Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


Search Publications by

Murugiah Souppaya (Fed)

Search Title, Abstract, Conference, Citation, Keyword or Author
Displaying 1 - 25 of 46

Hardware-Enabled Security: Container Platform Security Prototype

June 17, 2021
Murugiah Souppaya, Michael Bartock, Karen Scarfone, Jerry Wheeler, Tim Knoll, Uttam Shetty, Ryan Savino, Joseprabu Inbaraj, Stefano Righi
In today's cloud data centers and edge computing, attack surfaces have significantly increased, hacking has become industrialized, and most security control implementations are not coherent or consistent. The foundation of any data center or edge computing

Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD)

May 26, 2021
Murugiah Souppaya, Douglas Montgomery, William Polk, Mudumbai Ranganathan, Donna Dodson, William Barker, Steve Johnson, Ashwini Kadam, Craig Pratt, Darshak Thakore, Mark Walker, Eliot Lear, Brian Weis, Dean Coclin, Avesta Hojjati, Clint Wilson, Tim Jones, Adnan Baykal, Drew Cohen, Kevin Yeich, Yemi Fashima, Parisa Grayeli, Joshua Harrington, Joshua Klosterman, Blaine Mulugeta, Susan Symington, Jaideep Singh
The goal of the Internet Engineering Task Force's Manufacturer Usage Description (MUD) specification is for Internet of Things (IoT) devices to behave as intended by the manufacturers of the devices. MUD provides a standard way for manufacturers to

Security Considerations for Exchanging Files Over the Internet

August 3, 2020
Karen Scarfone, Matthew Scholl, Murugiah Souppaya
Every day, in order to perform their jobs, workers exchange files over the Internet through email attachments, file sharing services, and other means. To help organizations reduce potential exposure of sensitive information, NIST has released a new

Securing Web Transactions TLS Server Certificate Management

June 16, 2020
Murugiah P. Souppaya, William A. Haag Jr., Mehwish Akram, William C. Barker, Rob Clatterbuck, Brandon Everhart, Brian Johnson, Alexandros Kapasouris, Dung Lam, Brett Pleasant, Mary Raguso, Susan Symington, Paul Turner, Clint Wilson, Donna F. Dodson
Transport Layer Security (TLS) server certificates are critical to the security of both internet- facing and private web services. Despite the critical importance of these certificates, many organizations lack a formal TLS certificate management program

Security Considerations for Code Signing

January 26, 2018
David Cooper, Andrew Regenscheid, Murugiah Souppaya
A wide range of software products (also known as code)--including firmware, operating systems, mobile applications, and application container images--must be distributed and updated in a secure and automatic way to prevent forgery and tampering. Digitally

NIST Guidance on Application Container Security

October 25, 2017
Ramaswamy Chandramouli, Murugiah Souppaya, Karen Scarfone
This bulletin summarizes the information found in NIST SP 800-190, Application Container Security Guide and NISTIR 8176, Security Assurance Requirements for Linux Application Container Deployments. The bulletin offers an overview of application container

Application Container Security Guide

September 25, 2017
Murugiah P. Souppaya, John Morello, Karen Scarfone
Application container technologies, also known as containers, are a form of operating system virtualization combined with application software packaging. Containers provide a portable, reusable, and automatable way to package and run applications. This

Guide for Cybersecurity Incident Recovery

February 21, 2017
Murugiah P. Souppaya, Larry Feldman, Gregory A. Witte
This bulletin summarizes the information presented in NIST SP 800-184: Guide for Cybersecurity Event Recovery. The publication provides organizations with strategic guidance for planning, playbook developing, testing and improvements of recovery planning

Guide for Cybersecurity Event Recovery

December 22, 2016
Michael J. Bartock, Jeffrey A. Cichonski, Murugiah P. Souppaya, Matthew C. Smith, Gregory A. Witte, Karen Scarfone
In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management processes include comprehensive recovery planning. Identifying and prioritizing organization resources helps to guide

User's Guide to Telework and Bring Your Own Device (BYOD) Security

July 29, 2016
Murugiah P. Souppaya, Karen Scarfone
Many people telework, and they use a variety of devices, such as desktop and laptop computers, smartphones, and tablets, to read and send email, access websites, review and edit documents, and perform many other tasks. Each telework device is controlled by

Best Practices for Privileged User PIV Authentication

April 21, 2016
Hildegard Ferraiolo, David Cooper, Andrew R. Regenscheid, Karen Scarfone, Murugiah P. Souppaya
The Cybersecurity Strategy and Implementation Plan (CSIP), published by the Office of Management and Budget (OMB) on October 30, 2015, requires that federal agencies use Personal Identity Verification (PIV) credentials for authenticating privileged users

Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of Concept Research

January 20, 2016
Michael J. Bartock, Jeffrey A. Cichonski, Murugiah P. Souppaya, Paul Fox, Mike Miller, Ryan Holley, Karen Scarfone
This report documents proof of concept research for Derived Personal Identity Verification (PIV) Credentials. Smart card-based PIV Cards cannot be readily used with most mobile devices, such as smartphones and tablets, but Derived PIV Credentials (DPCs)

Securing Interactive and Automated Access Management Using Secure Shell (SSH)

January 11, 2016
Murugiah P. Souppaya, Karen Scarfone, Larry Feldman
This bulletin summarizes the information presented in NISTIR 7966, "Security of Interactive and Automated Access Management Using Secure Shell (SSH)". The publication assists organizations in understanding the basics of SSH interactive and automated access

Stopping Malware and Unauthorized Software through Application Whitelisting

December 15, 2015
Adam Sedgewick, Murugiah Souppaya, Karen Scarfone, Larry Feldman
This bulletin summarizes the information presented in NIST Special Publication 800-167, "Guide to Application Whitelisting," written by Adam Sedgewick, Murugiah Souppaya and Karen Scarfone. The publication is intended to assist organizations in

Trusted Geolocation in the Cloud: Proof of Concept Implementation

December 10, 2015
Michael Bartock, Murugiah Souppaya, Raghuram Yeluri, Uttam Shetty, James Greene, Steve Orrin, Hemma Prafullchandra, John McLeese, Jason Mills, Daniel Carayiannis, Tarik Williams, Karen Scarfone
This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. It then describes a proof of concept implementation that was designed to address those challenges. The

Guide to Application Whitelisting

October 28, 2015
Adam Sedgewick, Murugiah Souppaya, Karen Scarfone
An application whitelist is a list of applications and application components that are authorized for use in an organization. Application whitelisting technologies use whitelists to control which applications are permitted to execute on a host. This helps

Security of Interactive and Automated Access Management Using Secure Shell (SSH)

October 15, 2015
Tatu Ylonen, Paul Turner, Karen Scarfone, Murugiah Souppaya
Users and hosts must be able to access other hosts in an interactive or automated fashion, often with very high privileges, for a variety of reasons, including file transfers, disaster recovery, privileged access management, software and patch management