NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.
Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.
An official website of the United States government
Here’s how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Elaine Barker, John Kelsey, Kerry McKay, Allen Roginsky, Meltem Sonmez Turan
The NIST Special Publication (SP) 800-90 series of documents supports the generation of high-quality random bits for cryptographic and non-cryptographic use. SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators
William Fisher, Jason Ajmo, Sudhindra Umarji, Spike Dog, Mark Russell, Karen Scarfone
Most recent cybersecurity breaches have involved compromised credentials. Migrating from single-factor to multi-factor authentication (MFA) reduces the risk of compromised credentials and unauthorized access. Both criminal and noncriminal justice agencies
Michael Fagan, Julie Haney, Daniel Eliot, Barbara Cuthill, Kristina Rigopoulos
This report documents the first SOUPS Design-A-Thon, which was held on August 11th, 2024, and focused on Designing Effective and Accessible Approaches for Digital Product Cybersecurity Education and Awareness. In total, eight individuals participated in
Seungmin Seo, Oleg Aulov, Afzal Godil, Kevin Mangold
Speaker de-identification aims to conceal a speaker's identity while preserving intelligibility of the underlying speech. We introduce a benchmark that quantifies residual identity leak- age with three complementary error rates: equal error rate (EER)
This introductory guide provides small businesses with a high level overview of NIST Special Publication (SP) 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The document is broken up into two
David Temoshok, Yee-Yin Choong, Ryan Galluzzo, Marie LaSalle, Andrew Regenscheid, Diana Proud-Madruga, Sarbari Gupta, Naomi Lefkovitz
These guidelines cover identity proofing, authentication, and federation of users (such as employees, contractors, or private individuals) interacting with government information systems over networks. They define technical requirements in each of the
David Temoshok, Yee-Yin Choong, Ryan Galluzzo, Marie LaSalle, Andrew Regenscheid, Christine Abruzzi, James L. Fenton, Naomi Lefkovitz
This guideline focuses on identity proofing and enrollment for use in digital authentication. During the process of identity proofing, an applicant provides evidence to a credential service provider (CSP) reliably identifying themselves, thereby allowing
David Temoshok, Yee-Yin Choong, Andrew Regenscheid, Ryan Galluzzo, James L. Fenton, Justin Richer, Naomi Lefkovitz
This guideline focuses on the authentication of subjects who interact with government information systems over networks to establish that a given claimant is a subscriber who has been previously authenticated. The result of the authentication process may
Justin Richer, James L. Fenton, Naomi Lefkovitz, David Temoshok, Ryan Galluzzo, Andrew Regenscheid, Yee-Yin Choong
This guideline focuses on the use of federated identity and the use of assertions to implement identity federations. Federation allows a given credential service provider to provide authentication attributes and (optionally) subscriber attributes to a
In this work, we propose a comprehensive framework to analyze threats related to semiconductor supply chain. The framework introduces a metric which quantifies the severity of different threats subjected to a collusion of adversaries from different stages
Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure that the software being developed is well-secured. This
Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure that the software being developed is well-secured. This
Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure that the software being developed is well-secured. This
This document reports on the Virtual Workshop on Usable Cybersecurity and Privacy for Immersive Technologies (the Workshop) hosted by the Symposium in Usable Privacy and Security (SOUPS). The Workshop was held on August 7th, 2024 before the in-person
This work presents a proposed security metric to determine the likelihood that a vulnerability has been observed to be exploited. Only a small fraction of the tens of thousands of software and hardware vulnerabilities that are published every year will be
Michael Fagan, Katerina Megas, Barbara Cuthill, Brad Hoehn, Evelyn Petrella
This report summarizes discussions held at the March 5, 2025 "Workshop on Foundational Cybersecurity Activities for IoT Device Manufacturers" organized by the NIST Cybersecurity for the Internet of Things (IoT) program. This workshop follows an earlier
Experts struggle with explaining cybersecurity in a language and tone appropriate for non-expert audiences. This communication gap may make it difficult for a broad and diverse audience to fully engage in cybersecurity. Fundamental forms of communication
Throughout Fiscal Year 2024 (FY 2024) — from October 1, 2023, through September 30, 2024 — the NIST Information Technology Laboratory (ITL) Cybersecurity and Privacy Program successfully responded to numerous challenges and opportunities in security and
The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization —
The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization —
Katerina Megas, Michael Fagan, Barbara Cuthill, Brad Hoehn, Evie Petrella
This report summarizes the feedback received by the NIST Cybersecurity for the Internet of Things (IoT) program at the in-person and hybrid workshop on "Updating Manufacturer Guidance for Securable Connected Product Development" held in December 2024. The
Julie Haney, Matthew Canham, Mike Elkins, Lisa Flynn, Matthew Gordin, Victoria Granova, Wenjing Huang, Jody Jacobs, Greg Moody, Ann Rangarajan, Michael Ross, Robert Thomson, Joe Uchill
In August 2024, the National Institute of Standards and Technology (NIST) co-sponsored ConnectCon, an interactive workshop that facilitated meaningful conversations and connections between researchers and practitioners on the topic of human-centered
Alexander Nelson, Sanjay Rekhi, Karen Scarfone, Murugiah Souppaya
This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0. Doing
Stephen Quinn, Victoria Pillitteri, Matthew Barrett, Matthew Smith, Greg Witte
This guide provides an introduction to using the NIST Cybersecurity Framework (CSF) 2.0 for planning and integrating an enterprise-wide process for integrating cybersecurity risk management information, as a subset of information and communications
The CSF 2.0 represents a suite of resources (documents and applications) that can be used individually, together, or in combination over time as cybersecurity needs change and capabilities evolve. NIST's materials are designed to reach all audiences and to