Cybersecurity

NIST Seeks Input on International Aspects of the Cybersecurity Framework, Other Resources

By: Amy Mahn
4 April 2022 at 08:00
Addressing global needs is a critical part of NIST’s work in the evolution of the Cybersecurity Framework, especially as we continue to see international adaptions and use cases to address emerging risks. Recently translated into French and Ukrainian, the Framework is now available in 10 languages, and additional translations are in the works. With a growing user base around the world, the Framework is primed for an update that draws more deeply on international viewpoints. The recently released Request for Information (RFI) on “Evaluating and Improving NIST Cybersecurity Resources: The

A Peek at Privacy: Where We Started, Where We are Now, and What’s Next

6 April 2022 at 08:00
As part of NIST’s 50th anniversary of cybersecurity, this month’s blog post is centered on privacy at NIST. Since many of you have become familiar with the Privacy Engineering Program’s popular Venn diagram showing the relationship between cybersecurity and privacy risks, let’s use it to show how NIST has expanded and matured its understanding of privacy over the last 50 years. If we go back in time to the 1960s, data privacy really came into focus when the growing use of computers created concerns about secret databases of people’s information. The report, Records, Computers, and the Rights

The Application of Cybersecurity for IoT Capabilities to Real-World Scenarios

25 April 2022 at 08:00
NIST has a history of collaboration between its programs, which helps maximize project impacts and practicality to industry. One great example is between NIST’s National Cybersecurity Center of Excellence (NCCoE) and the Cybersecurity for the Internet of Things (IoT) Program. Recent project reports from the NCCoE include mappings of relevant IoT device cybersecurity capabilities and nontechnical supporting capabilities; these three mappings align NIST’s IoT cybersecurity guidance with real-world implementation approaches: Securing Telehealth Remote Patient Monitoring Ecosystem Securing

Cybersecurity for IoT: The Road We’ve Traveled, The Road Ahead

16 May 2022 at 08:00
The NIST Cybersecurity for IoT program published Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NISTIR 8228) in June 2019, nearly 3 years ago. Since then, IoT technology has continued to develop and be adopted across sectors and markets. NIST’s own work, both in and outside IoT, has also progressed since the publication of NISTIR 8228. These developments warrant a new look at the contents of NISTIR 8228 and at future IoT cybersecurity priorities at NIST. As the Cybersecurity for IoT program has progressed through guidance for IoT device manufacturers (

The Cornerstone of Cybersecurity – Cryptographic Standards and a 50-Year Evolution

In today’s connected digital world, cryptographic algorithms are implemented in every device and applied to every link to protect information in transmission and in storage. Over the past 50 years, the use of cryptographic tools has expanded dramatically, from limited environments like ATM encryption to every digital application used today. Throughout this long journey, NIST has played a unique leading role in developing critical cryptographic standards. Data Encryption Standard (DES) In the early 1970s, there was little public understanding of cryptography, although most people knew that

Setting off on the Journey to the NIST Cybersecurity Framework (CSF) 2.0

3 June 2022 at 08:00
Over the past few months, NIST has been seeking feedback on the use and improvements to its cybersecurity resources through the Request for Information (RFI) on “Evaluating and Improving NIST Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management.” In this RFI, NIST asked about evaluating and improving the NIST Cybersecurity Framework (CSF or Framework), use of the Framework in conjunction with other resources, and improving supply chain cybersecurity risk management. The RFI garnered 134 comments (at date of publication) from a diverse range of

NIST International Outreach Strengthened through Additional Translations and Engagement

By: Amy Mahn
9 June 2022 at 08:00
With the update to the Cybersecurity Framework in full swing, NIST continues to prioritize international engagement through conversations and collaborations on cybersecurity. This work is critical to NIST’s efforts to ensure international alignment on cybersecurity and privacy resources. Here’s a quick summary of some recent engagements, with more to come in the next few weeks! Under Secretary of Commerce for Standards and Technology and NIST Director Laurie Locascio participated virtually in the G7 Digital Ministers meeting on May 10th alongside the State Department. She spoke about current

