage compliance with software license agreements. Knowing what software is installed and used can help an...
Publications
CSWP 40 (Initial Public Draft)
April 14, 2025
https://csrc.nist.gov/pubs/cswp/40/nist-privacy-framework-11/ipd
Abstract: The NIST Privacy Framework 1.1 is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy. It provides high-level privacy risk management outcomes tha...
Project Pages
https://csrc.nist.gov/projects/incident-response/preparation-resources
The following are selected examples of additional resources supporting incident response preparation. General Incident Response Programs, Policies, and Plans Carnegie Mellon University, Incident Management (includes plan, policy, and reporting templates, and incident declaration criteria) Computer Crime & Intellectual Property Section (CCIPS), U.S. Department of Justice, Best Practices for Victim Response and Reporting of Cyber Incidents Cybersecurity & Infrastructure Security Agency (CISA), Incident Response Plan (IRP) Basics NIST, Guide for Cybersecurity Event Recovery (SP...
Project Pages
https://csrc.nist.gov/projects/incident-response/life-cycle-resources
The following are selected examples of additional resources supporting the incident response life cycle. Vulnerability and Threat Information CISA, Automated Indicator Sharing (AIS) CISA, CISA Cyber Threat Indicator and Defensive Measure Submission System CISA, Cybersecurity Alerts & Advisories CISA, Cybersecurity Directives CISA, Ransomware Vulnerability Warning Pilot (RVWP) The MITRE Corporation, MITRE ATT&CK National Council of ISACs (NCI) NIST, Guide to Cyber Threat Information Sharing (SP 800-150) NIST, National Vulnerability Database (NVD) NIST, Recommendations for...
Publications
SP 800-61 Rev. 3 (Final)
April 3, 2025
https://csrc.nist.gov/pubs/sp/800/61/r3/final
Abstract: This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0. Doing so can help organizations prepare for incid...
Publications
SP 1800-33 (Initial Public Draft)
March 18, 2025
https://csrc.nist.gov/pubs/sp/1800/33/ipd
Abstract: The National Cybersecurity Center of Excellence (NCCoE) is collaborating with technology providers and other companies on a project to develop example solution approaches for safeguarding 5G networks. These solutions use combinations of cybersecurity and privacy measures drawn from 5G capabilities a...
