NIST • 2nd April 2024

Incident Response Recommendations and Considerations

This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities, as described by CSF 2.0.

Blog • 5th March 2024

The CSF 2.0 FAQ

Have questions about CSF 2.0?

Blog • 27th February 2024

Building a Cybersecurity Concept System with CSF 2.0

NIST's release of the CSF 2.0 and related resources means that we as a community can work together to create a cybersecurity concept system that benefits us all.

NIST • 26th February 2024

Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings

This document describes NIST’s approach to mapping the elements of documentary standards, regulations, frameworks, and guidelines to a particular NIST publication, such as CSF Subcategories or SP 800-53r5 controls. This approach is to be used to map relationships involving NIST cybersecurity and privacy publications that will be submitted via the NIST OLIR process and hosted on CPRT.

NIST • 26th February 2024

National OLIR Program: Submission Guidance for OLIR Developers

The National Online Informative References (OLIR) Program is a NIST effort to facilitate standardized definitions of Online Informative References (OLIRs) by subject matter experts. This document assists OLIR Developers in understanding the processes and requirements for participating in the Program.

NIST • 26th February 2024

National OLIR Program: Overview, Benefits, and Use

An Online Informative Reference (OLIR) provides a standardized expression of the relationships between concepts in documents. This report provides an overview of the National OLIR Program, explains the basics of OLIRs and the benefits they can provide, and shows how anyone can access and use OLIRs.

NIST • 26th February 2024

NIST CSF 2.0: Quick-Start Guide for C-SCRM

The CSF can help an organization become a smart acquirer and supplier of technology products and services. This guide focuses on two ways the CSF can help you: 1)Use the CSF’s GV.SC Category to establish and operate a C-SCRM capability. 2) Define and communicate supplier requirements using the CSF.

NIST • 26th February 2024

NIST CSF 2.0: A Guide to Creating Community Profiles

This guide provides considerations for creating and using Community Profiles to implement the CSF 2.0. Communities can build on the ideas in this guide to create a Community Profile that supports their needs where they share common priorities.

NIST • 26th February 2024

NIST CSF 2.0: Quick-Start Guide for Using the CSF Tiers

This Quick-Start Guide describes how to apply the CSF 2.0 Tiers. CSF Tiers can be applied to CSF Organizational Profiles to characterize the rigor of an organization’s cybersecurity risk governance and management outcomes.

NIST • 26th February 2024

NIST CSF 2.0: Quick-Start Guide for Creating and Using Organizational Profiles

This Quick-Start Guide gives an overview of creating and using organizational profiles for NIST CSF 2.0. An Organizational Profile describes an organization’s current and/or target cybersecurity posture in terms of cybersecurity outcomes from the Cybersecurity Framework (CSF) Core.

NIST • 26th February 2024

The NIST Cybersecurity Framework (CSF) 2.0

The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts.

TechTarget • 31st January 2024

9 secure email gateway options for 2024

Here's a look at some popular email security gateways and similar products.

NIST • 30th January 2024

SP 1800-37, Addressing Visibility Challenges with TLS 1.3 within the Enterprise

The NCCoE is demonstrating options for maintaining visibility within the TLS 1.3 protocol within an enterprise. The project demonstrates several standards-compliant architectural options for use within enterprises to provide both real-time and post-facto systems monitoring and analytics capabilities. This publication describes the approach, architecture, and security characteristics for the demonstrated proofs of concept.

TechTarget • 5th January 2024

How to create an incident response playbook

Here's a crash course on what incident response playbooks are, why they are important, how to use them and how to build them.

NIST • 16th November 2023

SP 800-221A, Information and Communications Technology Risk Outcomes

Information and Communications Technology (ICT) spans all tools, devices, data, infrastructure, and components and it’s a broad concept that continues to evolve. This publication provides desired outcomes and applicable references common across all types of ICT risk; it offers a common language for understanding, managing, and expressing ICT risk to internal and external stakeholders and can help identify and prioritize actions to reduce ICT risk. The core of this publication can be browsed and downloaded in popular formats such as JSON and Excel using the NIST Cybersecurity and Privacy Tool (CPRT).

NIST • 16th November 2023

SP 800-221, Enterprise Impact of Information and Communications Technology Risk

Information and Communications Technology (ICT) spans all tools, devices, data, infrastructure, and components and it’s a broad concept that continues to evolve. This publication helps in understanding the relationship between ICT risk management and ERM—and the benefits of integrating those approaches. This includes ICT risk guidance on how all ICT risk programs, including individual programs such as privacy, supply chain, and cybersecurity, integrate into ERM.

NIST • 14th November 2023

Data Classification Concepts and Considerations for Improving Data Protection

Data classification is the process an organization uses to characterize its data assets using persistent labels so those assets can be managed properly. This publication defines basic terminology and explains fundamental concepts in data classification so there is a common language for all to use. It can also help organizations improve the quality and efficiency of their data protection approaches by becoming more aware of data classification considerations and taking them into account in business and mission use cases, such as secure data sharing, compliance reporting and monitoring, ZTA, and LLMs.

FedTech • 17th October 2023

Improved Cybersecurity Logging Gives Agencies Better Network Visibility

Each agency should use logging in conjunction with various tools for finding vulnerabilities on each of its IP network-connected technology assets, including missing patches, outdated software versions in need of upgrading, and misconfigured software and services. Most agencies will need to use several tools in combination to achieve the necessary visibility for all of their assets, no matter where each asset is located at any time. Let’s take a closer look at some of these tools.

NIST • 11th October 2023

Draft SP 800-92r1, Cybersecurity Log Management Planning Guide

This document defines a playbook to help any organization plan improvements to its cybersecurity log management practices in support of regulatory requirements and recommended practices. While the playbook is not comprehensive, the listed plays are noteworthy and generally beneficial for cybersecurity log management planning by organizations.

TechTarget • 28th September 2023

How to Develop a Cybersecurity Strategy: Step-by-Step Guide

A cybersecurity strategy isn't meant to be perfect, but it must be proactive, effective, actively supported and evolving. Here are the four steps required to get there.

TechTarget • 26th September 2023

3 phases of the third-party risk management lifecycle

Supply chain vulnerabilities in services can be managed with a third-party risk management program, of which the third-party management lifecycle is key. This lifecycle is composed of three phases: before the contract, during the contract and contract termination. Let's examine each phase, as well as steps to take during each phase to better manage risk.

NIST • 17th August 2023

Developing Cybersecurity and Privacy Concept Mappings

NIST Internal Report (IR) 8477 ipd, Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings, explains NIST’s proposed approach for identifying and documenting relationships between concepts such as controls, requirements, recommendations, outcomes, technologies, functions, processes, techniques, roles, and skills.

NIST • 8th August 2023

NIST Cybersecurity Framework 2.0 Draft

NIST has released a Draft of The NIST Cybersecurity Framework (CSF) 2.0 for public comment! This draft represents a major update to the CSF—a resource first released in 2014 to help organizations reduce cybersecurity risk. The draft update reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice for all organizations.

TechTarget • 4th August 2023

8 vulnerability management tools to consider in 2023

Once an organization implements a vulnerability management program, the next step is providing the program's team with powerful vulnerability management tools to automate as many tasks as possible. Evaluate these eight open source and vendor-supported vulnerability management tools.