The 995-Node
Intelligence Forest
The world's most comprehensive, source-verified resource for autonomous AI agents. Every node is cryptographically signed, RAG-optimized, and gated via L402 settlement protocols.
Neural Discovery Search
bidda.com / authority / sovereign-forest
SHA-256_INTEGRITY_AUDIT_PASSED
AI Model Valuation (IAS 38)
"IAS 38 Intangible Assets, issued by the IASB, governs the recognition, measurement, and disclosure of intangible assets including internally developed AI models, training datasets, and software. An intangible asset must meet strict recognition criteria: identifiability, control, and probable future economic benefit. Development-phase AI expenditure may be capitalized only after technical feasibility is established under all six IAS 38.57 criteria, while research-phase costs must be expensed immediately. Failure to correctly distinguish research from development phases, or to apply impairment testing under IAS 36, results in materially misstated financial statements and potential regulatory action by securities authorities."
Technical ID
accounting-ias-38
Digital Asset Fair Value (IFRS 13)
"IFRS 13 Fair Value Measurement establishes a single framework for measuring fair value across all IFRS standards that require or permit fair value measurement, including digital assets, AI-tokenized instruments, and crypto holdings. Fair value is defined as the exit price in an orderly transaction between market participants at the measurement date. Entities must classify inputs into a three-level hierarchy (Level 1: quoted prices in active markets; Level 2: observable inputs; Level 3: unobservable inputs) and maximize use of observable inputs. Digital and AI-linked assets with limited trading history frequently fall into Level 3, requiring robust valuation models and extensive disclosures; inadequate classification or disclosure triggers audit qualifications and securities regulator scrutiny."
Technical ID
accounting-ifr-13
Engineers Ethics (ACEC)
"The American Council of Engineering Companies (ACEC) Code of Ethics establishes the binding professional obligations for licensed engineers and consulting firms. Engineers must hold paramount the safety, health, and welfare of the public above all client or employer interests. Core obligations include qualifications-based fee competition (Brooks Act compliance), professional seal authorization, conflict-of-interest disclosure, errors and omissions insurance, and continuing professional education. Violations expose firms to license revocation, civil liability, and federal debarment."
Technical ID
acec-ethics-eng
ADA (Employment Title I)
"The Americans with Disabilities Act Title I (42 U.S.C. §12101–12117), as amended by the ADA Amendments Act of 2008 (ADAAA), is the primary U.S. federal law prohibiting employment discrimination against qualified individuals with disabilities. Covered employers with 15 or more employees must provide reasonable accommodations unless doing so causes undue hardship. Title I restricts all medical inquiries to post-conditional-offer only, mandates initiation of the interactive process upon disclosure of a disabling limitation, and requires accessible employment technology at WCAG 2.1 AA minimum. The EEOC enforces Title I through administrative charges; violations expose employers to back pay, compensatory and punitive damages, and injunctive relief requiring policy and structural changes."
Technical ID
ada-employment-title-1
ADA (Hospitality Accessibility)
"ADA Title III (42 U.S.C. §12181–12189) requires all places of public accommodation — including hotels, motels, restaurants, bars, and food service establishments — to provide equal access to individuals with disabilities. New construction and alterations commenced after January 26, 1992 must fully comply with the 2010 ADA Standards for Accessible Design. Existing facilities must remove architectural barriers where readily achievable. Hotels must provide a regulated percentage of accessible guest rooms, van-accessible parking at prescribed ratios, accessible routes of 36-inch minimum clear width, pool lifts for pools exceeding 300 linear feet of pool wall, and visual communication features for guests with hearing impairments. DOJ enforces Title III through civil investigations and pattern-or-practice suits; private plaintiffs may sue for injunctive relief and attorney fees. Non-compliant operators face structural modification orders and potential damages in states with enhanced state accessibility laws."
Technical ID
ada-hospitality-access
Agent Budgetary Controls & Ceiling Checks
"Agentized financial controls (Action Boundaries) restrict an autonomous agent's spending power per session, task, or API call to prevent catastrophic loss or unbounded consumption. A properly implemented budget cap architecture requires: a durable spend counter initialized at agent boot, pre-call ceiling checks before every API invocation, fleet-level daily aggregation across all sessions, hard stops on breach with no retry path, mandatory human approval gates for high-value actions, full audit logging of every spend event, and MFA-gated emergency override procedures. Absent these controls, autonomous agents can exhaust allocated compute budgets, incur unexpected cloud costs, or trigger runaway API consumption within a single malformed task."
Technical ID
agent-budget-cap
Agent Emergency Stop (Kill-Switch) Design Patterns
"An AI Agent Kill-Switch is a deterministic safety mechanism designed to immediately terminate or throttle an autonomous agent's execution if it exceeds predefined behavioral, financial, or operational boundaries."
Technical ID
agent-kill-switch
Multi-Agent Collision Resolution
"Multi-agent collision logic provides deterministic protocols for resolving conflicts when two or more autonomous AI agents simultaneously attempt to access the same resource, modify the same shared state, execute contradictory actions, or pursue incompatible goal trajectories within a swarm or orchestration framework. Without collision resolution, multi-agent systems produce race conditions, data corruption, deadlocks, and cascading failures that are difficult to audit or remediate. The resolution framework draws from distributed systems theory — consensus algorithms, vector clocks, conflict-free replicated data types (CRDTs), and resource arbitration — as well as emerging agentic safety standards. Properly implemented collision logic ensures predictable, auditable outcomes and maintains system safety invariants even when individual agents operate concurrently and autonomously."
Technical ID
ai-agent-collision-logic
AI-IP: Guidance on Authorship
"The US Copyright Office's AI Policy Statement (February 2023) and subsequent guidance (March 2023) establish that copyright protection requires human authorship — purely AI-generated content without human creative control is not copyrightable in the United States. Works involving AI assistance may receive copyright protection for the human-authored elements, but only if a human author made sufficient creative choices that were expressed in the final output. The EU, UK, and other jurisdictions take varying positions, with the UK's Computer Generated Works doctrine providing limited protection for AI outputs. Misrepresenting AI-generated content as human-authored to obtain copyright registration constitutes fraud; failure to disclose AI involvement in patent applications may similarly invalidate those applications."
Technical ID
ai-ip-copyright
AICPA Code of Ethics
"The AICPA Code of Professional Conduct (ET §0.300) establishes binding ethical standards for Certified Public Accountants in public practice and business. The Code requires CPAs to maintain independence in all attest engagements — any direct or material indirect financial interest in an audit client creates an impairment with no de minimis exception. The Conceptual Framework (ET §1.010.010) mandates evaluation of five threat categories (self-interest, self-review, advocacy, familiarity, and intimidation) and application of safeguards before accepting or continuing any engagement. Key operational requirements include: 40 hours of continuing professional education annually, 7-year documentation retention under PCAOB Rule 4003, engagement quality review by a second partner for all public company audits, prohibition on management functions and bookkeeping for audit clients under SOX §201, and confidentiality breach notification within 24 hours. Violations expose CPAs to AICPA Ethics Division investigation, state board disciplinary action, license revocation, and SEC or PCAOB enforcement proceedings for registered firms."
Technical ID
aicpa-code-ethics
Responsible Alcohol Service
"Responsible alcohol service standards govern the legal and operational obligations of licensed on-premise alcohol retailers — bars, restaurants, hotels, event venues, and stadiums — to prevent service to minors and visibly intoxicated patrons. The National Minimum Drinking Age Act (23 U.S.C. §158) mandates a minimum legal drinking age of 21 in all U.S. states; service to minors exposes licensees to criminal liability, license revocation, and civil dram shop liability. State Dram Shop Acts impose third-party tort liability on servers who provide alcohol to visibly intoxicated persons who subsequently cause injury. Compliance requires: mandatory server certification through programs such as TIPS (Training for Intervention ProcedureS) or ServSafe Alcohol, documented ID verification procedures with a check-for-anyone-appearing-under-30 standard, written protocols for identifying signs of intoxication and executing patron cutoff, incident log maintenance, and manager override authorization for disputed service decisions. Licensees failing to enforce responsible service standards face ABC license suspension, criminal prosecution of servers, and civil judgments in dram shop actions that have exceeded $1 million in multiple U.S. jurisdictions."
Technical ID
alcohol-service-std
Amazon Ads (Policy)
"Compliance with this node ensures adherence to a comprehensive framework governing Amazon advertising, rooted in both platform policy and federal law. All advertising creative must meet stringent content requirements outlined in the Amazon Advertising Guidelines and Acceptance Policies, which mandate a minimum image longest side of 1000 pixels while strictly disallowing text on any main product image. Accompanying custom text fields are constrained to a maximum length of 50 characters. In alignment with guidance from FTC .com Disclosures, a sponsored disclosure is unequivocally required to maintain transparency with consumers. The node prohibits practices that could mislead consumers, reflecting the Lanham Act's general prohibition against false descriptions of fact in commerce. Consequently, deceptive pricing claims are disallowed, and any unsubstantiated claims are similarly forbidden, a rule further supported by the FTC Guides Concerning the Use of Endorsements and Testimonials regarding assertions like 'bestseller.' To protect platform integrity per the Amazon Seller Central Policy, off-platform redirection is not permitted, and a direct landing page ASIN match is mandated for all ad clicks. Intellectual property protections are enforced through mandatory brand registry verification as stipulated by the Amazon Brand Registry Terms of Use, a standard which also underpins the policy to prohibit competitor brand disparagement. Finally, all advertisements must utilize a supported marketplace language and avoid any restricted or prohibited product categories."
Technical ID
amazon-sponsored-ads-policy
Assessing Security and Privacy Controls in Information Systems and Organizations
"This publication provides a methodology and a set of procedures for conducting assessments of security and privacy controls employed within systems and organizations as part of an effective risk management framework. The assessment procedures are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 5. Security and privacy control assessments are the principal vehicle used to verify that selected controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security and privacy requirements. The procedures are customizable and can be tailored to provide organizations with the flexibility to conduct assessments that support their risk management processes and align with their stated risk tolerance. Control assessment results provide organizational officials with evidence of control effectiveness, an indication of the quality of risk management processes, and information about the security and privacy strengths and weaknesses of systems. These findings are used to determine the overall effectiveness of controls and to provide credible inputs to the organization’s risk management process, facilitating a cost-effective approach to managing risk by identifying weaknesses and enabling appropriate risk responses."
Technical ID
assessing-security-privacy-controls
Australia ACSC Essential Eight Mitigation Strategies Maturity Model (2023 Update)
"The Australian Cyber Security Centre's (ACSC) Essential Eight is a prioritized baseline of eight mitigation strategies designed to help organizations protect their systems against a range of cyber threats. Compliance, measured across three maturity levels as detailed in the model, is mandatory for Australian Government non-corporate Commonwealth entities and strongly recommended for all other organizations to achieve a baseline security posture."
Technical ID
australia-essential-eight-2023
Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation
"This special publication on Resilient Interdomain Traffic Exchange (RITE) includes initial guidance on securing the interdomain routing control traffic, preventing IP address spoofing, and certain aspects of DoS/DDoS detection and mitigation. The primary focus of these recommendations are the points of interconnection between enterprise networks, or hosted service providers, and the public internet. The primary audience includes information security officers and managers of federal enterprise networks. The guidance also applies to the network services of hosting providers and internet service providers (ISPs) when they are used to support federal IT systems. The core recommendations reduce the risk of accidental and malicious attacks in the routing control plane, and they help detect and prevent IP address spoofing and resulting DoS/DDoS attacks. Technologies recommended for securing interdomain routing control traffic include Resource Public Key Infrastructure (RPKI), BGP origin validation (BGP-OV), and prefix filtering. Additionally, technologies recommended for mitigating DoS/DDoS attacks include prevention of IP address spoofing using source address validation (SAV) with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies such as remotely triggered black hole (RTBH) filtering, flow specification (Flowspec), and response rate limiting (RRL) are also recommended as part of the overall security mechanisms."
Technical ID
bgp-security-ddos-mitigation
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
"This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. It integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multilevel, C-SCRM-specific approach. Organizations are concerned about risks associated with products and services that may contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices. These risks arise from decreased visibility into how technology is developed, integrated, and deployed. The core obligation is for enterprises to implement a systematic process for managing exposure to these risks by developing appropriate response strategies, policies, procedures, and controls. The guidance is intended for a diverse audience, including individuals with system, information security, risk management, system development, acquisition, procurement, and operational responsibilities. C-SCRM is presented as an enterprise-wide activity requiring coordination across various disciplines. This publication empowers enterprises to develop C-SCRM strategies tailored to their specific mission needs, threats, and operational environments, while balancing the costs and benefits of implementation. The guidance is not one-size-fits-all and should be adopted and tailored to the unique size, resources, and risk circumstances of each enterprise."
Technical ID
c-scrm-practices-systems-organizations
Least Privilege for AI Agents (CIS Companion Guide)
"Autonomous AI agents must be managed as Non-Human Identities (NHIs) with task-scoped, ephemeral privileges. The principle of Least Privilege ensures that an agent's access is restricted to the specific data and tools required for its current atomic task."
Technical ID
cis-ai-least-privilege
CIS Critical Security Controls Version 8
"Compliance with the Center for Internet Security (CIS) Critical Security Controls Version 8 provides a prioritized, risk-based framework for cyber defense, with this node mandating the foundational requirements of Implementation Group 1. Adherence necessitates maintaining a complete enterprise asset inventory and a detailed software asset inventory, alongside an active data classification program. The required operational security posture specifies automated vulnerability scans must occur at a maximum interval of 30 days, with critical patch deployment completed within a 14-day window. Secure access controls are paramount; multi-factor authentication is required for all administrative functions and any remote network access. For forensic and investigative readiness, audit logs must be preserved for a minimum of 90 days. Organizational resilience is further bolstered by requiring a formal incident response plan and ensuring all personnel complete security awareness training within a 365-day cycle. While this configuration does not explicitly require penetration testing, its implementation offers significant legal and regulatory advantages. Conformance may afford a legal safe harbor under state legislation like the Ohio Data Protection Act and Utah’s Cybersecurity Affirmative Defense Act. Moreover, these safeguards align heavily with federal enforcement under the FTC Safeguards Rule and are directly mapped to authoritative standards, including NIST Special Publication 800-53 and the NIST Cybersecurity Framework."
Technical ID
cis-controls-v8
Cross-Sector Cybersecurity Performance Goals
"The Cross-Sector Cybersecurity Performance Goals (CPGs) provide an approachable common set of IT and OT cybersecurity protections that are clearly defined, straightforward to implement, and aimed at addressing some of the most common and impactful cyber risks. These goals are applicable across all critical infrastructure sectors and are informed by the most common and impactful threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. They are a minimum set of practices that all critical infrastructure entities—from large to small—should implement to get started on their path toward a strong cybersecurity posture. The CPGs are intended to be a floor, not a ceiling, for what cybersecurity protections organizations should implement to reduce their cyber risk. The CPGs do not constitute a comprehensive cybersecurity program but rather represent a minimum baseline of cybersecurity practices with known risk-reduction value. They are designed to be easy to understand and communicate with non-technical audiences, including senior business leadership, to help organizations focus investment toward the most impactful security outcomes. The goals are voluntarily adopted and can be used as a quick-start guide, particularly for small and medium organizations, to prioritize security investments in conjunction with broader frameworks like the NIST Cybersecurity Framework (NIST CSF)."
Technical ID
cisa-cross-sector-cybersecurity-goals
RANSOMWARE GUIDE
"This guide provides ransomware best practices and recommendations based on operational insight from the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It is intended for information technology (IT) professionals and others involved in developing or coordinating cyber incident response. Ransomware is a form of malware designed to encrypt files on a device, rendering them and the systems that rely on them unusable, after which malicious actors demand a ransom for decryption. Ransomware incidents have become increasingly prevalent and can severely impact business processes, leaving organizations without the data needed to operate and deliver mission-critical services. Malicious actors have adjusted tactics to include threatening to release stolen data and publicly naming victims as secondary forms of extortion. The monetary value of demands has also increased, with some exceeding $1 million. These actors often engage in lateral movement to target critical data, propagate ransomware across entire networks, and use tactics like deleting system backups to make restoration more difficult. This guide is composed of two parts: Ransomware Prevention Best Practices and a Ransomware Response Checklist."
Technical ID
cisa-ms-isac-ransomware-guide
Contingency Planning Guide for Federal Information Systems
"This guide provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information systems, operations, and data after a disruption. It supports the requirement that identified services provided by information systems are able to operate effectively without excessive interruption. This guideline has been prepared for use by federal agencies but may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright. The core obligation for applicable organizations is to develop and maintain a viable contingency planning program through a seven-step process integrated into the system development life cycle. This process includes: 1) developing a formal contingency planning policy statement; 2) conducting a business impact analysis (BIA) to identify and prioritize critical systems; 3) identifying preventive controls to reduce disruption effects; 4) creating thorough recovery strategies; 5) developing a detailed information system contingency plan; 6) ensuring the plan is tested, personnel are trained, and exercises are conducted to validate capabilities; and 7) maintaining the plan as a living document. The guide presents sample formats based on low-, moderate-, or high-impact levels as defined by FIPS 199."
Technical ID
contingency-planning-federal-information-systems
Contingency Planning Guide for Federal Information Systems
"NIST Special Publication 800-34, Rev. 1, provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption, which may include relocation to an alternate site, recovery using alternate equipment, or performance of functions using manual methods. The guide defines a seven-step contingency planning process for organizations to develop and maintain a viable program: 1) Develop the contingency planning policy statement; 2) Conduct the business impact analysis (BIA) to identify and prioritize critical systems; 3) Identify preventive controls to reduce disruption effects; 4) Create thorough recovery strategies; 5) Develop a detailed information system contingency plan; 6) Ensure plan testing, training, and exercises to validate capabilities and improve preparedness; and 7) Ensure the plan is a living document, updated regularly. This guidance is for federal agencies and may be used by non-governmental organizations on a voluntary basis. It addresses specific contingency planning recommendations for client/server systems, telecommunications systems, and mainframe systems. The guidance presents sample formats for developing a contingency plan based on low-, moderate-, or high-impact levels as defined by FIPS 199. The core obligation is to establish thorough plans, procedures, and technical measures that enable a system to be recovered as quickly and effectively as possible following a service disruption, integrating these steps into each stage of the system development life cycle."
Technical ID
contingency-planning-guide-federal-systems
System Information Discovery (MITRE ATT&CK T1082)
"Adversaries attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture."
Technical ID
cyber-mitre-t1082
Account Management (NIST SP 800-53 AC-2)
"The Account Management control establishes a comprehensive framework, consistent with NIST Special Publication 800-53 AC-2, for managing the full lifecycle of information system accounts. This governance is essential for satisfying the identity management and access rights principles of ISO/IEC 27001, supporting the security of processing measures under GDPR Article 32, and meeting the logical access security criteria specified by SOC 2 CC6.3 and PCI DSS Requirement 8.1. System configuration mandates that all account provisioning actions must `require_manager_approval` and strictly `enforce_least_privilege`. To maintain operational integrity, the platform will `audit_account_creation_and_modification` activities, `alert_on_privileged_role_assignment`, and `enforce_separation_of_duties`. Access rights undergo a `periodic_review_interval_days` of every 90 days, while dormant accounts are subject to `auto_disable_inactive_days` after 35 days of inactivity. Temporary accounts are constrained by a `max_temporary_account_validity_hours` of 72 hours. Deprovisioning procedures are executed swiftly, with a mandate to `terminate_access_on_departure_hours` within 24 hours of notification and to `auto_remove_orphaned_accounts` systematically. Security is hardened by limiting `max_failed_login_attempts` to 3 and ensuring administrative functions `require_mfa_for_account_management`, thereby creating a robust, auditable system for managing identities and permissions."
Technical ID
cyber-nist-800-53-ac2
Asset Management Strategy (NIST CSF 2.0 ID.AM)
"Effective governance over the enterprise environment necessitates a comprehensive asset management strategy grounded in the NIST Cybersecurity Framework 2.0 Identify function. This approach mandates the maintenance of detailed hardware and software inventories, achieving a minimum coverage threshold of 95 percent for each category, consistent with CIS Controls v8. To ensure inventory integrity, asset discovery scans must execute at a maximum frequency of every 24 hours, and automated CMDB synchronization is required. Security posture is reinforced by enabling unauthorized asset alerting, with a strict mandate to quarantine any discovered rogue device within 60 minutes. In alignment with ISO/IEC 27001:2022 principles, mandatory data classification tags are required for all assets, facilitating risk-based management and supporting GDPR Article 30 record-keeping obligations. All designated critical assets must undergo a formal review at a maximum interval of 30 days. The strategy addresses the full asset lifecycle by requiring end-of-life and end-of-support tracking. Adherence to SOC 2 criteria and modern security practices like those in PCI DSS v4.0 is achieved through enforced mobile device management, enabled shadow IT discovery, and continuous external attack surface mapping, ensuring all logical and physical components are identified and managed."
Technical ID
cyber-nist-csf-2
Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN)
"This Cybersecurity Profile identifies an approach to assess the cybersecurity posture of Hybrid Satellite Networks (HSN) that provide services such as satellite-based systems for communications, position, navigation, and timing (PNT), remote sensing, weather monitoring, and imaging. The Profile will consider the cybersecurity of all the interacting systems that form the HSN rather than the traditional approach of a single organization acquiring the entire satellite system. It applies to organizations that have already adopted the NIST Cybersecurity Framework (CSF), are familiar with it, or are unfamiliar but need to implement HSN services in a risk-informed manner. The purpose of the Profile is to provide practical guidance for organizations and stakeholders engaged in the design, acquisition, and operation of satellite buses or payloads that involve HSN. The core objectives are to help organizations identify systems, assets, data and threats that pertain to HSN; protect HSN services by adhering to basic principles of resiliency; detect cybersecurity-related disturbances or corruption of HSN services and data; respond to HSN service or data anomalies in a timely, effective, and resilient manner; and recover the HSN to proper working order at the conclusion of a cybersecurity incident."
Technical ID
cybersecurity-profile-hsn
NIST SPECIAL PUBLICATION 1800-26 Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
"This guide focuses on data integrity: the property that data has not been altered in an unauthorized manner, covering data in storage, during processing, and while in transit. Destructive malware, ransomware, malicious insider activity, and even honest mistakes all necessitate that organizations detect and respond to an event that impacts data integrity in a timely fashion. Attacks against an organization’s data can compromise emails, employee records, financial records, and customer information—impacting business operations, revenue, and reputation. Examples of data integrity attacks include unauthorized insertion, deletion, or modification of data. This NIST Cybersecurity Practice Guide demonstrates how organizations can develop and implement appropriate actions during a detected data integrity cybersecurity event. The National Cybersecurity Center of Excellence (NCCoE) at NIST built a laboratory environment to explore methods to effectively detect and respond to a data integrity event in various IT enterprise environments. The guide demonstrates a solution that incorporates multiple systems working in concert to detect an ongoing data integrity cybersecurity event and provides guidance on how to respond to the detected event, enabling organizations to have the necessary tools to act during a data integrity attack."
Technical ID
data-integrity-detecting-responding-ransomware
Guide for Developing Security Plans for Federal Information Systems
"The objective of system security planning is to improve the protection of information system resources. This guide provides an overview of the security requirements for a system and describes the controls, either in place or planned, for meeting those requirements. The completion of system security plans is a requirement under the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA), applicable to all federal systems which have some level of sensitivity and require protection. The system security plan delineates responsibilities and expected behavior of all individuals who access the system, and should reflect input from managers with system responsibilities, including information owners, the system owner, and the senior agency information security officer (SAISO). Management authorization to operate a system is based on an assessment of management, operational, and technical controls, for which the system security plan forms the basis. By authorizing a system, a manager accepts its associated risk. This authorization must be periodically reviewed and re-authorization should occur whenever there is a significant change in processing, and at a minimum of every three years. The plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system and is a living document that requires periodic review and modification."
Technical ID
developing-security-plans-federal-systems
ENISA Threat Landscape 2024
"The ENISA Threat Landscape 2024 is an annual intelligence report identifying the top 8 cybersecurity threats to the European Union, requiring organizations to use this analysis for their risk assessments and to prioritize security controls. The report highlights ransomware, AI abuse, and supply chain attacks as prime threats impacting critical sectors, as detailed in the 'Key Findings' section."
Technical ID
enisa-threat-landscape-2024
ETSI EN 304 223 - Securing AI (SAI)
"European telecommunications standards for mitigating attacks against AI models, including data poisoning, model evasion, and supply chain vulnerabilities."
Technical ID
etsi-en-304-223-sai
Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC
"The EU Critical Entities Resilience (CER) Directive requires designated critical entities across 11 sectors to implement technical, security, and organizational measures to enhance their physical resilience against non-cyber threats. As per Article 13, these entities must conduct regular risk assessments and establish a resilience plan to prevent, protect against, respond to, resist, mitigate, absorb, accommodate, and recover from disruptive incidents."
Technical ID
eu-critical-entities-resilience-2022
Regulation (EU) 2024/2847 of the European Parliament and of the Council of 11 October 2024 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents (EU Cyber Solidarity Act)
"This regulation establishes a European Cyber Shield and a Cyber Emergency Mechanism to enhance the EU's collective ability to detect, prepare for, and respond to significant cybersecurity threats. It mandates the deployment of a network of Security Operations Centres (SOCs) and creates a Cyber Reserve of trusted private providers to support Member States during major incidents, as outlined in Articles 3 and 13."
Technical ID
eu-cyber-solidarity-act-2024
Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)
"This regulation establishes a permanent mandate for ENISA, the EU Agency for Cybersecurity, and creates a voluntary, EU-wide cybersecurity certification framework for ICT products, services, and processes as outlined in Title III. The framework aims to harmonize certification schemes across Member States to enhance trust and security in the Digital Single Market."
Technical ID
eu-cybersecurity-act-2019
Commission Implementing Regulation (EU) 2024/2690 laying down rules for the application of Directive (EU) 2022/2555 as regards the technical and methodological requirements for cybersecurity risk-management measures
"This regulation establishes the specific technical and methodological requirements for the cybersecurity risk-management measures that essential and important entities must implement under Article 21 of the NIS2 Directive. It mandates a minimum set of ten baseline measures, covering areas from risk analysis and incident handling to supply chain security and cryptography, as detailed in Article 2."
