Projects
https://csrc.nist.gov/projects/software-identification-swid
Software is vital to our economy and way of life as part of the critical infrastructure for the modern world. Too often cost and complexity make it difficult to manage software effectively, leaving the software open for attack. To properly manage software, enterprises need to maintain accurate software inventories of their managed devices in support of higher-level business, information technology, and cybersecurity functions. Accurate software inventories help an enterprise to: Manage compliance with software license agreements. Knowing what software is installed and used can help an...
Projects
https://csrc.nist.gov/projects/forum
The Federal Cybersecurity and Privacy Professionals Forum is an informal group sponsored by the National Institute of Standards and Technology (NIST) to promote the sharing of cybersecurity and privacy knowledge, best practices, and resources among U.S. federal, state, and local government, and higher education organizations. The Federal Cybersecurity and Privacy Professionals Forum ("the Forum") maintains an extensive email list, and holds quarterly meetings - including an annual 2-day conference - to discuss current issues and items of interest to those responsible for protecting...
Project Pages
https://csrc.nist.gov/projects/human-centered-cybersecurity/research-areas/phishing
Phishing continues to be an escalating cyber threat facing organizations of all types and sizes, including industry, academia, and government. Our team performs research to understand phishing within an operational (real-world) context by examining user behaviors during phishing awareness training exercises. Our projects provide insights into users’ rationale and role in early detection, and how these might be scaffolded with technological solutions. Recent efforts have focused on the NIST Phish Scale, a method for rating the human detection difficulty of phishing emails considering both the...
Projects
https://csrc.nist.gov/projects/human-centered-cybersecurity
The National Institute of Standards and Technology (NIST) Human-Centered Cybersecurity program seeks to "champion the human in cybersecurity" by conducting interdisciplinary research to better understand and improve people’s interactions with cybersecurity systems, products, processes, and services. Research Areas
Publications
IR 8425A (Initial Public Draft)
April 17, 2024
https://csrc.nist.gov/pubs/ir/8425/a/ipd
Abstract: Ensuring the security of routers is crucial for safeguarding not only individuals’ data but also the integrity and availability of entire networks. With the increasing prevalence of smart home IoT devices and remote work setups, the significance of consumer-grade router cybersecurity has expanded, a...
Projects
https://csrc.nist.gov/projects/olir
Mappings to NIST Documents The National Online Informative References (OLIR) Program is a NIST effort to facilitate subject matter experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their documents, products, and services and elements of NIST documents like the Cybersecurity Framework Version 1.1, Privacy Framework Version 1.0, NISTIR 8259A, or NIST SP 800-53 Revision 5. The NIST Interagency or Internal Report (IR) 8278 - National Online Informative References (OLIR) Program: Program Overview and OLIR Uses focuses on explaining what OLIRs are,...
Projects
https://csrc.nist.gov/projects/cybersecurity-risk-analytics
Every organization wants maximum effect and value for its finite cybersecurity-related investments, including managing risk to the enterprise and optimizing the potential reward of cybersecurity policies, programs, and actions. Organizations frequently make decisions by comparing projected costs with potential benefits and risk reduction scenarios. Senior executives need accurate and quantitative methods to portray and assess these factors, their effectiveness and efficiency, and their effect on risk exposure. Providing reliable answers to these questions requires organizations to employ a...
Project Pages
https://csrc.nist.gov/projects/risk-management/sp800-53-controls/public-comments-home/faq
General Questions and Background What is the purpose of the SP 800-53 Public Comment Website? NIST believes that robust, widely understood, and participatory development processes produce the strongest, most effective, most trusted, and broadly accepted standards and guidelines. The following principles guide NIST's standards and guidelines development: Transparency: All interested and affected parties have access to essential information regarding standards and guidelines-related activities throughout the development process. Openness: Participation is open to all interested...
Projects
https://csrc.nist.gov/projects/incident-response
NIST has released a new draft of Special Publication (SP) 800-61 Revision 3 for public comment! Your comments on Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile are welcome through May 20, 2024. NIST SP 800-61 Revision 3 seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0. Doing so can help organizations prepare for incident responses, reduce...
Project Pages
https://csrc.nist.gov/projects/incident-response/preparation-resources
The following are selected examples of additional resources supporting incident response preparation. General Incident Response Programs, Policies, and Plans Carnegie Mellon University, Incident Management (includes plan, policy, and reporting templates, and incident declaration criteria) Computer Crime & Intellectual Property Section (CCIPS), U.S. Department of Justice, Best Practices for Victim Response and Reporting of Cyber Incidents Cybersecurity & Infrastructure Security Agency (CISA), Incident Response Plan (IRP) Basics NIST, Guide for Cybersecurity Event Recovery (SP...
Project Pages
https://csrc.nist.gov/projects/incident-response/life-cycle-resources
The following are selected examples of additional resources supporting the incident response life cycle. Vulnerability and Threat Information CISA, Automated Indicator Sharing (AIS) CISA, CISA Cyber Threat Indicator and Defensive Measure Submission System CISA, Cybersecurity Alerts & Advisories CISA, Cybersecurity Directives CISA, Ransomware Vulnerability Warning Pilot (RVWP) DHS and DOJ, Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities The MITRE Corporation, MITRE ATT&CK National Council of ISACs (NCI)...
Publications
SP 800-61 Rev. 3 (Initial Public Draft)
April 3, 2024
https://csrc.nist.gov/pubs/sp/800/61/r3/ipd
Abstract: This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0. Doing so can help organizations prepare for incid...
Project Pages
https://csrc.nist.gov/projects/human-centered-cybersecurity/research-areas/cybersecurity-adoption
People and organizations often fail to adopt and effectively use cybersecurity best practices and technologies for a variety of reasons, including poor awareness, lack of knowledge/skill, and personal biases. Those professionals tasked with educating others may likewise face a number of challenges, including lack of resources, support, and skills needed to be effective security communicators. We conduct research to better understand the approaches and challenges with cybersecurity awareness and role-based training through the eyes of training professionals within the U.S. government. In the...
Project Pages
https://csrc.nist.gov/projects/human-centered-cybersecurity/research-areas/human-centered-cybersecurity-general
Our team often writes articles or provides presentations that discuss and provide information about human-centered cybersecurity to various audiences, for example, cybersecurity practitioners or fellow researchers. Currently, we are conducting a multi-phased research project to understand the interactions between human-centered cybersecurity researchers and practitioners. We hope the results will lead to the creation of mutually beneficial “bridges” between the research and practitioner communities that facilitate the relevance and application of research findings to real-world practice....
Project Pages
https://csrc.nist.gov/projects/ispab/members
Steven Lipner, Chairperson Executive Director SAFECode Term Expires 5/30/2026 Dr. Brett Baker Inspector General for the National Archives U.S. National Archives and Records Administration Term Expires 3/14/2026 Michael Duffy Associate Director for Capacity Building CISA Cybersecurity Division, Department of Homeland Security Term Expires 3/13/2028 Giulia Fanti Assistant Professor Carnegie Mellon University Term Expires 7/8/2025 Jessica Fitzgerald-McKay Co-Lead, Center for Cyber Security Standards (CCSS) National Security Agency Term Expires 3/3/2027 Alex Gantman Vice President,...
