
Displaying 1 - 25 of 1275

Personal Identity Verification (PIV) of Federal Employees and Contractors

January 24, 2022
Hildegard Ferraiolo, Andrew Regenscheid, Salvatore Francomacaro, David A. Cooper, Ketan Mehta, Annie W. Sokol, David Temoshok, Gregory Fiumara, Justin Richer, James L. Fenton, Johnathan Gloster, Nabil Anwer
FIPS 201 establishes a standard for a Personal Identity Verification (PIV) system (Standard) that meets the control and security objectives of Homeland Security Presidential Directive-12 (HSPD-12). It is based on secure and reliable forms of identity

IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements

November 29, 2021
Michael Fagan, Katerina N. Megas, Jeffrey Marron, Kevin Gerard Brady, Barbara Bell Cuthill, Rebecca Herold, David Lemire, Noel Hoehn
Organizations will increasingly use Internet of Things (IoT) devices for the mission benefits they can offer, but care must be taken in the acquisition and implementation of IoT devices. This publication contains background and recommendations to help

IoT Device Cybersecurity Guidance for the Federal Government: IoT Device Cybersecurity Requirement Catalog

November 29, 2021
Katerina N. Megas, Michael Fagan, Jeffrey Marron, Kevin Gerard Brady, Barbara Bell Cuthill, Rebecca Herold, David Lemire, Noel Hoehn
This publication provides a catalog of internet of things (IoT) device cybersecurity capabilities (i.e., features and functions needed from a device to support security controls) and non-technical supporting capabilities (i.e., actions and support needed

Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management

November 12, 2021
Kevin Stine, Stephen Quinn, Nahla Ivy, Matthew Barrett, Greg Witte, Larry Feldman, Robert Gardner
This document supplements NIST Interagency or Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), by providing additional detail regarding risk guidance, identification, and analysis. This report offers examples and

User Perceptions & Preferences for Smart Home Device Updates

November 5, 2021
Susanne M. Furman, Julie Haney
IoT smart home updates are a critical mechanism by which manufacturers can remediate security vulnerabilities and one of the few tools users have to secure their devices. Yet, security professionals view difficulties in patching IoT devices as a major

Privacy-enhancing cryptography to complement differential privacy

November 3, 2021
Luis Brandao, Rene Peralta
In this post, we illustrate how various techniques from privacy-enhancing cryptography, coupled with differential privacy protection, can be used to protect data privacy while enabling data utility. Of notable interest is the setting where there are

Encryption is Futile: Reconstructing 3D-Printed Models using the Power Side-Channel

October 6, 2021
Jacob Gatlin, Sofia Belikovetsky, Yuval Elovici, Anthony Skjellum, Joshua Lubell, Paul Witherell, Mark Yampolskiy
Outsourced Additive Manufacturing (AM) exposes sensitive design data to external malicious actors. Even with end-to-end encryption between the design owner and 3D-printer, side-channel attacks can be used to bypass cyber-security measures and obtain the

2020 Cybersecurity and Privacy Annual Report

September 28, 2021
Patrick D. O'Reilly, Kristina Rigopoulos, Larry Feldman, Greg Witte
During Fiscal Year 2020 (FY 2020), from October 1, 2019 through September 30, 2020, the NIST Information Technology Laboratory (ITL) Cybersecurity and Privacy Program successfully responded to numerous challenges and opportunities in security and privacy

Classifying Memory Bugs Using Bugs Framework Approach

September 9, 2021
Irena Bojanova, Carlos Galhardo
In this work, we present an orthogonal classification of memory corruption bugs, allowing precise structured descriptions of related software vulnerabilities. The Common Weakness Enumeration (CWE) is a well-known and used list of software weaknesses

IoT Non-Technical Supporting Capability Core Baseline

August 25, 2021
Michael Fagan, Katerina N. Megas, Jeffrey Marron, Kevin Gerard Brady, Barbara Bell Cuthill, Rebecca Herold
Non-technical supporting capabilities are actions a manufacturer or third-party organization performs in support of the cybersecurity of an IoT device. This publication defines an Internet of Things (IoT) device manufacturers' non-technical supporting

Approaches for Federal Agencies to Use the Cybersecurity Framework

August 17, 2021
Jeffrey Marron, Victoria Yan Pillitteri, Jon M. Boyens, Stephen Quinn, Gregory Witte
The document highlights examples for implementing the Framework for Improving Critical Infrastructure Cybersecurity (known as the Cybersecurity Framework) in a manner that complements the use of other NIST security and privacy risk management standards

'Passwords Keep Me Safe' - Understanding What Children Think about Passwords

August 11, 2021
Mary Theofanos, Yee-Yin Choong
Children use technology from a very young age, and often have to authenticate. The goal of this study is to explore children's practices, perceptions, and knowledge regarding passwords. Given the limited work to date and that the world's cyber posture and

Review of the Advanced Encryption Standard

July 23, 2021
Nicky Mouha, Morris Dworkin
The field of cryptography continues to advance at a very rapid pace, leading to new insights that may impact the security properties of cryptographic algorithms. The Crypto Publication Review Board ("the Board") has been established to identify

Managing the Security of Information Exchanges

July 20, 2021
Kelley L. Dempsey, Victoria Yan Pillitteri, Andrew Regenscheid
An organization often has mission and business-based needs to exchange (share) information with one or more other internal or external organizations via various information exchange channels. However, it is recognized that the information being exchanged

Status Report on the Second Round of the NIST Lightweight Cryptography Standardization Process

July 20, 2021
Meltem Sonmez Turan, Kerry McKay, Donghoon Chang, Cagdas Calik, Lawrence E. Bassham, Jinkeon Kang, John M. Kelsey
The National Institute of Standards and Technology (NIST) is in the process of selecting one or more authenticated encryption and hashing schemes suitable for constrained environments through a public, competition-like process. In February 2019, 57

Deep Learning for Detecting Network Attacks: An End to End approach

July 19, 2021
Qingtian Zou, Anoop Singhal, Xiaoyan Sun, Peng Liu
Network attack is still a major security concern for organizations worldwide. Recently, researchers have started to apply neural networks to detect network attacks by leveraging network traffic data. However, public network data sets have major drawbacks

Contextualized Filtering for Shared Cyber Threat Information

July 18, 2021
Athanasios Dimitriadis, Christos Prassas, Jose L. Flores, Boonserm Kulvatunyou, Nenad Ivezic, Dimitris Gritzalis, Ioannis Mavridis
Cyber threat information sharing is an imperative process towards achieving collaborative security, but it poses several challenges. One crucial challenge is the plethora of shared threat information. Therefore, there is a need to advance filtering of such

Scaling the Phish: Advancing the NIST Phish Scale

July 3, 2021
Fernando Barrientos, Jody Jacobs, Shanee Dawkins
Organizations use phishing training exercises to help employees defend against the phishing threats that get through automatic email filters, reducing potential compromise of information security for both the individual and their organization. These

NVLAP Cryptographic and Security Testing

June 30, 2021
Bradley Moore, Beverly Trapnell, James Fox, Carolyn French
NIST Handbook 150-17 presents the technical requirements and guidance for the accreditation of laboratories under the National Voluntary Laboratory Accreditation Program (NVLAP) Cryptographic and Security Testing (CST) program. It is intended for

A Decade of Reoccurring Software Weaknesses

June 24, 2021
Assane Gueye, Carlos Galhardo, Irena Bojanova, Peter Mell
The Common Weakness Enumeration (CWE) community publishes an aggregate metric to calculate the 'Most Dangerous Software Errors.' However, the used equation highly biases frequency and almost ignores exploitability and impact. We provide a metric to