Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Publications by: Karen Scarfone (Ctr)

Displaying 26 - 50 of 67

Guide to Securing WiMAX Wireless Communications

September 30, 2010

Author(s)

Karen A. Scarfone, Cyrus Tibbs, Matt Sexton

The purpose of this document is to provide information to organizations regarding the security capabilities of wireless communications using WiMAX networks and to provide recommendations on using these capabilities. WiMAX technology is a wireless

Guide to Adopting and Using the Security Content Automation Protocol (SCAP), Version 1.0

July 27, 2010

Author(s)

Stephen D. Quinn, Karen A. Scarfone, Matthew P. Barrett, Christopher S. Johnson

The purpose of this document is to provide an overview of the Security Content Automation Protocol (SCAP). This document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

April 6, 2010

Author(s)

Erika McCallister, Timothy Grance, Karen A. Scarfone

The purpose of this document is to assist Federal agencies in protecting the confidentiality of personally identifiable information (PII) in information systems. The document explains the importance of protecting the confidentiality of PII in the context

The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.0

November 5, 2009

Author(s)

Stephen D. Quinn, David A. Waltermire, Christopher S. Johnson, Karen A. Scarfone, John F. Banghart

This document defines the technical specification for Version 1.0 of the Security Content Automation Protocol (SCAP). SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates

An Analysis of CVSS Version 2 Vulnerability Scoring

October 14, 2009

Author(s)

Karen A. Scarfone, Peter M. Mell

The Common Vulnerability Scoring System (CVSS) is a specification that is used to measure the relative severity of software vulnerabilities. CVSS version 2, which was finalized in June 2007, was designed to address several deficiencies discovered during

National Checklist Program for IT Products Guidelines for Checklist Users and Developers

September 30, 2009

Author(s)

Stephen Quinn, Karen A. Scarfone, Murugiah Souppaya

[Superseded by SP 800-70 Rev. 2 (February 2011): http://www.nist.gov/manuscript-publication-search.cfm?pub_id=907732] A security configuration checklist is a series of instructions for configuring a product to a particular operational environment

System and Network Security Acronyms and Abbreviations

September 30, 2009

Author(s)

Karen A. Scarfone, Victoria Thompson

This report contains a list of selected acronyms and abbreviations for system and network security terms with their generally accepted or preferred definitions. It is intended as a resource for Federal agencies and other users of system and network

Guidelines on Firewalls and Firewall Policy

September 28, 2009

Author(s)

Karen A. Scarfone, Paul Hoffman

Firewalls are devices or programs that control the flow of network traffic between networks or hosts employing differing security postures. This publication provides an overview of several types of firewall technologies and discusses their security

Security for Enterprise Telework and Remote Access Solutions

June 24, 2009

Author(s)

Karen A. Scarfone

Many people telework (also known as telecommuting), which is the ability for an organization s employees and contractors to perform work from locations other than the organization s facilities. Teleworkers use various client devices, such as desktop and

Guide to Enterprise Telework and Remote Access Security

June 16, 2009

Author(s)

Karen A. Scarfone, Paul Hoffman, Murugiah P. Souppaya

[Superseded by NIST SP 800-46 Rev. 2 (July 2016): http://www.nist.gov/manuscript-publication-search.cfm?pub_id=921406] Many organizations employees and contractors use enterprise telework technologies to perform work from external locations. Most

Cyber Security Standards

June 15, 2009

Author(s)

Karen A. Scarfone, Daniel R. Benigni, Timothy Grance

The goal of cyber security standards is to improve the security of information technology (IT) systems, networks, and critical infrastructures. A cyber security standard defines both functional and assurance requirements within a product, system, process

Cyber Security Metrics and Measures

March 2, 2009

Author(s)

Paul E. Black, Karen A. Scarfone, Murugiah P. Souppaya

Metrics are tools to facilitate decision making and improve performance and accountability. Measures are quantifiable, observable, and objective data supporting metrics. Operators can use metrics to apply corrective actions and improve performance

A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

November 20, 2008

Author(s)

William I. MacGregor, Ketan L. Mehta, David A. Cooper, Karen A. Scarfone

This document provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in Federal facilities. Specifically, this document recommends a risk-based approach for selecting