Identity and Access Management at NIST: A Rich History and Dynamic Future

Digital identity for access control is a fundamental and critical cybersecurity capability that ensures the right people and things have the right access to the right resources at the right time. NIST has a rich history in digital identity standardization spanning more than 50 years. We have conducted research, developed prototypes and reference implementations, and supported pilots to better understand new and emerging technologies that inform our digital identity standards, guidelines, and resources. Also, NIST participates and leads in the development of national and international standards

Next Up: Integrating Information and Communication Technology Risk Programs with Enterprise Risk Management

5 July 2022 at 08:00
Given the increasing reliance of organizations on technologies over the past 50 years, a number of risk disciplines have evolved into full-fledged risk programs. In recent years, cybersecurity, supply chain, and privacy risk management programs have formalized best practices. Yet the rapid evolution of these disciplines sometimes has led to miscommunication and inefficiencies between those risk programs and overarching enterprise risk management (ERM) portfolio. The years ahead will focus on optimizing coordination and communication between all risk programs and ERM. To be supportive of

Standards: The CPSO’s Best Friend

15 July 2022 at 08:00
Workshop Shines Light on Role of Standards in Cybersecurity for IoT What do Chief Product Security Officers (CPSOs) want to make their job easier? As it turns out, standards. This insight was one of many shared at a public virtual workshop NIST held June 22, 2022, to discuss the next steps for the Cybersecurity for the Internet of Things (IoT) program. As we move forward in developing cybersecurity guidance for IoT products, NIST remains committed to an open and transparent process that builds on input from stakeholders, including industry and the broader public. Our June 22 workshop explored

NIST’s Expanding International Engagement on Cybersecurity

By: Amy Mahn
27 July 2022 at 08:00
In providing a foundation for cybersecurity advancements over the years, NIST has taken the global context into account when determining priorities and approaches. Our participation in Standards Developing Organizations (SDOs) has expanded steadily, and we encourage international participation in the development of our own programs and resources. As we celebrate the 50th anniversary of cybersecurity at NIST, it is more important than ever that we work with our partners around the world. NIST’s growing impact on the international stage is reflected in the many translations of our signature

The Final Countdown to Cybersecurity Awareness Month 2022: “It's easy to stay safe online!”

29 September 2022 at 08:00
Today’s blog will jumpstart NIST’s celebration of Cybersecurity Awareness Month 2022! We have a lot in store for October and are looking forward to sharing our work, progress, events, and news with you. This year’s theme is "See Yourself In Cyber" and will cover four key behaviors: enabling multi-factor authentication; using strong passwords and a password manager; updating software; recognizing and reporting phishing. As a repeat Cybersecurity Awareness Month Champion, NIST is dedicated to promoting a safer online environment and helping others learn and understand the complex world of

NIST International Engagement Updates: CSF 2.0 Update Workshop and More

By: Amy Mahn
30 September 2022 at 08:00
The subject of international alignment and alignment with international resources continues to be an important focus for NIST, particularly with the process for the Cybersecurity Framework (CSF) 2.0 update. This was an important area for many of our stakeholders, as described in the summary of analysis of the Request for Information (RFI) from February. NIST hosted its first virtual workshop on the journey to the CSF 2.0 update process in August. During the workshop, NIST described the importance of international alignment as well as the feedback we heard on continuing our international

Cybersecurity Awareness Month 2022: Enabling Multi-factor Authentication Key behavior: Multi-factor Authentication

In celebration of Cybersecurity Awareness Month, NIST will be publishing a dedicated blog series throughout October; we will be sharing blogs each week that will match up to four key behaviors identified by the National Cybersecurity Alliance (NCA). Today’s interview-style blog features two NIST experts—Bill Newhouse and Ryan Galluzzo—discussing different reasons to enable multi-factor authentication (a mechanism to verify an individual’s identity by requiring them to provide more information than just a username and password). Here are the questions they both were asked, along with their

Cybersecurity Awareness Month 2022: Using Strong Passwords and a Password Manager

