Security White Papers

From the National Institute of Standards and Technology U.S. Department of Commerce http://www.nist.gov



Security Assessment & Testing

Guide to Intrusion Detection and Prevention Systems
http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

Guide for Conducting Risk Assessments (Draft)
http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf

Understanding Insecure IT: Practical Risk Assessment
http://csrc.nist.gov/groups/SNS/rbac/documents/liu-kuhn-rossman-v11-n3.pdf

Model-based Approach to Security Test Automation
http://csrc.nist.gov/groups/SNS/asft/documents/Issre_2002.pdf

Technical Guide to Information Security Testing and Assessment
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

Intro to Information Security Testing and Assessment
http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-6_kscarfone-rmetzer_security-testing-assessment.pdf

Security Assessment Provider Requirements and Customer Responsibilities
http://csrc.nist.gov/publications/drafts/nistir-7328/NISTIR_7328-ipdraft.pdf



Risk Management

Risk Management Guide for Information Technology Systems
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Risk Management Framework FAQs
http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/

Guide for Applying the Risk Management Framework to Federal Information Systems (Revision 1)
http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf



Insider Threats

Mitigating the Insider Threat - Building a Secure Workforce - by Deloitte
http://csrc.nist.gov/organizations/fissea/2012-conference/presentations/fissea-conference-2012_mahoutchian-and-gelles.pdf

FBI: The Insider Threat
https://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat

FBI: How to Spot a Possible Insider Threat
https://www.fbi.gov/news/stories/2012/may/insider_051112/insider_051112



Network Security

Guidelines on Firewalls and Firewall Policy
http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf

Guide to IPsec VPNs
http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf

System and Network Security Acronyms and Abbreviations
http://csrc.nist.gov/publications/nistir/ir7581/nistir-7581.pdf

Guide to Securing Legacy IEEE 802.11 Wireless Networks
http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf

Simulation-based Approaches to Studying Effectiveness of Moving-Target Network Defense
http://csrc.nist.gov/staff/Singhal/mtd_paper_final.pdf



Security Incident Handling

Computer Security Incident Handling Guide
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

Guide to Malware Incident Prevention and Handling for Desktops and Laptops
http://csrc.nist.gov/publications/drafts/800-83-rev1/draft_sp800-83-rev1.pdf

Establishing a Secure Framework
http://csrc.nist.gov/groups/SMA/fisma/ron_ross_continuous_monitoring_article_july2012.pdf



Encryption

Guide to Storage Encryption Technologies for End User Devices
http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf

A Cautionary Note Regarding Evaluation of AES Candidates
http://csrc.nist.gov/archive/aes/round1/conf2/papers/chari.pdf

Cryptography Key Management
http://csrc.nist.gov/groups/ST/key_mgmt/documents/June09_Presentations/Joe_Skehan_KMWJune09_KM_Lifecycle.pdf

Enterprise Key Management Challenges and Framework
http://csrc.nist.gov/groups/ST/CETA_2011/abstracts/TSAI_Enterprise_Key_Management_Challenges.pdf

Cryptographic Module Validation Program FIPS
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf

Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program
http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf

Requirements and Desirable Features of U.S. Federal Cryptographic Key Management Systems
http://csrc.nist.gov/publications/drafts/800-152/draft-sp-800-152.pdf



Securing Web Servers

Guidelines on Securing Public Web Servers
http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf



Mobile Computing Security

Guidelines for Managing and Securing Mobile Devices in the Enterprise
http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf

Security of Bluetooth Systems and Devices
http://csrc.nist.gov/publications/nistbul/august-2012_itl-bulletin.pdf



Cloud Computing Security

Cloud Computing Synopsis and Recommendations
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911075

Cloud Computing Synopsis and Recommendations (Draft)
http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf

Guidelines on Security and Privacy in Public Cloud Computing
http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf



Hardware Security & Biometrics

BIOS Integrity Measurement Guidelines
http://csrc.nist.gov/publications/drafts/800-155/draft-SP800-155_Dec2011.pdf

Biometric Specifications for Personal Identity Verification
http://csrc.nist.gov/publications/drafts/800-76-2/draft-sp-800-76-2_revised.pdf



General Security

History of Computer Security
http://csrc.nist.gov/publications/history/

Guide to Protecting the Confidentiality of Personally Identifiable Information
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

Guide to Using Vulnerability Naming Schemes
http://csrc.nist.gov/publications/nistpubs/800-51-rev1/SP800-51rev1.pdf

Guide to Secure Web Services
http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf

Surviving Insecure IT: Effective Patch Management
http://csrc.nist.gov/staff/Kuhn/liu-kuhn-rossman-v11-n2.pdf

Common Remediation Enumeration
http://csrc.nist.gov/publications/drafts/nistir-7831/Draft-NISTIR-7831.pdf

The National Cybersecurity Workforce Framework (Overview)
http://csrc.nist.gov/nice/framework/documents/NICE-Cybersecurity-Workforce-Framework-printable.pdf

Applying the Continuous Monitoring Technical Reference Model
http://csrc.nist.gov/publications/drafts/nistir-7800/Draft-NISTIR-7800.pdf

Guide to Information Technology Security Services
http://csrc.nist.gov/publications/nistpubs/800-35/NIST-SP800-35.pdf

The Technical Specification for the Security Content Automation Protocol
http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf

Guide to General Server Security
http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf

Guide to Enterprise Password Management
http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf