Use this form to search content on CSRC pages.
Protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations is critical to federal agencies. The suite of guidance (NIST Special Publication (SP) 800-171, SP 800-171A, SP 800-172, and SP 800-172A) focuses on protecting the confidentiality of CUI and recommends specific security requirements to achieve that objective. Comments Received SP 800-171 Revision 3 (Final Public Draft) and SP 800-171A Revision 3 (Initial Public Draft) February 21, 2024: NIST issues summary and analysis of comments received in response to SP 800-171 Revision 3 (final public...
NIST published the final version of Special Publication (SP) 800-66r2 (Revision 2), Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide.
Abstract: The HIPAA Security Rule focuses on safeguarding electronic protected health information (ePHI) held or maintained by regulated entities. The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible us...
Our Goal The Human-Centered Cybersecurity program within the NIST Visualization and Usability Group provides research evidence and guidance to policymakers, system engineers, organizational decision makers, and cybersecurity professionals so that they can make better decisions that consider the human element, thereby advancing cybersecurity adoption and empowering people to be active, informed partners in cybersecurity. Ideally, this guidance should: Have a basis in real empirical data Create solutions that are secure in practice, not just in theory Take stakeholders' needs and...
Abstract: This document is a Cybersecurity Framework Profile developed for voting equipment and information systems that support elections. This Election Infrastructure Profile can be utilized by election administrators and IT professionals who manage election infrastructure to reduce the risks associated wit...
Abstract: NIST Special Publication (SP) 800-60 facilities the application of appropriate levels of information security according to a range of levels of impact or consequence that may result from unauthorized disclosure, modification, or use of the information or systems. This publication provides a methodol...
Volumes A (2nd preliminary draft) and B (initial prelim. draft) of NIST Special Publication 1800-37, Addressing Visibility Challenges with TLS 1.3 within the Enterprise, are available for public comment through April 1, 2024.
Abstract: The Transport Layer Security (TLS) protocol is widely deployed to secure network traffic. The latest version, TLS 1.3, has been strengthened so that even if a TLS-enabled server is compromised, the contents of its previous TLS communications are still protected—better known as forward secrecy. The a...
These are standard publications and guidelines that provide perspectives and frameworks to inform, measure, and manage cybersecurity vulnerabilities and exposures. NIST SP 800-55 Vol. 1 (Initial Public Draft) Measurement Guide for Information Security: Volume 1 — Identifying and Selecting Measures Volume 1 — Identifying and Selecting Measures is a flexible approach to the development, selection, and prioritization of information security measures. This volume explores both quantitative and qualitative assessment and provides basic guidance on data analysis techniques as well as impact and...
These are tools and utilities to assess the level of security risks and provide a mechanism to enhance automation for the cybersecurity information exchange. Baldrige Cybersecurity Excellence Builder (BCEB) A self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts and identity improvement opportunities in the context of their overall organizational performance. Common Vulnerability Scoring System (CVSS) An open framework for communicating the characteristics and severity of software vulnerabilities. CVSS is well...
[Redirect to: https://www.nist.gov/cybersecurity/measurements-information-security] Every organization wants to gain maximum value and effect for its finite cybersecurity-related investments. This includes managing risk to the enterprise and optimizing the potential reward of cybersecurity policies, programs, and actions. Organizations frequently make go-ahead decisions by comparing scenarios that differ in projected cost with associated likely benefits and risk reduction. However, these scenarios are often based on a “best guess.” Increasingly, senior executives are asking for a more accurate...
Type: Presentation
We look forward to welcoming you to NIST’s Virtual Workshop on Secure Development Practices for AI Models on January 17. This workshop is being held in support of Executive Order (EO) 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. EO 14110 tasked NIST with “developing a companion resource to the Secure Software Development Framework (SSDF) to incorporate secure development practices for generative AI and for dual-use foundation models.” What You Will Learn This workshop will bring together industry, academia, and government to discuss secure development...
NIST Special Publication (SP) Draft 800-55, Measurement Guide for Information Security, Volume 1 — Identifying and Selecting Measures, and Volume 2 — Developing an Information Security Measurement Program, are now available for public review and comment through March 18, 2024.
NIST plans to update Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers, and is issuing a Pre-Draft Call for Comments to solicit feedback from users. Deadline to submit comments is February 23, 2024.
Abstract: [See the Abstract for SP 800-100]
Understanding user perceptions and behavior is critical to achieving security objectives. People are repeatedly bombarded with messages about the dangers lurking on the Internet and are encouraged (or forced) to take numerous security-related actions, often without a clear understanding of why and to what end. We conduct research to discover people’s security and privacy perceptions, attitudes, and behaviors with a goal of developing cybersecurity guidance that: 1) takes into account user needs, biases, and limitations and 2) helps people make sound security decisions. Recent projects include...
Many security research efforts have focused on adults' perceptions and practices, leaving gaps in our understanding of youth perceptions and practices. To help fill this gap, our team explores the online security and privacy perceptions and practices of youth and influencing social factors from three perspectives: youth themselves, parents/guardians, and teachers/educators. Research insights are informing NIST's contributions to the interagency Task Force on Kids Online Health & Safety. Publications Influences on Youth Online Privacy and Security Papers Youth understandings of...
Internet of Things (IoT) technology is becoming more pervasive in the home environment. These technologies are increasingly used by non-technical users who have little understanding of the technologies or awareness of the security and privacy implications of use. We conduct research to help improve consumers' security and privacy experiences and outcomes when using IoT, with a specific focus on smart home devices. Our work in this area informed the human-centered label and consumer education considerations in IoT cybersecurity criteria for a consumer labeling program in response to NIST's...
Authentication mechanisms such as passwords and multi-factor authentication methods (e.g., smart cards and tokens) provide examples of the challenges involved in creating usable cybersecurity solutions. Our research explores the usage and usability of authentication mechanisms. We focus on how these mechanisms can be improved to aid in their correct, secure employment by different user populations while avoiding user frustration and circumvention. Also see our Youth Security & Privacy research area for publications related to youth passwords. Publications Digital Identity Guidelines...
The NIST National Cybersecurity Center of Excellence has released NIST Internal Report (IR) 8432, "Cybersecurity of Genomic Data."
Abstract: Genomic data has enabled the rapid growth of the U.S. bioeconomy and is valuable to the individual, industry, and government because it has multiple intrinsic properties that in combination make it different from other types of data that possess only a subset of these properties. The characteristics...
Abstract:
NIST has released Cybersecurity White Paper (CSWP) 30, Automation Support for Control Assessments – Project Update and Vision, which describes planned updates to the NIST Interagency Report (IR) 8011 series.
Abstract: In 2017, the National Institute of Standards and Technology (NIST) published a methodology for supporting the automation of Special Publication (SP) 800-53 control assessments in the form of Interagency Report (IR) 8011. IR 8011 is a multi-volume series that starts with an overview of the methodolog...