Technical ID
eu-nis2-implementing-regulation-2024
Directive 2014/53/EU on Radio Equipment (RED) — Cybersecurity, Privacy, and Fraud Protection Requirements (Article 3.3 d, e, f)
"The EU Radio Equipment Directive (RED), through Delegated Regulation (EU) 2022/30 activating Article 3.3 (d), (e), and (f), mandates that internet-connected radio equipment and certain wearables incorporate safeguards to protect network integrity, personal data, privacy, and prevent monetary fraud before being placed on the EU market, with enforcement beginning August 1, 2025."
Technical ID
eu-radio-equipment-directive-2014
FedRAMP — US Federal Cloud Authorization
"The Federal Risk and Authorization Management Program (FedRAMP), established by OMB Memorandum M-11-33 (June 2011) and codified into law by the FedRAMP Authorization Act (December 2022, part of NDAA FY2023), is the US federal government's standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. All cloud services (IaaS, PaaS, SaaS) used by federal agencies must be FedRAMP authorized. FedRAMP defines three impact levels based on FIPS 199 categorization: Low (125 controls), Moderate (325 controls, most common — covers 80%+ of federal use cases), and High (421 controls, for sensitive unclassified data including law enforcement, financial, and health data). Two authorization paths: (1) Agency ATO (Authority to Operate) — a federal agency sponsors and issues an ATO, usable government-wide; (2) JAB (Joint Authorization Board) P-ATO — reviewed by GSA, DoD, and DHS CIOs, highest prestige. Third-Party Assessment Organizations (3PAOs) — accredited by the American Association for Laboratory Accreditation (A2LA) — conduct independent assessments. FedRAMP Rev 5 baselines (aligned to NIST SP 800-53 Rev 5) released January 2024. Continuous monitoring: monthly vulnerability scanning, annual penetration testing, and significant change reporting are mandatory post-authorization."
Technical ID
fedramp-authorization
Advanced Encryption Standard (AES)
"The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) digital information. The standard specifies three members of the Rijndael family: AES-128, AES-192, and AES-256. Each transforms data in blocks of 128 bits, and the numerical suffix indicates the bit length of the associated cryptographic keys. The algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits. This standard applies to information systems used or operated by federal agencies, a contractor of an agency, or other organization on behalf of an agency, but not to national security systems. It may be used by federal agencies to protect information when they have determined that encryption is appropriate. The algorithm specified in this Standard may be implemented in software, firmware, hardware, or any combination thereof and shall be used in conjunction with a FIPS-approved or NIST-recommended mode of operation. This standard may also be adopted and used by non-Federal Government organizations."
Technical ID
fips-197-advanced-encryption-standard
Standards for Security Categorization of Federal Information and Information Systems
"FIPS Publication 199 establishes standards for categorizing federal information and information systems to provide a common framework for expressing security. The categorization is based on the objectives of providing appropriate levels of information security according to a range of risk levels. This is accomplished by assessing the potential impact (Low, Moderate, or High) on organizational operations, assets, or individuals should a breach of security occur, defined as a loss of confidentiality, integrity, or availability. These standards apply to all information within the federal government (other than classified national security information) and all federal information systems. The core obligation for agency officials is to use these security categorizations whenever a federal requirement exists to categorize information or systems. The security category for an information system is determined by taking the highest potential impact value ('high water mark') from all information types resident on that system for each of the three security objectives: confidentiality, integrity, and availability."
Technical ID
fips-199-security-categorization
Minimum Security Requirements for Federal Information and Information Systems
"This standard, mandated by the Federal Information Security Management Act (FISMA) of 2002, specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government. It is applicable to all federal information and information systems, excluding those designated as national security systems or containing classified information. The core obligation for federal agencies is to develop, document, and implement an enterprise-wide program to provide information security for their systems and assets. This involves a risk-based process that begins with categorizing information systems as low, moderate, or high impact based on the security objectives of confidentiality, integrity, and availability, as defined in FIPS Publication 199. Following categorization, agencies must meet the minimum security requirements across seventeen security-related areas, including access control, incident response, configuration management, and contingency planning. The standard mandates the use of security controls from NIST Special Publication 800-53. Agencies must select and tailor a baseline of security controls corresponding to their system's impact level (low, moderate, or high). The goal is to establish minimum levels of due diligence for information security and facilitate a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems that meet these minimum requirements."
Technical ID
fips-200-minimum-security-requirements
Personal Identity Verification (PIV) of Federal Employees and Contractors
"This document establishes a standard for a Personal Identity Verification (PIV) system that meets the control and security objectives of Homeland Security Presidential Directive-12 (HSPD-12). It is based on secure and reliable forms of identity credentials issued by the Federal Government to its employees and contractors. These credentials are used by mechanisms that authenticate individuals who require access to federally controlled facilities, information systems, and applications. The standard is applicable to all federal departments and agencies for identification issued to federal employees and contractors, except for national security systems. The core obligation is to implement a PIV system that issues credentials based on sound criteria for verifying an individual's identity, including prerequisite background investigations and in-person identity proofing. The credentials must be strongly resistant to fraud and tampering, be rapidly authenticated electronically, and be issued only by providers whose reliability has been established by an official accreditation process. The Standard specifies implementation and processes for binding identities to authenticators, such as integrated circuit cards (PIV Cards) and derived PIV credentials, and outlines the lifecycle activities for PIV identity accounts, from initial proofing and registration to issuance, maintenance, and termination."
Technical ID
fips-201-3-piv-federal-employees
Post-Quantum Cryptography (FIPS 203)
"National standards for the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM), ensuring security in the era of Cryptographically Relevant Quantum Computers (CRQC)."
Technical ID
fips-203-quantum-kem
Post-Quantum DSA (FIPS 204)
"Compliance with Federal Information Processing Standard 204 mandates a strict implementation of the Module-Lattice-Based Digital Signature Algorithm (ML-DSA). Systems must exclusively employ one of the three standardized parameter sets—ML-DSA-44, ML-DSA-65, or ML-DSA-87—and satisfy a minimum security strength where the selected set corresponds to NIST security category 3 or 5, reflecting a policy threshold where the value must be greater than or equal to 3. The foundational cryptographic operations are equally prescribed: the internal hash function must be SHAKE-256 per FIPS 202, and randomness for key generation or randomized signing must originate from a DRBG compliant with NIST SP 800-90A. For utilization in U.S. Federal contexts, the entire cryptographic implementation needs to be encapsulated within a FIPS 140-3 validated module. Verification requires that the implementation correctly process all relevant Known Answer Test vectors from the NIST CAVP for its claimed parameter set. Furthermore, component sizes are non-negotiable; the public key, private key, and signature dimensions must exactly match byte specifications detailed in FIPS 204, such as the 4000-byte private key for ML-DSA-65. Finally, operational security dictates that generated ML-DSA keys are single-purpose and must be disallowed for any other cryptographic function."
Technical ID
fips-204-quantum-dsa
Quantum SPHINCS+ (FIPS 205)
"Compliance with Federal Information Processing Standard 205 is affirmed through the correct implementation of the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA). The system utilizes a cryptographic module formally validated for FIPS 205 compliance, employing a NIST-approved parameter set that achieves security level 3. This algorithm is properly restricted exclusively to digital signature generation and verification operations, precluding its use for encryption or key establishment purposes. A critical security control is met, as the implementation is confirmed to be stateless, thereby preventing catastrophic key reuse vulnerabilities associated with stateful hash-based schemes. The underlying cryptographic primitives, specifically the hash functions, are FIPS-approved. Furthermore, private key lifecycle management is contained within a FIPS 140-3 validated cryptographic boundary. Randomness for key generation adheres to NIST Special Publication 800-90A by using a compliant deterministic random bit generator. System architecture has been verified to accommodate the characteristically large signature sizes produced by SPHINCS+, and as part of a prudent transitional strategy outlined in NIST Special Publication 800-208, this SLH-DSA implementation is deployed within a hybrid scheme, operating alongside a classical signature algorithm to ensure robust security during migration to post-quantum cryptography."
Technical ID
fips-205-quantum-sphincs
Guide to Computer Security Log Management
"A log is a record of the events occurring within an organization’s systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network. This document provides guidance on computer security log management—the process for generating, transmitting, storing, analyzing, and disposing of computer security log data. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. This guidance is primarily for Federal agencies to comply with legislation like the Federal Information Security Management Act of 2002 (FISMA), but may also be useful for non-governmental organizations subject to regulations like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS). A fundamental problem with log management is effectively balancing limited resources with a continuous supply of log data. This involves challenges in log generation and storage, protection, and analysis. Implementing the recommendations should assist in facilitating more efficient and effective log management."
Technical ID
guide-computer-security-log-management
Guide for Developing Security Plans for Federal Information Systems
"The objective of system security planning is to improve protection of information system resources. The protection of a system must be documented in a system security plan, a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. This guidance applies to federal agencies and is designed for program managers, system owners, and security personnel. It provides basic information on how to prepare a system security plan, which should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. Since the system security plan establishes and documents the security controls, it should form the basis for the authorization to operate, supplemented by an assessment report and a plan of actions and milestones. Management authorization should be based on an assessment of management, operational, and technical controls. Re-authorization should occur whenever there is a significant change in processing, but at least every three years."
Technical ID
guide-developing-security-plans
Guide for Developing Security Plans for Federal Information Systems
"The objective of system security planning is to improve protection of information system resources. This guidance is a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). All federal systems have some level of sensitivity and require protection as part of good management practice, and the protection of a system must be documented in a system security plan. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. It should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. The plan establishes and documents security controls, forming the basis for authorization by a senior management official, who accepts the associated risk by authorizing the system to operate. This authorization should be based on an assessment of management, operational, and technical controls. Re-authorization should occur whenever there is a significant change in processing, but at least every three years."
Technical ID
guide-developing-security-plans-federal
Guide for Developing Security Plans for Federal Information Systems
"The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection, which must be documented in a system security plan as required by OMB Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The plan also delineates responsibilities and expected behavior of all individuals who access the system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system owner, and the senior agency information security officer (SAISO). Management authorization for a system to operate is based on an assessment of management, operational, and technical controls documented in the system security plan. By authorizing processing, a manager accepts the system's associated risk. The plan forms the basis for this authorization, supplemented by an assessment report and a plan of actions and milestones. Re-authorization should occur whenever there is a significant change in processing, but at least every three years. This guidance applies to federal agencies, program managers, system owners, and security personnel, and may be used by non-governmental organizations on a voluntary basis."
Technical ID
guide-developing-security-plans-federal-information-systems
Guide for Developing Security Plans for Federal Information Systems
"The objective of system security planning is to improve protection of information system resources, as all federal systems have some level of sensitivity and require protection. The protection of a system must be documented in a system security plan, a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The plan also delineates responsibilities and expected behavior of all individuals who access the system, reflecting input from various managers including information owners, the system owner, and the senior agency information security officer (SAISO). Management authorization to operate a system is based on an assessment of management, operational, and technical controls documented in the system security plan. By authorizing processing, a manager accepts the associated risk. The system security plan, supplemented by an assessment report and a plan of actions and milestones, forms the basis for this authorization. Re-authorization should occur whenever there is a significant change in processing, but at least every three years."
Technical ID
guide-developing-security-plans-federal-systems
Guide for Developing Security Plans for Federal Information Systems
"The objective of system security planning is to improve protection of information system resources. The protection of a system must be documented in a system security plan, a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. It should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system and reflect input from various managers, including information owners, the system owner, and the senior agency information security officer (SAISO). This guidance is for federal agencies and is intended for program managers, system owners, and security personnel. The system security plan establishes and documents the security controls and forms the basis for the authorization to operate, granted by a management official who accepts the associated risk. A senior management official must authorize a system to operate based on an assessment of management, operational, and technical controls. Re-authorization should occur whenever there is a significant change in processing, but at least every three years."
Technical ID
guide-for-developing-security-plans
Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories
"This guideline has been developed to assist Federal government agencies to categorize information and information systems. The guideline’s objective is to facilitate application of appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or use of the information or information system. It addresses the Federal Information Security Management Act (FISMA) direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline applies to all Federal information systems other than national security systems. This publication is intended to serve a diverse federal audience of information system and information security professionals including individuals with oversight responsibilities (e.g., chief information officers), organizational officials (e.g., mission and business area owners), individuals with development responsibilities, and individuals with implementation and operational responsibilities. It provides a structured, yet flexible framework for satisfying the requirements of FISMA. Security categorization is the key first step in the Risk Management Framework because of its effect on all other steps, from the selection of security controls to the level of effort in assessing security control effectiveness."
Technical ID
guide-mapping-information-types-security
Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
"For many organizations, their employees, contractors, business partners, vendors, and other users utilize enterprise telework technologies to perform work from external locations, using remote access technologies to interface with an organization’s non-public computing resources. The nature of telework and remote access technologies—permitting access to protected resources from external networks and often externally controlled hosts—generally places them at higher risk. All components of these solutions, including organization-issued and bring your own device (BYOD) client devices, remote access servers, and internal resources, should be secured against expected threats as identified through threat models. Major security concerns include the lack of physical security controls, the use of unsecured networks, the connection of infected devices to internal networks, and the availability of internal resources to external hosts. This publication provides information on security considerations for several types of remote access solutions and makes recommendations for securing telework, remote access, and BYOD technologies. It also gives advice on creating related security policies, which should be based on the assumption that external environments contain hostile threats. An organization should assume that external facilities, networks, and devices contain hostile threats that will attempt to gain access to the organization’s data and resources. Organizations should plan policies that define permitted forms of remote access, restrictions on client devices, and how servers are secured and configured to enforce these policies."
Technical ID
guide-telework-remote-access-byod
Guide to Storage Encryption Technologies for End User Devices
"This publication assists organizations in understanding, planning, implementing, and maintaining storage encryption technologies for end user devices, including personal computers, consumer devices like smart phones, and removable storage media. It addresses threats to information confidentiality such as device loss or theft, insider attacks, and malware. The primary security controls discussed for restricting access to sensitive information, particularly personally identifiable information (PII), are encryption and authentication. The guide provides practical, real-world guidance for three classes of storage encryption: full disk encryption, volume and virtual disk encryption, and file/folder encryption. It makes recommendations for implementing and using each type. Key recommendations for Federal departments and agencies include using centralized management for most deployments to ensure policy verification, key management, and data recovery. Organizations should ensure all cryptographic keys are secured and managed properly throughout their lifecycle, from generation to destruction, to support data recovery. Appropriate user authenticators should be selected, with a preference for two-factor authentication, as using a single-factor authenticator for both OS login and encryption significantly weakens protection. Storage encryption by itself is considered insufficient; it must be complemented by other security controls, such as securing device operating systems, revising organizational policies, and making users aware of their responsibilities."
Technical ID
guide-to-storage-encryption-technologies
Guidelines for Securing Wireless Local Area Networks (WLANs)
"A wireless local area network (WLAN) is a group of wireless networking devices within a limited geographic area that exchange data through radio communications, based on the IEEE 802.11 standard. The security of each WLAN is heavily dependent on how well each WLAN component—including client devices, access points (APs), and wireless switches—is secured throughout the WLAN lifecycle. This publication provides recommendations for improving the security of their WLANs through security configuration and monitoring, supplementing other NIST publications by consolidating and strengthening their key recommendations. Core obligations for organizations include having standardized security configurations for common WLAN components, considering how a WLAN may affect the security of other networks, and implementing logically separated WLANs for internal and guest use. Organizations should have policies that clearly state which forms of dual connections are permitted or prohibited for WLAN client devices and enforce these policies through appropriate security controls. It is crucial to ensure that the organization’s WLAN client devices and APs have configurations at all times that are compliant with the organization’s WLAN policies. To support this, organizations must perform both attack monitoring and vulnerability monitoring, and conduct regular periodic technical security assessments for their WLANs, at least annually, to evaluate overall security."
Technical ID
guidelines-securing-wireless-local-area-networks
Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN)
"The objective of this Cybersecurity Profile is to identify an approach to assess the cybersecurity posture of Hybrid Satellite Networks (HSN) that provide services such as satellite-based systems for communications, position, navigation, and timing (PNT), remote sensing, weather monitoring, and imaging. The Profile considers the cybersecurity of all the interacting systems that form the HSN rather than the traditional approach of a single organization acquiring the entire satellite system. It is intended to provide practical guidance for organizations and stakeholders engaged in the design, acquisition, and operation of satellite buses or payloads that involve HSN. The Profile applies to organizations that have already adopted the NIST Cybersecurity Framework (CSF), are familiar with the CSF and want to improve their cybersecurity postures, or are unfamiliar with the CSF but need to implement HSN services in a risk-informed manner. Use of the HSN Profile will help organizations identify systems, assets, data and threats that pertain to HSN; protect HSN services by adhering to basic principles of resiliency; detect cybersecurity-related disturbances; respond to service anomalies in a timely manner; and recover the HSN to proper working order following a cybersecurity incident. The Profile does not prescribe regulations or mandatory practices, nor does it carry any statutory authority."
Technical ID
hsn-cybersecurity-framework-profile
Identity and Access Management for Electric Utilities
"The National Cybersecurity Center of Excellence (NCCoE) developed this example solution for electric utilities to more securely and efficiently manage access to the networked devices and facilities on which power generation, transmission, and distribution depend. The guidance is informed by best practices from standards organizations, including the North American Electric Reliability Corporation’s (NERC’s) Critical Infrastructure Protection (CIP) Version 5 standards. As the electric power industry increases operational technology (OT) and information technology (IT) convergence, it challenges departments to efficiently manage identities and access. Many utilities run fragmented Identity and Access Management (IdAM) systems, leading to a lack of traceability, increased risk of attack, and an inability to identify problem sources. This NIST Cybersecurity Practice Guide demonstrates how to implement a converged IdAM platform using multiple commercially available products. The goal is to provide a comprehensive view of all users within the electric utility, across all silos (OT, IT, and physical access), and of the access rights that they have been granted. The core objective is to provide the right person with the right degree of access to the right resources at the right time. This allows for rapid provisioning and de-provisioning of access from a converged platform, reducing the risk of malicious or untrained people gaining unauthorized access to critical infrastructure components."
Technical ID
identity-and-access-management-electric-utilities
ISO/IEC 27001:2022 — Information Security Management
"ISO/IEC 27001:2022 (published October 2022, replacing ISO 27001:2013) is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It applies to any organization regardless of size or sector and is administered by ISO/IEC Joint Technical Committee 1, Subcommittee 27. The standard uses the Annex SL high-level structure shared with ISO 9001 and ISO 14001. Annex A contains 93 controls organized into four themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). The 2022 revision added 11 new controls including threat intelligence (A.5.7), ICT readiness for business continuity (A.5.30), web filtering (A.8.23), data masking (A.8.11), data leakage prevention (A.8.12), and secure coding (A.8.28). Certification is achieved through a Stage 1 documentation review and Stage 2 on-site audit by an IAF-accredited certification body, with 3-year recertification and annual surveillance audits. Non-compliance with contractual ISMS requirements can result in contract termination and regulatory liability under GDPR, NIS2, and DORA."
Technical ID
iso-27001-2022
ISO/IEC 27005:2022 Information Security Risk Management — Guidance on Managing InfoSec Risks
"This standard provides guidelines for establishing, implementing, maintaining, and continually improving an information security risk management process. It details the iterative process from context establishment (Clause 7) through risk assessment (Clause 8) and risk treatment (Clause 9), applicable to all organizations managing information security risks."
Technical ID
iso-27005-risk-management-2022
Guide to Malware Incident Prevention and Handling for Desktops and Laptops
"Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim’s data, applications, or operating system. Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts within most organizations. This publication provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. This revision of the publication updates material throughout to reflect the changes in threats and incidents. Unlike most malware threats several years ago, which tended to be fast-spreading and easy to notice, many of today’s malware threats are more stealthy, specifically designed to quietly, slowly spread to other hosts, gathering information over extended periods of time and eventually leading to exfiltration of sensitive data and other negative impacts. Organizations should develop and implement an approach to malware incident prevention based on current and future attack vectors, incorporating policy, awareness programs, vulnerability and threat mitigation, and defensive architecture."
Technical ID
malware-incident-prevention-handling
Impair Defenses (MITRE T1562)
"MITRE ATT&CK Technique T1562 (Impair Defenses) describes adversary behaviors aimed at disabling, tampering with, or reducing the effectiveness of security tools and controls — including antivirus, endpoint detection and response (EDR), logging systems, firewalls, and audit trails — to reduce detection probability and extend dwell time after initial compromise. T1562 has 12 sub-techniques including disabling Windows Defender (T1562.001), tampering with audit/log policies (T1562.002), disabling or modifying system firewalls (T1562.004), and disabling cloud logs (T1562.008). This technique is highly relevant to AI agent security because a maliciously prompted or jailbroken AI agent with tool execution capabilities could programmatically disable security monitoring tools as part of an adversary's kill chain. Detection requires continuous integrity monitoring of security tool state, immutable logging, and configuration baseline enforcement."
Technical ID
mitre-t1562
NIS2 Directive — EU Critical Infrastructure Cybersecurity
"Directive (EU) 2022/2555 (NIS2), published December 27, 2022 and mandatorily transposed into national law by EU member states by October 17, 2024, replaces the original NIS Directive (2016/1148) and dramatically expands both the scope and enforcement regime for network and information security across the EU. NIS2 covers 18 sectors in two tiers: Essential Entities (EE) — energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space — and Important Entities (IE) — postal/courier, waste management, chemicals, food production, manufacturing, digital providers, and research. The size threshold is medium enterprises (50+ employees, €10M+ annual revenue) in covered sectors with some exceptions. Key NIS2 innovations: mandatory management body accountability and personal liability for board members who fail to oversee cybersecurity measures; 24-hour early warning / 72-hour incident notification / 1-month final report obligation; harmonized minimum security measures including supply chain security and vulnerability disclosure; penalties up to €10M or 2% of global annual turnover for EE, €7M or 1.4% for IE. Supervised by national competent authorities (NCAs) with ENISA coordination."
Technical ID
nis2-directive
NIS2 Directive: Article 23 - Reporting Obligations for Significant Incidents
"Under Article 23 of the NIS2 Directive, essential and important entities must notify their competent authority or CSIRT of any significant incident without undue delay, following a multi-stage process: an early warning within 24 hours, an incident notification within 72 hours, and a final report no later than one month after the incident notification."
Technical ID
nis2-incident-reporting-article-23
Cybersecurity Risk-Management Measures (Article 21, NIS2 Directive 2022/2555)
"Under Article 21 of the NIS2 Directive, essential and important entities must implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks to their network and information systems, based on an all-hazards approach to protect against incidents."
Technical ID
nis2-security-measures-article-21
NIS2 Directive: Cybersecurity in Supply Chains and Supplier Relationships (Article 22)
"Under Article 22 of the NIS2 Directive, Member States must ensure that essential and important entities manage cybersecurity risks within their supply chains by assessing and considering the cybersecurity practices of their direct suppliers and service providers, including incorporating security measures into contractual agreements."
Technical ID
nis2-supply-chain-security-article-22
Audit Event Logging (NIST 800-53)
"NIST SP 800-53 Rev 5 Control AU-2 (Event Logging) requires organizations to identify the types of events that the system is capable of logging in support of the audit function, coordinate the event logging function with other organizations requiring audit-related information, and specify the types of events to be logged — establishing the foundational event taxonomy upon which all subsequent audit controls (AU-3 through AU-16) depend. AU-2 is a HIGH baseline control required for all federal systems at the MODERATE and HIGH impact levels, and FedRAMP and CMMC 2.0 both mandate AU-2 implementation. The control is critical for AI agent deployments because AI agents generate high volumes of events across multiple systems and APIs; without a comprehensive AU-2 event taxonomy that explicitly includes AI agent actions (tool calls, API invocations, data access, decision outputs), audit trails will be insufficient for forensic investigation of AI-related incidents, regulatory compliance, and attack reconstruction. Failure to implement AU-2 in AI systems undermines the detectability of MITRE T1562 (Impair Defenses) attacks targeting audit infrastructure and creates undetectable gaps in the audit trail."
Technical ID
nist-800-53-au2
Contingency Planning (NIST 800-53)
"NIST SP 800-53 Rev 5 Control CP-2 (Contingency Plan) requires organizations to develop a contingency plan for the information system that identifies essential missions and business functions, provides recovery objectives, priorities, and metrics, addresses contingency roles, responsibilities, and assigned individuals, addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, and provides a plan to restore operations within defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). CP-2 is a HIGH baseline control mandatory for federal systems at MODERATE and HIGH impact levels, and it is a foundational FedRAMP requirement. For AI agent systems, CP-2 is particularly critical because AI agents may be executing multi-step autonomous workflows at the time of a disruption — the contingency plan must address how in-flight agent tasks are safely halted, how agent state is captured for recovery, and how the restored system prevents duplicate actions from resumed agents. Failure to implement CP-2 for AI systems risks data integrity corruption, financial transaction duplication, and extended mission outage during recovery."
Technical ID
nist-800-53-cp2
Ident & Auth (NIST 800-53)
"NIST SP 800-53 Rev 5 Control IA-2 (Identification and Authentication — Organizational Users) requires information systems to uniquely identify and authenticate organizational users (including processes acting on behalf of users) and mandates multi-factor authentication (MFA) for all access to privileged accounts and all network access to non-privileged accounts on federal systems — a requirement that OMB Memorandum M-22-09 (Zero Trust Strategy) extended to require phishing-resistant MFA (FIDO2/WebAuthn, PIV/CAC) for all federal agency users by fiscal year 2024. IA-2 is a HIGH baseline control required for all federal systems, FedRAMP, and CMMC 2.0 Level 2, and it represents one of the highest-impact single controls in reducing credential-based attack success: CISA reports that MFA blocks more than 99% of automated credential-stuffing and phishing attacks. For AI agent systems, IA-2 extends to non-human identities (NHIs) — AI agent service accounts and API credentials must be uniquely identified, use certificate-based authentication where feasible, and have their authentication events logged for the AU-2 audit trail. AI agents that invoke downstream services must propagate their authenticated identity to those services rather than using shared service accounts."
Technical ID
nist-800-53-ia2
Boundary Protection (NIST 800-53)
"NIST SP 800-53 Rev 5 Control SC-7 (Boundary Protection) requires organizations to monitor and control communications at the external boundary of the system and at key internal boundaries, implement subnetworks for publicly accessible system components, and connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. SC-7 is a HIGH baseline control mandatory for all federal systems at MODERATE and HIGH impact levels, FedRAMP High/Moderate, and CMMC 2.0 Level 2, and it is the foundational network security control upon which egress filtering, intrusion detection, and data loss prevention depend. For AI agent deployments, SC-7 is critical because AI agents executing tool calls and API invocations create dynamic outbound network flows that can exfiltrate data, communicate with attacker-controlled infrastructure, or access unauthorized external services — SC-7 egress controls must explicitly govern which external endpoints AI agents are permitted to connect to, and any agent connection attempt to an unapproved endpoint must be blocked and alerted."
