Search Publications

Displaying 1 - 25 of 1521

NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick-Start Guide

March 23, 2026

Author(s)

Stephen Quinn, Daniel Eliot, Michael Prebil, Greg Witte, Matthew Smith

This Quick-Start Guide (QSG) draws on concepts and practices from enterprise risk management, cybersecurity risk management, and workforce management to help organizations improve communication about cybersecurity risks and to plan and implement workforce

5G Network Security Design Principles: Applying 5G Cybersecurity and Privacy Capabilities

March 19, 2026

Author(s)

Michael Bartock, Jeffrey Cichonski, Murugiah Souppaya, Karen Kent, Parisa Grayeli, Sanjeev Sharma

This white paper describes the network infrastructure design principles that commercial and private 5G network operators are encouraged to use to improve cybersecurity and privacy. Such a network infrastructure isolates types of 5G network traffic from

Applying 5G Cybersecurity and Privacy Capabilities: Introduction to the White Paper Series

March 19, 2026

Author(s)

Jeffrey Cichonski, Michael Bartock, Murugiah Souppaya, Karen Kent, Parisa Grayeli, Sanjeev Sharma, Thomas McCarthy, Muthukkumaran Ramalingam, Presanna Raman, Stefano Righi, Jitendra Patel, Bogdan Ungureanu, Tao Wan, Matt Hyatt, Kori Rongey, Dan Carroll, Steve Orrin, Corey Piggott, Simon Hwang, Gary Atkinson, Rajasekhar Bodanki, Robert Cranston, Jorge Escobar, Don McBride, Aarin Buskirk, Bryan Wenger, Todd Gibson

This document introduces the white paper series titled Applying 5G Cybersecurity and Privacy Capabilities. This series is being published by the National Cybersecurity Center of Excellence (NCCoE) 5G Cybersecurity project. Each paper in the series will

No SUPI-Based Paging Applying 5G Cybersecurity and Privacy Capabilities

March 19, 2026

Author(s)

Michael Bartock, Jeffrey Cichonski, Murugiah Souppaya, Karen Kent, Parisa Greyeli, Sanjeev Sharma

This white paper provides an overview of "no Subscription Permanent Identifier (SUPI) based paging," a 5G capability for protecting users from being identified and located by an attacker. Unlike previous generations of cellular systems, new requirements in

Protecting Subscriber Identifiers with Subscription Concealed Identifier (SUCI) Applying 5G Cybersecurity and Privacy Capabilities

March 19, 2026

Author(s)

Michael Bartock, Jeffrey Cichonski, Murugiah Souppaya, Karen Kent, Parisa Grayeli, Sanjeev Sharma, Charles Teague

This white paper describes enabling Subscription Concealed Identifier (SUCI) protection, an optional 5G capability which provides important security and privacy protections for subscriber identifiers. 5G network operators are encouraged to enable SUCI on

Reallocation of Temporary Identities: Applying 5G Cybersecurity and Privacy Capabilities

March 19, 2026

Author(s)

Michael Bartock, Jeffrey Cichonski, Murugiah Souppaya, Karen Kent, Parisa Grayeli, Sanjeev Sharma

This white paper is part of a series called Applying 5G Cybersecurity and Privacy Capabilities, which covers 5G cybersecurity- and privacy-supporting capabilities that were implemented as part of the 5G Cybersecurity project at the National Cybersecurity

Secure Domain Name System (DNS) Deployment Guide

March 19, 2026

Author(s)

Scott Rose, Cricket Liu, Ross Gibson

This document provides Domain Name System (DNS) deployment guidelines to secure the DNS protocol and infrastructure, mitigate misuse or misconfiguration, and provide an additional layer of network security as part of a zero trust and/or defense-in-depth

Using Hardware- Enabled Security to Ensure 5G System Platform Integrity Applying 5G Cybersecurity and Privacy Capabilities

March 19, 2026

Author(s)

Michael Bartock, Jeffrey Cichonski, Murugiah Souppaya, Karen Kent, Parisa Grayeli, Sanjeev Sharma

This white paper provides an overview of employing hardware-enabled [1] security capabilities to provision, measure, attest to, and enforce the integrity of the compute platform to foster trust in a 5G system's server infrastructure. It discusses security

Guidelines for API Protection for Cloud-Native Systems - March 2026 Update

March 13, 2026

Author(s)

Ramaswamy Chandramouli, Zack Butcher

Modern enterprise IT systems rely on a family of application programming interfaces (APIs) for integration to support organizational business processes. Hence, a secure deployment of APIs is critical for overall enterprise security. This, in turn, requires

U.S. Election Expert Perspectives on End-to-End Verifiable Voting Systems

February 27, 2026

Author(s)

Julie Haney, Shanee Dawkins, Sandra Prettyman, Mary Theofanos, Kristen Greene, Kristin Koskey, Jody Jacobs

By using cryptographic techniques, end-to-end verifiable (E2EV) voting systems have been proposed as a way to increase voter trust and confidence in elections by providing the public with direct evidence of the integrity of election systems and outcomes

Survey on Smart Home Users' Security and Privacy Perceptions and Actions: A Device Category Perspective

December 19, 2025

Author(s)

Julie Haney, Yasemin Acar, Anna Li, Faith Haney

Although smart home adoption in the United States (U.S.) is growing, smart home users may harbor security and privacy concerns or uncertainty about how to best protect their devices and the data those collect. Further, there have been few insights into how

An Improved Robotic Workcell for Operational Technology (OT) Research

December 18, 2025

Author(s)

