INTRODUCTION THE NEED FOR CYBER RESILIENT SYSTEMS he need for trustworthy secure systems1 stems from a variety of stakeholder needs that are driven by mission, business, and other objectives and concerns. The principles, concepts, and practices for engineering trustworthy secure systems can be expressed in various ways, depending on which aspect of trustworthiness is of concern to stakeholders. [NIST 800-160, Vol.1] provides guidance on systems security engineering with an emphasis on protection against asset loss.2 In addition to security, other aspects of trustworthiness include, for example, reliability, safety, resilience, and privacy. Specialty engineering disciplines address different aspects of trustworthiness. While each specialty discipline frames the problem domain and the potential solution space for its aspect of trustworthiness somewhat differently, [NIST 800-160, Vol. 1] includes systems engineering processes to align the concepts, frameworks, and analytic processes from multiple disciplines to make trade-offs within and between the various aspects of trustworthiness applicable to a system-of-interest.3 NIST Special Publication 800-160, Volume 2 focuses on the property of cyber resiliency, which has a strong relationship to security and resilience, but which provides a distinctive framework for its identified problem domain and solution space. Cyber resiliency is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources regardless of the source.4 Cyber resiliency supports mission assurance in a contested environment, for missions which depend on systems which include cyber resources. A cyber resource is an information resource which creates, stores, processes, manages, transmits, or disposes of information in electronic form and which can be accessed via a network or using networking methods. A cyber resource which can be accessed via a
FIPS 201 originally required that all PIV credentials and associated keys be stored in a PIV Card. While the use of the PIV Card for electronic authentication works well with traditional desktop and laptop computers, it is not optimized for mobile devices. In response to the growing use of mobile devices within the Federal government, FIPS 201 was revised to permit the issuance of an additional credential, a Derived PIV Credential, for which the corresponding private key is stored in a cryptographic module with an alternative form factor to the PIV Card. Derived PIV Credentials leverage the current investment in the PIV infrastructure for electronic authentication and build upon the solid foundation of well-vetted and trusted identity of the PIV cardholder – achieving substantial cost savings by leveraging the identity-proofing results that were already performed to issue PIV cards. This document provides the technical guidelines for the implementation of Derived PIV Credentials. The use of a Derived PIV Credential is one possible way to PIV-enable a mobile device. In other cases it may be practical to use the PIV Card itself with the mobile device, using either the PIV Card’s contact or contactless interface, rather than issuing a Derived PIV Credential. Mobile devices are generally too small to integrate smart card readers into the device itself, requiring alternative approaches for communicating between the PIV Card and the mobile device. Some of these approaches are possible by today’s set of available products. Other, newer technologies are addressed by new guidelines in the existing set of PIV Special Publications. The current solution for PIV enablement directly uses PIV Cards with mobile devices through smart card readers. This has the advantage of avoiding the additional time and expense required to issue and manage Derived PIV Credentials. The approach requires smart card readers that are separate from, but attached to, the mobile device itself. These re
NIST SP800-30-Rev1 for risk assessment
1.1 Purpose and Scope The purpose of this guideline is to assist agencies in building security into their IT development processes. This should result in more cost-effective, risk-appropriate ...
procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services.2 Threats and vulnerabilities created by malicious actors (individuals, ...
The protection of sensitive federal information while residing in nonfederal information systems2 and organizations is of paramount importance to federal agencies and can directly impact the ability ...
The purpose of this document is to assist Federal agencies in protecting the confidentiality of personally identifiable information (PII) in information systems. The document explains the importance ...
Based on the results of categorization, the system owner should refer to NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, which specifies that, ...
NIST SP800-181 NICE 网络空间安全人才框架（NCWF）-中文2017-05-10
NIST SP800-181 网络空间安全人才框架 NCWF，National Initiative for CybersecurityEducation (NICE)中文译本
NIST SP800-60 Vol2 Rev1.pdf2020-02-18
Title III of the E-Government Act (Public Law 107-347), titled the Federal Information Security Management Act (FISMA), tasked the National Institute of Standards and Technology (NIST) to develop: ...
This recommendation provides technical guidance to Federal agencies implementing electronic authentication. The recommendation covers remote authentication of users over open networks....
When parties share a secret symmetric key (e.g., upon a successful execution of a key- establishment scheme as specified in  and ), it is often the case that additional keys will be needed (e.g....
T • Enabling more consistent, comparable, and repeatable assessments of security controls in federal information systems; • Promoting a better understanding of agency-related mission risks ...
The purpose of this document is to provide guidelines for organizations on planning and conducting ...This document replaces NIST Special Publication 800-42, Guideline on Network Security Testing.
This Recommendation specifies the Galois/Counter Mode (GCM), an algorithm for authenticated encryption with associated data, and its specialization, GMAC, for generating a message authentication code ...
Many U.S. Government Information Technology (IT) systems need to employ well-established cryptographic schemes to protect the integrity and confidentiality of the data that they process....
This Recommendation specifies a message authentication code (MAC) algorithm based on a symmetric key block cipher. This block cipher-based MAC algorithm, called CMAC, may be used to provide ...
NIST SP800-137 Final.pdf2020-02-25
2 The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security ...