Technical ID
nist-800-53-sc7
NIST AI RMF: Governance & Accountability (Govern 1.1)
"The NIST AI Risk Management Framework (RMF) 'Govern' function establishes the institutional foundation for safe AI. Sub-category Govern 1.1 specifically mandates that legal and regulatory AI requirements are identified, documented, and actively managed."
Technical ID
nist-ai-rmf-govern
Contingency Planning Guide for Federal Information Systems
"NIST Special Publication 800-34, Rev. 1, provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption, which may include relocation to an alternate site, recovery using alternate equipment, or performance of functions using manual methods. This guidance addresses contingency planning recommendations for client/server, telecommunications, and mainframe systems. The guide defines a seven-step contingency planning process to develop and maintain a viable program. These steps are: 1. Develop the contingency planning policy statement to provide authority and guidance. 2. Conduct the business impact analysis (BIA) to identify and prioritize critical information systems. 3. Identify preventive controls to reduce the effects of system disruptions. 4. Create thorough recovery strategies to ensure the system may be recovered quickly and effectively. 5. Develop an information system contingency plan containing detailed guidance and procedures. 6. Ensure plan testing, training, and exercises to validate recovery capabilities and identify gaps. 7. Ensure plan maintenance, treating the plan as a living document that is updated regularly."
Technical ID
nist-contingency-planning-federal-systems
The NIST Cybersecurity Framework (CSF) 2.0 - GOVERN Function
"The GOVERN (GV) function, new in NIST CSF 2.0, establishes and communicates the organization's cybersecurity risk management strategy, expectations, and policy. It ensures that cybersecurity strategy is aligned with organizational objectives and that roles, responsibilities, and authorities are clearly defined to support a culture of security."
Technical ID
nist-csf-2-0-govern-function
Mitigating Cybersecurity and Privacy Risks in Telehealth Smart Home Integration
"Hospital-at-Home (HaH) solutions, a form of telehealth providing in-patient level care within patients' residences, introduce significant privacy and cybersecurity risks by placing hospital-grade medical or biometric devices and information systems outside of a hospital's direct control. These risks are compounded by the increasing presence of consumer Internet of Things (IoT) devices, such as voice assistants (e.g., smart speakers), in patients' homes. Such devices may lack robust security and privacy capabilities and can serve as pivot points for attackers to gain access to a hospital’s information systems. This white paper introduces a notional high-level smart home integration reference architecture to analyze these risks, focusing on voice assistants as a representative IoT device. This document is intended for technologists and information security professionals in healthcare delivery organizations (HDOs) implementing HaH solutions. It leverages the NIST Cybersecurity Framework 2.0, the NIST Privacy Framework Version 1.0, and the NIST IoT Core Baseline to outline mitigation efforts for HDOs. The core obligations and recommended mitigations include implementing robust access control, authentication, continuous monitoring, data security through encryption, comprehensive governance, and network segmentation. A key recommendation is to isolate HaH equipment from other personally owned devices within the patient's home to safeguard sensitive data from unauthorized access, which could result from compromised personal devices."
Technical ID
nist-cswp-34-telehealth-smart-home
Applying 5G Cybersecurity and Privacy Capabilities Introduction to the White Paper Series
"This document introduces the white paper series titled Applying 5G Cybersecurity and Privacy Capabilities, published by the National Cybersecurity Center of Excellence (NCCoE) 5G Cybersecurity project. The series addresses the challenge that 5G introduced new security capabilities in the standards focusing on securing interoperable interfaces rather than the underlying IT infrastructure. This creates gaps and options in specified cybersecurity and privacy protections that complicate how organizations assess, deploy, and supplement security for 5G systems. The 5G standards do not specify protections for the underlying IT components, and the security controls that are defined are left to implementation and deployment decisions. This lack of specification increases complexity for organizations planning to leverage 5G. The series is intended for technology, security, and privacy program managers, including potential private 5G network operators, commercial mobile network operators, and organizations using and managing 5G-enabled technology. The core obligation for these organizations is to make cybersecurity risk management decisions regarding the use, management, and maintenance of 5G. To address this, the NCCoE is developing example solution approaches for safeguarding 5G standalone networks. Each paper in the series provides implementation guidelines and testbed-derived findings for individual technical cybersecurity or privacy capabilities, intended to support risk-based decisions for organizations deploying, operating, or relying on 5G networks."
Technical ID
nist-cswp-36-5g-cybersecurity-capabilities
Using Hardware-Enabled Security to Ensure 5G System Platform Integrity: Applying 5G Cybersecurity and Privacy Capabilities
"This white paper provides an overview and an example of employing hardware-enabled security capabilities to provision, measure, attest to, and enforce the integrity of the compute platform to foster trust in a 5G system’s server infrastructure. As 5G systems adopt cloud-native technologies on commodity servers, the threat landscape has evolved to include attacks against platform firmware and hardware below the operating system. Traditional cybersecurity protections rooted in software or firmware are inadequate against such threats. This document discusses how leveraging hardware roots of trust (HRoT) and remote attestation can mitigate these specific threats by establishing and maintaining platform trust. The core obligation for mobile network operators is to ensure the integrity of the 5G server configuration, including hardware, firmware, and software. This is achieved by cryptographically measuring these components at boot time, saving the measurements to a secure storage element like a Trusted Platform Module (TPM), and using a Remote Attestation Server (RAS) to compare these measurements against a list of allowed values. The 5G Cloud-native Network Function (CNF) orchestrator must then communicate with the RAS to ensure that workloads are only deployed to servers with a current status of trusted. This provides assurance that the hardware infrastructure where 5G workloads are executing has not been tampered with. The guidance is intended for technology, cybersecurity, and privacy professionals involved in using, managing, or providing 5G-enabled services."
Technical ID
nist-cswp-36b-hardware-enabled-security-5g
The NIST Cybersecurity Framework (CSF) 2.0
"The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It is designed to help organizations of all sizes and sectors—including industry, government, academia, and nonprofit—to manage and reduce their cybersecurity risks, regardless of the maturity level and technical sophistication of their cybersecurity programs. The framework offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization to better understand, assess, prioritize, and communicate its cybersecurity efforts. The core obligation is for an organization to use the CSF components—the Core, Organizational Profiles, and Tiers—to understand their current and target cybersecurity posture, identify gaps, and prioritize actions to manage risks in alignment with their mission and stakeholder expectations. The CSF does not prescribe how outcomes should be achieved, but rather links to resources that provide guidance on practices and controls. Its use is voluntary unless otherwise mandated by governmental policies."
Technical ID
nist-cybersecurity-framework-2-0
Digital Signature Standard (DSS)
"This standard specifies a suite of algorithms that can be used to generate a digital signature for applications requiring a digital signature rather than a written signature. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. The recipient of signed data can also use a digital signature as evidence to a third party that the signature was generated by the claimed signatory, a concept known as non-repudiation. This standard is applicable to all federal departments and agencies for the protection of sensitive unclassified information and shall be used in designing and implementing public key-based signature systems that federal departments and agencies operate or that are operated for them under contract. The core obligation involves a signature generation process and a signature verification process. Signature generation uses a private key, which must be kept secret, to create a digital signature represented as a string of bits. Signature verification uses a corresponding public key, which may be known to the public, to verify the signature. The standard approves three techniques: the RSA digital signature algorithm, the Elliptic Curve Digital Signature Algorithm (ECDSA), and the Edwards Curve Digital Signature Algorithm (EdDSA). The security of a digital signature system is dependent on maintaining the secrecy of the signatory’s private keys, and key pairs used for signatures under this standard shall not be used for any other purpose."
Technical ID
nist-fips-186-5-dss
Guidelines on Mobile Device Forensics
"Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. This guide discusses procedures for the preservation, acquisition, examination, analysis, and reporting of digital evidence. The guide is intended to help organizations evolve appropriate policies and procedures for dealing with mobile devices and to prepare forensic specialists to conduct forensically sound examinations. It focuses mainly on the characteristics of cellular mobile devices, including feature phones, smartphones, and tablets with cellular voice capabilities. This information is relevant to law enforcement, incident response, and other types of investigations. The key to answering questions about evidence preservation and data extraction begins with a firm understanding of the hardware and software characteristics of mobile devices. Organizations should use this guide as a starting point for developing a forensic capability in conjunction with proper technical training and guidance provided by legal advisors, officials, and management."
Technical ID
nist-guidelines-mobile-device-forensics
Notional Supply Chain Risk Management Practices for Federal Information Systems
"This publication provides a notional set of repeatable and commercially reasonable supply chain assurance methods and practices to help federal departments and agencies mitigate supply chain risk to federal information systems. It is intended for a diverse federal audience, including mission/business owners, acquisition staff, and information system security personnel responsible for acquiring, delivering, and operating ICT systems. The document specifically targets all federal departments and agencies that acquire Information and Communication Technology (ICT) products and services, with practices recommended for systems categorized at the FIPS 199 high-impact level, although agencies may apply them to lower-impact systems based on risk. The core obligation for federal agencies is to integrate ICT Supply Chain Risk Management (SCRM) considerations into the procurement and entire life cycle of ICT systems, products, and services. Federal departments and agencies currently lack a consistent or comprehensive way of understanding the opaque processes used to create and deliver hardware and software. This lack of visibility, traceability, and control increases the risk of exploitation through counterfeit materials, malicious software, or untrustworthy products. This document organizes specific ICT SCRM practices for acquirers, integrators, and suppliers to improve the ability of federal agencies to strategically manage associated supply chain risks and build greater assurance into the ICT systems they procure and manage."
Technical ID
nist-ir-7622-scrm-practices
Guidelines for Smart Grid Cybersecurity, Volume 1 - Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements
"This three-volume report, Guidelines for Smart Grid Cybersecurity, presents an analytical framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of smart grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of smart grid stakeholders—from utilities to providers of energy management services to manufacturers of electric vehicles and charging stations—can use the methods and supporting information presented in this report as guidance for assessing risk and identifying and applying appropriate security requirements. This approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment. Each organization’s cybersecurity requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify. The document development strategy requires the definition and implementation of an overall cybersecurity risk assessment process for the smart grid, based on existing approaches developed by both the private and public sectors. This includes identifying assets, vulnerabilities, and threats and specifying impacts to produce an assessment of risk. While integrating information technologies is essential to building the smart grid and realizing its benefits, the same networked technologies add complexity and also introduce new interdependencies and vulnerabilities. Approaches to secure these technologies must be designed and implemented early in the transition to the smart grid."
Technical ID
nist-ir-7628-smart-grid-cybersecurity
Automation Support for Security Control Assessments Volume 1: Overview
"This volume introduces concepts to support automated assessment of security controls detailed in NIST Special Publication (SP) 800-53. The ability to assess all implemented information security controls as frequently as needed using manual procedural methods is impractical for most organizations due to the size, complexity, and scope of their IT footprint. This document provides an operational approach for automating assessments of selected and implemented security controls to support and facilitate near real-time information security continuous monitoring (ISCM) and ongoing security authorizations. The approach is designed to be consistent with NIST guidance, including SP 800-53A, and supports programs like the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) program. The core methodology involves automating the 'Test' assessment method by comparing a system's actual state or behavior with a defined desired state specification. This comparison is used to perform 'defect checks', which correspond to security sub-capabilities and test for the absence or failure of a control. The document organizes controls into ISCM security capabilities, which are logical groupings that fulfill a specific purpose, such as Hardware Asset Management or Vulnerability Management. This framework supports organizations in transitioning from static, periodic security authorizations to a more dynamic, ongoing authorization process."
Technical ID
nist-ir-8011-v1-automated-assessments
NISTIR 8062 An Introduction to Privacy Engineering and Risk Management in Federal Systems
"This publication provides an introduction to how systems engineering and risk management can be used to develop more trustworthy systems that include privacy as an integral attribute. It is intended for federal agencies that need repeatable and measurable approaches to bridge the distance between high-level privacy principles, such as the Fair Information Practice Principles (FIPPs), and their effective implementation in systems. While unauthorized access to personally identifiable information (PII) is a critical aspect of privacy, there is a less developed understanding of how to address risks that extend beyond unauthorized access. The core obligation is for agencies to adopt a specialty discipline of systems engineering focused on achieving freedom from conditions that create problems for individuals with unacceptable consequences arising from the system as it processes PII. To support this, the publication introduces key components for privacy engineering: a set of privacy engineering objectives (predictability, manageability, and disassociability) to help focus on necessary system capabilities, and a privacy risk model to enable more consistent privacy risk assessments. This model is based on the likelihood that a system operation creates a problematic data action and the impact of that action. The concepts are intended to provide a roadmap for actionable guidance to help agencies meet their obligations under Circular A-130 and other relevant policies."
Technical ID
nist-ir-8062-privacy-engineering
Security Assurance Requirements for Linux Application Container Deployments
"This document outlines security assurance requirements for security solutions implemented in Linux application container platforms. To assess the effectiveness of security solutions, it is necessary to analyze those solutions and detail the metrics they must satisfy in the form of security assurance requirements. Building upon the NIST Application Container Security Guide (SP 800-190), which identified threats and countermeasures for six entities including Hardware, Host OS, Container Runtime, Image, Registry, and Orchestrator, this document focuses specifically on application containers hosted on Linux. The analysis covers security solutions that can be configured using features provided by Linux, such as namespaces, Cgroups, and capabilities, as well as kernel loadable modules. The target audience includes system security architects and administrators responsible for the design and deployment of security solutions in enterprise infrastructures hosting containerized applications. The document examines hardware-based roots of trust, host OS protection measures against container escape, secure container runtime configurations for isolation and resource limiting, and requirements for image integrity and registry protection. The objective is to provide a detailed analysis of security solutions to ensure they effectively meet their intended security objectives within the container ecosystem."
Technical ID
nist-ir-8176-linux-container-security
IoT Non-Technical Supporting Capability Core Baseline
"This publication defines an Internet of Things (IoT) device manufacturers’ non-technical supporting capability core baseline, which is a set of non-technical supporting capabilities generally needed from manufacturers or other third parties to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose is to provide organizations a starting point to use in identifying the non-technical supporting capabilities needed in relation to IoT devices they will manufacture, integrate, or acquire. This publication is intended to be used in conjunction with NISTIR 8259 and NISTIR 8259A. The document describes four recommended non-technical supporting capabilities for the full lifecycle of cybersecurity management: 1) Documentation, to capture information potential customers need about the device and how it can be secured; 2) Information and Query Reception, to allow customers and others to submit questions and vulnerability information; 3) Information Dissemination, to flow information to customers about vulnerabilities and updates; and 4) Education and Awareness, to provide content supporting the secure use and safeguarding of IoT devices. The main audience is IoT device manufacturers, but it may also help IoT device customers or integrators."
Technical ID
nist-ir-8259b-iot-non-technical-baseline
Key Practices in Cyber Supply Chain Risk Management: Observations from Industry
"In today’s highly connected, interdependent world, all organizations rely on others for critical products and services. The reality of globalization has resulted in a world where organizations no longer fully control—and often do not have full visibility into—the supply ecosystems of the products that they make or the services that they deliver. That is why identifying, assessing, and mitigating cyber supply chain risks is a critical capability to ensure business resilience. The multidisciplinary approach to managing these types of risks is called Cyber Supply Chain Risk Management (C-SCRM). This document provides the ever-increasing community of digital businesses a set of Key Practices that any organization can use to manage cybersecurity risks associated with their supply chains. The audience is any organization—regardless of its size, scope, or complexity—that wants to manage the cybersecurity risks stemming from extended supply chains and supply ecosystems. The Key Practices are: 1. Integrate C-SCRM Across the Organization; 2. Establish a Formal C-SCRM Program; 3. Know and Manage Critical Suppliers; 4. Understand the Organization’s Supply Chain; 5. Closely Collaborate with Key Suppliers; 6. Include Key Suppliers in Resilience and Improvement Activities; 7. Assess and Monitor Throughout the Supplier Relationship; and 8. Plan for the Full Life Cycle."
Technical ID
nist-ir-8276-cyber-scrm-practices
Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management
"This document supplements NIST Interagency or Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), by providing additional detail regarding risk guidance, identification, and analysis. The report offers examples and information to illustrate risk tolerance, risk appetite, and methods for determining risks in that context. It describes the documentation of various scenarios based on the potential impact of threats and vulnerabilities on enterprise assets, and the use of cybersecurity risk registers (CSRRs) to prioritize and communicate enterprise cybersecurity risk. The goal is to provide supplemental guidance for aligning cybersecurity risks within an organization’s overall ERM program, helping enterprises to apply, improve, and monitor the quality of cooperation and communication between Cybersecurity Risk Management (CSRM) and ERM functions. The primary audience for this publication includes both federal and non-federal government cybersecurity, privacy, and cyber supply chain professionals who may be unfamiliar with ERM details. A secondary audience includes corporate officers, high-level executives, and ERM staff who may be unfamiliar with cybersecurity specifics. The core obligation detailed is for enterprises to establish a top-down, collaborative management approach where senior leaders set expectations through risk appetite, which is then interpreted into specific risk tolerance levels. This framework ensures that CSRM activities, including risk identification, analysis, and response, are directly aligned with and support the overarching mission and business objectives of the enterprise."
Technical ID
nist-ir-8286a-cybersecurity-risk
Prioritizing Cybersecurity Risk for Enterprise Risk Management
"This document provides supplemental guidance for aligning cybersecurity risks with an organization’s overall Enterprise Risk Management (ERM) program. It is the second publication in a series that supplements NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This report describes the need for determining the priorities of each cybersecurity risk in light of their potential impact on enterprise objectives, as well as options for properly treating that risk. The guidance applies to all organizations and enterprises, defined as an entity of any size, complexity, or positioning within a larger organizational structure. The core obligation is for all participants in the enterprise who play a role in Cybersecurity Risk Management (CSRM) and/or ERM to use consistent methods to prioritize and respond to risk. This includes applying risk analysis to help prioritize cybersecurity risk, evaluate and select appropriate risk responses, and communicate risk activities using a cybersecurity risk register (CSRR) as part of an enterprise CSRM strategy. To minimize the extent to which cybersecurity risks impede enterprise missions and objectives, there must be effective collaboration among CSRM and ERM managers."
Technical ID
nist-ir-8286b-prioritizing-cybersecurity-risk
Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight
"This document supplements NIST Interagency/Internal Report (NISTIR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). It explores methods for integrating disparate cybersecurity risk management (CSRM) information from throughout an enterprise to create a composite Enterprise Risk Profile (ERP) that informs enterprise risk management (ERM) deliberations, decisions, and actions. The report describes how information recorded in cybersecurity risk registers (CSRRs) can be integrated into a holistic approach, ensuring that risks to information and technology are properly considered within the enterprise risk portfolio. This cohesive understanding supports an enterprise risk register (ERR) and an ERP, which in turn support the achievement of enterprise objectives. The guidance provided is voluntary and non-binding for the private sector, but references government-mandated requirements to demonstrate alignment. Key activities described include the aggregation and normalization of CSRRs, integration of cybersecurity risk into the ERR/ERP, adjustments to risk direction based on governance, and the continuous monitoring, evaluation, and adjustment of the CSRM program."
Technical ID
nist-ir-8286c-staging-cybersecurity-risks
Using Business Impact Analysis to Inform Risk Prioritization and Response
"This publication describes how a business impact analysis (BIA), historically used for determining availability requirements for business continuity, can be extended to provide a broad understanding of the potential impacts of any type of loss on an enterprise mission. The management of enterprise risk requires a comprehensive understanding of mission-essential functions and the potential risk scenarios that jeopardize those functions. The process described helps leaders determine which assets enable the achievement of mission objectives and evaluate the factors that render assets as critical and sensitive. Based on these factors, enterprise leaders provide risk directives, such as risk appetite and tolerance, as input to the BIA. The BIA examines the potential impacts associated with the loss or degradation of an enterprise’s technology-related assets based on a qualitative or quantitative assessment of the criticality and sensitivity of those assets, storing the results in a BIA Register. Expanding the use of the BIA to include confidentiality and integrity considerations supports comprehensive risk analysis and helps to better align risk decisions to enterprise risk strategy. The output of the BIA is the foundation for the Enterprise Risk Management (ERM) and Cybersecurity Risk Management (CSRM) integration process, enabling consistent prioritization, response, and communication regarding information security risk for both public- and private-sector enterprises."
Technical ID
nist-ir-8286d-bia-for-risk
Ransomware Risk Management: A Cybersecurity Framework Profile
"Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information. This Ransomware Profile identifies the Cybersecurity Framework Version 1.1 security objectives that support identifying, protecting against, detecting, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events, helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences. The Ransomware Profile is intended for any organization with cyber resources that could be subject to ransomware attacks, regardless of sector or size, including small to medium-sized businesses (SMBs), small federal agencies, and operators of industrial control systems (ICS) or operational technologies (OT). It maps security objectives from the Framework for Improving Critical Infrastructure Cybersecurity to security capabilities and measures. It should help organizations to identify and prioritize opportunities for improving their security and resilience against ransomware attacks. The guidance in this report addresses best practices rather than a set of legal or regulatory requirements."
Technical ID
nist-ir-8374-ransomware-risk-management
Profile of the IoT Core Baseline for Consumer IoT Products
"This publication documents the consumer profile of NIST’s Internet of Things (IoT) core baseline and identifies cybersecurity capabilities commonly needed for the consumer IoT sector (i.e., IoT products for home or personal use). It can also be a starting point for businesses to consider in the purchase of IoT products. The consumer profile was developed as part of NIST’s response to Executive Order 14028. The consumer profile capabilities are phrased as cybersecurity outcomes that are intended to apply to the entire IoT product. An IoT product is defined as an IoT device or IoT devices and any additional product components that are necessary to use the IoT device beyond basic operational features, such as backends or companion applications. The intended audience for this report consists of manufacturers of consumer products, especially product security officers, retailers and related integrators and technical support firms serving the consumer and business sectors, and testing and certification bodies interested in establishing baselines of IoT cybersecurity capabilities."
Technical ID
nist-ir-8425-iot-core-baseline-profile
Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN)
"The space sector is transitioning towards Hybrid Satellite Networks (HSN), which are an aggregation of independently owned and operated terminals, antennas, satellites, payloads, or other components that comprise a satellite system. An HSN may interact with government systems and critical infrastructure, requiring a framework to assess the security posture of individual components while enabling the HSN to provide its function. This report, the HSN Cybersecurity Framework Profile (HSN Profile), applies the NIST Cybersecurity Framework to HSNs with an emphasis on the interfaces between participants. Developed by the National Institute of Standards and Technology (NIST) in collaboration with subject matter experts, the HSN Profile provides voluntary, practical guidance for organizations and stakeholders engaged in the design, acquisition, and operation of HSN components. It serves as a starting point for stakeholders assessing their cybersecurity posture. The profile helps organizations to identify systems, assets, data, and risks; protect HSN services through self-assessments; detect cybersecurity-related disturbances; respond to data anomalies in a timely manner; and recover the HSN to proper working order after an incident. It is suitable for applications involving multiple stakeholders in imagery, sensing, broadcast, communications, or other space-based architectures."
Technical ID
nist-ir-8441-hsn-profile
Guidelines for Managing the Security of Mobile Devices in the Enterprise
"This publication assists organizations in managing and securing mobile devices by describing available technologies and strategies. As mobile devices perform everyday enterprise tasks, they regularly process, modify, and store sensitive data, bringing unique threats to the enterprise. To reduce the risk to sensitive data and systems, enterprises need to institute appropriate policies and infrastructure to manage and secure mobile devices, applications, content, and access. Recommendations are provided for the selection, implementation, and management of devices throughout their life cycle via centralized management technologies, covering both organization-provided and personally owned deployment scenarios. The guidance addresses security concerns inherent to mobile devices, explores mitigation strategies, and is intended for information security officers, system administrators, and others responsible for planning, implementing, and maintaining mobile device security. Mobile devices often need additional protections due to their portability, small size, and common use outside of an organization’s network, which places them at higher exposure to threats than other endpoint devices. The scope of this publication includes mobile phones, tablets, and other devices running a modern mobile OS, alongside centralized device management and endpoint protection technologies. Organizations can use the guidance to inform risk assessments, build threat models, enumerate the attack surface of their mobile infrastructure, and identify mitigations for mobile deployments."
Technical ID
nist-mobile-device-security-enterprise
Recommendation for Key Management Part 3: Application-Specific Key Management Guidance
"NIST Special Publication 800-57 Part 3 provides application-specific cryptographic key management guidance, intended primarily for system administrators, system installers, and end users to adequately secure applications based on product availability and organizational needs. This document addresses the key management issues associated with currently available cryptographic mechanisms for a select set of applications, including Public Key Infrastructures (PKI), IPsec, TLS, S/MIME, Kerberos, DNSSEC, and Encrypted File Systems (EFS). It provides recommended algorithm suites, key sizes, and security considerations to support organizational decisions about future procurements and the configuration of existing systems. This guidance has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA) for developing information security standards and guidelines for Federal information systems. For each key management infrastructure, protocol, and application addressed, the document provides a description of the system, security and compliance issues, and general recommendations for purchasing decision-makers, system installers, administrators, and end users. While mandatory for Federal agencies, this publication may also be used by non-governmental organizations on a voluntary basis."
Technical ID
nist-recommendation-key-management-pt3
NIST SPECIAL PUBLICATION 1800-1 Securing Electronic Health Records on Mobile Devices
"This NIST Cybersecurity Practice Guide provides a modular, open, end-to-end reference design demonstrating how healthcare organizations can more securely share patient information among caregivers using mobile devices. It shows how security engineers and IT professionals, using commercially available and open-source tools consistent with cybersecurity standards, can help healthcare providers better protect electronic health records (EHRs). The guidance applies to healthcare organizations of varying sizes and IT sophistication that use mobile devices to store, process, and transmit patient information. When this information is stolen, made public, or altered, organizations can face penalties, lose consumer trust, and compromise patient care and safety. The core obligation is for organizations to implement safeguards to ensure the security of patient information when practitioners use mobile devices with an EHR system. This is achieved through a layered security strategy addressing key risks such as lost or stolen devices, deliberate misuse by users, and inadequate privilege management. The guide maps security characteristics like access control, device integrity, and transmission security to standards and best practices from the NIST Cybersecurity Framework and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. It recommends a continuous risk management process as a starting point for adopting the proposed solutions to account for the dynamic nature of business processes, technologies, and the threat landscape."
