Christopher S. Johnson, Larry Feldman, Gregory A. Witte
This bulletin, based on NIST Special Publication (SP) 800-150, introduces cyber threat intelligence and information sharing concepts, describes the benefits and challenges of sharing, clarifies the importance of trust, and introduces specific data handling
Yasemin Acar, Michael Backes, Sascha Fahl, Simson L. Garfinkel, Doowon Kim, Michelle L. Mazurek, Christian Stransky
Potentially dangerous cryptography errors are well-documented in many applications. Conventional wisdom suggests that many of these errors are caused by cryptographic Application Programmer Interfaces (APIs) that are too complicated, have insecure defaults
Naomi B. Lefkovitz, Ellen M. Nadeau, Larry Feldman, Gregory A. Witte
This bulletin summarizes the information in NISTIR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Information Systems which provides an introduction to the concepts of privacy engineering and risk management for federal
The National Institute of Standards and Technology has constructed a testbed to measure the performance impact of cybersecurity defenses on Industrial Control Systems (ICS). The testbed allows researchers to emulate real-world industrial manufacturing
Peter M. Mell, James Shook, Richard Harang, Serban I. Gavrila
An important way to limit malicious insiders from distributing sensitive information is to limit their access to information as tightly as possible. This has always been the goal of access control mechanisms, but individual approaches have been shown to be
Kerry McKay, Lawrence E. Bassham, Meltem Sonmez Turan, Nicky Mouha
NIST-approved cryptographic standards were designed to perform well using general-purpose computers. In recent years, there has been increased deployment of small computing devices that have limited resources with which to implement cryptography. When
This bulletin summarizes the information in NISTIR 7621, Revision 1: Small Business Information Security: The Fundamentals. The bulletin presents the fundamentals of a small business information security program.
Phillip Laplante, Mohamad Kassab, Nancy Laplante, Jeff Voas
The nature of healthcare and the computational and physical technologies and constraints present a number of challenges to systems designers and implementers. In spite of the challenges, there is a significant market for systems and products to support
Murugiah P. Souppaya, Larry Feldman, Gregory A. Witte
This bulletin summarizes the information presented in NIST SP 800-184: Guide for Cybersecurity Event Recovery. The publication provides organizations with strategic guidance for planning, playbook developing, testing and improvements of recovery planning
In recent years the IETF has been making a range of efforts to secure the email infrastructure and its use. Infrastructure protection includes source authentication by RFC 7208 Sender Policy Framework (SPF), message integrity authentication by RFC 6376
Charles Daniel De Oliveira, Elizabeth N. Fong, Paul E. Black
The Software Assurance Metrics and Tool Evaluation (SAMATE) team evaluated approximately 800 000 warnings from static analyzers. We learned that elements that we call code complexities make the detection of warnings more difficult. Most tools cannot
The field of intrusion detection is divided into signature detection and anomaly detection. The former involves identifying patterns associated with known attacks and the latter involves attempting to learn a 'normal' pattern of activity and then producing
Defense-in-depth is an important security architecture principle that has significant application to industrial control systems (ICS), cloud services, storehouses of sensitive data, and many other areas. We claim that an ideal defense-in-depth posture is
This bulletin summarizes the information presented in NISTIR 8151: Dramatically Reducing Software Vulnerabilities: Report to the White House Office of Science and Technology Policy. The publication starts by describing well known security risks and
Sean W. Brooks, Michael E. Garcia, Naomi B. Lefkovitz, Suzanne Lightman, Ellen M. Nadeau
This document provides an introduction to the concepts of privacy engineering and risk management for federal information systems. These concepts establish the basis for a common vocabulary to facilitate better understanding and communication of privacy
Supply chain management is critically dependent on trusted email with authentication systems that work on a global scale. Solutions to date have not adequately addressed the issues of email forgery, confidentiality, and sender authenticity. The IETF DANE
Cloud computing has undergone rapid expansion throughout the last decade. Many companies and organizations have made the transition from traditional data centers to the cloud due to its flexibility and lower cost. However, traditional data centers are
Michael Bartock, Jeffrey Cichonski, Murugiah Souppaya, Matthew C. Smith, Gregory Witte, Karen Scarfone
In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management processes include comprehensive recovery planning. Identifying and prioritizing organization resources helps to guide
This bulletin summarizes the information presented in NIST SP 800-160: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. The publication addresses the engineering-driven
Ronald S. Ross, Patrick Viscuso, Gary Guissanie, Kelley L. Dempsey, Mark Riddle
[Superseded by SP 800-171 Rev. 1 (December 2016, updated 11/28/2017): https://doi.org/10.6028/NIST.SP.800-171r1] The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to
Access control systems are among the most critical of computer security components. Faulty policies, misconfigurations, or flaws in software implementations can result in serious vulnerabilities. To formally and precisely capture the security properties
The My Data initiatives are part of the Administration's efforts to empower Americans with secure access to their own personal data, and to increase citizens' access to private-sector data-based applications and services. With its focus on personal data
Stephen D. Quinn, Murugiah P. Souppaya, Melanie R. Cook, Karen Scarfone
A security configuration checklist is a document that contains instructions or procedures for configuring an information technology (IT) product to an operational environment, for verifying that the product has been configured properly, and/or for
Yoshikazu Hanatani, Naoki Ogura, Yoshihiro Ohba, Lidong Chen, Subir Das
Controlling a large number of devices such as sensors and smart end points is always a challenge where scalability and security are indispensable. This is even more critical when it comes to configuration updates to a large number of such devices when