NIST published Special Publication 800-236, FY 2024 Annual Report for NIST Cybersecurity and Privacy Program.
Abstract: Throughout Fiscal Year 2024 (FY 2024) — from October 1, 2023, through September 30, 2024 — the NIST Information Technology Laboratory (ITL) Cybersecurity and Privacy Program successfully responded to numerous challenges and opportunities in security and privacy. This Annual Report highlights the ITL...
The Measurements for Information Security Program aims to better equip organizations to purposefully and effectively manage their information security risk through the development of flexible approaches to the selection, assessment, and management of measures and metrics. Information Security Measurement Guide: SP 800-55v1, Measurement Guide for Information Security – Volume 1, Identifying and Selecting Measures, provides a flexible approach to the development, selection, and prioritization of information security measures. SP 800-55v2, Measurement Guide for Information Security – Volume...
The Cyber Risk Analytics and Measurement program aims to develop cybersecurity risk analytics methods, tools, and guides to improve the understanding of cybersecurity risks, inform management practices, and facilitate information sharing among risk owners. Below are the internal and external collaborative activities of the program: Cyber Supply Chain Survey Tool: NIST is prototyping a survey tool to be an educational resource to facilitate cybersecurity supply chain risk management. The tool provides insights for organizations to evaluate and manage their processes to minimize cyber supply...
Read the Code of Conduct for NIST Meetings. Call for Submissions (Submission Deadline: March 30, 2025). On March 5, 2025, NIST released the draft Cybersecurity White Paper (CSWP) 39, Considerations for Achieving Crypto Agility - Strategies and Practices. This white paper provides an in-depth survey of current approaches and considerations to achieving crypto agility. It discusses challenges, trade-offs, and some approaches to providing operational mechanisms for achieving crypto agility while maintaining interoperability. It also highlights some critical working areas that require additional...
NIST Publishes NIST IR 8562, the Summary Report for "Workshop on Updating Manufacturer Guidance for Securable Connected Product Development"
Abstract: This report summarizes the feedback received by the NIST Cybersecurity for the Internet of Things (IoT) program at the in-person and hybrid workshop on "Updating Manufacturer Guidance for Securable Connected Product Development" held in December 2024. The purpose of this workshop was to consider how...
Code of Conduct for NIST Conferences. Final Agenda with Links to Presentations. The NIST Trust and Provenance in the Semiconductor Supply Chain Workshop will be held as an in-person event on Tuesday, April 15, 2025 at the NIST National Cybersecurity Center of Excellence (NCCoE) conference facility, in Rockville, MD. This one-day event aims to bring together technical experts from industry, academia, and the government to discuss drivers, need, methods and process to establish trust and provenance across the semiconductor supply chain. The workshop will solicit and obtain valuable feedback from the...
NIST CSWP 42, Towards Automating IoT Security: Implementing Trusted Network-Layer Onboarding, is available for public comment. The comment period is open through May 29, 2025.
The initial public draft of the NIST Privacy Framework 1.1 is available for public comment through June 13, 2025.
Abstract: The NIST Privacy Framework 1.1 is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy. It provides high-level privacy risk management outcomes tha...
The following are selected examples of additional resources supporting incident response preparation. General Incident Response Programs, Policies, and Plans: Carnegie Mellon University, Incident Management (includes plan, policy, and reporting templates, and incident declaration criteria); Computer Crime & Intellectual Property Section (CCIPS), U.S. Department of Justice, Best Practices for Victim Response and Reporting of Cyber Incidents; Cybersecurity & Infrastructure Security Agency (CISA), Incident Response Plan (IRP) Basics; NIST, Guide for Cybersecurity Event Recovery (SP...
The following are selected examples of additional resources supporting the incident response life cycle. Vulnerability and Threat Information: CISA, Automated Indicator Sharing (AIS); CISA, CISA Cyber Threat Indicator and Defensive Measure Submission System; CISA, Cybersecurity Alerts & Advisories; CISA, Cybersecurity Directives; CISA, Ransomware Vulnerability Warning Pilot (RVWP); The MITRE Corporation, MITRE ATT&CK; National Council of ISACs (NCI); NIST, Guide to Cyber Threat Information Sharing (SP 800-150); NIST, National Vulnerability Database (NVD); NIST, Recommendations for...
NIST has finalized Special Publication (SP) 800-61r3 (Revision 3), Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile.
Abstract: This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0. Doing so can help organizations prepare for incid...
NIST has published NIST AI 100-2e2025, Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations.
NCCoE is releasing the draft Executive Summary, NIST SP 1800-33 5G Cybersecurity Volume A
Abstract: The National Cybersecurity Center of Excellence (NCCoE) is collaborating with technology providers and other companies on a project to develop example solution approaches for safeguarding 5G networks. These solutions use combinations of cybersecurity and privacy measures drawn from 5G capabilities a...
Combinatorial testing is being applied successfully in nearly every industry, and is especially valuable for assurance of high-risk software with safety or security concerns. Combinatorial testing is referred to as effectively exhaustive, or pseudo-exhaustive, because it can be as effective as fully exhaustive testing, while reducing test set size by 20X to more than 100X. Case studies below are from many types of applications, including aerospace, automotive, autonomous systems, cybersecurity, financial systems, video games, industrial controls, telecommunications, web applications, and...
NCCoE has released NIST IR 8523 ipd for public comment until 11:59 PM ET on Monday, April 14, 2025
The latest Quick Start Guide for the NIST Cybersecurity Framework 2.0 is available for public comment through April 25, 2025.
NIST Cybersecurity White Paper (CSWP), Considerations for Achieving Crypto Agility, provides an in-depth survey of current approaches and considerations to achieving crypto agility.