Technical ID
nist-sp-1800-1-securing-ehr-mobile
Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector
"Many manufacturing organizations rely on industrial control systems (ICS) to monitor and control their machinery, production lines, and other physical processes that produce goods. As OT and IT systems become increasingly interconnected, manufacturers have become a major target of more widespread and sophisticated cybersecurity attacks, which can disrupt these processes and cause damage to equipment and/or injuries to workers. To address these challenges, this guide demonstrates how manufacturing organizations can protect the integrity of their data from destructive malware, insider threats, and unauthorized software within manufacturing environments that rely on ICS. The solutions implement standard cybersecurity capabilities such as behavioral anomaly detection (BAD), application allowlisting (AAL), file integrity-checking, change control management, and user authentication and authorization. An organization interested in protecting the integrity of a manufacturing system and information should first conduct a risk assessment to determine the appropriate security capabilities required. This guide provides example implementations using standards-based, commercially available products to detect and prevent unauthorized software installation, protect ICS networks from potentially harmful applications, determine changes made to a network, detect unauthorized use of systems, continuously monitor network traffic, and leverage anti-malware tools."
Technical ID
nist-sp-1800-10-ics-integrity
NIST SPECIAL PUBLICATION 1800-11 Data Integrity Recovering from Ransomware and Other Destructive Events
"Destructive malware, ransomware, malicious insider activity, and even honest mistakes all set the stage for why organizations need to quickly recover from an event that alters or destroys data. Businesses must be confident that recovered data is accurate and safe. When data integrity events occur, organizations must be able to recover quickly from the events and trust that the recovered data is accurate, complete, and free of malware. This NIST Cybersecurity Practice Guide demonstrates how organizations can develop and implement appropriate actions following a detected cybersecurity event, encouraging effective monitoring and detection of data corruption in commodity components, as well as custom applications and data composed of open-source and commercially available components. The guide assists organizations of all types and sizes in developing a strategy for recovering from a cybersecurity event to facilitate a smoother recovery, maintain operations, and ensure the integrity and availability of data critical to supporting business operations. The goals are to help organizations confidently restore data to its last known good configuration, identify the correct backup version free of malicious code, identify altered data as well as the date and time of alteration, determine the identity of those who alter data, identify other coinciding events, and determine the impact of the data alteration."
Technical ID
nist-sp-1800-11-data-integrity
Derived Personal Identity Verification (PIV) Credentials
"Access to federal information systems relies on strong authentication of the user with a Personal Identity Verification (PIV) Card, a smart card containing identifying information. However, access to information systems is increasingly from mobile phones and tablets that lack integrated smart card readers, forcing organizations to have separate authentication processes for these devices. Derived PIV Credentials (DPCs) address this challenge by leveraging the identity proofing and vetting results of current and valid credentials used in PIV Cards to issue credentials that are securely stored on devices without PIV Card readers. This enables stronger authentication to federal facilities, information systems, and applications from mobile devices. In accordance with Homeland Security Presidential Directive 12, the PIV standard was created to enhance national security. With the federal government’s increased reliance on mobile computing devices that cannot accommodate PIV Card readers, the mandate to use PIV has created the need to derive credentials for use in mobile devices in a manner that enforces the same security policies established for the life-cycle of credentials in a PIV Card. This NIST Cybersecurity Practice Guide demonstrates how organizations can provide multifactor authentication for users to access PIV-enabled websites from mobile devices that lack PIV Card readers, covering the issuance, maintenance, and termination of the DPC."
Technical ID
nist-sp-1800-12-derived-piv
Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders
"On-demand access to public safety data is critical to ensuring that public safety and first responders (PSFRs) can protect life and property during an emergency. This information, often accessed via mobile devices, includes sensitive data requiring robust authentication. In collaboration with industry stakeholders, the National Cybersecurity Center of Excellence (NCCoE) at NIST developed this practice guide to help PSFR personnel efficiently and securely gain access to mission data. The guide describes a reference design for implementing standards-based technologies, including single sign-on (SSO) to reduce the number of credentials managed, identity federation to authenticate personnel across organizational boundaries, and multifactor authentication (MFA) to provide a high level of assurance. This NIST Cybersecurity Practice Guide explains how organizations can implement these technologies to enhance public safety mission capabilities using standards-based, commercially available, or open-source products. The described architecture leverages protocols such as OAuth 2.0 for Native Apps (RFC 8252), FIDO Universal Authentication Framework (UAF) and Universal Second Factor (U2F), Security Assertion Markup Language (SAML) 2.0, and OpenID Connect (OIDC) 1.0. The goal is to facilitate interoperability among diverse mobile platforms, applications, and identity providers, allowing a PSFR to authenticate once at the beginning of a shift and gain cross-jurisdictional access to multiple applications, thereby reducing the time needed for authentication while improving security."
Technical ID
nist-sp-1800-13-mobile-sso
NIST SPECIAL PUBLICATION 1800-14 Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation
"This NIST Cybersecurity Practice Guide demonstrates how networks can protect Border Gateway Protocol (BGP) routes from vulnerability to route hijacks by using available security protocols, products, and tools to perform BGP route origin validation (ROV). BGP, the protocol used by internet service providers (ISPs) and enterprises to exchange route information, was not designed with security in mind, making it vulnerable to route hijacks which can deny access to services, misdeliver traffic, and cause instability. The guide addresses the challenge of using existing protocols to improve the security of inter-domain routing traffic exchange in a manner that mitigates accidental and malicious attacks associated with route hijacking. A route prefix hijack occurs when an autonomous system (AS) accidentally or maliciously originates a BGP update for a route prefix that it is not authorized to originate. The solution presented is a proof-of-concept implementation of BGP ROV using the Resource Public Key Infrastructure (RPKI). This practice guide is for any organization providing or using internet routing services, including ISPs, enterprises, address holders, and network operators. The core obligations involve two main activities: first, for address holders to protect their own internet addresses from route hijacking by registering them with trusted sources through the creation of Route Origin Authorizations (ROAs); and second, for network operators to perform BGP ROV on received BGP route updates to validate whether the entity that originated the route is in fact authorized to do so. The guide provides detailed deployment guidance, identifies implementation issues, and generates best practices for both hosted and delegated RPKI models."
Technical ID
nist-sp-1800-14-bgp-rov
NIST SPECIAL PUBLICATION 1800-15 Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD)
"The rapid growth of Internet of Things (IoT) devices is a cause for concern because they are tempting targets for attackers, often having minimal security, unpatched software flaws, and constraints that make them challenging to secure. The consequences can be catastrophic, as malicious actors can detect and attack an IoT device within minutes, exploiting weaknesses at scale to create botnets for large-scale distributed denial of service (DDoS) attacks. To address this, the National Cybersecurity Center of Excellence (NCCoE) demonstrated the use of the Manufacturer Usage Description (MUD) standard to reduce both the vulnerability of IoT devices and the potential for harm from compromised devices. The core obligation is for networks to use MUD to automatically permit each IoT device to send and receive only the traffic it requires to perform its intended function, and to prohibit all other communication with the device. This approach applies to IoT device manufacturers, network equipment developers, service providers, and organizations relying on the internet. By prohibiting unauthorized traffic, this solution reduces the opportunity for a device to be compromised and limits the ability of an already-compromised device to participate in network-based attacks. This guide details the MUD-based reference solution to help stakeholders protect internet availability, prevent reputational damage, and secure internal networks."
Technical ID
nist-sp-1800-15-iot-mud
NIST SPECIAL PUBLICATION 1800-16 Securing Web Transactions TLS Server Certificate Management
"Transport Layer Security (TLS) server certificates are critical to the security of both internet-facing and private web services. Many organizations, especially large- or medium-scale enterprises with thousands of certificates, lack a formal TLS certificate management program and do not have the ability to centrally monitor and manage them. Instead, certificate management tends to be spread across different groups, leading to a lack of central oversight. This puts the organization at risk because once certificates are deployed, they require regular monitoring and maintenance. Organizations that improperly manage their certificates risk system outages and security breaches, which can result in revenue loss, harm to reputation, and exposure of confidential data to attackers. This NIST Cybersecurity Practice Guide is designed to help large and medium enterprises better manage TLS server certificates by employing a formal management program. The core recommendations include defining operational and security policies with clear roles and responsibilities; establishing comprehensive certificate inventories and ownership tracking; conducting continuous monitoring of certificates’ operational and security status; automating certificate management to minimize human error; and enabling rapid migration to new certificates and keys when certificate authorities or cryptographic mechanisms are compromised or found to be vulnerable. Executive leadership should establish these formal programs and set organization-specific implementation milestones to address certificate-based risks and challenges."
Technical ID
nist-sp-1800-16-tls-certificate-management
NIST SPECIAL PUBLICATION 1800-17 Multifactor Authentication for E-Commerce: Risk-Based, FIDO Universal Second Factor Implementations for Purchasers
"This NIST Cybersecurity Practice Guide demonstrates how online retailers can implement multifactor authentication (MFA) to help reduce electronic commerce (e-commerce) fraud. MFA is a security enhancement that allows a user to present several pieces of evidence when logging into an account, which must come from at least two different categories: something you know (e.g., password), something you have (e.g., smart card), and something you are (e.g., fingerprint). The guide documents a system in which risk determines when to trigger MFA challenges to existing customers. As in-store security advances have pushed malicious actors to perform payment card fraud online, this guide describes implementing stronger user-authentication techniques to reduce this risk. The project’s example implementations analyze risk to prompt returning purchasers with additional authentication requests when risk elements are exceeded during the online shopping session. Risk elements may include contextual data related to the returning purchaser and the current shopping transaction. The example implementations will prompt a returning purchaser to present another distinct authentication factor—something the purchaser has—in addition to the username and password, when automated risk assessments indicate an increased likelihood of fraudulent activity. The MFA capabilities are based upon the Fast IDentity Online (FIDO) Universal Second Factor (U2F) authentication specification."
Technical ID
nist-sp-1800-17-mfa-ecommerce
Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments
"This National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide demonstrates how organizations can implement trusted compute pools to safeguard the security and privacy of their applications and data being run within a cloud or being transferred between a private cloud and a hybrid or public cloud. The guide addresses core concerns about cloud technology adoption, such as protecting information and virtual assets in the cloud and having sufficient visibility to conduct oversight and ensure compliance with applicable laws and business practices. The intended audience includes organizations in regulated sectors like finance and healthcare, as well as cloud computing practitioners, system integrators, and IT and security managers. The core objective is to develop a trusted cloud solution demonstrating how trusted compute pools leveraging hardware roots of trust can provide necessary security capabilities. These capabilities provide assurance that cloud workloads are running on trusted hardware and in a trusted geolocation or logical boundary, and improve the protections for data in the workloads and data flows between workloads. This enables organizations to monitor, track, apply, and enforce security and privacy policies on cloud workloads in a consistent, repeatable, and automated way, ensuring consistent compliance with legal and business requirements."
Technical ID
nist-sp-1800-19-trusted-cloud
NIST SPECIAL PUBLICATION 1800-21 Mobile Device Security: Corporate-Owned Personally-Enabled (COPE)
"This NIST Cybersecurity Practice Guide demonstrates how organizations can use standards-based, commercially available products to help meet their Corporate-Owned Personally-Enabled (COPE) mobile device security and privacy needs. COPE devices are owned by the enterprise, issued to the employee, and allow both parties to install applications onto the device. While mobile devices can increase efficiency and productivity, they can also leave sensitive data vulnerable, and securing them is essential to continuity of business operations. Organizations are challenged with ensuring these devices process, modify, and store sensitive data securely, as they bring unique threats to the enterprise and should be managed in a manner distinct from desktop platforms. To address this challenge, this guide provides a reference architecture and a detailed example solution demonstrating how various mobile security technologies can be integrated within an enterprise’s network. The core capabilities sought include enhanced protection of data on the mobile device, centralized management systems to deploy policies, evaluation of mobile application security, prevention of eavesdropping on device data, configuration of privacy settings to protect end-user data, and protection from phishing attempts. The foundation of the architecture is based on federal U.S. guidance, including NIST 800 series publications, to help ensure the confidentiality, integrity, and availability of enterprise data on mobile systems."
Technical ID
nist-sp-1800-21-cope
NIST SPECIAL PUBLICATION 1800-22 Mobile Device Security: Bring Your Own Device (BYOD)
"This National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide provides an example solution demonstrating how organizations can use standards-based, commercially available products to enhance security and privacy for Bring Your Own Device (BYOD) deployments on Android and Apple phones and tablets. Allowing employees to use personal mobile devices for work introduces unique challenges, including supporting a diverse ecosystem of devices, reducing risks to enterprise data from loss or malware, and protecting employee privacy. An ineffectively secured personal device could expose an organization or employee to data loss or a privacy compromise. The guide's example solution leverages technologies such as enterprise mobility management (EMM), mobile threat defense (MTD), application vetting, and virtual private network (VPN) services. The core obligations focus on detecting and protecting against mobile malware and phishing, enforcing passcode usage, separating organizational and personal data, enabling selective wipe of corporate data from lost or stolen devices, and protecting data in transit via encryption. The solution aims to help organizations benefit from BYOD's flexibility while mitigating critical security and privacy challenges, providing step-by-step implementation guidance for enterprises to enhance their data protection posture."
Technical ID
nist-sp-1800-22-byod
Energy Sector Asset Management For Electric Utilities, Oil & Gas Industry
"As critical infrastructures, the incapacitation or destruction of assets in the energy sector, including electric utilities and the oil and gas industry, could have serious negative effects on the economy, public health, and safety. A primary challenge for these organizations is maintaining an updated operational technology (OT) asset inventory, as it is difficult to protect what is not seen or known. Without an effective asset management solution, organizations are unnecessarily exposed to cybersecurity risks from malicious actors targeting vulnerabilities within interconnected industrial control systems (ICS). Many energy organizations rely on manual processes and static, point-in-time snapshots for asset inventories, which makes it challenging to quickly identify and respond to potential threats. This NIST Cybersecurity Practice Guide provides detailed, practical steps on how energy organizations can identify, control, and monitor their OT assets to reduce the risk of cybersecurity incidents. It demonstrates an example solution for establishing, enhancing, and automating OT asset management by leveraging existing or implementing new capabilities. The core obligation is to establish a comprehensive OT asset management baseline that includes discovering assets, identifying attributes, monitoring for changes, determining asset criticality, and alerting on deviations from expected operations. The goal is to provide an automated inventory that can be viewed in near real time, enabling organizations to strengthen their cybersecurity posture and respond faster to security alerts."
Technical ID
nist-sp-1800-23-energy-asset-management
NIST SPECIAL PUBLICATION 1800-24 Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector
"This guide details how the National Cybersecurity Center of Excellence (NCCoE) at NIST built a laboratory environment to emulate a medical imaging environment, performed a risk assessment, and identified controls from the NIST Cybersecurity Framework to secure a medical imaging ecosystem. The project addresses the cybersecurity challenges of Picture Archiving and Communication Systems (PACS), which centralize medical imaging workflows and serve as authoritative repositories within a highly complex healthcare delivery organization (HDO) environment. This complexity, involving various interconnected systems, diverse users, and potential cloud storage, creates a large attack surface and presents vulnerabilities that could impact patient care and privacy through data loss, ransomware attacks, or unauthorized network access. This NIST Cybersecurity Practice Guide demonstrates how organizations can securely configure and deploy PACS using a standards-based, example solution. The architecture features a defense-in-depth approach, including network zoning, microsegmentation, and robust access control mechanisms like multifactor authentication for providers and certificate-based authentication for devices. It also promotes a holistic risk management approach that incorporates medical device asset management and behavioral analytics for near real-time threat detection. The guide is intended to help HDOs implement current cybersecurity standards and best practices to reduce their cybersecurity risk, protect patient privacy, and improve resilience, while maintaining the performance and usability of the PACS ecosystem."
Technical ID
nist-sp-1800-24-securing-pacs
NIST SPECIAL PUBLICATION 1800-25 Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
"This NIST Cybersecurity Practice Guide demonstrates how organizations can develop and implement appropriate actions before a detected data integrity cybersecurity event. The guide focuses on data integrity: the property that data has not been altered in an unauthorized manner, covering data in storage, during processing, and while in transit. Destructive malware, ransomware, malicious insider activity, and even honest mistakes all set the stage for why organizations need to properly identify and protect against events that impact data integrity. Attacks against an organization’s data can compromise emails, employee records, financial records, and customer information, impacting business operations, revenue, and reputation. The National Cybersecurity Center of Excellence (NCCoE) built a laboratory environment to explore methods to effectively identify and protect against data integrity attacks. The solution incorporates multiple systems working in concert to identify and protect assets by isolating opportunities that would allow for cybersecurity events to occur and implementing strategies to remediate them. The approach is aligned with the NIST Cybersecurity Framework functions of Identify (develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities) and Protect (develop and implement appropriate safeguards to ensure delivery of critical services). Key capabilities sought include inventory, policy enforcement, logging, backups, vulnerability management, secure storage, and integrity monitoring."
Technical ID
nist-sp-1800-25-data-integrity
NIST SPECIAL PUBLICATION 1800-28 Data Confidentiality: Identifying and Protecting Assets Against Data Breaches
"This guide helps organizations implement strategies to prevent data confidentiality attacks by demonstrating how to develop and implement appropriate actions to identify and protect data against a confidentiality cybersecurity event. An organization must protect its information from unauthorized access and disclosure, as data breaches can have far-reaching operational, financial, and reputational impacts. In the event of a breach, data confidentiality can be compromised via unauthorized exfiltration, leaking, or spills of data. It is essential for an organization to identify and protect assets to prevent breaches and, should a breach occur, to detect it and execute a response and recovery plan. This practice guide focuses on data confidentiality, defined as the property that data has not been disclosed in an unauthorized fashion, concerning data in storage, during processing, and while in transit. It applies these principles through the lens of the NIST Cybersecurity Framework Functions of Identify and Protect. It informs organizations on how to identify and protect assets against a data confidentiality attack, manage associated risks, and implement appropriate safeguards. The guidance assists organizations in inventorying data storage and flows, protecting against confidentiality attacks on hosts and networks, protecting data at rest, in transit, and in use, configuring logging, and implementing access controls and authentication mechanisms."
Technical ID
nist-sp-1800-28-data-confidentiality
NIST SPECIAL PUBLICATION 1800-29 Data Confidentiality: Detect, Respond to, and Recover from Data Breaches
"An organization must protect its information from unauthorized access and disclosure, as data breaches can have far-reaching operational, financial, and reputational impacts. In the event of a data breach, data confidentiality can be compromised via unauthorized exfiltration, leaking, or spills of data to unauthorized parties. It is essential for an organization to not only identify and protect assets to prevent breaches, but also to be able to detect an ongoing breach and execute a response and recovery plan that leverages security technology and controls. This NIST Cybersecurity Practice Guide, developed by the National Cybersecurity Center of Excellence (NCCoE), demonstrates how organizations can develop and implement appropriate actions to detect, respond to, and recover from a data confidentiality cybersecurity event. The guide, which applies principles through the lens of the NIST Cybersecurity Framework, helps organizations to monitor user and data activity, detect unauthorized data flows and access, analyze and mitigate the impact of breaches, contain their effects, and facilitate recovery by providing detailed information on the scope and severity of the incident."
Technical ID
nist-sp-1800-29-data-breaches
Securing Distributed Energy Resources: An Example of Industrial Internet of Things Cybersecurity
"This practice guide from the National Cybersecurity Center of Excellence (NCCoE) applies standards, best practices, and commercially available technology to protect the digital communication, data, and control of cyber-physical grid-edge devices. It addresses the challenge that the growing use of small-scale distributed energy resources (DERs), which often rely on Industrial Internet of Things (IIoT) technologies, represents a growing cyber threat to the distribution grid. A distribution utility may need to remotely communicate with thousands of DERs, and many companies are not equipped to offer secure access or to monitor and trust the rapidly growing amount of data. Any attack that can deny, disrupt, or tamper with DER communications could prevent a utility from performing necessary control actions and could diminish grid resiliency. The core obligation demonstrated is a risk-based approach for connecting and managing DERs, built on National Institute of Standards and Technology (NIST) and industry standards. The guide shows how to monitor and detect unusual behavior of connected IIoT devices, build a comprehensive audit trail of trusted IIoT data flows, protect data and communications traffic of grid-edge devices, and support secure edge-to-cloud data flows. It provides an example solution for authenticating systems, ensuring data integrity, detecting malware, maintaining an immutable command register, and implementing behavioral monitoring."
Technical ID
nist-sp-1800-32-securing-ders
NIST SPECIAL PUBLICATION 1800-35 Implementing a Zero Trust Architecture: High-Level Document
"A zero trust architecture (ZTA) is an enterprise cybersecurity architecture based on zero trust principles, such as those outlined in NIST Special Publication (SP) 800-207, designed to prevent data breaches and limit internal lateral movement. This guide is intended to help organizations gradually evolve existing environments and technologies into a ZTA over time by providing practical implementation details. The primary audience includes organizations looking to implement ZTA, assuming an existing level of cybersecurity knowledge and capabilities. The core obligation is to enable secure authorized access to enterprise resources distributed across on-premises and multiple cloud environments, while enabling a hybrid workforce and partners to access resources from anywhere, at any time, from any device. This is achieved through a risk-based approach to cybersecurity—continuously evaluating and verifying conditions and requests to decide which access requests should be permitted, then ensuring that each access is properly safeguarded commensurate with risk. The guide documents 19 example ZTA implementations built with 24 technology collaborators, providing models that organizations can emulate and best practices for leveraging existing technology infrastructure."
Technical ID
nist-sp-1800-35-zero-trust-architecture
NIST SPECIAL PUBLICATION 1800-4 Mobile Device Security Cloud and Hybrid Builds
"This National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide addresses the challenge of securely deploying and managing mobile devices in an enterprise. In many organizations, mobile devices are adopted on an ad hoc basis, possibly without the appropriate policies and infrastructure to manage and secure the enterprise data they process and store. This guide demonstrates how commercially available technologies can enable secure access to an organization’s sensitive email, contacts, and calendar information from users’ mobile devices. The solutions and architectures presented are built upon standards-based, commercially available products and can be used by any organization deploying mobile devices in the enterprise. This project contains two distinct builds: a cloud build that uses cloud-based data storage and management services, and a hybrid build that achieves the same functionality but hosts a portion of the data and services within an enterprise’s own infrastructure. The guide demonstrates how security can be supported throughout the mobile device life cycle. This includes how to configure a device to be trusted by the organization, how to maintain adequate separation between the organization’s data and the employee’s personal data, and how to handle de-provisioning a mobile device that should no longer have enterprise access (e.g., device lost or stolen, employee leaves the company). The guide identifies the security characteristics needed to reduce the risks from mobile devices storing or accessing sensitive enterprise data, maps these characteristics to standards and best practices, and describes detailed example solutions for implementation."
Technical ID
nist-sp-1800-4-mobile-device-security
NIST SPECIAL PUBLICATION 1800-5 IT Asset Management
"This NIST Cybersecurity Practice Guide offers a proof-of-concept solution for financial services companies to more securely and efficiently monitor and manage their information technology (IT) assets. The guide details an example solution using open source and commercially available products that can be included alongside current products in an existing infrastructure. It is designed for those responsible for tracking assets, configuration management, and cybersecurity, including system administrators, IT managers, and security managers. The core objective is to provide a centralized, comprehensive view of networked hardware and software across an enterprise. An effective IT asset management (ITAM) solution, as described, is foundational to an effective cybersecurity strategy. It enables organizations to know and control which assets are connected to the network, automatically detect and alert on unauthorized devices, enforce software restriction policies, and audit and monitor asset changes. The solution aims to span traditional physical asset tracking, IT asset information, physical security, and vulnerability and compliance information, allowing users to query one system for a complete IT asset portfolio view. This enhanced visibility leads to better asset utilization, reduced vulnerabilities, faster response times to security alerts, and increased cybersecurity resilience by allowing security analysts to focus on the most valuable or critical assets."
Technical ID
nist-sp-1800-5-it-asset-management
Domain Name System-Based Electronic Mail Security
"This guide details proof-of-concept security platforms that demonstrate trustworthy email exchanges across organizational boundaries for both public and private-sector business operations. The project's goals include the authentication of mail transfer agents, signing and encryption of email, and binding cryptographic key certificates to servers. The Domain Name System Security Extension (DNSSEC) protocol is used to authenticate server addresses and certificates for Transport Layer Security (TLS) to DNS names, while DNS-Based Authentication of Named Entities (DANE) securely associates domain names with cryptographic certificates. The platforms enable end-to-end security through Secure/Multipurpose Internet Mail Extensions (S/MIME). This NIST Cybersecurity Practice Guide provides a standards-based reference design for any organization deploying email services to implement certificate-based cryptographic key management and DNS Security Extensions. The solutions and architectures presented are built upon standards-based, commercially available products. The guide aims to help organizations reduce risks so that employees can exchange information via email with significantly reduced risk of disclosure or compromise by enabling the use of existing security protocols more efficiently and with minimal impact to email service performance."
Technical ID
nist-sp-1800-6-email-security
NIST SPECIAL PUBLICATION 1800-7 Situational Awareness For Electric Utilities
"Through direct dialogue between NCCoE staff and members of the energy sector it became clear that energy companies need to create and maintain a high level of visibility into their operating environments to ensure the security of their operational resources (operational technology [OT]), including industrial control systems (ICS), buildings, and plant equipment. However, energy companies, as well as all other utilities with similar infrastructure and situational awareness challenges, also need insight into their corporate or information technology (IT) systems and physical access control systems (PACS). The convergence of data across these three often self-contained silos (OT, IT, and PACS) can better protect power generation, transmission, and distribution. Real-time or near real-time situational awareness is a key element in ensuring this visibility across all resources. Situational awareness, as defined in this use case, is the ability to comprehensively identify and correlate anomalous conditions pertaining to ICS, IT resources, and access to buildings, facilities, and other business mission-essential resources. For energy companies, having mechanisms to capture, transmit, view, analyze, and store real-time or near-real-time data from ICS and related networking equipment provides energy companies with the information needed to deter, identify, respond to, and mitigate cyber attacks against their assets."