13 October 2022 at 08:00
The key behavior that we are highlighting this week for Cybersecurity Awareness Month is using strong passwords and a password manager. In today’s blog we interviewed NIST’s Connie LaSalle, a senior technology policy advisor, and she offers four specific ways to mitigate your cybersecurity risks online while discussing the importance of adopting strong passwords. Take a look at her responses to our questions below… This week’s Cybersecurity Awareness Month theme is using strong passwords and a password manager. How does your work/specialty area at NIST tie into this behavior? As a senior

Cybersecurity Awareness Month 2022: Updating Software

17 October 2022 at 08:00
Cybersecurity Awareness Month is flying by, and today’s blog identifies different security vulnerabilities that can be exposed if you are unable to keep up with your software updates. We interviewed NIST’s Michael Ogata, a computer scientist in the Applied Cybersecurity Division, and he walked us through different strategies to minimize your cybersecurity risks. Michael also was able to provide cyber tips to improve online safety. This week’s Cybersecurity Awareness Month theme is updating software. How does your work/specialty area at NIST tie into this behavior? Today, mobile applications

Student Insights on Cybersecurity Careers

Hi, our names are Aubrie, Kyle, and Lindsey! We participated in internships at the National Initiative for Cybersecurity Education (NICE) Program Office this past year. This is a career pivot for Aubrie, meaning this is her introduction to cybersecurity from another career; she is earning her master’s with a concentration in cybersecurity. Kyle was an undergraduate intern majoring in Computer Engineering. He is almost finished with his education and will soon be transitioning into the workforce. Lindsey is a high school member of the program. The three of us come from different academic and

Cybersecurity Awareness Month 2022: Recognizing & Reporting Phishing

24 October 2022 at 08:00
This blog will officially wrap up our 2022 Cybersecurity Awareness Month blog series — today we have a special interview from Marian Merritt, deputy director, lead for industry engagement for the National Initiative for Cybersecurity Education (NICE)! Marian will be discussing the importance of recognizing and reporting phishing incidents in detail. A phishing attack is an attempt to fool an individual into sharing private information or taking an action that gives criminals access to your accounts, your computer, login credentials or even your network. This week’s Cybersecurity Awareness

Why Employers Should Embrace Competency-Based Learning in Cybersecurity

There is a growing movement toward increasing the use of competency and skills-based education and hiring practices in both the public and private sectors. For example, the Executive Order on Modernizing and Reforming the Assessment and Hiring of Federal Job Candidates calls upon the Federal Government to “ensure that the individuals most capable of performing the roles and responsibilities required of a specific position are those hired for that position”—resulting in “merit-based reforms that will replace degree-based hiring with skills- and competency-based hiring.” Similarly, the

International Engagement Blog: Singapore International Cyber Week, the Regional Initiative for Cybersecurity Education and Training, and More

By: Amy Mahn
14 December 2022 at 07:00
NIST has continued to collaborate into the fall season with partners throughout the world on the Cybersecurity Framework 2.0 update. International engagement and alignment with international standards are important themes for the 2.0 update and will drive changes to ensure global relevance. As part of this ongoing international engagement, NIST welcomed visitors to the NCCoE and NIST headquarters to discuss various cybersecurity topics and explore areas for mutual collaboration. In the past few weeks, NIST met with visitors from Italy, Singapore, New Zealand, Germany, and Brazil at the NCCoE

Data Analytics for Small Businesses: How to Manage Privacy Risks

27 January 2023 at 07:00
Perhaps you’ve been hearing about data analytics, which is being promoted as a way for even small businesses to analyze communications with customers, enhance customer experience, save money, and ultimately improve your brand. However, data analytics can have big privacy implications. You may think of managing privacy risk as protecting sensitive customer information, such as credit cards. As the Venn diagram to the right demonstrates, data security is certainly one aspect of privacy risk, but privacy risks can also arise by means unrelated to cybersecurity incidents. People can experience

Phishing Resistance – Protecting the Keys to Your Kingdom

If you own a computer, watch the news, or spend virtually any time online these days you have probably heard the term “phishing.” Never in a positive context…and possibly because you have been a victim yourself. Phishing refers to a variety of attacks that are intended to convince you to forfeit sensitive data to an imposter. These attacks can take a number of different forms; from spear-phishing (which targets a specific individual within an organization), to whaling (which goes one step further and targets senior executives or leaders). Furthermore, phishing attacks take place over multiple

