Search Publications by: Murugiah Souppaya (Fed)

Displaying 26 - 50 of 63

Security Considerations for Code Signing

January 26, 2018
David Cooper, Andrew Regenscheid, Murugiah Souppaya
A wide range of software products (also known as code)--including firmware, operating systems, mobile applications, and application container images--must be distributed and updated in a secure and automatic way to prevent forgery and tampering. Digitally

NIST Guidance on Application Container Security

October 25, 2017
Ramaswamy Chandramouli, Murugiah Souppaya, Karen Scarfone
This bulletin summarizes the information found in NIST SP 800-190, Application Container Security Guide and NISTIR 8176, Security Assurance Requirements for Linux Application Container Deployments. The bulletin offers an overview of application container

Application Container Security Guide

September 25, 2017
Murugiah P. Souppaya, John Morello, Karen Scarfone
Application container technologies, also known as containers, are a form of operating system virtualization combined with application software packaging. Containers provide a portable, reusable, and automatable way to package and run applications. This

Guide for Cybersecurity Incident Recovery

February 21, 2017
Murugiah P. Souppaya, Larry Feldman, Gregory A. Witte
This bulletin summarizes the information presented in NIST SP 800-184: Guide for Cybersecurity Event Recovery. The publication provides organizations with strategic guidance for planning, playbook developing, testing and improvements of recovery planning

Guide for Cybersecurity Event Recovery

December 22, 2016
Michael Bartock, Jeffrey Cichonski, Murugiah Souppaya, Matthew C. Smith, Gregory Witte, Karen Scarfone
In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management processes include comprehensive recovery planning. Identifying and prioritizing organization resources helps to guide

User's Guide to Telework and Bring Your Own Device (BYOD) Security

July 29, 2016
Murugiah P. Souppaya, Karen Scarfone
Many people telework, and they use a variety of devices, such as desktop and laptop computers, smartphones, and tablets, to read and send email, access websites, review and edit documents, and perform many other tasks. Each telework device is controlled by

Best Practices for Privileged User PIV Authentication

April 21, 2016
Hildegard Ferraiolo, David Cooper, Andrew R. Regenscheid, Karen Scarfone, Murugiah P. Souppaya
The Cybersecurity Strategy and Implementation Plan (CSIP), published by the Office of Management and Budget (OMB) on October 30, 2015, requires that federal agencies use Personal Identity Verification (PIV) credentials for authenticating privileged users

Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of Concept Research

January 20, 2016
Michael J. Bartock, Jeffrey A. Cichonski, Murugiah P. Souppaya, Paul Fox, Mike Miller, Ryan Holley, Karen Scarfone
This report documents proof of concept research for Derived Personal Identity Verification (PIV) Credentials. Smart card-based PIV Cards cannot be readily used with most mobile devices, such as smartphones and tablets, but Derived PIV Credentials (DPCs)

Securing Interactive and Automated Access Management Using Secure Shell (SSH)

January 11, 2016
Murugiah P. Souppaya, Karen Scarfone, Larry Feldman
This bulletin summarizes the information presented in NISTIR 7966, "Security of Interactive and Automated Access Management Using Secure Shell (SSH)". The publication assists organizations in understanding the basics of SSH interactive and automated access

Stopping Malware and Unauthorized Software through Application Whitelisting

December 15, 2015
Adam Sedgewick, Murugiah Souppaya, Karen Scarfone, Larry Feldman
This bulletin summarizes the information presented in NIST Special Publication 800-167, "Guide to Application Whitelisting," written by Adam Sedgewick, Murugiah Souppaya and Karen Scarfone. The publication is intended to assist organizations in

Trusted Geolocation in the Cloud: Proof of Concept Implementation

December 10, 2015
Michael Bartock, Murugiah Souppaya, Raghuram Yeluri, Uttam Shetty, James Greene, Steve Orrin, Hemma Prafullchandra, John McLeese, Jason Mills, Daniel Carayiannis, Tarik Williams, Karen Scarfone
This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. It then describes a proof of concept implementation that was designed to address those challenges. The

Guide to Application Whitelisting

October 28, 2015
Adam Sedgewick, Murugiah Souppaya, Karen Scarfone
An application whitelist is a list of applications and application components that are authorized for use in an organization. Application whitelisting technologies use whitelists to control which applications are permitted to execute on a host. This helps

Security of Interactive and Automated Access Management Using Secure Shell (SSH)

October 15, 2015
Tatu Ylonen, Paul Turner, Karen Scarfone, Murugiah Souppaya
Users and hosts must be able to access other hosts in an interactive or automated fashion, often with very high privileges, for a variety of reasons, including file transfers, disaster recovery, privileged access management, software and patch management

Guide to Enterprise Patch Management Technologies

July 22, 2013
Murugiah P. Souppaya, Karen Scarfone
Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. Patches correct security and functionality problems in software and firmware. There are several challenges that complicate patch

Guide to Malware Incident Prevention and Handling for Desktops and Laptops

July 22, 2013
Murugiah P. Souppaya, Karen Scarfone
Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the

Guidelines for Managing the Security of Mobile Devices in the Enterprise

June 21, 2013
Murugiah P. Souppaya, Karen Scarfone
Mobile devices, such as smart phones and tablets, typically need to support multiple security objectives: confidentiality, integrity, and availability. To achieve these objectives, mobile devices should be secured against a variety of threats. The purpose

Guidelines for Securing Wireless Local Area Networks (WLANs)

February 21, 2012
Murugiah P. Souppaya, Karen Scarfone
A wireless local area network (WLAN) is a group of wireless networking devices within a limited geographic area, such as an office building, that exchange data through radio communications. The security of each WLAN is heavily dependent on how well each

BIOS Protection Guidelines

April 29, 2011
David Cooper, William Polk, Andrew Regenscheid, Murugiah Souppaya
This document provides guidelines for preventing the unauthorized modification of Basic Input/Output System (BIOS) firmware on PC client systems. Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of

National Checklist Program for IT Products Guidelines for Checklist Users and Developers

February 25, 2011
Stephen D. Quinn, Murugiah P. Souppaya, Melanie Cook, Karen Scarfone
Special Publication 800-70 Revision 2 - National Checklist Program for IT Products Guidelines for Checklist Users and Developers describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program

Guide to Security for Full Virtualization Technologies

January 28, 2011
Murugiah P. Souppaya, Karen Scarfone, Paul Hoffman
The purpose of SP 800-125 is to discuss the security concerns associated with full virtualization technologies for server and desktop virtualization, and to provide recommendations for addressing these concerns. Full virtualization technologies run one or