Technical ID
nist-sp-1800-7-electric-utilities
NIST SPECIAL PUBLICATION 1800-8: Securing Wireless Infusion Pumps in Healthcare Delivery Organizations
"Medical devices, such as infusion pumps, were once standalone instruments that interacted only with the patient or medical provider. With technological improvements, these devices now connect wirelessly to a variety of systems within a healthcare delivery organization (HDO), contributing to the Internet of Medical Things (IoMT). As IoMT grows, cybersecurity risks have risen. The wireless infusion pump ecosystem faces threats including unauthorized access to protected health information (PHI), changes to prescribed drug doses, and interference with a pump’s function. This can expose a healthcare provider’s enterprise to serious risks such as access by malicious actors, loss of enterprise information, a breach of PHI, and disruption of healthcare services. This NIST Special Publication provides cybersecurity guidance for HDOs and medical device manufacturers who share responsibility for reducing these risks. It details how organizations can use standards-based, commercially available cybersecurity technologies to better protect the infusion pump ecosystem. The core obligation involves performing a questionnaire-based risk assessment and then applying security controls to create a “defense-in-depth” solution. This guidance shows biomedical, networking, and cybersecurity engineers how to securely configure and deploy wireless infusion pumps to reduce cybersecurity risk, manage assets, protect against threats, and mitigate vulnerabilities."
Technical ID
nist-sp-1800-8-infusion-pumps
Information Security Handbook: A Guide for Managers
"This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. The guidance is intended for agency heads, chief information officers (CIOs), senior agency information security officers (SAISOs), and security managers. The topics are selected based on laws and regulations including the Federal Information Security Management Act (FISMA) of 2002 and Office of Management and Budget (OMB) Circular A-130. The core obligation is for federal agencies to establish a formal information security governance structure to proactively implement appropriate information security controls, support their mission in a cost-effective manner, and manage evolving risks. This governance is defined as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with business objectives, consistent with applicable laws, and provide assignment of responsibility to manage risk. While this guideline has been prepared for use by federal agencies, it may also be used by nongovernmental organizations on a voluntary basis. Agencies are expected to tailor this guidance according to their specific security posture and business requirements. The handbook summarizes and augments existing NIST standards and guidance, covering topics such as the System Development Life Cycle, risk management, security planning, incident response, and performance measures. It provides a framework for developing, documenting, and implementing an agency-wide information security program, ensuring protections are commensurate with the risk and magnitude of potential harm."
Technical ID
nist-sp-800-100-security-handbook
Recommendation for Key Derivation Using Pseudorandom Functions
"This Recommendation specifies techniques for the derivation of additional keying material from a secret key, either established through a key-establishment scheme or shared through some other manner, using pseudorandom functions (PRFs): HMAC, CMAC, and KMAC. The key-derivation functions (KDFs) can be used to derive additional keys from an existing cryptographic key that was previously established through an automated key-establishment scheme, generated, and/or previously shared. The key-derivation functions specified provide key expansion functionality, where key derivation is a process that may require randomness extraction and key expansion. This publication defines several families of KDFs that use PRFs, including a counter mode, a feedback mode, and a double-pipeline mode as iteration methods, as well as a non-iterative KDF using KMAC. The key input to a KDF is called a key-derivation key (KDK) and must be a cryptographic key. The output is called derived keying material, which may be segmented into multiple keys for intended cryptographic algorithms."
Technical ID
nist-sp-800-108r1-key-derivation
Guide to SSL VPNs
"Secure Sockets Layer (SSL) virtual private networks (VPN) provide secure remote access to an organization’s resources. A VPN is a virtual network, built on top of existing physical networks, that can provide a secure communications mechanism for data and other information transmitted between two endpoints. An SSL VPN consists of one or more VPN devices to which users connect using their Web browsers, with the traffic between the browser and the device encrypted with the SSL protocol. SSL VPNs provide remote users with access to Web applications, client/server applications, and connectivity to internal networks, offering versatility and ease of use because they use the SSL protocol included with all standard Web browsers. There are two primary types of SSL VPNs. SSL Portal VPNs allow a user to use a single standard SSL connection to a Web site to securely access multiple network services from a single portal page. SSL Tunnel VPNs allow a user's web browser to securely access multiple network services, including applications and protocols that are not web-based, through a tunnel running under SSL. For Federal agencies, SSL VPNs must be configured to only allow FIPS-compliant cryptographic algorithms, cipher suites, and versions of SSL. Organizations should use a phased approach to SSL VPN planning and implementation, including identifying requirements, designing the solution, testing a prototype, deploying, and managing the solution."
Technical ID
nist-sp-800-113-guide-ssl-vpns
User’s Guide to Telework and Bring Your Own Device (BYOD) Security
"This publication provides recommendations for securing Bring Your Own Device (BYOD) devices used for telework and remote access, as well as those directly attached to the enterprise’s own networks. It applies to an organization’s employees, contractors, business partners, vendors, and other users who perform work from locations other than the organization’s facilities using devices like desktop and laptop computers, smartphones, and tablets. The core obligation is to ensure that telework devices are properly secured to mitigate risks not only to the information the teleworker accesses but also to the organization’s other systems and networks. When a telework device uses remote access, it is essentially a logical extension of the organization’s own network. Therefore, if the telework device is not secured properly, it poses additional risk. Key security recommendations include using security software such as antivirus and personal firewalls, restricting device access through user accounts and passwords, regularly applying updates to operating systems and applications, disabling unneeded networking features, securing home networks, and maintaining the device's security on an ongoing basis. Organizations may limit the types of BYOD devices that can be used and which resources they can access to limit the risk they incur."
Technical ID
nist-sp-800-114-r1-byod-security
Technical Guide to Information Security Testing and Assessment
"An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person) meets specific security objectives. This document provides a guide to the basic technical aspects of conducting information security assessments, presenting technical testing and examination methods and techniques that an organization might use, and offering insights to assessors on their execution and potential impact. The guidance enables organizations to develop an assessment policy, accurately plan assessments by addressing logistical and legal considerations, safely execute testing, appropriately handle technical data, and conduct analysis and reporting to translate technical findings into risk mitigation actions. To accomplish technical security assessments and ensure they provide maximum value, organizations are recommended to establish an information security assessment policy, implement a repeatable and documented assessment methodology, determine the objectives of each assessment and tailor the approach accordingly, and analyze findings to develop risk mitigation techniques. The guide is intended for use by computer security staff, program managers, system and network administrators, and other technical staff responsible for securing systems and network infrastructures."
Technical ID
nist-sp-800-115-security-testing
Guide to Bluetooth Security
"Bluetooth wireless technology is an open standard for short-range radio frequency communication used primarily to establish wireless personal area networks (WPANs), and has been integrated into many types of business and consumer devices. This publication provides information on the security capabilities of Bluetooth and gives recommendations to organizations employing Bluetooth wireless technologies on securing them effectively. The Bluetooth versions within the scope of this publication are versions 1.1 through 4.2. Bluetooth wireless technology and associated devices are susceptible to general wireless networking threats, such as denial of service (DoS) attacks, eavesdropping, man-in-the-middle (MITM) attacks, message modification, and resource misappropriation. To improve security, organizations should use the strongest Bluetooth security mode available for their devices. For devices version 4.1 and later, Security Mode 4, Level 4 is recommended for Basic Rate/Enhanced Data Rate (BR/EDR) as it requires Secure Connections. For the low energy feature, Security Mode 1, Level 4 is the strongest. Organizations should address Bluetooth in their security policies, change default settings, and ensure users are aware of their responsibilities, such as performing pairing in physically secure areas and turning off devices when not in use."
Technical ID
nist-sp-800-121r2-bluetooth-security
Special Publication 800-123 Guide to General Server Security
"This publication addresses the general security issues of typical servers, assisting organizations in installing, configuring, and maintaining them securely. Servers are frequently targeted by attackers due to the value of their data and services, which can include personally identifiable information. Common threats include exploitation of software bugs, denial of service attacks, unauthorized access to sensitive information, and using a compromised server to attack other entities. This document provides guidance for securing the server's underlying operating system, the server software itself, and maintaining a secure configuration through ongoing practices. The core obligations involve careful security planning prior to deployment, including addressing human resource requirements. Organizations must secure the server operating system by patching, removing unnecessary services, configuring user authentication, and performing security testing. Similarly, server applications must be securely deployed, configured, and managed to meet organizational security requirements. Maintaining server security is an ongoing process that requires constant effort and vigilance, involving actions such as configuring and analyzing log files, backing up critical information, establishing recovery procedures, and periodically testing security controls."
Technical ID
nist-sp-800-123-server-security
Guide for Security-Focused Configuration Management of Information Systems
"This guide provides guidelines for organizations responsible for managing and administering the security of federal information systems and associated environments of operation. The focus of this document is on implementation of the information system security aspects of configuration management, referred to as security-focused configuration management (SecCM), which is defined as the management and control of configurations for information systems to enable security and facilitate the management of information security risk. The goal of SecCM activities is to manage and monitor the configurations of information systems to achieve adequate security and minimize organizational risk while supporting the desired business functionality and services. SecCM builds on the general concepts of configuration management by focusing on the implementation and maintenance of established security requirements. These guidelines are applicable to all federal information systems other than those designated as national security systems. Federal agencies are responsible for including policies and procedures that ensure compliance with minimally acceptable system configuration requirements. State, local, and tribal governments, as well as private sector organizations, are encouraged to consider using these guidelines. The core obligation involves a disciplined approach for providing adequate security through a process that includes planning, identifying and implementing secure configurations, controlling configuration changes, and monitoring configurations to ensure they are not inadvertently altered from the approved baseline."
Technical ID
nist-sp-800-128-config-management
An Introduction to Information Security (NIST Special Publication 800-12 Revision 1)
"This publication serves as a starting-point for those new to information security and for those unfamiliar with NIST information security publications and guidelines. Its intent is to provide a high-level overview of information security principles by introducing related concepts and the security control families (as defined in NIST SP 800-53) that organizations can leverage to effectively secure their systems and information. The target audience includes any person tasked with or interested in understanding how to secure systems, seeking a better understanding of information security basics, or a high-level view on the topic. The tips and techniques described may be applied to any type of information or system in any organization. Information security is defined as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability. The basic principles of information security are applicable to federal organizations, academia, and the private sector."
Technical ID
nist-sp-800-12r1-intro-infosec
Transitioning the Use of Cryptographic Algorithms and Key Lengths
"This Recommendation (SP 800-131A) provides specific guidance for transitions to the use of stronger cryptographic keys and more robust algorithms for Federal Government agencies protecting sensitive, but unclassified information. The document addresses the use of algorithms and key lengths specified in Federal Information Processing Standards (FIPS) and NIST Special Publications (SPs), outlining the timelines and approval statuses for various cryptographic functions. A core requirement is the transition to a minimum security strength of 112 bits for applying cryptographic protection, such as encrypting or signing data. This supersedes the previous 80-bit requirement. The guidance details acceptable, deprecated, disallowed, and legacy-use statuses for block ciphers (e.g., TDEA, AES), digital signatures (DSA, ECDSA, RSA), random bit generators, key agreement schemes (DH, MQV, RSA), key wrapping, key derivation functions, hash functions (SHA-1, SHA-2, SHA-3), and message authentication codes (HMAC, CMAC). The publication establishes deadlines for phasing out weaker algorithms and key lengths, such as the use of three-key TDEA for encryption after 2023, and encourages implementers to plan for cryptographic agility to facilitate future transitions to quantum-resistant algorithms."
Technical ID
nist-sp-800-131a-rev-2-crypto-transitions
NIST Special Publication 800-132 Recommendation for Password-Based Key Derivation Part 1: Storage Applications
"This Recommendation specifies techniques for the derivation of master keys from passwords or passphrases to protect stored electronic data or data protection keys. Due to the low entropy and possibly poor randomness of passwords, they are not suitable to be used directly as cryptographic keys. This document specifies a family of password-based key derivation functions (PBKDFs) for deriving cryptographic keys from passwords or passphrases for the protection of electronically-stored data or for the protection of data protection keys. The derived keying material is called a Master Key (MK). This Recommendation has been prepared for use by Federal agencies, though it may be used by non-governmental organizations on a voluntary basis. The core obligation is to use a PBKDF, specifically PBKDF2 using HMAC with an approved hash function, to derive a master key from a password. The inputs to the function include the password (P), a salt (S), an iteration count (C), and the desired key length (kLen). The randomly-generated portion of the salt shall be at least 128 bits, the master key length shall be at least 112 bits, and a minimum iteration count of 1,000 is recommended. The derived MK shall only be used to generate one or more Data Protection Keys (DPKs) or to protect existing DPKs."
Technical ID
nist-sp-800-132-pbkdf
FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759
"NIST Special Publication (SP) 800-140 specifies the modifications of the Derived Test Requirements (DTR) for Federal Information Processing Standard (FIPS) 140-3. It modifies the test (TE) and vendor (VE) evidence requirements of International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 24759. As a validation authority, the Cryptographic Module Validation Program (CMVP) may modify, add or delete TEs and/or VEs as specified under paragraph 5.2 of ISO/IEC 24759. This document is focused toward vendors, testing labs, and the CMVP for the purpose of addressing CMVP specific requirements in ISO/IEC 24759 for cryptographic modules. This publication should be used in conjunction with ISO/IEC 24759 as it modifies only those requirements identified in this document. The core obligation is for Cryptographic and Security Testing Laboratories (CSTLs) to use the methods specified to demonstrate conformance, and for vendors to provide the required documentation as supporting evidence."
Technical ID
nist-sp-800-140-dtr
Guidelines on Security and Privacy in Public Cloud Computing
"This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment. The primary purpose of this report is to describe the threats, technology risks, and safeguards surrounding public cloud environments, and their treatment. It is recommended to federal departments and agencies to help them apply the guidelines when performing their own analysis of requirements. The core obligation for organizations is to take a risk-based approach in analyzing available options and to assess, select, engage, and oversee the public cloud services that can best fulfill their requirements. Organizations should carefully plan the security and privacy aspects of cloud solutions, understand the provider's environment, ensure the solution satisfies organizational requirements, secure the client-side environment, and maintain accountability over the data and applications deployed."
Technical ID
nist-sp-800-144-cloud-computing
A Profile for U.S. Federal Cryptographic Key Management Systems
"This Profile for U.S. Federal Cryptographic Key Management Systems (FCKMSs) contains requirements for their design, implementation, procurement, installation, configuration, management, operation, and use by U.S. Federal organizations. It is intended to assist CKMS designers and implementers in selecting features, and to assist federal organizations and their contractors when procuring, installing, configuring, operating, and using FCKMSs. An FCKMS can be owned and operated by a federal organization or by a private contractor that provides key management services for federal organizations. The core obligation is for agencies to adopt, adapt, and migrate their FCKMSs to comply with the Profile requirements over time, particularly when creating or procuring new systems or services. These requirements establish minimum security strengths and cryptographic module standards based on the information system impact-levels defined in FIPS 200: Low, Moderate, and High. The Profile specifies that information rated at a Low impact-level must be protected with at least 112 bits of security strength, Moderate with at least 128 bits, and High with at least 192 bits. It also mandates the use of FIPS 140-validated cryptographic modules at specific security levels corresponding to each impact level."
Technical ID
nist-sp-800-152-key-management
Engineering Trustworthy Secure Systems
"This publication describes a basis for establishing principles, concepts, activities, and tasks for engineering trustworthy secure systems. These can be effectively applied within systems engineering efforts to foster a common mindset to deliver security for any system, regardless of its purpose, type, scope, size, complexity, or stage of its system life cycle. The objective is to address security issues from the perspective of stakeholder requirements and protection needs and to use established engineering processes to ensure that such requirements and needs are addressed with appropriate fidelity and rigor across the entire life cycle of the system. Managing the complexity of trustworthy secure systems requires achieving the appropriate level of confidence in the feasibility, correctness-in-concept, philosophy, and design of a system to produce only the intended behaviors and outcomes. A trustworthy system provides compelling evidence to support claims that it meets its requirements to deliver the protection and performance needed by stakeholders, functioning only as intended while subjected to different types of adversity. Adversities can include attacks from determined and capable adversaries, human errors of omission and commission, accidents and incidents, component faults and failures, abuses and misuses, and natural and human-made disasters."
Technical ID
nist-sp-800-160-v1r1
NIST Special Publication 800-160, Volume 2, Revision 1: Developing Cyber-Resilient Systems: A Systems Security Engineering Approach
"NIST Special Publication (SP) 800-160, Volume 2, focuses on cyber resiliency engineering—an emerging specialty systems engineering discipline applied in conjunction with resilience engineering and systems security engineering to develop more survivable, trustworthy systems. Cyber resiliency engineering intends to architect, design, develop, maintain, and sustain the trustworthiness of systems with the capability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises that use or are enabled by cyber resources. From a risk management perspective, cyber resiliency is intended to reduce the mission, business, organizational, or sector risk of depending on cyber resources. This publication presents a cyber resiliency engineering framework to aid in understanding and applying cyber resiliency, a concept of use for the framework, and the engineering considerations for implementing cyber resiliency in the system life cycle. The framework constructs include goals, objectives, techniques, implementation approaches, and design principles. Organizations can select, adapt, and use some or all of the cyber resiliency constructs in this publication and apply the constructs to the technical, operational, and threat environments for which systems need to be engineered. The guidance can be applied to new systems, modifications to fielded systems, and systems identified for retirement."
Technical ID
nist-sp-800-160-v2r1
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
"This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. It addresses concerns about the risks associated with products and services that may potentially contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices. The guidance is for a diverse audience, including individuals with system, information security, risk management, acquisition, and system development responsibilities across public and private sector entities. The core obligation is to integrate cybersecurity supply chain risk management (C-SCRM) into enterprise-wide risk management activities. This is achieved by applying a multilevel, C-SCRM-specific approach which includes the development of C-SCRM strategy and implementation plans, C-SCRM policies, C-SCRM plans for specific systems, and conducting risk assessments for products and services. The guidance emphasizes that C-SCRM is a systematic process for managing exposure to cybersecurity risks throughout the supply chain and developing appropriate response strategies, policies, processes, and procedures, which should be tailored to the unique size, resources, and risk circumstances of each enterprise."
Technical ID
nist-sp-800-161r1-csrm-practices
Guide to Attribute Based Access Control (ABAC) Definition and Considerations
"This document provides Federal agencies with a definition of attribute based access control (ABAC), a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. It provides planning, design, implementation, and operational considerations for employing ABAC within an enterprise with the goal of improving information sharing while maintaining control of that information. ABAC is distinguishable because it controls access to objects by evaluating rules against the attributes of entities (subject and object), operations, and the environment relevant to a request. The access control policies that can be implemented in ABAC are limited only by the computational language and the richness of the available attributes. This flexibility enables the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object. As new subjects join an organization, rules and objects do not need to be modified as long as the subject is assigned the necessary attributes. This benefit is often referred to as accommodating the external (unanticipated) user and is one of the primary benefits of employing ABAC."
Technical ID
nist-sp-800-162-abac
NIST Special Publication 800-163 Revision 1: Vetting the Security of Mobile Applications
"As both public and private organizations rely more on mobile applications, ensuring that they are reasonably free from vulnerabilities and defects is paramount. Mobile apps can pose serious security risks to an organization and its users due to vulnerabilities that may be exploited to steal information, control a user’s device, or result in unexpected app or device behavior. To mitigate these risks, organizations should employ a software assurance process, referred to as an app vetting process, that ensures a level of confidence that software is free from vulnerabilities and functions in the intended manner. This document defines such an app vetting process and is intended for public- and private-sector organizations that seek to improve the software assurance of mobile apps deployed on their mobile devices. The core obligation is for organizations to determine if a mobile app is acceptable for deployment by vetting it against the organization's security requirements. This process involves a sequence of activities: app intake, app testing, app approval/rejection, and results submission. The process may be manual or automated and aims to be repeatable, efficient, and consistent, ensuring that mobile applications conform to defined security requirements before deployment. Organizations should not assume an app has been fully vetted or conforms to their security requirements simply because it is available through an official app store."
Technical ID
nist-sp-800-163r1-mobile-app-vetting
Guide to Application Whitelisting
"An application whitelist is a list of applications and application components that are authorized to be present or active on a host according to a well-defined baseline. Application whitelisting technologies use these lists to control which applications are permitted to install or execute, with the primary goal of stopping the execution of malware and other unauthorized software. Unlike traditional antivirus software that uses blacklists to block known bad activity, whitelisting technologies operate on a 'permit known good' model, blocking all other activity by default. The guidance is intended for organizations to understand the basics of application whitelisting and plan for its implementation throughout the security deployment lifecycle. This framework applies to centrally managed hosts, including desktops, laptops, and servers, where consistent application workloads make implementation more practical. It is strongly recommended for high-risk environments where security outweighs unrestricted functionality. The core obligation for an organization is to establish and maintain the whitelist using attributes such as digital signatures, publishers, or cryptographic hashes. A successful deployment requires a clear, step-by-step planning and implementation process, beginning with a prototype in monitoring mode to evaluate its behavior before moving to an enforcement mode. Organizations will need dedicated staff to manage and maintain the solution, similar to handling an enterprise antivirus or intrusion detection system."
Technical ID
nist-sp-800-167-application-whitelisting
NIST SP 800-171 Rev 3 — Protecting Controlled Unclassified Information (CUI) in Non-Federal Systems
"This standard provides security requirements for non-federal systems and organizations to protect the confidentiality of Controlled Unclassified Information (CUI). Compliance is mandatory for entities handling CUI for U.S. federal agencies, as outlined in Chapter 1, and is foundational for frameworks like the DoD's CMMC."
Technical ID
nist-sp-800-171-cui-protection
Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171
"The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication provides federal agencies with recommended enhanced security requirements for protecting the confidentiality, integrity, and availability of CUI when the information is resident in nonfederal systems, the nonfederal organization is not operating on behalf of an agency, and no other specific safeguarding requirements exist for the CUI category. These enhanced requirements supplement the basic security requirements in NIST Special Publication 800-171 and are specifically designed to respond to the advanced persistent threat (APT). The core obligation applies to components of nonfederal systems that process, store, or transmit CUI associated with a critical program or high value asset. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established with nonfederal organizations. The security measures promote penetration-resistant architectures, damage-limiting operations, and designs to achieve cyber resiliency and survivability. Federal agencies will select the specific set of enhanced requirements based on mission needs and risk assessments, and there is no expectation that all of the enhanced security requirements will be selected in every situation."
Technical ID
nist-sp-800-172-enhanced-security
Assessing Enhanced Security Requirements for Controlled Unclassified Information
"This publication provides federal agencies and nonfederal organizations with assessment procedures to carry out assessments of the requirements in NIST Special Publication 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI). The protection of CUI in nonfederal systems and organizations is important to federal agencies and can directly impact the ability of the Federal Government to successfully carry out its assigned missions. The purpose of this publication is to describe procedures for assessing these enhanced security requirements, which are designed to respond to the advanced persistent threat (APT) for CUI associated with a high value asset or critical program. The assessment procedures are flexible and can be tailored to the needs of organizations and assessors. Assessments can be conducted as self-assessments, independent third-party assessments, or government-sponsored assessments. The findings and evidence produced can be used to facilitate risk-based decisions, identify security weaknesses, prioritize risk mitigation, and support continuous monitoring."
Technical ID
nist-sp-800-172a-assessment
NIST Special Publication 800-177 Revision 1 Trustworthy Email
"This document provides recommendations and guidelines for enhancing trust in email, applicable to federal IT systems and also useful for small or medium-sized organizations. The primary audience includes enterprise email administrators, information security specialists, and network managers. Given that the core email protocol, Simple Mail Transport Protocol (SMTP), is susceptible to attacks like man-in-the-middle content modification and surveillance, this guide details adaptations to mitigate these threats. The guidelines cluster into techniques for authenticating a sending domain, assuring email transmission security, and ensuring email content security. Technologies recommended in support of core SMTP and the Domain Name System (DNS) include mechanisms for authenticating a sending domain: Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). For email transmission security, recommendations cover Transport Layer Security (TLS) and associated certificate authentication. For email content security, the guide recommends encryption and authentication of message content using Secure/Multipurpose Internet Mail Extensions (S/MIME) and associated protocols. Many of these security enhancements rely on records stored in a secured DNS, particularly through the deployment of DNS Security Extensions (DNSSEC)."
Technical ID
nist-sp-800-177-trustworthy-email
Guide for Developing Security Plans for Federal Information Systems
"The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a system security plan, a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The plan also delineates responsibilities and expected behavior of all individuals who access the system and should reflect input from information owners, the system owner, and the senior agency information security officer (SAISO). Management authorization to operate a system is based on an assessment of management, operational, and technical controls documented in the security plan. By authorizing processing in a system, a manager accepts its associated risk. The system security plan forms the basis for this authorization, supplemented by an assessment report and a plan of actions and milestones. Re-authorization should occur whenever there is a significant change in processing, but at least every three years."
Technical ID
nist-sp-800-18-r1
Guide for Developing Security Plans for Federal Information Systems
"This guide provides direction for developing system security plans for federal information systems, a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of a system and describe the controls in place or planned for meeting those requirements. The plan also delineates responsibilities and expected behavior of all individuals who access the system. It is intended to be a living document, reflecting input from information owners, system owners, and the senior agency information security officer (SAISO), that forms the basis for the authorization of a system to operate. The document applies to all federal agencies and their information systems, which must be categorized as either a major application or a general support system. The protection of a system must be documented in a system security plan, which supports the system development life cycle (SDLC) and should be updated when events trigger the need for revision. Management authorization for a system to process information is based on an assessment of management, operational, and technical controls documented in the security plan. Re-authorization is required whenever there is a significant change in processing, and at least every three years."
Technical ID
nist-sp-800-18-r1-security-plans
Guide for Developing Security Plans for Federal Information Systems
"The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection as part of good management practice, and the protection of a system must be documented in a system security plan. This is a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA), which requires each federal agency to develop, document, and implement an agency-wide information security program. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It reflects input from various managers, including information owners, the system owner, and the senior agency information security officer (SAISO). A senior management official must authorize a system to operate, accepting its associated risk based on an assessment of management, operational, and technical controls documented in the plan. Re-authorization should occur whenever there is a significant change in processing, but at least every three years."