The Importance of Transparency – Fueling Trust and Security Through Communication

Who needs to know ‘What,’ ‘When,’ and ‘How’ to tell them The Challenge There are many challenges to providing and maintaining cybersecurity in today’s connected world. While product developers increasingly consider security as they design and build products, they may not always communicate critical cybersecurity information about their connected products. Information gaps present a challenge to stakeholders—especially customers—who have limited insight into the security processes, functions and features that protect connected products, components, and services. Effective communication is the

Small Business is a Big Priority: NIST Expands Outreach to the Small Business Community

Did you know that 99.9% of businesses in America are small businesses? [1] Small businesses are a major source of innovation for our country—but they’re often faced with limited resources and budgets. Many of them need cybersecurity solutions, guidance, and training so they can cost-effectively address and manage their cybersecurity risks. Hmmm…where can you find guidance like this all in one place? Voila! The Small Business Cybersecurity Corner! This website was created by NIST in 2019 in response to the NIST Small Business Cybersecurity Act, which directed us to “disseminate clear and

Mapping out our Destination: Responsible Innovation via the NIST Identity Roadmap

22 May 2023 at 08:00
RSA Conference week is always a whirlwind. NIST was there front and center last month, and we learned a lot, shared a lot, and made a big announcement during the festivities… We were excited to announce that NIST’s DRAFT Identity and Access Management Roadmap was released for public comment on Friday, April 14th and that the comment period will be extended to June 16th. What is the Roadmap? The Roadmap provides a consolidated view of NIST’s planned identity efforts over the coming years and serves as a vehicle to communicate our priorities. It provides guiding principles, strategic

SSDF and IoT Cybersecurity Guidance: Building Blocks for IoT Product Security

NIST’s IoT cybersecurity guidance has long recognized the importance of secure software development (SSDF) practices, highlighted by the NIST IR 8259 series—such as the recommendation for documentation in Action 3.d of NIST IR 8259B, that manufacturers have considered and documented their “secure software development and supply chain practices used.” The NIST SSDF (NIST SP 800-218) describes software development practices that can aid manufacturers in developing IoT products by providing guidance for the secure development of software and firmware. These development practices can also provide

International Engagement – Brussels and Beyond

By: Amy Mahn
18 July 2023 at 08:00
International engagement is an integral part of many ongoing NIST efforts, including the Journey to the Cybersecurity Framework (CSF 2.0) update, our update to the digital identity guidelines, and increasing awareness of the NIST Privacy Framework and IoT cybersecurity work. In the update to NIST CSF 2.0, NIST continues to work with the international community. At NIST’s February 2023 virtual workshop on the CSF 2.0 update, participants from Italian and New Zealand governments and Mexican industry spoke on panels. In addition, participants joined from several countries. We are continuing to

NIST’s Planned Updates to Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide

5 September 2023 at 08:00
Background: NIST Special Publication (SP) 800-66 Healthcare organizations face many challenges from cybersecurity threats. This can have serious impacts on the security of patient data, the quality of patient care, and even the organization’s financial status. Healthcare organizations also must comply with regulatory requirements, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, which focuses on safeguarding the electronic protected health information (ePHI) held or maintained by HIPAA covered entities and business associates (collectively,

MPTS2023

The NIST workshop on Multi-Party Threshold Schemes (MPTS) 2023 will gather diverse public feedback about the process envisioned in the NIST First Call for Multi-Party Threshold Schemes [NISTIR 8214C ipd (2023)]. The process includes an exploration of

Hands-On Learning Experiences Encourage Cybersecurity Career Discovery

With a mention in the new National Cyber Workforce and Education Strategy and even a dedicated state law, K–12 cybersecurity education clearly has the eye of policymakers. However, despite public attention and new opportunities for high school students to pursue cybersecurity coursework, high schools often struggle to provide students with a clear understanding of what cybersecurity careers actually look like. Hands-on learning experiences, like those we’ve had at our schools and during our internship with NICE at NIST, can help bring cybersecurity education and career pathways into focus for