Karen Scarfone

Karen is dedicated to helping federal agencies and others communicate technical cybersecurity info to external and internal audiences. Karen founded her company on the belief that security professionals will continue to fall behind attackers until we become more adept at communication.

Karen was formerly a Senior Computer Scientist at NIST, where she developed security publications for federal agencies and the public. She holds master's degrees in computer science and technical writing, and she's worked in IT for over 30 years.

Karen Scarfone's Publications and Blog

Welcome! This site has links to my online publications and blog posts. Sign up to get a weekly email update when I release a new pub or blog post. And if you love what I do and want to support it, feel free to buy me a coffee!

NIST • 13th January 2025

Ransomware Risk Management CSF 2.0 Profile

NIST IR 8374 reflects changes made to the Cybersecurity Framework (CSF) from CSF 1.1 to CSF 2.0 which identifies security objectives that support managing, detecting, responding to, and recovering from ransomware events. You can use this publication to gauge your organization’s readiness to counter ransomware threats, mitigate potential consequences of a ransomware event, and to develop a ransomware countermeasure playbook.

NIST • 4th December 2024

SP 1800-35 (Draft), Implementing a Zero Trust Architecture

This publication outlines results and best practices from the NCCoE effort working with 24 vendors to demonstrate end-to-end zero trust architectures.

NIST • 6th November 2024

Reallocation of Temporary Identities: Applying 5G Cybersecurity and Privacy Capabilities

This publication provides additional details regarding how 5G protects subscriber identities (IDs). It focuses on how the network reallocates temporary IDs to protect users from being identified and located by an attacker.

NIST • 31st October 2024

Automation of the NIST CMVP

The NIST NCCoE has undertaken the Automated Cryptographic Module Validation Project (ACMVP) to support improvement in the efficiency and timeliness of CMVP operations and processes. The goal is to demonstrate a suite of automated tools that would permit organizations to perform testing of their cryptographic products according to the requirements of FIPS 140-3, then directly report the results to NIST using appropriate protocols.

NIST • 21st October 2024

CSF 2.0: Quick-Start Guide for C-SCRM

This guide focuses on two ways the CSF can help you: 1) Use the CSF’s GV.SC Category to establish and operate a C-SCRM capability. 2) Define and communicate supplier requirements using the CSF.

NIST • 21st October 2024

CSF 2.0: Quick-Start Guide for Using the CSF Tiers

This Quick-Start Guide describes how to apply the CSF 2.0 Tiers. CSF Tiers can be applied to CSF Organizational Profiles to characterize the rigor of an organization’s cybersecurity risk governance and management outcomes. This can help provide context on how an organization views cybersecurity risks and the processes in place to manage those risks.

NIST • 30th September 2024

Using Hardware-Enabled Security to Ensure 5G System Platform Integrity

This publication provides an overview of employing hardware-enabled security capabilities to provision, measure, attest to, and enforce the integrity of the compute platform to foster trust in a 5G system’s server infrastructure.

NIST • 29th September 2024

Supplemental CSF Spreadsheet

NIST is providing users with a resource to compare and contrast CSF 1.1 and CSF 2.0. This new supplemental document is intended as an aid to anyone who is transitioning a CSF 1.1 Organizational Profile, conducting mapping, or converting other CSF 1.1 Core content to use the CSF 2.0 Core.

NIST • 15th August 2024

Protecting Subscriber Identifiers with Subscription Concealed Identifier (SUCI)

This publication describes enabling SUCI protection, an optional capability new in 5G which provides important security and privacy protections for subscribers. 5G network operators are encouraged to enable SUCI on their 5G networks and subscriber SIMs and to configure SUCI to use a non-null encryption cipher scheme; this provides their customers with the advantages of SUCI’s protections.

NIST • 15th August 2024

Applying 5G Cybersecurity and Privacy Capabilities: Introduction to the White Paper Series

This publication explains what you can expect from each part of the white paper series: information, guidance, recommended practices, and research findings for a specific technical cybersecurity or privacy-supporting capability available in 5G systems or their supporting infrastructures.

NIST • 26th July 2024

Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile

This publication augments the secure software development practices and tasks defined in SSDF Version 1.1. It adds practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle.

Blog • 2nd May 2024

Making myself dispensable

Making yourself dispensable--by sharing what you've learned with others--enables others to do what you do.

NIST • 29th April 2024

SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile

This publication augments the secure software development practices and tasks defined in SSDF Version 1.1. SP 800-218A adds practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle.

NIST • 2nd April 2024

Incident Response Recommendations and Considerations

This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities, as described by CSF 2.0.

Blog • 5th March 2024

The CSF 2.0 FAQ

Have questions about CSF 2.0?

Blog • 27th February 2024

Building a Cybersecurity Concept System with CSF 2.0

NIST's release of the CSF 2.0 and related resources means that we as a community can work together to create a cybersecurity concept system that benefits us all.

NIST • 26th February 2024

Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings

This document describes NIST’s approach to mapping the elements of documentary standards, regulations, frameworks, and guidelines to a particular NIST publication, such as CSF Subcategories or SP 800-53r5 controls. This approach is to be used to map relationships involving NIST cybersecurity and privacy publications that will be submitted via the NIST OLIR process and hosted on CPRT.

NIST • 26th February 2024

National OLIR Program: Submission Guidance for OLIR Developers

The National Online Informative References (OLIR) Program is a NIST effort to facilitate standardized definitions of Online Informative References (OLIRs) by subject matter experts. This document assists OLIR Developers in understanding the processes and requirements for participating in the Program.

NIST • 26th February 2024

National OLIR Program: Overview, Benefits, and Use

An Online Informative Reference (OLIR) provides a standardized expression of the relationships between concepts in documents. This report provides an overview of the National OLIR Program, explains the basics of OLIRs and the benefits they can provide, and shows how anyone can access and use OLIRs.

NIST • 26th February 2024

NIST CSF 2.0: Quick-Start Guide for C-SCRM

The CSF can help an organization become a smart acquirer and supplier of technology products and services. This guide focuses on two ways the CSF can help you: 1)Use the CSF’s GV.SC Category to establish and operate a C-SCRM capability. 2) Define and communicate supplier requirements using the CSF.

NIST • 26th February 2024

NIST CSF 2.0: A Guide to Creating Community Profiles

This guide provides considerations for creating and using Community Profiles to implement the CSF 2.0. Communities can build on the ideas in this guide to create a Community Profile that supports their needs where they share common priorities.

NIST • 26th February 2024

NIST CSF 2.0: Quick-Start Guide for Using the CSF Tiers

This Quick-Start Guide describes how to apply the CSF 2.0 Tiers. CSF Tiers can be applied to CSF Organizational Profiles to characterize the rigor of an organization’s cybersecurity risk governance and management outcomes.

NIST • 26th February 2024

NIST CSF 2.0: Quick-Start Guide for Creating and Using Organizational Profiles

This Quick-Start Guide gives an overview of creating and using organizational profiles for NIST CSF 2.0. An Organizational Profile describes an organization’s current and/or target cybersecurity posture in terms of cybersecurity outcomes from the Cybersecurity Framework (CSF) Core.

NIST • 26th February 2024

The NIST Cybersecurity Framework (CSF) 2.0

The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts.

Load More