
Secure Systems and Applications Group


The Secure Systems and Applications Group's (SSAG) security research focuses on identifying emerging and high-priority technologies, and on developing security solutions that will have a high impact on U.S. critical infrastructure. The group conducted research and development related to both public and private sector use cases. The research considered many aspects of the system’s lifecycle, from the earliest stages of technology development through proof-of-concept, reference and prototype implementations, and demonstrations. In addition, the group worked to transfer new technologies to industry; to produce new standards and guidance for federal agencies and industry; and to develop tests, test methodologies, and assurance methods.

SSAG investigated security concerns associated with such areas as mobile devices, cloud computing and virtualization, identity management, access control and authorization management, and software assurance. SSAG’s research helps to meet federal information security requirements that may not be fully addressed by existing technology. The group collaborated extensively with government, academia, and private sector entities.

Example successes from this work include:

  • Tools for access control policy testing;
  • New concepts in access control and policy enforcement;
  • Several Personal Identity Verification (PIV) documents to support interagency use of the PIV Card;
  • Methods for architecting a secure cloud ecosystem in a capability-oriented approach;
  • Guidance and tools for orchestrating a secure cloud ecosystem;
  • Guidance for secure deployment of virtualized infrastructure components – Hypervisor, Virtual Machines (VMs) and Virtual Network;
  • Methods for achieving comprehensive policy enforcement and data interoperability across enterprise data services; and
  • Test methods for mobile device (smart phone) application security.

In particular, the SSAG led the NIST Security and Forensics Working Group, which published draft NISTIR 8006, NIST Cloud Computing - Security Reference Architecture, which aggregates forensics challenges in a cloud ecosystem. The working group has been developing a draft of SP 800-173, Guidance for Applying the Risk Management Framework to Federal-based Information Systems (target release date: spring/summer 2016). In response to the rapidly emerging use of virtualization in enterprise data centers, both for supporting in-house mission-critical applications and for providing cloud services, two guidance documents were published: Draft SP 800-125A, Security Recommendations for Hypervisor Deployment, and Draft SP 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection. In support of the revised FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, two new PIV-related SP 800-series publications were released and five SP 800 documents were revised. One of the new publications, SP 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, guides the implementation and deployment of PIV credentials for mobile devices. In addition, the PIV team participated in the Office of Management and Budget (OMB) cybersecurity Sprint effort, with the goal of strengthening the cybersecurity of federal networks, systems, and data through multi-factor authentication using the PIV Card. To improve access to new technologies, the group also chaired, edited, and participated in the development of a wide variety of national and international security standards.


Personal Identity Verification (PIV) of Federal Employees and Contractors—On August 27, 2004, the President signed Homeland Security Presidential Directive 12 (HSPD-12), entitled "Policy for a Common Identification Standard for Federal Employees and Contractors." HSPD-12 …

Access Control Policy Tool (ACPT)—Access control (AC) systems are among the most critical of information security components. Faulty policies, misconfigurations, or flaws in software implementation can result in serious …

Mobile Security and Forensics—The goal of the project is to improve the security of mobile devices and software. To that end, we devise and implement, as proof-of-concept prototypes, various types of security mechanisms and …

Model Driven Security Functional Testing—Model-Driven Engineering (MDE) is emerging as a promising approach that uses models to support various phases of system development lifecycle such as Code Generation and Verification/Validation (V …

IT System and Network Administration—The Information Technology (IT) System and Network Administration site represents NIST resources for managing, maintaining, and securing IT products that are widely deployed across the organization …


General Information:
David Ferraiolo, Group Manager
Phone: 301-975-3046
Email: david.ferraiolo@nist.gov

100 Bureau Drive, M/S 8930
Gaithersburg, MD 20899-8930