Changes

789 bytes added, 2 years ago
m
Line 25: Line 25:  
The Computer Security Resource Center (CSRC) has two subdivisions, the CSD and the ACD.<ref>[https://csrc.nist.gov/about About CSRC, NIST]</ref>
 
The Computer Security Resource Center (CSRC) has two subdivisions, the CSD and the ACD.<ref>[https://csrc.nist.gov/about About CSRC, NIST]</ref>
 
===Computer Security Division===
 
===Computer Security Division===
The CSD is focused on information systems and specializes in [[Cryptographic Technology]]; Secure Systems and Applications; Security Components and Mechanisms; Security Engineering and Risk Management; and Security Testing, Validation, and Measurement.
+
The CSD is focused on information systems and specializes in [[Cryptography#Cryptographic Technologies|cryptographic technologies]]; secure systems and applications; security components and mechanisms; security engineering and risk management; and security testing, validation, and measurement.
    
===Applied Cybersecurity Division===  
 
===Applied Cybersecurity Division===  
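Review bot: the rewritten CSD sentence lowercases the five focus areas, but the original title case (Cryptographic Technology; Secure Systems and Applications; ...) reads as the names of the CSD's groups, so lowercasing loses that signal; keep the new piped link to the Cryptography page but consider restoring the capitalization. Also check that the anchor in `[[Cryptography#Cryptographic Technologies|...]]` matches the exact section heading on the Cryptography page, since MediaWiki section anchors are case-sensitive and a mismatch silently lands the reader at the top of the page.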
Line 41: Line 41:  
# Reference design users deploy example solutions and provide feedback to validate/improve them.
 
# Reference design users deploy example solutions and provide feedback to validate/improve them.
 
# Other government agencies work with NCCoE through the National Cybersecurity Federally Funded Research and Development Center (NCF).<ref>[https://www.nccoe.nist.gov/sites/default/files/library/fact-sheets/work-for-others-fact-sheet.pdf NCF Fact Sheet, NCCoE]</ref>  
 
# Other government agencies work with NCCoE through the National Cybersecurity Federally Funded Research and Development Center (NCF).<ref>[https://www.nccoe.nist.gov/sites/default/files/library/fact-sheets/work-for-others-fact-sheet.pdf NCF Fact Sheet, NCCoE]</ref>  
# Core partners provide hardware, software, knowledge, and personnel. The current group of partners includes:
+
# Core partners provide hardware, software, knowledge, and personnel. The current group of partners includes:<ref>[https://www.nccoe.nist.gov/partners Partners, NCCoE]</ref>
 
::* [[Amazon|Amazon Web Services]]  
 
::* [[Amazon|Amazon Web Services]]  
 
::* [[CableLabs]]  
 
::* [[CableLabs]]  
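Review bot: the added ref for the partner list cites a live page (nccoe.nist.gov/partners) while the sentence says "the current group of partners includes", so the list will drift from the source; consider adding an access date to the citation so a later editor can tell which snapshot the list reflects.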
Line 57: Line 57:  
::* [[Microsoft]]  
 
::* [[Microsoft]]  
 
::* [[Motorola Solutions]]  
 
::* [[Motorola Solutions]]  
::* [[NextLabs]]  
+
::* [[NextLabs]]
 +
::* [[VMware]]
 +
::* [[ZIMPERIUM]]
 +
<br/>
 +
''NCCoE Projects'':<ref>[https://www.nccoe.nist.gov/projects/building-blocks Building Blocks, NCCoE]</ref><br/>
 +
{| class="wikitable; "border="0"
 +
| * [[5G Security]] || * [[Patching the Enterprise]]
 +
|-
 +
| * [[Adversarial Machine Learning]] || * [[Cryptography#Post-Quantum Cryptography|Post-Quantum Cryptography]]
 +
|-
 +
| * [[Data Security]] || * [[Supply Chain Assurance]]
 +
|-
 +
| * [[Derived PIV Credentials]] || * [[TLS]] Server Certificate Management
 +
|-
 +
| * Internet of Things ([[IoT]]) || * [[Trust]]ed Geolocation in the Cloud
 +
|-
 +
| * [[Mobile Device Security]] || * [[Zero Trust Architecture]]
 +
|}
    
====NICE====
 
====NICE====
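Review bot: the table opener `{| class="wikitable; "border="0"` is malformed: the semicolon inside the class value belongs to nothing, and there is no space between the closing quote of `class` and `border`, so the parser may not apply either attribute cleanly. Use `{| class="wikitable" border="0"`. The leading `* ` inside each cell (`| * [[5G Security]] || * [[Patching the Enterprise]]`) does not start a wiki list, because the asterisk is not at the beginning of a line, so it renders as a literal asterisk; either drop it or put each link on its own line beneath the `|`. Separately, `[[ZIMPERIUM]]` is all caps while every other partner entry is title case; check the spelling against the cited partners page.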
Line 64: Line 81:  
NIST’s Special Publication (SP) 800 series shares computer security information. Created in 1990, the series reports on the Information Technology Laboratory’s research, guidelines, and collaborations with industry, government, and academic organizations.<ref>[https://www.nist.gov/itl/publications-0/nist-special-publication-800-series-general-information SP 800, NIST]</ref>
 
NIST’s Special Publication (SP) 800 series shares computer security information. Created in 1990, the series reports on the Information Technology Laboratory’s research, guidelines, and collaborations with industry, government, and academic organizations.<ref>[https://www.nist.gov/itl/publications-0/nist-special-publication-800-series-general-information SP 800, NIST]</ref>
   −
==SP 800-37==
+
===SP 800-37===
 
The “Guide for Applying the Risk Management Framework to Federal Information Systems” promotes near real-time risk management, encourages the use of automation, integrates information security, emphasizes the selection, implementation, assessment, and overall monitoring of information security controls, links risk management at the information systems level to risks at the organizational level, and establishes responsibility and accountability for security controls.<ref>[https://flank.org/faqs/what-is-nist-sp-800-37 About SP 800-37, Flank]</ref>  
 
The “Guide for Applying the Risk Management Framework to Federal Information Systems” promotes near real-time risk management, encourages the use of automation, integrates information security, emphasizes the selection, implementation, assessment, and overall monitoring of information security controls, links risk management at the information systems level to risks at the organizational level, and establishes responsibility and accountability for security controls.<ref>[https://flank.org/faqs/what-is-nist-sp-800-37 About SP 800-37, Flank]</ref>  
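Review bot: demoting the heading from `==SP 800-37==` to `===SP 800-37===` is correct, since the publication belongs under the SP 800 series section immediately above it; the unchanged description beneath it, however, still cites a third-party FAQ (flank.org) where NIST's own csrc.nist.gov publication page, already used elsewhere on this article, would be the stronger primary citation.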
   Line 76: Line 93:  
* reduces the complexity of the IT infrastructure; and
 
* reduces the complexity of the IT infrastructure; and
 
* provides methods to identify, prioritize and focus resources based on risk/value analysis.<ref>[https://csrc.nist.gov/CSRC/media/Publications/Shared/documents/itl-bulletin/itlbul2019-02.pdf RMF 2.0 Bulletin pg. 4]</ref>
 
* provides methods to identify, prioritize and focus resources based on risk/value analysis.<ref>[https://csrc.nist.gov/CSRC/media/Publications/Shared/documents/itl-bulletin/itlbul2019-02.pdf RMF 2.0 Bulletin pg. 4]</ref>
 +
 +
===SP 800-171===
    
==Cybersecurity Framework==
 
==Cybersecurity Framework==
 
===Version 1.0===
 
===Version 1.0===
 
====History====
 
====History====
In February 2013, recognizing the national and economic security of the United States depends on the reliable function of critical infrastructure, President [[Barak Obama]] issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," ordering NIST to work with stakeholders to develop a voluntary framework based on existing standards, guidelines, and practices for reducing cyber-risks to [[Critical Infrastructure]]. On December 18, 2014, the Cybersecurity Enhancement Act of 2014 (CEA) authorized the Department of Commerce, through NIST, to develop voluntary standards to reduce cyber-risks to critical infrastructure.<ref>[https://itlaw.wikia.org/wiki/Cybersecurity_Enhancement_Act_of_2014 CEA, IT Law Wiki]</ref> The law also ordered the Office of Science and Technology Policy to develop a federal cybersecurity research and development plan. Section 502 required the Director of NIST to ensure interagency coordination toward the development of international technical standards for IT security and transmit to Congress a plan.  
+
In February 2013, recognizing the national and economic security of the United States depends on the reliable function of critical infrastructure, President [[Barak Obama]] issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," ordering NIST to work with stakeholders to develop a voluntary framework based on existing standards, guidelines, and practices for reducing cyber-risks to [[CISA#Critical Infrastructure|Critical Infrastructure]]. On December 18, 2014, the Cybersecurity Enhancement Act of 2014 (CEA) authorized the Department of Commerce, through NIST, to develop voluntary standards to reduce cyber-risks to critical infrastructure.<ref>[https://itlaw.wikia.org/wiki/Cybersecurity_Enhancement_Act_of_2014 CEA, IT Law Wiki]</ref> The law also ordered the Office of Science and Technology Policy to develop a federal cybersecurity research and development plan. Section 502 required the Director of NIST to ensure interagency coordination toward the development of international technical standards for IT security and transmit to Congress a plan.  
 
=====Framework Development=====
 
=====Framework Development=====
 
February 26, 2013: RFI to Develop a Framework to Improve Critical Infrastructure Cybersecurity - February 12, 2014: Framework 1.0 Publication.  
 
February 26, 2013: RFI to Develop a Framework to Improve Critical Infrastructure Cybersecurity - February 12, 2014: Framework 1.0 Publication.  
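Review bot: the new `===SP 800-171===` heading, inserted after the RMF bullet list, has no body, which leaves an empty section between SP 800-37 and `==Cybersecurity Framework==`; either add at least a one-sentence description with a citation or hold the heading until the content is ready. The retargeted link to `[[CISA#Critical Infrastructure|Critical Infrastructure]]` looks fine, but the same touched line keeps `[[Barak Obama]]`, which misspells the name (Barack); since the line was being edited anyway, fix it in the same revision.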