Technical ID
nist-sp-800-18-security-plans
Workforce Framework for Cybersecurity (NICE Framework)
"This publication from the National Initiative for Cybersecurity Education (NICE) describes the Workforce Framework for Cybersecurity (NICE Framework), a fundamental reference for describing and sharing information about cybersecurity work. It provides a reference taxonomy—a common language—of cybersecurity work and of the individuals who carry out that work. As a common, consistent lexicon that categorizes and describes cybersecurity work, the NICE Framework improves communication about how to identify, recruit, develop, and retain cybersecurity talent. The NICE Framework provides a set of building blocks for describing the tasks, knowledge, and skills (TKS) that are needed to perform cybersecurity work. Through these building blocks, the framework enables organizations to develop their workforces to perform cybersecurity work, and it helps learners to explore cybersecurity work and to engage in appropriate learning activities to develop their knowledge and skills. This development, in turn, benefits employers and employees through the identification of career pathways that document how to prepare for cybersecurity work using the data of TKS statements bundled into Work Roles and Competencies. This publication may be used by nongovernmental organizations on a voluntary basis."
Technical ID
nist-sp-800-181r1-nice-framework
NIST Special Publication 800-183 Networks of ‘Things’
"This document offers an underlying and foundational understanding of the Internet of Things (IoT) based on the realization that IoT involves sensing, computing, communication, and actuation. It presents five core primitives as the basic building blocks for a Network of ‘Things’ (NoT), which includes IoT. These primitives apply well to systems with large amounts of data, scalability concerns, heterogeneity concerns, temporal concerns, and elements of unknown pedigree with possible nefarious intent. This model and vocabulary defines principles common to most, if not all, networks of things, allowing for comparisons between NoTs and providing a unifying vocabulary for composition and information exchange. The material presented is generic to all distributed systems that employ IoT technologies. The document uses the acronyms IoT and NoT (Network of Things) interchangeably, where IoT is an instantiation of a NoT with its ‘things’ tethered to the Internet. The intended audience includes computer scientists, IT managers, networking specialists, and networking and cloud computing software engineers. The model aims to expose the ingredients that can express how the IoT behaves, without defining IoT, offering insights into issues specific to trust."
Technical ID
nist-sp-800-183-networks-of-things
Guide for Cybersecurity Event Recovery
"In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management processes include comprehensive recovery planning. Although there are existing federal policies, standards, and guidelines on cyber event handling, none of them focuses solely on improving cybersecurity recovery capabilities. This publication provides tactical and strategic guidance regarding the planning, playbook developing, testing, and improvement of recovery planning to help organizations plan and prepare recovery from a cyber event and integrate the processes and procedures into their enterprise risk management plans. This guidance is not an operational playbook but is intended for individuals with decision making responsibilities to develop customized playbooks. Recovery can be described in two phases: an immediate tactical recovery phase achieved through a pre-planned playbook, and a more strategic phase focused on continuous improvement of all Cybersecurity Framework (CSF) functions based on lessons learned. The document supports organizations in a technology-neutral way in improving their cyber event recovery plans, processes, and procedures, with the goal of resuming normal operations more quickly. While the scope is primarily US federal agencies, the information is useful to any organization wishing to have a more flexible and comprehensive approach to recovery."
Technical ID
nist-sp-800-184-event-recovery
SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash
"This Recommendation specifies four types of SHA-3-derived functions: cSHAKE, KMAC, TupleHash, and ParallelHash, each defined for a 128- and 256-bit security strength. This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014 and is intended for developing information security standards and guidelines, including minimum requirements for federal information systems. This publication may be used by nongovernmental organizations on a voluntary basis. cSHAKE is a customizable variant of the SHAKE function defined in FIPS 202. KMAC (KECCAK Message Authentication Code) is a variable-length message authentication code algorithm that can also be used as a pseudorandom function. TupleHash is a variable-length hash function designed to hash tuples of input strings without trivial collisions. ParallelHash is a variable-length hash function that can hash very long messages in parallel. The core obligation is the correct implementation and use of these cryptographic functions as specified, ensuring domain separation through function names and customization strings to prevent collisions and maintain security properties."
Technical ID
nist-sp-800-185-sha3-derived-functions
Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters
"This Recommendation specifies the set of elliptic curves recommended for U.S. Government use. It provides updated specifications of elliptic curves appropriate for digital signatures and key agreement schemes, intended for implementers of cryptographic systems. In addition to previously recommended Weierstrass curves defined over prime and binary fields, this document includes newly specified Montgomery and Edwards curves, which can provide increased performance, side-channel resistance, and simpler implementation. The new curves are interoperable with those specified by the Crypto Forum Research Group (CFRG) of the Internet Engineering Task Force (IETF). The core obligation is to use the specified elliptic curves in conjunction with other NIST publications for applications like digital signatures and key agreement. This document deprecates curves over binary fields due to limited adoption, recommending new implementations select a curve over a prime field. Furthermore, curves from FIPS 186-4 that do not meet current bit security requirements are designated for legacy-use only; they may be used to process already protected information (e.g., decrypt or verify) but not to apply new protection (e.g., encrypt or sign). Key pairs generated using these specifications are strictly for digital signature and key agreement purposes."
Technical ID
nist-sp-800-186-elliptic-curves
De-Identifying Government Datasets: Techniques and Governance
"De-identification is a general term for any process of removing the association between a set of identifying data and the data subject. This document, NIST SP 800-188, provides specific guidance to U.S. government agencies that wish to use de-identification to make government datasets available while protecting the privacy of individuals. The guidance aims to prevent or limit disclosure risks to individuals and establishments while still allowing for the production of meaningful statistical analysis. The intended audience includes government system engineers, security officers, data scientists, privacy officers, and disclosure review boards. Before using de-identification, agencies should evaluate their goals and the potential risks that releasing de-identified data might create. Core obligations include deciding upon a data-sharing model, such as publishing de-identified data, publishing synthetic data, providing a query interface, or using non-public protected enclaves. The guidance recommends that agencies create a Disclosure Review Board (DRB) to oversee the de-identification process, adopt a de-identification standard with measurable performance levels, and perform re-identification studies to gauge risk. It emphasizes that formal privacy methods like k-anonymity and differential privacy should be preferred over informal ad hoc methods when available and sufficient for the task."
Technical ID
nist-sp-800-188-de-identification
Guide for Developing Security Plans for Federal Information Systems
"The objective of system security planning is to improve protection of information system resources. The protection of a system must be documented in a system security plan, a requirement of OMB Circular A-130 and the Federal Information Security Management Act (FISMA). This guidance applies to all federal agencies, but may be used by non-governmental organizations on a voluntary basis. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements, and to delineate responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. Management authorization to operate a system is based on an assessment of management, operational, and technical controls. The system security plan establishes and documents these security controls and should form the basis for the authorization. By authorizing processing, a manager accepts the system's associated risk. Re-authorization should occur whenever there is a significant change in processing, but at least every three years. The plan should reflect input from various managers, including information owners, the system owner, and the senior agency information security officer (SAISO)."
Technical ID
nist-sp-800-18r1-security-plans
Guide for Developing Security Plans for Federal Information Systems
"The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection, which must be documented in a system security plan. This is a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should reflect input from various managers, including information owners, the system owner, and the senior agency information security officer. A senior management official must authorize a system to operate, accepting its associated risk. This management authorization should be based on an assessment of management, operational, and technical controls documented in the security plan, supplemented by an assessment report and a plan of actions and milestones. Re-authorization should occur whenever there is a significant change in processing, but at least every three years."
Technical ID
nist-sp-800-18r1-security-plans-federal-systems
Application Container Security Guide
"Application container technologies are a form of operating system virtualization combined with application software packaging that provide a portable, reusable, and automatable way to package and run applications. This publication explains the potential security concerns associated with the use of containers and provides practical recommendations for addressing those concerns for system administrators, security managers, developers, and others responsible for the security of application container technologies. The core risks involve vulnerabilities and misconfigurations within container images, insecure connections to registries, unbounded administrative access to orchestrators, and the inherent risks of a shared kernel on the host OS. To mitigate these risks, organizations should tailor their operational culture and technical processes for containerized environments. Key recommendations include using minimalist, container-specific host operating systems to reduce attack surfaces; grouping containers by purpose, sensitivity, and threat posture on a single host for defense-in-depth; adopting container-specific vulnerability management tools and processes to scan images for flaws; considering hardware-based countermeasures like a Trusted Platform Module (TPM) to establish a root of trust; and deploying container-aware runtime defense tools to monitor and respond to anomalous activity."
Technical ID
nist-sp-800-190-container-security
NIST Special Publication 800-193 Platform Firmware Resiliency Guidelines
"This document provides technical guidelines and recommendations supporting resiliency of platform firmware and data against potentially destructive attacks. The platform is a collection of fundamental hardware and firmware components needed to boot and operate a system. A successful attack on platform firmware could render a system inoperable, perhaps permanently, or requiring reprogramming by the original manufacturer, resulting in significant disruptions to users. The guidelines promote resiliency by describing security mechanisms for protecting the platform against unauthorized changes, detecting unauthorized changes that occur, and recovering from attacks rapidly and securely. The guidelines are based on three core principles: Protection, involving mechanisms to ensure platform firmware code and critical data remain in a state of integrity; Detection, involving mechanisms to detect when firmware or data have been corrupted; and Recovery, involving mechanisms for restoring firmware and data to a state of integrity. The intended audience includes system and platform device vendors of computer systems, including manufacturers of clients, servers, and networking devices, as well as developers and engineers responsible for implementing firmware-level security technologies. The security principles and recommendations are broadly applicable to other classes of systems with updatable firmware, including Internet of Things devices, embedded systems, and mobile devices. System administrators and security professionals can use this document to guide procurement strategies and priorities for future systems."
Technical ID
nist-sp-800-193-firmware-resiliency
Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines
"This document outlines strategies for integrating Software Supply Chain (SSC) security assurance measures into Continuous Integration/Continuous Delivery (CI/CD) pipelines to protect the integrity of the underlying activities. The overall goal is to ensure that the CI/CD pipeline activities that take source code through the build, test, package, and deployment stages are not compromised. Cloud-native applications, often composed of multiple loosely coupled microservices, are generally developed using the DevSecOps paradigm, which utilizes CI/CD pipelines. Threats to the SSC can arise from attack vectors unleashed by malicious actors as well as defects introduced when due diligence practices are not followed by legitimate actors during the Software Development Life Cycle (SDLC). The guidance is intended for a broad group of practitioners including site reliability engineers, software engineers, project managers, and security architects. It focuses on actionable measures to integrate various building blocks for SSC security assurance into CI/CD pipelines to enhance the preparedness of organizations. This includes securing the developer environment, mitigating attack vectors, and protecting assets like source code and build systems. While artifacts like Software Bill of Materials (SBOM) are foundational, this document concentrates on the workflow tasks within CI/CD pipelines to meet the objectives of frameworks such as NIST’s Secure Software Development Framework (SSDF)."
Technical ID
nist-sp-800-204d-sssc-devsecops
NIST Special Publication 800-205 Attribute Considerations for Access Control Systems
"This document provides federal agencies with a guide for implementing attributes in access control systems. Attributes enable a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and environmental conditions against policy. Attribute-based access control systems rely upon attributes to not only define access control policy rules but also enforce the access control. Confidence in access control decisions is dependent on the accuracy, integrity, and timely availability of attributes. The core obligation is to ensure attributes shared across organizations provide assurance via proper location, retrieval, publication, validation, update, security, and revocation capabilities. To achieve this assurance, an Attribute Evaluation Scheme needs to be established, which brings confidence based on five principal areas of interest: Preparation, which involves planning attribute creation and sharing mechanisms; Veracity, which establishes semantic and syntactic correctness and trustworthiness; Security, which considers standards for secure transmission and storage of attributes; Readiness, which addresses the frequency of attribute refresh, caching, and backup; and Management, which provides mechanisms for maintaining attributes efficiently, including metadata, hierarchies, and logging."
Technical ID
nist-sp-800-205-access-control
NIST SP 800-207 — Zero Trust Architecture
"NIST Special Publication 800-207 (August 2020) defines Zero Trust Architecture (ZTA) — the security paradigm that shifts from perimeter-based ('castle and moat') defenses to identity-centric, per-session access decisions on all resources. The core principle is 'never trust, always verify': no implicit trust is granted based on network location. NIST 800-207 defines seven tenets of zero trust including that all data sources are resources, all communication is secured regardless of location, and access is granted per-session based on dynamic policy. The architecture defines three logical components: Policy Engine (PE) — makes access grant/deny decisions; Policy Administrator (PA) — establishes/terminates communication paths; Policy Enforcement Point (PEP) — gates access between subjects and enterprise resources. Three implementation approaches are defined: Enhanced Identity Governance (EIG), Micro-segmentation, and Software-Defined Perimeter (SDP)/Network Infrastructure. U.S. federal agencies were mandated to adopt ZTA principles by OMB Memorandum M-22-09 (January 2022), with specific maturity targets for identity, device, network, application, and data pillars per CISA ZT Maturity Model."
Technical ID
nist-sp-800-207
Recommendation for Stateful Hash-Based Signature Schemes
"This recommendation specifies two stateful hash-based signature (HBS) schemes, the Leighton-Micali Signature (LMS) system and the eXtended Merkle Signature Scheme (XMSS), along with their multi-tree variants, as supplements to FIPS 186. The security of these schemes depends on the security of the underlying hash functions and is believed to be resistant to attacks from large-scale quantum computers. Stateful HBS schemes are primarily intended for applications where a digital signature scheme must be implemented in the near future, the implementation will have a long lifetime, and transitioning to a different scheme after deployment is impractical, such as for authenticating firmware updates for constrained devices. A core obligation is the proper maintenance of state; an HBS private key consists of a large set of one-time signature (OTS) private keys, and the signer must ensure that no individual OTS key is ever used to sign more than one message. Reusing an OTS key would make it computationally feasible for an attacker to forge signatures. This recommendation requires that key and signature generation be performed in hardware cryptographic modules that do not allow secret keying material to be exported."
Technical ID
nist-sp-800-208-stateful-hbs
Security Guidelines for Storage Infrastructure
"This document provides an overview of the evolution of the storage technology landscape, current security threats, and the resultant risks. The primary purpose is to provide a comprehensive set of security recommendations for the current landscape of storage infrastructure, which consists of a mixture of legacy and advanced systems. The recommendations and security focus areas span those that are common to the entire IT infrastructure, such as physical security, authentication and authorization, change management, configuration control, incident response, and recovery. Within these areas, security controls that are specific to storage technologies, such as network-attached storage (NAS) and storage area networks (SAN), are also covered. In addition, security recommendations specific to storage technologies are provided for the following areas of operation: data protection, isolation, restoration assurance, and encryption. The guidance applies to traditional storage services (block, file, and object), storage virtualization, storage architectures for virtualized server environments, and storage resources hosted in the cloud."
Technical ID
nist-sp-800-209-storage-infrastructure
NIST Special Publication 800-213 IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements
"As organizations increasingly use Internet of Things (IoT) devices, care must be taken in their acquisition and implementation. This publication contains background and recommendations to help federal organizations consider how an IoT device they plan to acquire can integrate into a system. It provides guidance on considering system security from the device perspective, allowing for the identification of device cybersecurity requirements—the abilities and actions an organization will expect from an IoT device and its manufacturer or third parties. This guidance is intended for information security professionals, system administrators, and others tasked with managing security on a system. The publication applies to organizations incorporating IoT devices as system elements into an existing information system. In-scope devices have at least one transducer (sensor or actuator) for interacting with the physical world and at least one network interface. The core obligation is for organizations to assess the security impact of integrating IoT devices, understand the device's relationship to the system to properly define cybersecurity requirements, and manage risks that arise when devices do not meet those requirements, potentially through compensating controls or by deciding not to incorporate the device."
Technical ID
nist-sp-800-213-iot-guidance
NIST Special Publication 800-213A IoT Device Cybersecurity Guidance for the Federal Government: IoT Device Cybersecurity Requirement Catalog
"This publication provides a catalog of internet of things (IoT) device cybersecurity capabilities and non-technical supporting capabilities to help federal organizations determine and establish device cybersecurity requirements. The guidance applies to federal organizations, including information security professionals and system administrators, tasked with assessing, applying, and maintaining security for IoT devices used with federal information systems. The core obligation is for these organizations to use this catalog in conjunction with SP 800-213 and the NIST Risk Management Framework (RMF) to determine appropriate device cybersecurity requirements needed to support the security controls implemented on their systems. Device cybersecurity capabilities are features or functions provided through device hardware and software, such as data protection using encryption. Non-technical supporting capabilities are actions performed by manufacturers or other entities, such as providing notifications for software updates. The catalog details seven technical capabilities including Device Identification, Device Configuration, Data Protection, Logical Access, Software Update, Cybersecurity State Awareness, and Device Security. It also outlines four non-technical capabilities related to Documentation, Information Reception, Information Dissemination, and Education. By using this catalog, federal organizations can better describe the requirements needed to integrate an IoT device into a system securely, increasing the security posture of systems and their elements."
Technical ID
nist-sp-800-213a-iot-catalog
NIST SP 800-215 Guide to a Secure Enterprise Network Landscape
"The enterprise network landscape has undergone tremendous changes due to enterprise access to multiple cloud services, the geographical spread of on-premises IT resources, and the architectural shift from monolithic applications to microservices. These drivers have resulted in the disappearance of a protectable network perimeter, an increased attack surface, and the potential for rapid escalation of attacks across network boundaries. This document provides guidance for this new landscape from a secure operations perspective, intended for network design and security solution architects in organizations with hybrid IT environments. This guide examines the limitations of current network access technologies and illustrates how solutions have evolved from specific security functions to comprehensive security frameworks and infrastructure. It addresses feature enhancements to traditional network security appliances, secure networking configurations for specific functions, security frameworks like Zero Trust Network Access (ZTNA) that integrate these configurations, and the evolution of Wide Area Network (WAN) infrastructure to provide a holistic set of security services. The core obligation is for organizations to move defenses from static, network-based perimeters to focus on users, assets, and resources, assuming no implicit trust based on physical or network location."
Technical ID
nist-sp-800-215-secure-enterprise-network
Recommendations for Federal Vulnerability Disclosure Guidelines
"This document provides guidelines for managing vulnerability disclosure for information systems within the Federal Government, following the IoT Cybersecurity Improvement Act of 2020. It recommends guidance for establishing a federal vulnerability disclosure framework, properly handling vulnerability reports, and communicating the mitigation and/or remediation of vulnerabilities. The framework is designed to be applied to all software, hardware, and digital services under federal control, including government-developed, commercial, and open-source software used by government systems. The framework defines two primary government entities: the Federal Coordination Body (FCB) and Vulnerability Disclosure Program Offices (VDPOs). The FCB serves as the primary interface for vulnerability disclosure reporting, oversight, and coordination among government agencies. VDPOs are operational units, ideally part of existing information technology security offices, responsible for coordinating with actors to identify, resolve, and issue advisories on reported vulnerabilities for products and services. The core obligation is for federal agencies to establish and maintain a unified and flexible process for receiving, coordinating, publishing, and resolving security vulnerabilities to minimize the unintended exposure of government information, data corruption, and loss of services."
Technical ID
nist-sp-800-216-vulnerability-disclosure-guidelines
NIST SP 800-218 Secure Software Development Framework (SSDF)
"Compliance with the NIST SP 800-218 Secure Software Development Framework (SSDF) necessitates a holistic, risk-based approach to software security throughout its lifecycle. This assessment validates the establishment of organizational preparedness (PO) by confirming that `has_defined_security_requirements` are documented and that `has_defined_ssd_roles` are formally assigned, while also ensuring the organization `uses_automated_security_tools` within its development pipelines. Protections for software integrity (PS) are scrutinized, requiring verification that `uses_version_control_access_controls` are enforced, that the enterprise `generates_cryptographic_signatures_for_releases`, and that a `has_secure_artifact_repository` is maintained. The production of well-secured software (PW) is measured by mandating activities like `performs_threat_modeling` and having `has_vulnerability_management_for_dependencies`. A critical metric, `secure_compiler_flags_coverage_percent`, quantifies the application of security-hardening build configurations. Lastly, the framework evaluates vulnerability response (RV) capabilities, stipulating a maximum `vulnerability_scan_frequency_days` between scans, ensuring a `has_vulnerability_remediation_sla` exists, and confirming the organization `performs_root_cause_analysis_for_vulns` to prevent weakness recurrence."
Technical ID
nist-sp-800-218
NIST Special Publication 800-218 Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities
"This document describes the Secure Software Development Framework (SSDF), a core set of fundamental, sound, high-level practices for secure software development. The framework is intended to be integrated into any existing software development life cycle (SDLC) implementation. The primary audiences for this document are software producers—including commercial-off-the-shelf (COTS) product vendors, government-off-the-shelf (GOTS) software developers, custom software developers, and internal development teams, regardless of size or sector—and software acquirers, such as federal agencies and other organizations. The SSDF's core objective is for organizations to follow its practices to reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. The framework is organized into four groups of practices: preparing the organization by ensuring people, processes, and technology are ready for secure development; protecting all components of the software from tampering and unauthorized access; producing well-secured software with minimal vulnerabilities; and identifying and responding to vulnerabilities in software releases. The SSDF focuses on the outcomes of practices rather than on specific tools or techniques, making it broadly applicable across different technologies, platforms, and development models."
Technical ID
nist-sp-800-218-ssdf
Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP)
"This publication introduces the macOS Security Compliance Project (mSCP), an open-source initiative by the National Institute of Standards and Technology (NIST) designed to provide security configuration guidance for Apple macOS in a machine-consumable format. The mSCP provides resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS desktop and laptop system security in an automated way. The project, hosted on GitHub, offers practical, actionable recommendations through secure baselines and associated rules, which are continuously curated and updated to support new macOS releases. The mSCP seeks to simplify the macOS security development cycle by reducing the effort required to implement security baselines, which are groups of settings used to configure a system to meet a target level or set of requirements. This specific publication, NIST SP 800-219, has been formally withdrawn as of July 20, 2023, and is provided for historical purposes only. It has been superseded in its entirety by SP 800-219r1. The project's content maps macOS settings to various security standards, including NIST SP 800-53, NIST SP 800-171, and the DISA Security Technical Implementation Guide (STIG). Organizations are advised to use the mSCP's content with a risk-based approach, selecting appropriate settings and tailoring baselines to meet their specific security requirements."
Technical ID
nist-sp-800-219-macos-mscp
Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio
"This publication helps individual organizations within an enterprise improve their Information and Communications Technology (ICT) risk management (ICTRM) to better identify, assess, and manage ICT risks in the context of broader mission and business objectives. It applies to both Federal Government and non-Federal Government professionals, including corporate officers and executives, who may be familiar with either ICTRM or Enterprise Risk Management (ERM), but not the integration of both. The core obligation is to integrate ICTRM within the overall sphere of ERM. This involves rolling up and integrating risks that are addressed at lower system and organizational levels to the broader enterprise level by focusing on the use of ICT risk registers as input to the enterprise risk profile. This integrated approach ensures that ICT risks are considered part of an interrelated portfolio, rather than in silos. Effective integration requires coordination, communication, and collaboration to address risks that extend beyond individual program boundaries, such as those related to cybersecurity, privacy, supply chain, IoT, and AI. By applying a consistent approach to identify, assess, respond to, and communicate risk, leaders and executives can be accurately informed and make effective strategic and tactical decisions. This allows ICT risks to be quantified in financial, mission, and reputation metrics similar to other enterprise risks, enabling prudent resource allocation. The goal is to balance the benefits of technology with potential risks and consequences, supporting a comprehensive ERM approach that safeguards the enterprise's mission, finances, and reputation."
Technical ID
nist-sp-800-221-ict-risk
Information and Communications Technology (ICT) Risk Outcomes: Integrating ICT Risk Management Programs with the Enterprise Risk Portfolio
"The increasing frequency, creativity, and severity of technology attacks means that all enterprises should ensure that information and communications technology (ICT) risk is receiving appropriate attention within their enterprise risk management (ERM) programs. Specific types of ICT risk include, but are not limited to, cybersecurity, privacy, and supply chain. This document provides a framework of outcomes that applies to all types of ICT risk, providing a common language for understanding, managing, and expressing ICT risk to internal and outside stakeholders. It is a tool for aligning policy, business, and technological approaches to managing that risk, and can be used to help identify and prioritize actions for reducing ICT risk. The primary audience for this publication includes both Federal Government and non-Federal Government professionals at all levels who understand ICT but may be unfamiliar with the details of ERM. The secondary audience includes both Federal and non-Federal Government corporate officers, high-level executives, ERM officers and staff members, and others who understand ERM but may be unfamiliar with the details of ICT. Using the framework for each type of ICT risk will help organizations improve the quality and consistency of ICT risk information they provide as inputs to their ERM programs."
Technical ID
nist-sp-800-221a-ict-risk-outcomes
Guidelines for Evaluating Differential Privacy Guarantees
"This publication describes differential privacy — a PET that quantifies privacy risk to individuals when their data appears in a dataset. Differential privacy was first defined in 2006 as a theoretical framework and is still making the transition from theory to practice. This publication is intended to help those who need to manage the risks of data analytics and data sharing — including business owners, product managers, privacy personnel, security personnel, software engineers, data scientists, and academics — understand, evaluate, and compare differential privacy guarantees. Differential privacy promises that a reduction in privacy caused by a data analysis or published dataset will be bounded for all individuals about whom data are found in the dataset. In other words, any privacy reduction to an individual that results from a differentially private analysis could have happened even if the individual had not contributed their data. Differential privacy is generally achieved by adding random noise to analysis results. More noise yields better privacy but degrades the utility of the result. This privacy-utility tradeoff can make it difficult to achieve both high utility and strong privacy protection."
Technical ID
nist-sp-800-226-differential-privacy
Guide for Conducting Risk Assessments
"This guide provides a structured approach for conducting risk assessments of federal information systems and organizations, amplifying the guidance in NIST Special Publication 800-39. Risk assessments are a fundamental component of an organizational risk management process, used to identify, estimate, and prioritize risk to organizational operations, assets, individuals, and the Nation resulting from the use of information systems. The purpose of a risk assessment is to inform decision makers and support risk responses by identifying relevant threats, internal and external vulnerabilities, the potential impact or harm that may occur, and the likelihood of that harm occurring. The end result is a determination of risk, which is typically a function of the degree of harm and the likelihood of its occurrence. The guidelines are applicable to all federal information systems other than those designated as national security systems, and are intended for a diverse audience of risk management professionals. The core obligation is to conduct risk assessments on an ongoing basis throughout the system development life cycle and across all tiers of the risk management hierarchy: the organization level, mission/business process level, and information system level. The guide provides a detailed process for preparing for an assessment, conducting the assessment, communicating the results, and maintaining the assessment over time to ensure it remains relevant as systems, threats, and operational environments change."