Timothy Zimmerman, Michael Pease, Michael Dawson

The National Institute of Standards and Technology (NIST) has constructed a discrete manufacturing workcell to support its operational technology (OT) and critical infrastructure research. This work is an improvement on the "Collaborative Robotics Testbed"

Integrating Cybersecurity and Enterprise Risk Management (ERM)

December 18, 2025

Author(s)

Stephen Quinn, Julie Anne Chua, Nahla Ivy, Robert Gardner, Karen Scarfone, Matthew Smith, Greg Witte

The increasing frequency, creativity, and severity of cybersecurity attacks means that all enterprises should ensure that cybersecurity risk is receiving appropriate attention within their enterprise risk management (ERM) programs. This document is

Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight

December 18, 2025

Author(s)

Stephen Quinn, Nahla Ivy, Matthew Barrett, Robert Gardner, Matthew Smith, Greg Witte

This document is the third in a series that supplements NIST Interagency Report (IR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This series provides additional details regarding enterprise application of cybersecurity risk

Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management

December 17, 2025

Author(s)

Stephen Quinn, Nahla Ivy, Matthew Barrett, Larry Feldman, Greg Witte, Robert Gardner

This document supplements NIST Interagency Report (IR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), by providing additional detail regarding risk guidance, identification, and analysis. This report offers examples and information

Mitigating Cybersecurity and Privacy Risks in Telehealth Smart Home Integration

December 17, 2025

Author(s)

Ronald Pulivarti, Kevin Littlefield, Sue Wang, Bronwyn Patrick, Ryan Williams

In-patient service demands have increased during a time when patients have experienced reduced access to hospital care. Hospital-at-Home (HaH) solutions provide an in-patient care experience for patients, which may result in reduced costs and improved

Recommendation for Random Bit Generator (RBG) Constructions

September 25, 2025

Author(s)

Elaine Barker, John Kelsey, Kerry McKay, Allen Roginsky, Meltem Sonmez Turan

The NIST Special Publication (SP) 800-90 series of documents supports the generation of high-quality random bits for cryptographic and non-cryptographic use. SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators

Multi-Factor Authentication for Criminal Justice Information Systems: Implementation Considerations for Protecting Criminal Justice Information

September 3, 2025

Author(s)

William Fisher, Jason Ajmo, Sudhindra Umarji, Spike Dog, Mark Russell, Karen Scarfone

Most recent cybersecurity breaches have involved compromised credentials. Migrating from single-factor to multi-factor authentication (MFA) reduces the risk of compromised credentials and unauthorized access. Both criminal and noncriminal justice agencies

Report on the Design-A-Thon: Designing Effective and Accessible Approaches for Digital Product Cybersecurity Education and Awareness

September 3, 2025

Author(s)

Michael Fagan, Julie Haney, Daniel Eliot, Barbara Cuthill, Kristina Rigopoulos

This report documents the first SOUPS Design-A-Thon, which was held on August 11th, 2024, and focused on Designing Effective and Accessible Approaches for Digital Product Cybersecurity Education and Awareness. In total, eight individuals participated in

EVALUATING IDENTITY LEAKAGE IN SPEAKER DE-IDENTIFICATION SYSTEMS

August 21, 2025

Author(s)

Seungmin Seo, Oleg Aulov, Afzal Godil, Kevin Mangold

Speaker de-identification aims to conceal a speaker's identity while preserving intelligibility of the underlying speech. We introduce a benchmark that quantifies residual identity leak- age with three complementary error rates: equal error rate (EER)

Protecting Controlled Unclassified Information (CUI): NIST Special Publication 800-171, Revision 3 Small Business Primer

August 13, 2025

Author(s)

Daniel Eliot

This introductory guide provides small businesses with a high level overview of NIST Special Publication (SP) 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The document is broken up into two

NIST SP 800-63-4: Digital Identity Guidelines

August 1, 2025

Author(s)

David Temoshok, Yee-Yin Choong, Ryan Galluzzo, Marie LaSalle, Andrew Regenscheid, Diana Proud-Madruga, Sarbari Gupta, Naomi Lefkovitz

These guidelines cover identity proofing, authentication, and federation of users (such as employees, contractors, or private individuals) interacting with government information systems over networks. They define technical requirements in each of the

NIST SP 800-63A-4:Digital Identity Guidelines - Identity Proofing and Enrollment

August 1, 2025

Author(s)

David Temoshok, Yee-Yin Choong, Ryan Galluzzo, Marie LaSalle, Andrew Regenscheid, Christine Abruzzi, James L. Fenton, Naomi Lefkovitz

This guideline focuses on identity proofing and enrollment for use in digital authentication. During the process of identity proofing, an applicant provides evidence to a credential service provider (CSP) reliably identifying themselves, thereby allowing

NIST SP 800-63B-4:Digital Identity Guidelines - Authentication and Authenticator Management

August 1, 2025

Author(s)

David Temoshok, Yee-Yin Choong, Andrew Regenscheid, Ryan Galluzzo, James L. Fenton, Justin Richer, Naomi Lefkovitz

This guideline focuses on the authentication of subjects who interact with government information systems over networks to establish that a given claimant is a subscriber who has been previously authenticated. The result of the authentication process may

NIST SP 800-63C-4:Digital Identity Guidelines - Federation and Assertions

August 1, 2025

Author(s)

Justin Richer, James L. Fenton, Naomi Lefkovitz, David Temoshok, Ryan Galluzzo, Andrew Regenscheid, Yee-Yin Choong

This guideline focuses on the use of federated identity and the use of assertions to implement identity federations. Federation allows a given credential service provider to provide authentication attributes and (optionally) subscriber attributes to a