Access Control Policy Composition for Resource Federation Networks Using Semantic Web and Resource Description Framework (RDF)

November 13, 2008

Author(s)

Chung Tong Hu, Stephen Quirolgico, Karen A. Scarfone

The availability of global, pervasive information relies on seamless access to federated resources through sharing and trust between the participating members. However, most of the current architectures for federation networks are designed based on a

Guidelines on Cell Phone and PDA Security

November 3, 2008

Author(s)

Wayne Jansen, Karen A. Scarfone

[Superseded by SP 800-124 Rev. 1 (June 2013): http://www.nist.gov/manuscript-publication-search.cfm?pub_id=913427] Cell phones and personal digital assistants (PDAs) have become indispensable tools for today's highly mobile workforce. Small and relatively

Vulnerability Scoring for Security Configuration Settings

October 29, 2008

Author(s)

Karen A. Scarfone, Peter M. Mell

The best-known vulnerability scoring standard, the Common Vulnerability Scoring System (CVSS), is designed to quantify the severity of security-related software flaw vulnerabilities. This paper describes our efforts to determine if CVSS could be adapted

Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist

October 24, 2008

Author(s)

Karen A. Scarfone, Murugiah P. Souppaya, Paul M. Johnson

This publication assists IT professionals in securing Windows XP workstations, mobile computers, and computers used by telecommuters within various environments. The recommendations are specifically intended for Windows XP Professional systems running

Guide to Bluetooth Security

September 30, 2008

Author(s)

Karen A. Scarfone, John Padgette

[Superseded by SP 800-121 Rev. 1 (June 2012): http://www.nist.gov/manuscript-publication-search.cfm? pub_id=911133] Bluetooth is an open standard for short-range radio frequency communication. Bluetooth technology is used primarily to establish wireless

Technical Guide to Information Security Testing and Assessment

September 30, 2008

Author(s)

Murugiah P. Souppaya, Karen A. Scarfone

The purpose of this document is to assist organizations in planning and conducting technical information security tests and examinations, analyzing findings, and developing mitigation strategies. The guide provides practical recommendations for designing

Guide to Industrial Control Systems (ICS) Security (final draft)

September 2, 2008

Author(s)

Keith A. Stouffer, Joseph A. Falco, Karen A. Scarfone

[Superseded by NIST SP 800-82 (June 2011): http://www.nist.gov/manuscript-publication-search.cfm? pub_id=907249] The purpose of this document is to provide guidance for securing industrial control systems (ICS), including supervisory control and data

Evidence-Based, Good Enough, and Open

August 4, 2008

Author(s)

Karen A. Scarfone

One of the holy grail questions in computer security is how secure are my organization systems? This paper describes our new approach to answering this question. This approach is distinguished from previous efforts in three ways: 1) uses evidence-based

Guide to General Server Security

July 25, 2008

Author(s)

Karen A. Scarfone, Wayne Jansen, Miles C. Tracy

The purpose of this document is to assist organizations in understanding the fundamental activities performed as part of securing and maintaining the security of servers that provide services over network communications as a main function. The document

Guide to Securing Legacy IEEE 802.11 Wireless Networks

July 25, 2008

Author(s)

Karen A. Scarfone, Derrick Dicoi, Matt Sexton, Cyrus Tibbs

The purpose of this document is to provide guidance to organizations in securing their legacy Institute of Electrical and Electronics Engineers (IEEE) 802.11 wireless local area networks (WLAN) that cannot use IEEE 802.11i. The document provides an

A Framework for Measuring the Vulnerability of Hosts

June 30, 2008

Author(s)

Karen A. Scarfone, Timothy Grance

This paper proposes a framework for measuring the vulnerability of individual hosts based on current and historical operational data for vulnerabilities and attacks. Previous approaches have not been scalable because they relied on complex manually

Computer Security Incident Handling Guide

March 7, 2008

Author(s)

Karen A. Scarfone, Timothy Grance, Kelly Masone

[Superseded by SP 800-61 Rev. 2 (August 2012): http://www.nist.gov/manuscript-publication-search.cfm?pub_id=911736] Computer security incident response has become an important component of information technology (IT) programs. Security-related threats have