Search CSRC

[Redirect to: https://www.nist.gov/itl/ssd/software-quality-group/samate/static-analysis-tool-exposition-sate] SATE is a non-competitive study of static analysis tool effectiveness, aiming at improving tools and increasing public awareness and adoption. Briefly, participating tool makers run their static analyzer on a set of programs, then researchers led by NIST analyze the tool reports. Everyone shares results and experiences at a workshop. The analysis report is made publicly available later. SATE's purpose is NOT to evaluate nor choose the "best" tools. Rather, it is aimed at exploring the...

Today, many employees telework (also known as “telecommuting,” “work from home,” or “work from anywhere”). Teleworking is the ability of an organization’s employees, contractors, business partners, vendors, and other users to perform work from locations other than the organization’s facilities. Telework has been on the rise for some time, but sharply increased because of the COVID-19 pandemic. For many, telework is now the only way to get work done, and the original concept of “telework” has evolved into being able to work anytime, anywhere. The technologies used for telework have also...

[Redirect to:  https://usnistgov.github.io/BF/] The Bugs Framework (BF) is a structured causal classification of security bugs and related faults, featuring a formal language for unambiguous specification of security weaknesses and underlined by them vulnerabilities. It organizes bugs by the operations of orthogonal software or hardware execution phases, faults -- by their input operands, and errors -- by their output results. An error either propagates to a fault or is a final error introducing an exploit vector. Bugs and faults are the possible causes for security weaknesses; errors and...

Mappings to NIST Documents The National Online Informative References (OLIR) Program is a NIST effort to facilitate subject matter experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their documents, products, and services and elements of NIST documents like the Cybersecurity Framework Version 1.1, Privacy Framework Version 1.0, NISTIR 8259A, or NIST SP 800-53 Revision 5. The NIST Interagency or Internal Report (IR) 8278 - National Online Informative References (OLIR) Program: Program Overview and OLIR Uses focuses on explaining what OLIRs are,...

NCCoE DevSecOps project has launched! The NIST NCCoE has launched a new project, Software Supply Chain and DevOps Security Practices. In early 2023, the project team will be publishing a Federal Register Notice based on the final project description to solicit collaborators to work with the NCCoE on the project.   DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are...

NIST has been tasked with creating guidelines for reporting, coordinating, publishing, and receiving​ information about security vulnerabilities​, as part of the Internet of Things Cybersecurity Improvement Act of 2020, Public Law 116-207, and in alignment with ISO/IEC 29147 and 30111 whenever practical.  The guidelines address: Establishing a federal vulnerability disclosure framework, including the Federal Coordination Body (FCB) and Vulnerability Disclosure Program Offices (VDPOs)  Receiving information about a potential security vulnerability in an information system owned or...

NIST has released the first-ever SSDF Community Profile for public comment! SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile, augments SP 800-218 by adding practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle. The Profile supports Executive Order (EO) 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. Submit your comments on SP 800-218A by June 1, 2024. To...

[Redirect to https://www.nist.gov/itl/ssd/software-quality-group/samate] The NIST Software Assurance Metrics And Tool Evaluation (SAMATE) project is dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques, and identifying gaps in tools and methods. The scope of the SAMATE project is broad: ranging from operating systems to firewalls, SCADA to web applications, source code security analyzers to correct-by-construction methods.

[Redirect to: https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl] The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that...

This project summarizes NIST’s current and planned activities for reviewing its cryptography standards and other publications. The Crypto Publication Review Board (“the Board”) within the Computer Security Division identifies a publication for review based on its original publishing date and any relevant issues raised since it was published. The targeted review period for each publication is every five years. The Board welcomes public comments on the publications under review and will consider those comments as it develops a proposal for processing each publication.. Publications Under...

NIST has released Draft Special Publication (SP) 800-92 Revision 1, Cybersecurity Log Management Planning Guide for public comment through November 29, 2023. The purpose of this document is to help all organizations improve their log management so they have the log data they need. The document's scope is cybersecurity log management planning, and all other aspects of logging and log management, including implementing log management technology and making use of log data, are out of scope. This document replaces the original SP 800-92, Guide to Computer Security Log Management. That material...

Thanks for helping shape our ransomware guidance! We've published the final NISTIR 8374, Ransomware Risk Management: A Cybersecurity Framework Profile and the Quick Start Guide: Getting Started with Cybersecurity Risk Management | Ransomware. Thanks for attending our July 14th Virtual Workshop on Preventing and Recovering from Ransomware and Other Destructive Cyber Events. Please watch the recording HERE. Our new resources on tips and tactics for preparing your organization for ransomware attacks are here!  Video: Protecting Your Small Business--Ransomware  Fact sheet: How do I stay...

