Publications
IR 8320 (Final)
May 4, 2022
https://csrc.nist.gov/pubs/ir/8320/final
Abstract: In today’s cloud data centers and edge computing, attack surfaces have shifted and, in some cases, significantly increased. At the same time, hacking has become industrialized, and most security control implementations are not coherent or consistent. The foundation of any data center or edge computi...
Publications
SP 1800-33 (Initial Preliminary Draft)
April 25, 2022
https://csrc.nist.gov/pubs/sp/1800/33/iprd
Abstract: Organizations face significant challenges in transitioning from 4G to 5G usage, particularly the need to safeguard new 5G-using technologies at the same time that 5G development, deployment, and usage are evolving. Some aspects of securing 5G components and usage lack standards and guidance, making...
Publications
SP 1800-19 (Final)
April 20, 2022
https://csrc.nist.gov/pubs/sp/1800/19/final
Abstract: A cloud workload is an abstraction of the actual instance of a functional application that is virtualized or containerized to include compute, storage, and network resources. Organizations need to be able to monitor, track, apply, and enforce their security and privacy policies on their cloud worklo...
Project Pages
https://csrc.nist.gov/projects/cybersecurity-framework/nist-cybersecurity-framework-a-quick-start-guide
What is the NIST Cybersecurity Framework, and how can my organization use it? The NIST Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices to help organizations better manage and reduce cybersecurity risk. It fosters cybersecurity risk management and related communications among both internal and external stakeholders, and for larger organizations, helps to better integrate and align cybersecurity risk management with broader enterprise risk management processes as described in the NISTIR 8286 series. The Framework is organized by five key...
Publications
SP 800-40 Rev. 4 (Final)
April 6, 2022
https://csrc.nist.gov/pubs/sp/800/40/r4/final
Abstract: Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization. Patching is more important than ever because of the increasing reliance on technology, but there is often a div...
Publications
SP 1800-31 (Final)
April 6, 2022
https://csrc.nist.gov/pubs/sp/1800/31/final
Abstract: Patching is the act of applying a change to installed software – such as firmware, operating systems, or applications – that corrects security or functionality problems or adds new capabilities. Despite widespread recognition that patching is effective and attackers regularly exploit unpatched softw...
Publications
IR 8420 (Final)
March 25, 2022
https://csrc.nist.gov/pubs/ir/8420/final
Abstract: Prior industry surveys and research studies have revealed that organizational cybersecurity awareness (hereafter shortened to “security awareness”) programs may face a number of challenges, including lack of: leadership support; resources; and staff with sufficient background and skills to implement...
Publications
IR 8420A (Final)
March 25, 2022
https://csrc.nist.gov/pubs/ir/8420/a/final
Abstract: Organizational security awareness programs experience a number of challenges, including lack of resources, difficulty measuring the impact of the program, and perceptions among the workforce that training is a boring, “check-the-box” activity. While prior surveys and research have examined programs...
Publications
IR 8420B (Final)
March 25, 2022
https://csrc.nist.gov/pubs/ir/8420/b/final
Abstract: Organizational cybersecurity awareness (hereafter shortened to “security awareness”) programs may experience a number of challenges, including lack of funding and staff with the appropriate knowledge and skills to manage an effective program. While prior surveys and research have examined programs i...
Events
March 24, 2022 - March 24, 2022
https://csrc.nist.gov/events/2022/rfi-feedback-session
NIST recently issued a Request for Information (RFI) asking for information that would improve the effectiveness of the Cybersecurity Framework (CSF) for a potential update. As a part of this initiative, NIST wants to better understand how the CSF is being used today and to learn what’s working and what’s not. NIST also wants to explore better ways to align the CSF with other NIST guidance, such as the Privacy Framework, Secure Software Development Framework, Risk Management Framework, NICE Workforce Framework, and its series on IoT cybersecurity. NIST wants to know what would help use...
Publications
SP 1800-10 (Final)
March 16, 2022
https://csrc.nist.gov/pubs/sp/1800/10/final
Abstract: Today’s manufacturing organizations rely on industrial control systems (ICS) to conduct their operations. Increasingly, ICS are facing more frequent, sophisticated cyber attacks—making manufacturing the second-most-targeted industry. Cyber attacks against ICS threaten operations and worker safety, r...
Projects
https://csrc.nist.gov/projects/small-business-cybersecurity-corner
[Redirect to https://www.nist.gov/itl/smallbusinesscyber] The vast majority of smaller businesses rely on information technology to run their businesses and to store, process, and transmit information. Protecting this information from unauthorized disclosure, modification, use, or deletion is essential for those companies and their customers. With limited resources and budgets, these companies need cybersecurity guidance, solutions, and training that is practical, actionable, and enables them to cost-effectively address and manage their cybersecurity risks. This NIST Small Business...
Project Pages
https://csrc.nist.gov/projects/cyber-supply-chain-risk-management/federal-c-scrm
The Federal C-SCRM Forum fosters collaboration and the exchange of cybersecurity supply chain risk management (C-SCRM) information among federal organizations to improve the security of federal supply chains. Through periodic meetings and informal exchanges, the Forum offers all agencies that depend upon or guide C-SCRM an opportunity to discuss issues of interest with – and to inform – many of those leading C-SCRM efforts in the federal ecosystem, including the Office of Management and Budget (OMB), the Department of Defense (DOD), the Cybersecurity and Infrastructure Security Agency (CISA),...
Events
March 1, 2022 - March 2, 2022
https://csrc.nist.gov/events/2022/3rd-oscal-workshop
The National Institute of Standards and Technology hosted on Tuesday, March 1st, and Wednesday, March 2nd, 2022, the third workshop in the series focusing on the Open Security Controls Assessment Language (OSCAL). Setting the foundation for security automation, with particular focus on the continuous authorization to operate (ATO) processes and continuous monitoring, OSCAL provides machine-readable representations of control catalogs, control baselines or profiles, system security plans, assessment plans, assessment results, and plan of actions and milestones, in a set of formats expressed in...
