Search CSRC

Download the SP 800-53 Controls in Different Data Formats Note that NIST Special Publication (SP) 800-53, 800-53A, and SP 800-53B contain additional background, scoping, and implementation guidance in addition to the controls, assessment procedures, and baselines. This NIST SP 800-53 database represents the derivative format of controls defined in NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. If there are any discrepancies noted in the content between these NIST SP 800-53 and 53A derivative data formats and the latest published NIST SP...

Security Requirements for Protecting CUI Purpose Recommended security requirements for protecting the confidentiality of CUI: (1) when the CUI is resident in a nonfederal system and organization; (2) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and (3) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI...

Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 Purpose Enhanced security requirements to help protect the confidentiality, integrity, and availability of Controlled Unclassified Information (CUI) associated with critical programs or high value assets from the advanced persistent threat (APT). Scope The enhanced security requirements in NIST SP 800-172 are supplemental and do not impact the basic and derived security requirements contained in NIST SP 800-171, nor the scope of the implementation of the NIST...

Accessing Security Requirements for Controlled Unclassified Information Purpose Assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST SP 800-171. Scope A system security plan describes how the SP 800-171 security requirements are met. The plan describes the system boundary; the environment in which the system operates; how the requirements are implemented; and the relationships with or connections to other systems. The scope of the assessments conducted using the procedures described in SP 800-171A are guided and...

Accessing Enhanced Security Requirements for Controlled Unclassified Information Purpose Assessment procedures and a methodology that can be employed to conduct assessments of the enhanced security requirements in NIST Special Publication 800-172. Scope Assessments conducted using the SP 800-172A procedures are guided and informed by the system security plans for the organizational systems processing, storing, or transmitting CUI. The assessments focus on the overall effectiveness of the security safeguards intended to satisfy the SP 800-172 enhanced security requirements. Download the SP...

On July 19, 2022, NIST announced its intention to update the series of special publications dedicated to the Protection of Controlled Unclassified Information (CUI). Many changes are actively under consideration reflecting the current thinking of NIST after extensive review and analyses of the public comments. Based on the feedback received, inputs from workshops and conferences, and discussions with federal agencies, the changes under consideration include: Streamlining the Introduction and Fundamentals sections of the document Withdrawing requirements that are either outdated, no longer...

Protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations is critical to federal agencies. The suite of guidance (NIST Special Publication (SP) 800-171, SP 800-171A, SP 800-172, and SP 800-172A) focuses on protecting the confidentiality of CUI and recommends specific security requirements to achieve that objective. Comments Received SP 800-171 Revision 3 (Final Public Draft) and SP 800-171A Revision 3 (Initial Public Draft) February 21, 2024: NIST issues summary and analysis of comments received in response to SP 800-171 Revision 3 (final public...

The NIST Special Publication (SP) 800-140x series supports Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules, and its associated validation testing program, the Cryptographic Module Validation Program (CMVP).

FIPS 201-2 Supporting Special Publications Workshop

NIST and the Department of Transportation (DOT) co-hosted a public workshop to gather input on the privacy controls in Appendix J of NIST Special Publication 800-53, Revision 4. The workshop explored the effectiveness and challenges of applying the current privacy controls in 800-53 and whether changes should be made in the publication’s fifth revision. Panelists and attendees participated in facilitated discussions on topics including potential amendments to the privacy control families, broader guidance on the relationship between the privacy and security controls, and the need for...

Spring 2017 Software and Supply Chain Assurance Forum

The Software and Supply Chain Assurance Forum (SSCA) provides a venue for government, industry, and academic participants from around the world to share their knowledge and expertise regarding software and supply chain risks, effective practices and mitigation strategies, tools and technologies, and any gaps related to the people, processes, or technologies involved. Forums are held 2-3 times / year and are FREE and open to the public; registration is required.

D.C. Area Crypto Day is a bi-annual, one-day regional meeting of cryptographic researchers to promote research collaborations and disseminate fresh, state-of-the-art results in cryptography. Previous D.C. Area Crypto Day events have been held at several local universities. Program and Additional details There is no registration fee, however, all attendees must be pre-registered to enter the NIST campus. Registration closed April 4. IMPORTANT INFORMATION: Your name in our registration system must match your identification exactly to gain entry. You will be required to stop at the NIST...