[Redirect to https://www.nccoe.nist.gov/projects/building-blocks/data-security] The Data Security program at the National Cybersecurity Center of Excellence (NCCoE) has produced guidance for both data integrity and data confidentiality. Each will consist of a series of publications that work together to identify, protect, detect, respond to, and recover from critical events.

A main goal of circuit masking is to make more difficult the illegitimate exfiltration of secrets from a circuit evaluation. Masking schemes use secret-sharing of the input bits of a circuit and recompile the circuit logic to ensure that important properties of the secret sharing remain across the circuit evaluation. After past exploratory steps to obtain feedback, the Masked Circuits (MC) project is not considering actions toward standardization. However, there is a plan to create a Masked Circuits Library (MCL), specified at the logic level, based on public submissions to a Call for Masked...

[Redirect to https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture] Conventional network security has focused on perimeter defenses, but many organizations no longer have a clearly-defined perimeter. To protect a modern digital enterprise, organizations need a comprehensive strategy for secure “anytime, anywhere” access to their corporate resources (e.g., applications, legacy systems, data, and devices) regardless of where they are located.

Recent Updates: September 28, 2023: NIST Special Publication 800-82 Revision 3, Guide to Operational Technology (OT) Security, is now available. Operational technology (OT) encompasses a broad range of programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building automation systems, transportation systems, physical access...

[Redirect to: https://www.nccoe.nist.gov/cybersecurity-space-domain] Space is an emerging commercial critical infrastructure sector that is no longer the domain of only national government authorities. Space is an inherently risky environment in which to operate, so cybersecurity risks involving commercial space – including those affecting commercial satellite vehicles – need to be understood and managed alongside other types of risks to ensure safe and successful operations. 

[Redirect to: https://www.nist.gov/cybersecurity/improving-cybersecurity-supply-chains-nists-public-private-partnership] In 2021, NIST announced a new effort to work with the private sector and others in government to improve cybersecurity supply chains. This initiative, NIICS, will help organizations to build, evaluate, and assess the cybersecurity of products and services in their supply chains, an area of increasing concern. It will emphasize tools, technologies, and guidance focused on the developers and providers of technology. 

Cloud computing has become the core accelerator of the US Government's digital business transformation. NIST is establishing a Multi-Cloud Security Public Working Group (MCSPWG) to research best practices for securing complex cloud solutions involving multiple service providers and multiple clouds.   The White House Executive Order on Improving the Nation's Cybersecurity highlights that “the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life” by focusing “the full scope of its authorities...

 Want to build your own cybersecurity guidance? This tool provides a simple way to access reference data from various NIST cybersecurity and privacy standards, guidelines, and Frameworks– downloadable in common formats (XSLS and JSON).    Other News & Info   Program News Get the scoop on what’s been happening with the CPRT program. More Contact Us Reach out via email with questions, ideas, or thoughts. Email  

Proposed Activities | Previous and Current Activities | Contact Us Semiconductor-based hardware is the foundation of modern-day electronics. Electronics are ubiquitous in our daily lives: from smartphones, computers, and telecommunication to transportation and critical infrastructure like power grids and waterways. The semiconductor hardware supply chain is a complex network consisting of many companies that collectively provide intellectual property, create designs, provide raw materials, and manufacture, test, package, and distribute products. Coordination among these companies is...

NIST has defined cloud computing in NIST SP 800-145 document as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. For more than a decade, cloud computing has offered cost savings both in terms of capital expenses and operational expenses, while leveraging leading-edge technologies to meet the information processing needs of users in the public and...

NIST announced that the PQC standardization process is continuing with a fourth round, with the following KEMs still under consideration: BIKE, Classic McEliece, HQC, and SIKE. However, there are no remaining digital signature candidates under consideration. As such, NIST posted a call for additional digital signature proposals to be considered in the PQC standardization process. The call for submissions closed June 1, 2023. On July 17, 2023, NIST announced additional Digital Signature candidates for the PQC standardization process. Background NIST initiated a public process to select...

Hyperledger Fabric drop-in component for data block matrix is now available.  Privacy laws increasingly require some types of data to be erased at user request, according to GDPR and related regulations. We have developed a secure distributed trust solution for networks using Next-Generation Database Access Control (NDAC) and the Data Block Matrix (DBM), with an open source implementation of the DBM using Hyperledger Fabric.  This Hyperledger Fabric component solves the conflict between conventional blockchain use and privacy regulations, by using a data structure that provides hash-based...

The automotive industry is facing significant challenges from increased cybersecurity risk and adoption of AI and opportunities from rapid technological innovations. NIST is setting up this community of interest (COI) to allow the industry, academia, and government to discuss, comment, and provide input on the potential work that NIST is doing which will affect the automotive industry. Topics of interest include, but are not limited to: Cryptography Cryptographic agility Migration to secure algorithms, e.g., quantum resistant cryptography Supply chain Code integrity and...