Search CSRC

Development of an Internal-Use NCCoE Chatbot | Comment on Draft NIST IR 8579

The National Cybersecurity Center of Excellence (NCCoE) has released the initial public draft of Internal Report (IR) 8579. The comment period for this NIST IR closes on September 11, 2025.

Second Public Draft | Supply Chain Traceability: Manufacturing Meta-Framework

NIST's NCCoE has posted the second public draft of NIST IR 8536, "Supply Chain Traceability: Manufacturing Meta-Framework," for public comment. The comment period is open through October 3, 2025.

Supply Chain Traceability: Manufacturing Meta-Framework

Abstract: Manufacturing and critical infrastructure supply chains are vital to the security, resilience, and economic strength of the United States. However, increasing global complexity makes tracing product origins more difficult, exposing vulnerabilities to logistical disruptions, fraud, sabotage, and coun...

Developing the NCCoE Chatbot: Technical and Security Learnings from the Initial Implementation

Abstract: Chatbots are emerging as alternative interfaces for structured information retrieval and internal knowledge access. Chatbots can utilize the capabilities of large language models (LLMs) to help interpret user-provided input and provide responses to a variety of requests. This paper describes the dev...

Digital Identity Guidelines

Abstract: These guidelines cover the identity proofing, authentication, and federation of users (e.g., employees, contractors, or private individuals) who interact with government information systems over networks. They define technical requirements in each of the areas of identity proofing, enrollment, authe...

Secure Software Development, Security, and Operations (DevSecOps) Practices | Draft SP 1800-44A

Volume A of NIST Special Publication 1800-44, "Secure Software Development, Security, and Operations (DevSecOps) Practices," is available for comment through September 14, 2025.

Draft SP 800-53 Controls on Secure and Reliable Patches Available for Comment

NIST's draft updates to SP 800-53 providing additional guidance on how to securely and reliably deploy patches and updates in response to Executive Order 14306

Executive Order 14306

Sustaining Select Efforts To Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144 (June 6, 2025)

Considerations for Achieving Crypto Agility | Second Public Draft Available for Comment

The second public draft of NIST Cybersecurity White Paper (CSWP) 39, Considerations for Achieving Crypto Agility: Strategies and Practices is available for comment. The public comment period for this second draft is open through August 15, 2025.

NIST Cybersecurity and Privacy Update

Type: Briefing

NCCoE Roadmap and Select Project Overviews

Type: Presentation

Reducing the Cybersecurity Risks of Portable Storage Media in OT Environments | Comment on NIST SP 1334

The NCCoE seeks public comments on the initial public draft of SP 1334, "Reducing the Cybersecurity Risks of Portable Storage Media in OT Environments." Comments are due August 14, 2025.

Combinatorial Testing for AI-Enabled Systems

*NEW* Short course from the Defense and Aerospace Test and Analysis Workshop 2025 (Dataworks 2025) - complete course presentation here. The goal of this project is to provide practitioners and researchers with a foundational understanding of combinatorial testing techniques and applications to testing AI-enabled software systems (AIES). Resources are being developed in these areas: Combinatorial testing (CT), applying CT to test traditional software systems, including real-world examples and case studies. How Test and Evaluation (T&E) of AIES differ from traditional software systems...

smart grid

NIST's cybersecurity resources have supported NIST's smart grid development efforts, which resulted from the Energy Independence and Security Act of 2007 (EISA). RT=EISA

Software Understanding for National Security

Type: Presentation

adverse cybersecurity event

Analyzing Collusion Threats in the Semiconductor Supply Chain | NIST Cybersecurity White Paper 46

This document, Analyzing Collusion Threats in the Semiconductor Supply Chain | NIST Cybersecurity White Paper 46; has been approved as final.

Network Security Design Principles | Applying 5G Cybersecurity and Privacy Capabilities

NCCoE released the sixth white paper in the series, 5G Network Security Design Principles, which provides the network infrastructure security design principles that commercial and private 5G network operators are encouraged to use.

End-of-Life Announcement: NIST SCAP Validation Program

The National Institute of Standards and Technology (NIST) announces the phased conclusion of the Security Content Automation Protocol (SCAP) Validation Program.

Implementing a Zero Trust Architecture: NIST Publishes SP 1800-35

NIST Special Publication 1800-35, "Implementing a Zero Trust Architecture," provides results and best practices from NCCoE's work with 24 vendors to demonstrate end-to-end zero trust architecture.

Implementing a Zero Trust Architecture: High-Level Document

Abstract: A zero trust architecture (ZTA) enables secure authorized access to enterprise resources that are distributed across on-premises and multiple cloud environments, while enabling a hybrid workforce and partners to access resources from anywhere, at any time, from any device in support of the organizat...

Metrics and Methodology for Hardware Security Constructs | NIST Publishes Cybersecurity White Paper 45

Metrics and Methodology for Hardware Security Constructs utilizes a comprehensive methodology and two key metrics to analyze different hardware weaknesses and the specific attack patterns that can exploit them.

Supply Chain

Overlay Name: NIST SP 800-161, Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations Overlay Publication Date: May 2022 Technology or System: Cyber Supply Chain Overlay Author: Jon Boyens (NIST), Angela Smith (NIST), Nadya Bartol (BCG), Kris Winkler (BCG), Alex Holbrook (BCG), Matthew Fallon (BCG) Comments: Identification and augmentation of cybersecurity supply chain risk management (C-SCRM)-related controls in SP 800-53, Revision 5. Refer to SP 800-161r1, Appendix A, for the C-SCRM Controls. C-SCRM is an enterprise-wide activity that should be...

Open for Public Comment | Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems

NIST has released the initial public draft (ipd) of Special Publication (SP) 800-18r2. The comment period is open through July 30, 2025.

Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems

Abstract: The system security plan, system privacy plan, and cybersecurity supply chain risk management plan are collectively referred to as system plans. They describe the purpose of the system, the operational status of the controls selected and allocated for meeting risk management requirements, and the re...