STPPA Event #2: Structure: Three talks and one panel related to privacy-enhancing cryptography. Featured topics: private set intersection; secure multi-party computation. Date and place: Monday, April 19, 2021. Virtual event, via Webex Schedule (Eastern Time) 13:00–13:15: Brief comments on PEC and STPPA. Luis Brandao (NIST/Strativia). Slides and video. 13:15–13:55: A Brief Overview of Private Set Intersection. Mike Rosulek (Oregon State University). Slides and video. 13:55–14:55: Secure Computation on Datasets. Steve Lu (Stealth Software Technologies) and Rafail Ostrovsky...

STPPA Event #1: Date: Monday, January 27, 2020. Place: NIST Gaithersburg, Administrative Building (101), Lecture room B. Featured topics: public randomness and auditability; differential privacy; census data; fake videos. Structure: Four talks related to privacy and cryptography. Schedule (Eastern Time) 10:00–10:15: Introductory remarks. Rene Peralta (NIST) 10:15–10:45: Randomness beacons as enablers of public auditability. Luis Brandao (NIST). Slides and video. 10:45–11:30:* De-Identification and Differential Privacy. Simson Garfinkel (U.S. Census Bureau). Slides and video....

STPPA Event #3: Featured topics: private information retrieval (PIR); searchable encryption; fully homomorphic encryption (FHE). Structure: welcome; three invited talks; panel conversation. Date, time, location/format: July 06, 2021, 13:30–16:30 EDT @ virtual event over Webex video conference Attendance: open and free to the public, upon registration Schedule 13:30--13:40: STPPA#3 intro 13:40--14:20: Private Information Retrieval with Near-Optimal Online Bandwidth and Time, by Elaine Shi (Carnegie Mellon University) 14:20--15:00: An Overview of Encrypted Databases, by Seny...

Featured topics: anonymous credentials, blind signatures, private authentication. Structure: welcome; three invited talks; panel conversation. Date and time: November 21st, 2022, 09:00–12:30 EST [Note: it was postponed to Nov 21st, after an initial scheduling for October 31st] Location/format: virtual event over Webex video conference Attendance: open and free to the public, upon registration Schedule 09:00--09:10: STPPA #4 intro 09:10--09:55: Invited talk: Anonymous Credentials, by Anna Lysyanskaya (Brown University, USA), 09:55--10:40: Invited talk: Blind Signatures: Past,...

Featured topics: identity-based encryption (IBE), attribute-based encryption (ABE) and broadcast encryption Structure: welcome; 3 invited talks; panel conversation. Date and time: February 9th (Thursday), 2023, 12:00–15:50 EST Location/format: virtual event over Webex video conference Attendance: open and free to the public, upon registration (attendees can pose questions via chat / Q&A functionality) Registration direct link: https://nist-secure.webex.com/weblink/register/r92f4ffc27fc2534733799ac4161f454e Schedule Event schedule, Eastern Standard Time (GMT-5): 12:00–12:10:...

Event #6's theme: Community Efforts on Advanced Cryptographic Techniques Featured topics: FHE, MPC, ZKP, ABE, Threshold Crypto, PAKE. Structure: Welcome/introduction; 6 invited talks; panel conversation. Date and time: July 25th (Tuesday), 2023, 09:30–15:00 EDT. Location: Virtual event (video conference). Attendance: Open and free to the public, upon registration. Format: Webinar (presenters can share video and audio; attendees can use text for questions and comments). Tweet: https://twitter.com/NISTcyber/status/1678435569284812802 Schedule Welcome and introduction...

Abstract: This supplement to NIST Special Publication 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management, provides agencies with additional guidance on the use of authenticators that may be synced between devices.

Abstract: The NIST Special Publication (SP) 800-90 series supports the generation of high-quality random bits for cryptographic and non-cryptographic use. The security strength of a random number generator depends on the unpredictability of its outputs. This unpredictability can be measured in terms of entrop...

Abstract: This document provides instructions and definitions for completing the Cybersecurity Framework (CSF) Online Informative References (OLIR) spreadsheet template available for download at https://www.nist.gov/cyberframework/informative-references. This document is intended to assist developers of...

Abstract: This document provides instructions and definitions for completing the Cybersecurity Framework (CSF) Online Informative References (OLIR) spreadsheet template available for download at https://www.nist.gov/cyberframework/informative-references. This document is intended to assist developers of...

Abstract: This document provides instructions and definitions for completing the Cybersecurity Framework (CSF) Online Informative References (OLIR) spreadsheet template available for download at https://www.nist.gov/cyberframework/informative-references. This document is intended to assist developers of...

Abstract: The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. This publication, along with its annex (NIST Special Publication 800-1...