Karen Scarfone's Publications and Blog
Here are links to my online publications and blog posts! Sign up to get a weekly email update when I release a new pub or blog post.
Making yourself dispensable--by sharing what you've learned with others--enables others to do what you do.
SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile
This publication augments the secure software development practices and tasks defined in SSDF Version 1.1. SP 800-218A adds practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle.
Incident Response Recommendations and Considerations
This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities, as described by CSF 2.0.
The CSF 2.0 FAQ
Have questions about CSF 2.0?
Building a Cybersecurity Concept System with CSF 2.0
NIST's release of the CSF 2.0 and related resources means that we as a community can work together to create a cybersecurity concept system that benefits us all.
Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings
This document describes NIST’s approach to mapping the elements of documentary standards, regulations, frameworks, and guidelines to a particular NIST publication, such as CSF Subcategories or SP 800-53r5 controls. This approach is to be used to map relationships involving NIST cybersecurity and privacy publications that will be submitted via the NIST OLIR process and hosted on CPRT.
National OLIR Program: Submission Guidance for OLIR Developers
The National Online Informative References (OLIR) Program is a NIST effort to facilitate standardized definitions of Online Informative References (OLIRs) by subject matter experts. This document assists OLIR Developers in understanding the processes and requirements for participating in the Program.
National OLIR Program: Overview, Benefits, and Use
An Online Informative Reference (OLIR) provides a standardized expression of the relationships between concepts in documents. This report provides an overview of the National OLIR Program, explains the basics of OLIRs and the benefits they can provide, and shows how anyone can access and use OLIRs.
NIST CSF 2.0: Quick-Start Guide for C-SCRM
The CSF can help an organization become a smart acquirer and supplier of technology products and services. This guide focuses on two ways the CSF can help you: 1)Use the CSF’s GV.SC Category to establish and operate a C-SCRM capability. 2) Define and communicate supplier requirements using the CSF.
NIST CSF 2.0: A Guide to Creating Community Profiles
This guide provides considerations for creating and using Community Profiles to implement the CSF 2.0. Communities can build on the ideas in this guide to create a Community Profile that supports their needs where they share common priorities.
NIST CSF 2.0: Quick-Start Guide for Using the CSF Tiers
This Quick-Start Guide describes how to apply the CSF 2.0 Tiers. CSF Tiers can be applied to CSF Organizational Profiles to characterize the rigor of an organization’s cybersecurity risk governance and management outcomes.
NIST CSF 2.0: Quick-Start Guide for Creating and Using Organizational Profiles
This Quick-Start Guide gives an overview of creating and using organizational profiles for NIST CSF 2.0. An Organizational Profile describes an organization’s current and/or target cybersecurity posture in terms of cybersecurity outcomes from the Cybersecurity Framework (CSF) Core.
The NIST Cybersecurity Framework (CSF) 2.0
The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts.
9 secure email gateway options for 2024
Here's a look at some popular email security gateways and similar products.
SP 1800-37, Addressing Visibility Challenges with TLS 1.3 within the Enterprise
The NCCoE is demonstrating options for maintaining visibility within the TLS 1.3 protocol within an enterprise. The project demonstrates several standards-compliant architectural options for use within enterprises to provide both real-time and post-facto systems monitoring and analytics capabilities. This publication describes the approach, architecture, and security characteristics for the demonstrated proofs of concept.
How to create an incident response playbook
Here's a crash course on what incident response playbooks are, why they are important, how to use them and how to build them.
SP 800-221A, Information and Communications Technology Risk Outcomes
Information and Communications Technology (ICT) spans all tools, devices, data, infrastructure, and components and it’s a broad concept that continues to evolve. This publication provides desired outcomes and applicable references common across all types of ICT risk; it offers a common language for understanding, managing, and expressing ICT risk to internal and external stakeholders and can help identify and prioritize actions to reduce ICT risk. The core of this publication can be browsed and downloaded in popular formats such as JSON and Excel using the NIST Cybersecurity and Privacy Tool (CPRT).
SP 800-221, Enterprise Impact of Information and Communications Technology Risk
Information and Communications Technology (ICT) spans all tools, devices, data, infrastructure, and components and it’s a broad concept that continues to evolve. This publication helps in understanding the relationship between ICT risk management and ERM—and the benefits of integrating those approaches. This includes ICT risk guidance on how all ICT risk programs, including individual programs such as privacy, supply chain, and cybersecurity, integrate into ERM.
Data Classification Concepts and Considerations for Improving Data Protection
Data classification is the process an organization uses to characterize its data assets using persistent labels so those assets can be managed properly. This publication defines basic terminology and explains fundamental concepts in data classification so there is a common language for all to use. It can also help organizations improve the quality and efficiency of their data protection approaches by becoming more aware of data classification considerations and taking them into account in business and mission use cases, such as secure data sharing, compliance reporting and monitoring, ZTA, and LLMs.
Improved Cybersecurity Logging Gives Agencies Better Network Visibility
Each agency should use logging in conjunction with various tools for finding vulnerabilities on each of its IP network-connected technology assets, including missing patches, outdated software versions in need of upgrading, and misconfigured software and services. Most agencies will need to use several tools in combination to achieve the necessary visibility for all of their assets, no matter where each asset is located at any time. Let’s take a closer look at some of these tools.
Draft SP 800-92r1, Cybersecurity Log Management Planning Guide
This document defines a playbook to help any organization plan improvements to its cybersecurity log management practices in support of regulatory requirements and recommended practices. While the playbook is not comprehensive, the listed plays are noteworthy and generally beneficial for cybersecurity log management planning by organizations.
How to Develop a Cybersecurity Strategy: Step-by-Step Guide
A cybersecurity strategy isn't meant to be perfect, but it must be proactive, effective, actively supported and evolving. Here are the four steps required to get there.
3 phases of the third-party risk management lifecycle
Supply chain vulnerabilities in services can be managed with a third-party risk management program, of which the third-party management lifecycle is key. This lifecycle is composed of three phases: before the contract, during the contract and contract termination. Let's examine each phase, as well as steps to take during each phase to better manage risk.
Developing Cybersecurity and Privacy Concept Mappings
NIST Internal Report (IR) 8477 ipd, Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings, explains NIST’s proposed approach for identifying and documenting relationships between concepts such as controls, requirements, recommendations, outcomes, technologies, functions, processes, techniques, roles, and skills.
Load More