Technical ID
nist-sp-800-30-risk-assessment
Contingency Planning Guide for Federal Information Systems
"NIST Special Publication 800-34, Rev. 1 provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures and a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information systems, operations, and data after a service disruption. Interim measures may include relocation of information systems to an alternate site, recovery using alternate equipment, or performance of functions using manual methods. This guidance is prepared for use by federal agencies but may be used by nongovernmental organizations on a voluntary basis. It applies to managers, CIOs, security officers, system engineers, and administrators responsible for designing, managing, operating, or securing information systems. The core obligation for federal organizations is to apply a seven-step process to develop and maintain a viable contingency planning program for their information systems. This process includes: developing a formal contingency planning policy statement; conducting a business impact analysis (BIA) to identify and prioritize critical systems; identifying preventive controls to reduce disruption effects; creating thorough recovery strategies; developing a detailed information system contingency plan (ISCP); ensuring the plan is validated through testing, training, and exercises; and maintaining the plan as a living document. These progressive steps are designed to be integrated into each stage of the system development life cycle, ensuring that systems can be recovered quickly and effectively following a disruption."
Technical ID
nist-sp-800-34-contingency-planning
Contingency Planning Guide for Federal Information Systems
"NIST Special Publication 800-34, Rev. 1, provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption. These measures may include relocation of information systems to an alternate site, recovery of functions using alternate equipment, or performance of functions using manual methods. This guide is applicable to federal agencies and may be used by non-governmental organizations on a voluntary basis. It defines a seven-step contingency planning process designed to be integrated into each stage of the system development life cycle. The core obligation for organizations is to develop and maintain a viable contingency planning program for their information systems. This process includes developing a formal policy, conducting a business impact analysis (BIA) to identify and prioritize critical systems, identifying preventive controls, creating thorough recovery strategies, developing a detailed information system contingency plan, ensuring the plan is tested and personnel are trained, and maintaining the plan as a living document. The guide presents sample formats for contingency plans based on the low, moderate, or high-impact levels defined by FIPS 199, covering activation, recovery, and reconstitution phases."
Technical ID
nist-sp-800-34-contingency-planning-guide
Contingency Planning Guide for Federal Information Systems
"NIST Special Publication 800-34, Rev. 1 provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to a coordinated strategy involving interim measures to recover information system services after a disruption. These measures may include relocation of systems to an alternate site, recovery using alternate equipment, or performing functions using manual methods. This guide is prepared for use by federal agencies but may be used by nongovernmental organizations on a voluntary basis. The core obligation is a seven-step contingency planning process: 1. Develop a formal contingency planning policy statement to provide authority and guidance. 2. Conduct a business impact analysis (BIA) to identify and prioritize critical information systems and components. 3. Identify preventive controls to reduce the effects of system disruptions. 4. Create thorough recovery strategies to ensure the system may be recovered quickly and effectively. 5. Develop a detailed information system contingency plan. 6. Ensure plan testing, training, and exercises to validate recovery capabilities and prepare personnel. 7. Ensure the plan is a living document that is updated regularly to remain current with system enhancements and organizational changes."
Technical ID
nist-sp-800-34-r1
NIST Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View
"This publication provides guidance for an integrated, organization-wide program for managing information security risk to organizational operations, assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. The guidance applies to all federal information systems other than those designated as national security systems. The core obligation is for leaders at all levels to understand their responsibilities and be held accountable for managing information security risk as a fundamental mission and business requirement. This is achieved through a multitiered risk management approach addressing risk at the organization level (Tier 1), the mission/business process level (Tier 2), and the information system level (Tier 3). The risk management process itself is comprised of four components: framing risk by establishing the context for risk-based decisions and creating a risk management strategy; assessing risk by identifying threats, vulnerabilities, harm, and likelihood; responding to risk by developing and implementing courses of action (accept, avoid, mitigate, share, or transfer); and monitoring risk on an ongoing basis to verify implementation and determine effectiveness. Effective risk management requires that organizations operate in highly complex, interconnected environments, and this publication provides a structured, yet flexible approach to integrate risk-based decision making into every aspect of the organization, ensuring that missions and business functions are successfully executed."
Technical ID
nist-sp-800-39-managing-information-security-risk
Managing Information Security Risk: Organization, Mission, and Information System View
"This guidance provides an integrated, organization-wide program for managing information security risk to organizational operations, assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. It establishes a multi-tiered approach that addresses risk at the organization, mission/business process, and information system levels, fostering a climate where risk is considered within mission design, enterprise architecture, and system development life cycles. The core obligation for leaders and managers at all levels is to understand their responsibilities and be held accountable for managing this risk. The process is a comprehensive activity requiring organizations to frame risk by establishing context, assess risk by identifying threats and vulnerabilities, respond to risk once determined, and monitor risk on an ongoing basis. The guidelines are applicable to all federal information systems other than those designated as national security systems. The guidance is intended for a diverse audience, including senior leaders with oversight responsibilities, mission/business owners, acquisition officials, information security professionals, system developers, and assessors. While developed for federal agencies under the Federal Information Security Management Act (FISMA), state, local, and tribal governments, as well as private sector organizations, are encouraged to use these guidelines. The risk management guidance is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program."
Technical ID
nist-sp-800-39-managing-risk
Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology
"Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization. This process is more important than ever because of the increasing reliance on technology and the shift towards zero trust architectures where the perimeter largely does not exist anymore. This guide applies to all types of computing technology assets, including information technology (IT), operational technology (OT), Internet of Things (IoT), mobile, cloud, virtual machine, and container assets. There is often a divide between business/mission owners, who may believe that patching negatively affects productivity, and security/technology management. This publication frames patching as a critical component of preventive maintenance for computing technologies—a cost of doing business and a necessary part of what organizations need to do to achieve their missions. The core obligation is for leadership, business/mission owners, and security/technology management teams to jointly create an enterprise patch management strategy that simplifies and operationalizes patching while also improving its reduction of risk. This involves maintaining up-to-date software and asset inventories, defining risk response scenarios (routine patching, emergency patching, emergency mitigation, unpatchable assets), assigning assets to maintenance groups, and defining maintenance plans for each group. Preventive maintenance through enterprise patch management helps prevent compromises, data breaches, operational disruptions, and other adverse events."
Technical ID
nist-sp-800-40r4-enterprise-patch-management
Guidelines on Firewalls and Firewall Policy
"Firewalls are devices or programs that control the flow of network traffic between networks or hosts that employ differing security postures. This guidance provides an overview of firewall technologies, discusses their security capabilities, and makes recommendations for establishing firewall policies and for selecting, configuring, testing, deploying, and managing firewall solutions. It is intended for technical IT personnel responsible for firewall design, selection, deployment, and management. The core recommendations for organizations are to create a firewall policy that specifies how firewalls should handle inbound and outbound network traffic. A firewall policy should define how firewalls handle traffic for specific IP addresses, protocols, and applications based on risk analysis. Generally, all inbound and outbound traffic not expressly permitted by the firewall policy should be blocked. Organizations should also create rulesets that implement the firewall policy while supporting performance, and manage firewall architectures, policies, and software throughout their lifecycle. This includes using a formal change management control process for rulesets, performing periodic reviews, monitoring logs and alerts, and patching firewall software as vendors provide updates."
Technical ID
nist-sp-800-41-r1-firewalls
Managing the Security of Information Exchanges
"This publication provides guidance for managing the security of information exchanges between systems that are owned and operated by different organizations or are within the same organization but with different authorization boundaries. An organization often has mission and business-based needs to exchange information with other internal or external organizations via various information exchange channels, and the information being exchanged requires the same or similar level of protection as it moves from one organization to another, commensurate with risk. This guidance defines the scope of information exchange, describes the benefits of secure management, identifies types of exchanges, and discusses potential security risks and the types of agreements that may be applied by organizations. The core obligation is a four-phased approach for securely managing information exchange. The phases are: 1) Planning the information exchange, where organizations perform preliminary activities, examine all relevant issues, and develop an appropriate agreement; 2) Establishing the information exchange, where organizations execute a plan, implement security controls, and sign agreements; 3) Maintaining the exchange, where organizations actively maintain security and ensure agreement terms are met; and 4) Discontinuing the information exchange in a manner that avoids disruption. Agreements specify the responsibilities of participating organizations and the technical and security requirements for the exchange."
Technical ID
nist-sp-800-47-information-exchanges
Building a Cybersecurity and Privacy Learning Program
"This publication provides guidance for federal agencies and organizations to develop and manage a life cycle approach to building a Cybersecurity and Privacy Learning Program (CPLP). The program is intended to address the needs of large and small organizations and includes cybersecurity and privacy awareness campaigns, role-based training, and other workforce education programs. The CPLP is designed to be part of a larger organizational effort to reduce cybersecurity and privacy risks, supporting federal requirements such as the Federal Information Security Management Act (FISMA) and incorporating industry-recognized best practices for risk management. The core obligation is for an organization to create a strategic program plan that ensures appropriate resources are available to meet learning goals for all personnel, including employees and contractors. The overarching goal of a CPLP is to provide opportunities for learning at all levels, encourage behavior change as part of risk management, and lead to developing a privacy and security culture in the organization. The guidance provides steps to build an effective CPLP, identify personnel who require advanced training, create a methodology for program evaluation, and engage in ongoing improvement to minimize privacy and security risks to the organization."
Technical ID
nist-sp-800-50r1-learning-program
Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
"Transport Layer Security (TLS) provides mechanisms to protect data during electronic dissemination across the Internet. This Special Publication provides guidance to the selection and configuration of TLS protocol implementations while making effective use of Federal Information Processing Standards (FIPS) and NIST-recommended cryptographic algorithms. It requires that TLS 1.2 configured with FIPS-based cipher suites be supported by all government TLS servers and clients and requires support for TLS 1.3 by January 1, 2024. This Special Publication also provides guidance on certificates and TLS extensions that impact security. The guidelines in this document are specifically targeted towards U.S. federal departments and agencies. While these guidelines are primarily designed for federal users and system administrators to adequately protect sensitive but unclassified U.S. Federal Government data, they may also be used by non-governmental organizations on a voluntary basis. The guidance promotes more consistent use of authentication, confidentiality, and integrity mechanisms; consistent use of recommended cipher suites that encompass NIST-approved algorithms; and protection against known and anticipated attacks on the TLS protocol."
Technical ID
nist-sp-800-52r2-tls-guidelines
Security and Privacy Controls for Information Systems and Organizations
"This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. The consolidated control catalog addresses security and privacy from both a functionality perspective and an assurance perspective. Revision 5 of this foundational NIST publication represents a multi-year effort to develop the next generation of security and privacy controls. The objectives are to make the information systems we depend on more penetration-resistant, limit the damage from attacks when they occur, make the systems cyber-resilient and survivable, and protect individuals’ privacy. It includes changes to make the controls more outcome-based, integrating information security and privacy controls into a seamless, consolidated catalog, establishing a new supply chain risk management control family, and separating control selection processes from the controls themselves to allow use by different communities of interest."
Technical ID
nist-sp-800-53-r5
Control Baselines for Information Systems and Organizations
"This publication provides security and privacy control baselines for the Federal Government. It establishes three security control baselines, one for each system impact level—low-impact, moderate-impact, and high-impact—as well as a privacy baseline that is applied to systems irrespective of impact level. These control baselines serve as a starting point for organizations in the security and privacy control selection process. The document provides tailoring guidance and a set of working assumptions that help guide and inform the control selection process, allowing organizations to customize their security and privacy control baselines to protect their critical and essential operations and assets. The guidance is applicable to any organization that processes, stores, or transmits information, including federal, state, local, and tribal governments, as well as private sector organizations. For federal information systems, implementation of a minimum set of controls selected from NIST SP 800-53 is mandatory in accordance with the Federal Information Security Modernization Act (FISMA) and OMB Circular A-130. The core obligation involves categorizing systems by impact level, selecting the appropriate predefined control baseline, and then applying a tailoring process to align the controls more closely with specific organizational mission needs and risk assessments. This proactive and systematic approach helps ensure systems are sufficiently trustworthy and resilient to support the economic and national security interests of the United States."
Technical ID
nist-sp-800-53b-control-baselines
Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography
"This Recommendation specifies key-establishment schemes using integer factorization cryptography, in particular, RSA. The schemes are appropriate for use by the U.S. Federal Government to support cryptographic algorithms used in modern applications with automated key-establishment. Both key-agreement and key transport schemes are specified for pairs of entities, and methods for key confirmation are included to provide assurance that both parties share the same keying material. A key-establishment scheme can be characterized as either a key-agreement scheme, where the resultant secret keying material is a function of information contributed by two participants, or a key-transport scheme, whereby one party selects a value for the secret keying material and then securely distributes that value. This document is intended for vendors implementing secure key-establishment using asymmetric algorithms in FIPS 140 validated modules. The security of the schemes relies on the intractability of factoring integers that are products of two sufficiently large, distinct prime numbers. The recommendation details the entire process, including the generation and validation of RSA key pairs, the establishment of a shared secret, derivation of keying material, and optional key confirmation. It also mandates security practices, such as the destruction of sensitive locally stored data after use, to limit opportunities for unauthorized access."
Technical ID
nist-sp-800-56b-key-establishment
Recommendation for Key Management: Part 1 – General
"This Recommendation provides cryptographic key-management guidance, focusing on general best practices for the management of cryptographic keying material. The proper management of cryptographic keys is essential to the effective use of cryptography for security, as poor key management may easily compromise strong algorithms. This guidance covers the management of a cryptographic key throughout its entire lifecycle, including its secure generation, storage, distribution, use, and destruction. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of associated cryptographic mechanisms and protocols, and the protection afforded to the keys. Secret and private keys must be protected against unauthorized disclosure, and all keys need protection against modification. This guidance applies to U.S. government agencies protecting sensitive, unclassified information and may be used by non-governmental organizations on a voluntary basis. It is intended for developers and system administrators to support appropriate decisions when selecting and using cryptographic mechanisms, ensuring that real security is achieved rather than an illusion of it."
Technical ID
nist-sp-800-57-key-management
Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations
"NIST Special Publication (SP) 800-57 provides cryptographic key management guidance. Part 2 of this recommendation identifies the concepts, functions, and elements common to effective systems for the management of symmetric and asymmetric keys. It details the security planning requirements and documentation necessary for effective institutional key management, describes Key Management Specification requirements, and outlines the cryptographic Key Management Policy and Key Management Practice Statement documentation needed by organizations that use cryptography. The primary audience for this guidance is U.S. government system owners and managers who are setting up or acquiring cryptographic key management capabilities. However, it is also intended to provide voluntary cybersecurity guidelines to the private sector. The document emphasizes that responsible key management is essential to the effective use of cryptographic mechanisms for protecting information technology systems. It requires that any organization employing cryptography to provide security services must have key management policy, practices, and planning documentation to ensure assurance that keys are authentic, belong to the asserted entity, and have not been accessed by unauthorized parties."
Technical ID
nist-sp-800-57-p2-r1
Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories
"Developed by the National Institute of Standards and Technology (NIST) in response to the Federal Information Security Management Act (FISMA), this guideline assists Federal government agencies in categorizing their information and information systems. Its primary objective is to facilitate the provision of appropriate levels of information security according to a range of impact levels that might result from the unauthorized disclosure, modification, or loss of availability of information. The guidance is intended for use by federal agencies but may also be used by non-governmental organizations on a voluntary basis. This document, Volume II, contains the appendices which include security categorization recommendations and rationale for a wide range of mission-based, management, and support information types. The core process outlined involves reviewing security categorization terms from FIPS 199, following a recommended categorization process, and using a methodology to identify types of Federal information. The appendices provide suggested provisional security impact levels for these common information types. The guideline also discusses information attributes that may lead to variances from these provisional assignments and describes how to establish an overall system security categorization based on the system’s use, connectivity, and the aggregate information it contains. The provisional impact level assignments are intended as the first step in a broader risk assessment process, not as a definitive checklist for auditors."
Technical ID
nist-sp-800-60-v2r1-appendices
Computer Security Incident Handling Guide
"Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively by providing guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications. The Federal Information Security Management Act (FISMA) requires Federal agencies to establish incident response capabilities. Organizations must create, provision, and operate a formal incident response capability, including creating an incident response policy and plan, developing procedures for incident handling, and establishing relationships with other groups. Federal law also requires Federal agencies to report incidents to the United States Computer Emergency Readiness Team (US-CERT). This guideline is prepared for use by Federal agencies, but may be used by nongovernmental organizations on a voluntary basis. It is intended for computer security incident response teams (CSIRTs), system and network administrators, security staff, and management responsible for preparing for or responding to security incidents."
Technical ID
nist-sp-800-61r2-incident-handling
Digital Identity Guidelines: Authentication and Lifecycle Management
"These guidelines provide technical requirements for federal agencies implementing digital identity services, but may be used by non-governmental organizations on a voluntary basis. The guidelines focus on the authentication of subjects interacting with government systems over open networks, establishing that a given claimant is a subscriber who has been previously authenticated. The core obligation is to meet the requirements for a chosen Authenticator Assurance Level (AAL), which characterizes the strength of an authentication transaction. Stronger authentication, or a higher AAL, requires malicious actors to have better capabilities and expend greater resources to subvert the authentication process. The document defines three levels. AAL1 provides some assurance that the claimant controls an authenticator, requiring either single-factor or multi-factor authentication. AAL2 provides high confidence and requires proof of possession and control of two different authentication factors using approved cryptographic techniques. AAL3 provides very high confidence, requiring authentication based on proof of possession of a key through a cryptographic protocol. AAL3 specifically requires a hardware-based authenticator that provides verifier impersonation resistance. The guidelines detail permitted authenticator types, authenticator and verifier requirements, reauthentication rules, and security controls for each AAL."
Technical ID
nist-sp-800-63b-authentication
NIST Special Publication 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management
"These guidelines provide technical requirements for federal agencies implementing digital identity services, focusing on the authentication of subjects interacting with government systems over open networks. The core obligation is to establish that a given claimant is a subscriber who has been previously authenticated. Digital authentication is the process of determining the validity of one or more authenticators used to claim a digital identity, establishing that a subject is in control of the technologies used to authenticate. For services in which return visits are applicable, successfully authenticating provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously. The strength of an authentication transaction is characterized by an ordinal measurement known as the Authenticator Assurance Level (AAL). AAL1 provides some assurance that the claimant controls an authenticator, requiring either single-factor or multi-factor authentication. AAL2 provides high confidence and requires proof of possession and control of two different authentication factors through secure protocols. AAL3 provides very high confidence, is based on proof of possession of a key through a cryptographic protocol, and requires a hardware-based authenticator that provides verifier impersonation resistance."
Technical ID
nist-sp-800-63b-digital-identity
National Checklist Program for IT Products – Guidelines for Checklist Users and Developers
"A security configuration checklist (also called a lockdown or hardening guide) is a series of instructions for configuring an IT product to a particular operational environment, verifying its configuration, and identifying unauthorized changes. Using well-written, standardized checklists can markedly reduce the vulnerability exposure of IT products. To facilitate the development and use of these checklists, NIST established the National Checklist Program (NCP), which maintains the National Checklist Repository, a publicly available resource containing information on a variety of security configuration checklists for specific IT products. This document is intended for users and developers of security configuration checklists in both the public and private sectors. For users, it provides recommendations on selecting checklists from the repository, evaluating, testing, and applying them. For developers, it sets forth the policies, procedures, and general requirements for participation in the NCP. A core obligation is that Federal agencies are required to use appropriate security configuration checklists from the NCP when available, as stated in the Federal Acquisition Regulation (FAR). FISMA also requires Federal agencies to determine minimally acceptable system configuration requirements and ensure compliance, which these checklists facilitate."
Technical ID
nist-sp-800-70-r4-ncp
Guide to Operational Technology (OT) Security
"This document provides guidance on how to secure operational technology (OT) while addressing their unique performance, reliability, and safety requirements. OT encompasses a broad range of programmable systems and devices that interact with the physical environment, such as industrial control systems (ICS), building automation systems, and transportation systems. It provides an overview of OT, identifies common threats and vulnerabilities, and recommends security countermeasures to mitigate associated risks. The guidance applies to organizations operating OT systems, including federal agencies and privately owned critical infrastructure, which are often highly interconnected and mutually dependent. The core obligation is to establish a robust OT cybersecurity program as part of broader safety and reliability programs. Major security objectives include: restricting logical access to the OT network and systems using architectures like a demilitarized zone (DMZ); restricting physical access to OT networks and devices; protecting individual OT components from exploitation through measures like patch management and disabling unused ports; detecting security events; maintaining functionality during adverse conditions through redundancy and graceful degradation; and having the capability to restore and recover the system after an incident. An effective program should apply a defense-in-depth strategy, layering security mechanisms to minimize the impact of any single failure."
Technical ID
nist-sp-800-82r3-ot-security
Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
"This document provides guidance on designing, developing, conducting, and evaluating test, training, and exercise (TT&E) events so that organizations can improve their ability to prepare for, respond to, manage, and recover from adverse events that may affect their missions. It is intended for organizations with information technology (IT) plans, such as contingency and computer security incident response plans, that must be maintained in a state of readiness. This includes having personnel trained to fulfill their roles, plans exercised to validate their content, and systems tested to ensure their operability. The core obligation is for organizations to establish a comprehensive TT&E program because tests, training, and exercises are closely related and offer different ways of identifying deficiencies in IT plans, procedures, and training. The guidance applies to single organizations, as opposed to large-scale events involving multiple entities. As part of creating a TT&E program, a plan should be developed that outlines the organization’s roadmap for ensuring a viable capability, including the development of a TT&E policy, identification of roles and responsibilities, establishment of an event schedule, and documentation of a TT&E event methodology. The types of events covered are tests (evaluation tools that use quantifiable metrics to validate IT system operability), training (informing personnel of their roles and responsibilities), tabletop exercises (discussion-based simulations), and functional exercises (performance-based simulations in a simulated operational environment)."
Technical ID
nist-sp-800-84-tte-programs
Guide to Integrating Forensic Techniques into Incident Response
"Digital forensics is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. This guide provides practical guidance on performing computer and network forensics to help organizations investigate computer security incidents and troubleshoot IT operational problems. Its focus is primarily on using forensic techniques to assist with computer security incident response, presenting forensics from an IT perspective rather than a law enforcement view. Practically every organization needs a capability to perform digital forensics; without it, an organization will have difficulty determining what events have occurred within its systems and networks, such as exposures of protected, sensitive data. The forensic process comprises four basic phases: Collection, Examination, Analysis, and Reporting. The guidance applies to incident response teams, forensic analysts, system and security administrators, and computer security program managers. It details establishing a forensic capability, including developing policies and procedures that define roles, responsibilities, and appropriate use of forensic tools. The guide covers data sources including files, operating systems, network traffic, and applications, and provides recommendations for how multiple data sources can be used together to gain a better understanding of an event. Organizations should use this guide as a starting point for developing a forensic capability in conjunction with guidance from legal advisors, law enforcement, and management."
Technical ID
nist-sp-800-86-forensic-techniques
Guidelines for Media Sanitization
"This guide assists organizations and system owners in making practical media sanitization decisions based on the categorization of their information's confidentiality. Sanitization is a process that renders access to target data on media infeasible for a given level of effort. As data passes through multiple organizations and storage media, particularly in distributed cloud-based architectures, the potential for sensitive data to be collected and retained increases. The application of effective sanitization techniques is a critical aspect of ensuring sensitive data is protected against unauthorized disclosure. The responsibility for efficient information management, from inception through disposition, falls on all parties who handle the data. This responsibility is amplified by legal and ethical obligations to protect data such as Personally Identifiable Information (PII). An organization must ensure that no easily re-constructible residual representation of data is stored on media after it has left the organization's control or is no longer protected at the data's original confidentiality categorization. This guideline specifies that an organization must sanitize or destroy information system digital media before its disposal or release for reuse. It provides a decision-making process and minimum recommendations for various media types, including hard copy, magnetic, flash-based, and optical media, categorizing sanitization actions as Clear, Purge, or Destroy."
Technical ID
nist-sp-800-88-media-sanitization
Recommendation for Random Number Generation Using Deterministic Random Bit Generators
"This Recommendation specifies mechanisms for the generation of random bits using deterministic methods. The methods provided are based on either hash functions or block cipher algorithms. A Deterministic Random Bit Generator (DRBG) is based on a DRBG mechanism and includes a source of randomness. A DRBG mechanism uses an algorithm that produces a sequence of bits from an initial value that is determined by a seed, which in turn is determined from the output of the randomness source. Once the seed is provided and the initial value is determined, the DRBG is said to be instantiated and may be used to produce output. The seed used to instantiate the DRBG must contain sufficient entropy to provide an assurance of randomness. If the seed is kept secret, and the algorithm is well designed, the bits output by the DRBG will be unpredictable, up to the instantiated security strength of the DRBG. This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, and may be used by non-governmental organizations on a voluntary basis."
Technical ID
nist-sp-800-90a-rev1-drbg
Guide to Computer Security Log Management
"A log is a record of the events occurring within an organization’s systems and networks. The number, volume, and variety of computer security logs have increased greatly, which has created the need for computer security log management—the process for generating, transmitting, storing, analyzing, and disposing of computer security log data. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. Organizations also may store and analyze certain logs to comply with Federal legislation and regulations, including the Federal Information Security Management Act of 2002 (FISMA). This publication provides guidance for meeting log management challenges. Key recommendations include establishing policies and procedures for log management, prioritizing log management appropriately throughout the organization, creating and maintaining a secure log management infrastructure, and providing proper support for all staff with log management responsibilities. This guidance is for computer security staff, program managers, system administrators, and incident response teams responsible for performing duties related to computer security log management, particularly within Federal agencies."
Technical ID
nist-sp-800-92-log-management
Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
"This guide seeks to assist organizations in better understanding the Institute of Electrical and Electronics Engineers (IEEE) 802.11 family of standards for wireless local area networks (WLANs), focusing on the security enhancements introduced in the IEEE 802.11i amendment. The IEEE 802.11i amendment introduces the concept of a Robust Security Network (RSN), a wireless security network that only allows the creation of Robust Security Network Associations (RSNAs). RSNAs are wireless connections providing moderate to high levels of assurance against WLAN security threats through cryptographic techniques. RSN components include stations (STAs) like laptops, access points (APs), and authentication servers (AS). NIST requires Federal agencies to use the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) for securing IEEE 802.11-based WLANs, as it uses the FIPS-approved Advanced Encryption Standard (AES). For legacy equipment without CCMP, auxiliary protection like an IPsec VPN is required. Organizations should carefully select authentication methods, using the Extensible Authentication Protocol (EAP) and the IEEE 802.1X standard instead of pre-shared keys (PSKs). The EAP-TLS method is recommended whenever possible. To ensure interoperability and security, organizations should procure WPA2 Enterprise certified products that use FIPS-approved encryption algorithms and have been FIPS-validated."
Technical ID
nist-sp-800-97-ieee-802-11i
Guide for Developing Security Plans for Federal Information Systems
"The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection as part of good management practice, and the protection of a system must be documented in a system security plan. This is a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. Management authorization to operate should be based on an assessment of management, operational, and technical controls documented in the security plan. By authorizing processing in a system, the manager accepts its associated risk. Re-authorization should occur whenever there is a significant change in processing, but at least every three years. This guidance applies to program managers, system owners, and security personnel responsible for developing, implementing, and managing federal information systems."
Technical ID
nist-sp800-18-developing-security-plans
Mitigating Cybersecurity and Privacy Risks in Telehealth Smart Home Integration
"This paper introduces a notional high-level smart home integration reference architecture to better understand cybersecurity and privacy risks associated with Hospital-at-Home (HaH) deployments in the context of an integrated smart home environment, focusing on voice assistants (e.g., smart speakers) as a representative Internet of Things (IoT) device. The guidelines are intended for technologists and information security professionals who work in healthcare delivery organizations (HDOs), including hospitals, clinics, or other healthcare facilities that may implement HaH solutions for their patients. Adversaries may exploit patient-owned IoT devices and home network infrastructures as entry points into an HDO’s broader environment. To address these risks, this paper leverages the NIST Cybersecurity and Privacy Frameworks and NIST IoT Core Baseline to outline mitigation efforts for HDOs. The core obligations and recommended mitigations include access control, authentication, continuous monitoring, data security, governance, and network segmentation. A core theme calls upon HDOs to ensure network segmentation between medical or biometric devices and other environments to impede a threat actor’s ability to compromise an endpoint and impact other devices. Other key protections include implementing data security encryption for both data-in-transit and data-at-rest to maintain data confidentiality and integrity."
Technical ID
nist-telehealth-smart-home-integration
Glossary of Key Information Security Terms
"This publication, NISTIR 7298 Revision 3, describes an easily-accessible repository of terms and definitions extracted verbatim from National Institute of Standards and Technology (NIST) publications and Committee on National Security Systems (CNSS) Instruction 4009. The repository, referred to as 'the Glossary,' consists of an online user interface application and an underlying relational database. The database contains terms and definitions from NIST Federal Information Processing Standard Publications (FIPS), Special Publication (SP) 800 series, select NIST Interagency or Internal Reports (NISTIRs), and CNSSI-4009. It does not contain definitions without a source publication, and terms from draft documents are not included as they are not stable. The Glossary is intended to help users understand terminology, recognize when and where multiple definitions may exist, and identify a definition that they can use. By providing this central resource, NIST aims to help standardize terms and definitions, reducing confusion and the tendency to create unique definitions for different situations. The publication provides an overview of the Glossary's design, methodology, and the structure of its database. It is intended for a technical audience interested in the Glossary's structure or anyone interested in its purpose and development. Users interested only in the terms and definitions are encouraged to use the online application directly."
Technical ID
nistir-7298r3-glossary-security-terms
NISTIR 8114 Report on Lightweight Cryptography
"NIST-approved cryptographic standards were designed to perform well on general-purpose computers, but their performance may not be acceptable for the increasing number of small, resource-constrained computing devices found in areas like the Internet of Things (IoT), sensor networks, and healthcare. Many modern cryptographic algorithms cannot be implemented in these constrained devices. In response, NIST initiated a lightweight cryptography project to investigate the issues and develop a strategy for the standardization of lightweight cryptographic algorithms. This report provides an overview of the project and outlines NIST's plan to create a portfolio of lightweight algorithms through an open process. Instead of a one-size-fits-all standard, NIST will develop 'profiles' that capture the specific physical, performance, and security requirements imposed by various devices and applications. Algorithms will be evaluated and recommended for use only within the context of these specific profiles. The report solicits feedback from stakeholders to help define these requirements and profiles, marking the initial phase of a long-term effort to approve and maintain a portfolio of algorithms suitable for constrained environments."
Technical ID
nistir-8114-lightweight-cryptography
NISTIR 8183 Cybersecurity Framework Manufacturing Profile
"This document provides the Cybersecurity Framework (CSF) implementation details developed for the manufacturing environment. The “Manufacturing Profile” of the Cybersecurity Framework can be used as a roadmap for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices. This Manufacturing Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems. The Profile is meant to enhance but not replace current cybersecurity standards and industry guidelines that the manufacturer is embracing. The Profile gives manufacturers a method to identify opportunities for improving their current cybersecurity posture, an evaluation of their ability to operate the control environment at an acceptable risk level, and a standardized approach to preparing a cybersecurity plan. It is built around the five primary functional areas of the Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. There are 98 distinct security objectives within these areas that comprise a starting point from which to develop a manufacturer-specific Profile at defined risk levels of Low, Moderate, and High. The Profile focuses on desired cybersecurity outcomes and provides a prioritization of security activities to meet specific business and mission goals."
Technical ID
nistir-8183-manufacturing-profile
NISTIR 8228 Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks
"The Internet of Things (IoT) is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. The purpose of this publication is to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their individual IoT devices throughout the devices’ lifecycles. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how these devices affect cybersecurity and privacy risks differently than conventional information technology (IT) devices do. The primary audience for this publication is personnel at federal agencies with responsibilities related to managing cybersecurity and privacy risks for IoT devices, although personnel at other organizations and IoT device manufacturers may also find value in the content. This publication provides insights to inform organizations’ risk management processes, identifying three high-level considerations: 1) Many IoT devices interact with the physical world in ways conventional IT devices usually do not, requiring explicit recognition of impacts to physical systems. 2) Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can, necessitating new approaches. 3) The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices. Organizations should address these risk considerations and challenges throughout the IoT device lifecycle by adjusting organizational policies and processes and implementing updated mitigation practices."
Technical ID
nistir-8228-iot-cybersecurity-risks
NISTIR 8259A IoT Device Cybersecurity Capability Core Baseline
"This publication defines an Internet of Things (IoT) device cybersecurity capability core baseline, which is a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the device cybersecurity capabilities for new IoT devices they will manufacture, integrate, or acquire. The main audience for this publication is IoT device manufacturers, but it may also help IoT device customers or integrators. The core baseline has been derived from researching common cybersecurity risk management approaches and commonly used capabilities for addressing cybersecurity risks to IoT devices. These capabilities were developed in the context of NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers. This baseline is intended to give all organizations a starting point for IoT device cybersecurity risk management, but the implementation of all capabilities is not considered mandatory. It is left to the implementing organization to understand the unique risk context in which it operates and what is appropriate for its given circumstance."
Technical ID
nistir-8259a-iot-device-cybersecurity
Blockchain and Related Technologies to Support Manufacturing Supply Chain Traceability: Needs and Industry Perspectives
"This publication explores the issues surrounding supply chain traceability, assessing the role blockchain and related technologies can play in its improvement. It targets all stakeholders in the U.S. national manufacturing supply chain, including businesses, regulatory agencies, standards bodies, researchers, and consumers, particularly those involved with operational technology (OT) and industrial control systems (ICS). The core finding is that traceability, including pedigree and provenance records, must be shared via multi-lateral ecosystems of supply chain participants to overcome the limitations of traditional bi-lateral message exchanges. These ecosystems can leverage blockchain technology to cryptographically ensure that traceability records are properly attributed, tamper-evident, and cannot be deleted, thereby mitigating risks from logistical disruptions, fraud, and sabotage. The document proposes an ecosystem-oriented perspective layered atop the existing 'per acquirer' view in supply chain risk management. This approach is necessary to enable multi-lateral information sharing and migrate from linear information flows. By establishing ecosystem-wide agreement on traceability requirements, organizations can mitigate semantic gaps and issues with trust transitivity. Achieving this requires linking physical objects to cyber records, cooperation across the supply chain to read and write traceability records, and sufficient incentives to motivate adoption and achieve a Minimum Viable Ecosystem (MVE). The publication analyzes several case studies and identifies key areas for future research, including identity, message content standards, barriers to entry, and ecosystem interoperability."
Technical ID
nistir-8419-supply-chain-traceability
Ordered t-way Combinations for Testing State-based Systems
"This publication introduces a notion of ordered t-way combinations for testing state-based systems where the response depends on both input values and the current system state. In such systems, like network protocols or credit card transaction systems, internal states change as input values are processed, and fault detection often depends on the specific order of inputs that establish states which eventually lead to a failure. Standard combinatorial testing has deficiencies for these systems because it does not account for the order in which inputs occur. This white paper proposes a methodology to ensure that relevant combinations of input values have been tested with adequate diversity of ordering to ensure correct operation. The core concept is the 'ordered combination cover' (OCC), which covers all s-orders of t-way combinations of parameter values. The paper proves that a test set achieves this coverage if and only if it includes an ordered series containing a total of 's' covering arrays, each of strength 't'. This result provides a practical method for generating test suites that can detect faults only discoverable when a system is in a particular state, which can only be reached by a specific order of input combinations. This approach can be applied in runtime verification, assertion monitoring, and other methods that rely on checking program properties and states as code is executed."
Technical ID
ordered-t-way-combination-testing
Ordered t-way Combinations for Testing State-based Systems
"Fault detection in state-based systems often depends on the specific order of inputs that establish states which eventually lead to a failure. For systems where the response depends on both input values and the current system state, such as network protocols or credit card systems, it is often difficult to determine if code has been exercised sufficiently. Measures are needed to ensure that relevant combinations of input values have been tested with adequate diversity of ordering to ensure correct operation. Combinatorial testing has deficiencies for verifying state-based systems because internal states change as input values are processed, and the system may subsequently respond differently to the same input. This publication introduces a notion of ordered t-way combinations and an ordered combination cover (OCC) to address this gap. An OCC covers all s-orders of t-way combinations of the input parameters. The core finding is a proof that a test set covers s-orders of t-way combinations if and only if it includes an ordered series containing a total of s covering arrays, each of strength t. This result provides a practical and efficient method to produce tests that cover all orders of t-way combinations up to a necessary order length by concatenating t-way covering arrays, making it possible to detect faults that are only discoverable when a system is in a particular state reached by a specific order of input combinations."
Technical ID
ordered-t-way-combinations-testing
OWASP Top 10 for LLMs & Agents
"Operationalizing the security framework delineated by the Open Web Application Security Project's Top 10 for Large Language Model Applications, this compliance control set establishes stringent policies for mitigating critical vulnerabilities. The configuration mandates a proactive defense against Prompt Injection by enabling rules to block_direct_prompt_injection and filter_indirect_prompt_injection_from_web_sources, neutralizing both direct and embedded threats. To counter Insecure Output Handling, the policy to require_strict_output_parsing_for_downstream_plugins becomes mandatory, ensuring model-generated content is rigorously validated before interacting with subordinate systems or APIs. Furthermore, addressing risks of Excessive Agency and Supply Chain Vulnerabilities, the node enforces a directive to mandate_least_privilege_for_agent_roles. This constrains autonomous systems and their integrated tools to only their narrowest required operational scope. Lastly, safeguarding against Sensitive Information Disclosure, the framework institutes a control to prevent_training_data_extraction_attacks, which protects proprietary or confidential data within a model's training set from adversarial exfiltration. These combined measures constitute a robust security posture for artificial intelligence application development and deployment aligned with leading industry guidance."
Technical ID
owasp-agentic-top10
Prompt Injection Prevention (OWASP LLM01)
"Prompt Injection (LLM01) occurs when an attacker manipulates an LLM via crafted inputs to override system instructions. Prevention requires strict input sanitization, separation of data from instructions, and least-privilege tool access."
Technical ID
owasp-llm-1
Insecure Output Handling (OWASP LLM02)
"Insecure Output Handling (LLM02) occurs when an application trustingly processes LLM-generated output without validation, potentially leading to XSS, CSRF, or SSRF in downstream systems."
Technical ID
owasp-llm-2
Protecting Subscriber Identifiers with Subscription Concealed Identifier (SUCI)
"This white paper describes how Subscription Concealed Identifier (SUCI) protection can be enabled in 5G networks as an optional security capability defined by 5G standards. It addresses the problem of the Subscription Permanent Identifier (SUPI) being sent in the clear over the air, which allows eavesdroppers to intercept it, track a subscriber's location, and pose cybersecurity and privacy risks. The SUCI capability addresses this by encrypting the SUPI with the public key of the home operator. The resulting ciphered identity is always unique and cannot be correlated to the subscriber by an attacker. The guidance applies to technology, cybersecurity, and privacy professionals involved in 5G-enabled services, including private 5G network operators, commercial mobile network operators, and end-user organizations. The core obligation for network operators is to enable SUCI on their 5G networks and subscriber SIMs, and crucially, to configure SUCI to use a non-null encryption cipher scheme. If a null scheme is used, the SUPI is not actually encrypted. 5G devices and network functions compliant with 3GPP release 15 or later are required to support the SUCI capability, but enabling it is optional for network operators, who should evaluate the risks of not enabling this critical capability."
Technical ID
protecting-subscriber-identifiers-suci
Quantum Readiness Triage
"A quantum readiness assessment is the systematic process of identifying all cryptographic assets in an organization that are vulnerable to attack by a Cryptographically Relevant Quantum Computer (CRQC) and producing a prioritized migration roadmap to post-quantum cryptography (PQC). NIST finalized the first PQC standards (FIPS 203, 204, 205) in August 2024. NSA CNSA 2.0 mandates migration timelines with new systems adopting PQC by 2025 and legacy systems fully migrated by 2030. The 'harvest now, decrypt later' (HNDL) threat means adversaries are already collecting encrypted data today to decrypt once quantum computers mature — organizations with long-lived sensitive data (classified, health, financial, legal) must begin migration immediately regardless of when CRQCs become available."
Technical ID
quantum-risk-audit
Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography
"This Recommendation specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman (DH) and Menezes-Qu-Vanstone (MQV) key establishment schemes. The specifications are appropriate for use by the U.S. Federal Government and are intended to provide sufficient information for a vendor to implement secure key establishment using asymmetric algorithms in FIPS 140-validated modules. The publication was developed by the National Institute of Standards and Technology (NIST) in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014. A key-establishment scheme can be characterized as either a key-agreement scheme or a key-transport scheme. During a pair-wise key-agreement scheme, the secret keying material to be established is not sent directly from one entity to another. Instead, the two parties exchange information from which they each compute a shared secret that is used to derive the secret keying material. This recommendation specifies the processes associated with key establishment, including procedures for generating domain parameters, generating static and ephemeral key pairs, providing assurance of public key validity, deriving secret keying material from a shared secret, and optionally performing key confirmation."
Technical ID
recommendation-for-pair-wise-key-establishment
Risk Management for Replication Devices
"This publication provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on replication devices (RDs), which include copiers, printers, three-dimensional (3D) printers, scanners, 3D scanners, and multifunction machines. The guidance is applicable to all RDs, including software applications for using tablets or cell phones as copiers/scanners, but only pertains to the copy/print/scan functions. As RDs are often connected to organizational networks, run commercial operating systems, and store information on nonvolatile media, they may be vulnerable to numerous exploits if risks are not mitigated. The document discusses vulnerabilities and exploits associated with RDs and provides a set of security practices and controls that can be implemented to mitigate risks. It suggests appropriate countermeasures in the context of the System Development Life Cycle (SDLC) — from initiation and acquisition to disposal. The target audience includes individuals responsible for the purchase, installation, configuration, maintenance, disposition, and security of RDs. The core obligation is for organizations to manage the risks associated with RDs by understanding threats, vulnerabilities, potential impact, and implementing appropriate security controls to protect information."
Technical ID
risk-management-for-replication-devices
Secure Hash Standard (SHS)
"This Standard specifies secure hash algorithms - SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256 - for computing a condensed representation of electronic data (message) called a message digest. The digests are used to detect whether messages have been changed since the digests were generated. The hash algorithms specified are called secure because, for a given algorithm, it is computationally infeasible to find a message that corresponds to a given message digest, or to find two different messages that produce the same message digest. Any change to a message will, with a very high probability, result in a different message digest. This Standard is applicable to all Federal departments and agencies for the protection of sensitive unclassified information. Either this Standard or Federal Information Processing Standard (FIPS) 202 must be implemented wherever a secure hash algorithm is required for Federal applications, including as a component within other cryptographic algorithms and protocols. The secure hash algorithms may be implemented in software, firmware, hardware or any combination thereof, but only algorithm implementations that are validated by NIST will be considered as complying with this standard."
Technical ID
secure-hash-standard-fips-180-4
Securing Property Management Systems
"In recent years criminals and other attackers have compromised the networks of several major hotel chains, exposing the information of hundreds of millions of guests. Hospitality organizations can reduce the likelihood of a hotel data breach by strengthening the cybersecurity of their property management system (PMS). This cybersecurity practice guide shows an approach to securing a PMS and the system of guest services it supports. It offers how-to guidance for building a reference design using commercially available products within a zero trust architecture to mitigate cybersecurity risk. The PMS is an attractive target for attackers because it serves as the information technology (IT) operations and data management hub of a hotel, interfacing with services like point-of-sale (POS) systems, physical access control, and Wi-Fi networks. An unsecured or poorly secured PMS could expose a hotel to a significant and costly data breach, which may result in financial penalties for violating state, federal, and international privacy and other regulatory regimes. This guide provides a reference design that uses technologies and security capabilities to protect data and limit user access. The principal recommendations include implementing cybersecurity concepts such as zero trust architecture, moving target defense, tokenization of credit card data, and role-based authentication. The solution supports security standards from the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Hospitality Technology Next Generation, and the Payment Card Industry (PCI) Security Standards Council. The core objective is to prevent unauthorized access via role-based authentication, protect from unauthorized lateral movement, prevent theft of credit card data via tokenization, increase situational awareness through logging, and prevent unauthorized use of personal information."
Technical ID
securing-property-management-systems
Security Considerations in the System Development Life Cycle
"The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-64, Security Considerations in the System Development Life Cycle, was developed to assist federal government agencies in integrating essential information technology (IT) security steps into their established IT system development life cycle (SDLC). This guideline applies to all federal IT systems other than national security systems and is intended for an audience of information system and information security professionals, including system owners, developers, and program managers. To be most effective, information security must be integrated into the SDLC from system inception. Early integration of security enables agencies to maximize return on investment in their security programs through the early identification and mitigation of security vulnerabilities, resulting in a lower cost of security control implementation. The core obligation is to incorporate security considerations into each phase of the SDLC—initiation, development/acquisition, implementation/assessment, operations/maintenance, and disposal—to facilitate informed executive decision-making through comprehensive risk management in a timely manner."
Technical ID
security-considerations-system-development-lifecycle
Guide for Security-Focused Configuration Management of Information Systems
"This guide provides guidelines for organizations responsible for managing and administering the security of federal information systems. It assumes that information security is an integral part of an organization’s overall configuration management, with a focus on implementing the security aspects of configuration management, termed security-focused configuration management (SecCM). SecCM is defined as the management and control of configurations for information systems to enable security, facilitate the management of information security risk, and minimize organizational risk while supporting desired business functionality and services. Implementing system changes almost always results in adjustments to the system configuration; therefore, a well-defined configuration management process that integrates information security is needed to ensure these adjustments do not adversely affect the security of the system. The process of applying SecCM practices involves managing and monitoring system configurations to achieve adequate security. This publication is applicable to all federal information systems, excluding national security systems, and is intended for a diverse audience, including individuals with system security management, development, implementation, and assessment responsibilities. The core obligation is to establish and maintain the integrity of systems through control of the processes for initializing, changing, and monitoring their configurations."
Technical ID
security-focused-configuration-management
Singapore Cybersecurity Act 2018 (Cap. 9D, 2024 Amendment) — CII Protection and Licensing
"This Act establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore, imposing duties on owners of Critical Information Infrastructure (CII) to secure their systems and report incidents (Part 3, Section 14), and requiring the licensing of specific cybersecurity service providers (Part 5, Section 24)."
Technical ID
sg-cybersecurity-act-2018
Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management: Enhancing Internet Protocol-Based IoT Device and Network Security
"This practice guide from the National Cybersecurity Center of Excellence (NCCoE) demonstrates various mechanisms for trusted network-layer onboarding of IoT devices in Internet Protocol-based environments. Establishing trust between a network and an Internet of Things (IoT) device prior to providing the device with the credentials it needs to join the network is crucial for mitigating the risk of potential attacks, which can occur when a device is convinced to join an unauthorized network or when a malicious device infiltrates a network. Trust is achieved by attesting and verifying the identity and posture of the device and the network before providing the device with its network credentials. The guide shows how to provide network credentials to IoT devices in a trusted manner and maintain a secure device posture throughout the device lifecycle, thereby enhancing IoT security. The guidance applies to IoT device users, manufacturers, and vendors of semiconductors, secure storage components, IoT devices, and network onboarding equipment. The core obligation is to use scalable, automated mechanisms to securely manage IoT devices, particularly through a trusted mechanism for providing IoT devices with unique network credentials and access policies at the time of deployment. This approach aims to safeguard IoT devices from being taken over by unauthorized networks, ensure networks are not put at risk as new IoT devices are added, and provide ongoing protection of IoT devices throughout their lifecycles."
Technical ID
trusted-iot-device-onboarding
UK NCSC Cyber Essentials Scheme — Five Technical Controls and Certification Requirements (2023)
"The UK NCSC Cyber Essentials scheme requires organizations to implement five fundamental technical security controls to protect against common cyber threats as a prerequisite for certification. As outlined in the 'Cyber Essentials Requirements for IT infrastructure', these controls cover firewalls, secure configuration, user access control, malware protection, and security update management."
Technical ID
uk-ncsc-cyber-essentials-2023
UK Product Security and Telecommunications Infrastructure Act 2022 — IoT Security Requirements
"This UK law requires manufacturers, importers, and distributors of consumer connectable products to meet minimum security standards, including a ban on universal default passwords, publishing a vulnerability disclosure policy, and defining a minimum support period for security updates, as outlined in Part 1 and Schedule 1 of the Act."
Technical ID
uk-psti-act-2022
CISA Cross-Sector Cybersecurity Performance Goals 2022 — Baseline Cybersecurity Practices for Critical Infrastructure
"This voluntary guidance from CISA establishes a common set of baseline cybersecurity goals for critical infrastructure owners and operators to reduce risks across both Information Technology (IT) and Operational Technology (OT) systems. The goals, such as Goal 2.H (Implement Phishing Protection), are designed to be clear, actionable, and prioritized to help organizations focus on the most significant risk reduction measures."
Technical ID
us-cisa-cpg-2022
CISA Known Exploited Vulnerabilities Catalog — Binding Operational Directive 22-01 and Mandatory Remediation Timelines
"Binding Operational Directive (BOD) 22-01 requires U.S. Federal Civilian Executive Branch (FCEB) agencies to remediate vulnerabilities listed in the CISA-managed Known Exploited Vulnerabilities (KEV) catalog within specified, aggressive timeframes to protect federal networks from active threats."
Technical ID
us-cisa-kev-catalog
National Cybersecurity Strategy of the United States of America (2023)
"This strategy establishes a whole-of-nation approach to US cybersecurity, shifting the burden of defense from end-users to the most capable organizations, including government and technology producers. It is organized around five core pillars, from defending critical infrastructure (Pillar One) to forging international partnerships (Pillar Five), to create a more defensible, resilient, and values-aligned digital ecosystem."
Technical ID
us-national-cybersecurity-strategy-2023
SEC Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rules 2023
"Mandates U.S. public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality (Item 1.05) and to annually disclose their cybersecurity risk management, strategy, and governance processes in their Form 10-K (Item 106 of Regulation S-K)."
Technical ID
us-sec-cybersecurity-disclosure-2023
NIST SPECIAL PUBLICATION 1800-34 Validating the Integrity of Computing Devices
"The supply chains of information and communications technologies are increasingly at risk of compromise from counterfeiting, unauthorized production, tampering, theft, and insertion of unexpected software and hardware. This practice guide demonstrates how organizations can verify that the internal components and system firmware of the computing devices they acquire are genuine and have not been unexpectedly altered during manufacturing, distribution, or operational use. The approach relies on device vendors creating a verifiable artifact within each device that securely binds the device’s attributes to the device’s identity. The customer who acquires the device can then validate the artifact’s source and authenticity, and check the attributes stored in the artifact against the device’s actual attributes to ensure they match. This process, a critical foundation of cyber supply chain risk management (C-SCRM), helps organizations avoid using untrustworthy technology components, enable customers to verify product authenticity, and prevent system compromises caused by acquiring compromised technology. It leverages hardware roots of trust as a foundation to maintain trust in a computing device throughout its operational lifecycle. The guide addresses the creation of verifiable descriptions by manufacturers, the verification of devices during acceptance testing, and the continuous verification of components during subsequent stages in the operational environment."
Technical ID
validating-integrity-of-computing-devices
Cybercrimes Act 19 of 2020
"This Act criminalizes a wide range of cyber offenses in South Africa and imposes a mandatory reporting duty on electronic communications service providers and financial institutions to report specific offenses to the South African Police Service within 72 hours, as stipulated in Chapter 8, Section 54."
Technical ID
za-cybercrimes-act-2020
Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002
"This South African law regulates the interception of communications, requiring telecommunication service providers to verify and record the identity and address of all customers before activating a service, as mandated by Chapter IV, Sections 39 and 40. It also obligates providers to maintain capabilities for lawful interception when directed by a court order."
Technical ID
za-rica-2002
Technical Registry Export
Context: Cybersecurity / Total Filtered: 216 Nodes
This utility allows developers and AI architects to instantly extract technical identifiers for the current filtered view. Use these IDs to programmatically call the Bidda Sovereign Forest API. All exports respect the global Triple-Verification Pipeline.