Karen Scarfone's Publications and Blog
Here are links to my online publications and blog posts! Sign up to get a weekly email update when I release a new pub or blog post.
Have questions about CSF 2.0?
Building a Cybersecurity Concept System with CSF 2.0
NIST's release of the CSF 2.0 and related resources means that we as a community can work together to create a cybersecurity concept system that benefits us all.
Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings
This document describes NIST’s approach to mapping the elements of documentary standards, regulations, frameworks, and guidelines to a particular NIST publication, such as CSF Subcategories or SP 800-53r5 controls. This approach is to be used to map relationships involving NIST cybersecurity and privacy publications that will be submitted via the NIST OLIR process and hosted on CPRT.
National OLIR Program: Submission Guidance for OLIR Developers
The National Online Informative References (OLIR) Program is a NIST effort to facilitate standardized definitions of Online Informative References (OLIRs) by subject matter experts. This document assists OLIR Developers in understanding the processes and requirements for participating in the Program.
National OLIR Program: Overview, Benefits, and Use
An Online Informative Reference (OLIR) provides a standardized expression of the relationships between concepts in documents. This report provides an overview of the National OLIR Program, explains the basics of OLIRs and the benefits they can provide, and shows how anyone can access and use OLIRs.
NIST CSF 2.0: Quick-Start Guide for C-SCRM
The CSF can help an organization become a smart acquirer and supplier of technology products and services. This guide focuses on two ways the CSF can help you: 1) Use the CSF’s GV.SC Category to establish and operate a C-SCRM capability. 2) Define and communicate supplier requirements using the CSF.
NIST CSF 2.0: A Guide to Creating Community Profiles
This guide provides considerations for creating and using Community Profiles to implement the CSF 2.0. Communities can build on the ideas in this guide to create a Community Profile that supports their needs where they share common priorities.
NIST CSF 2.0: Quick-Start Guide for Using the CSF Tiers
This Quick-Start Guide describes how to apply the CSF 2.0 Tiers. CSF Tiers can be applied to CSF Organizational Profiles to characterize the rigor of an organization’s cybersecurity risk governance and management outcomes.
NIST CSF 2.0: Quick-Start Guide for Creating and Using Organizational Profiles
This Quick-Start Guide gives an overview of creating and using organizational profiles for NIST CSF 2.0. An Organizational Profile describes an organization’s current and/or target cybersecurity posture in terms of cybersecurity outcomes from the Cybersecurity Framework (CSF) Core.
The NIST Cybersecurity Framework (CSF) 2.0
The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts.
9 secure email gateway options for 2024
Here's a look at some popular email security gateways and similar products.
SP 1800-37, Addressing Visibility Challenges with TLS 1.3 within the Enterprise
The NCCoE is demonstrating options for maintaining visibility within the TLS 1.3 protocol within an enterprise. The project demonstrates several standards-compliant architectural options for use within enterprises to provide both real-time and post-facto systems monitoring and analytics capabilities. This publication describes the approach, architecture, and security characteristics for the demonstrated proofs of concept.
How to create an incident response playbook
Here's a crash course on what incident response playbooks are, why they are important, how to use them and how to build them.
SP 800-221A, Information and Communications Technology Risk Outcomes
Information and Communications Technology (ICT) spans all tools, devices, data, infrastructure, and components and it’s a broad concept that continues to evolve. This publication provides desired outcomes and applicable references common across all types of ICT risk; it offers a common language for understanding, managing, and expressing ICT risk to internal and external stakeholders and can help identify and prioritize actions to reduce ICT risk. The core of this publication can be browsed and downloaded in popular formats such as JSON and Excel using the NIST Cybersecurity and Privacy Tool (CPRT).
SP 800-221, Enterprise Impact of Information and Communications Technology Risk
Information and Communications Technology (ICT) spans all tools, devices, data, infrastructure, and components and it’s a broad concept that continues to evolve. This publication helps in understanding the relationship between ICT risk management and ERM—and the benefits of integrating those approaches. This includes ICT risk guidance on how all ICT risk programs, including individual programs such as privacy, supply chain, and cybersecurity, integrate into ERM.
Data Classification Concepts and Considerations for Improving Data Protection
Data classification is the process an organization uses to characterize its data assets using persistent labels so those assets can be managed properly. This publication defines basic terminology and explains fundamental concepts in data classification so there is a common language for all to use. It can also help organizations improve the quality and efficiency of their data protection approaches by becoming more aware of data classification considerations and taking them into account in business and mission use cases, such as secure data sharing, compliance reporting and monitoring, ZTA, and LLMs.
Improved Cybersecurity Logging Gives Agencies Better Network Visibility
Each agency should use logging in conjunction with various tools for finding vulnerabilities on each of its IP network-connected technology assets, including missing patches, outdated software versions in need of upgrading, and misconfigured software and services. Most agencies will need to use several tools in combination to achieve the necessary visibility for all of their assets, no matter where each asset is located at any time. Let’s take a closer look at some of these tools.
Draft SP 800-92r1, Cybersecurity Log Management Planning Guide
This document defines a playbook to help any organization plan improvements to its cybersecurity log management practices in support of regulatory requirements and recommended practices. While the playbook is not comprehensive, the listed plays are noteworthy and generally beneficial for cybersecurity log management planning by organizations.
How to Develop a Cybersecurity Strategy: Step-by-Step Guide
A cybersecurity strategy isn't meant to be perfect, but it must be proactive, effective, actively supported and evolving. Here are the four steps required to get there.
3 phases of the third-party risk management lifecycle
Supply chain vulnerabilities in services can be managed with a third-party risk management program, of which the third-party management lifecycle is key. This lifecycle is composed of three phases: before the contract, during the contract and contract termination. Let's examine each phase, as well as steps to take during each phase to better manage risk.
Developing Cybersecurity and Privacy Concept Mappings
NIST Internal Report (IR) 8477 ipd, Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings, explains NIST’s proposed approach for identifying and documenting relationships between concepts such as controls, requirements, recommendations, outcomes, technologies, functions, processes, techniques, roles, and skills.
NIST Cybersecurity Framework 2.0 Draft
NIST has released a Draft of The NIST Cybersecurity Framework (CSF) 2.0 for public comment! This draft represents a major update to the CSF—a resource first released in 2014 to help organizations reduce cybersecurity risk. The draft update reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice for all organizations.
8 vulnerability management tools to consider in 2023
Once an organization implements a vulnerability management program, the next step is providing the program's team with powerful vulnerability management tools to automate as many tasks as possible. Evaluate these eight open source and vendor-supported vulnerability management tools.
Setting Up a Secure Multifactor Authentication Solution
Attackers frequently target authentication solutions, including MFA services, and a poorly secured MFA implementation can provide a way for an attacker to compromise many accounts at once. You can take the following steps to help ensure that your university’s MFA solution is properly secured — and stays that way.