ANNUAL REPORT 2017 NIST/ITL CYBERSECURITY PROGRAM NIST SPECIAL PUBLICATION 800-203 THIS PAGE IS INTENTIONALLY LEFT BLANK ANNUAL REPORT 2017 NIST/ITL CYBERSECURITY PROGRAM PATRICK O’REILLY, EDITOR KRISTINA RIGOPOULOS, EDITOR Computer Security Division Applied Cybersecurity Division Information Technology Laboratory Information Technology Laboratory CO-EDITORS: Larry Feldman Greg Witte G2, Inc. Annapolis Junction, Maryland THIS PUBLICATION IS AVAILABLE FREE OF CHARGE FROM https:/ /doi.org/10.6028/NIST.SP.800-203 JULY 2018 U.S. DEPARTMENT OF COMMERCE Wilbur L. Ross, Jr., Secretary NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology NIST/ITL CYBERSECURITY PROGRAM ANNUAL REPORT 2017 AUTHORITY This publication has been developed by the National Institute of Standards and Technology (NIST) in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3541 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal ofcials exercising policy authority over such systems. This guideline is consistent with the requirements of the Ofce of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal ofcial. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST. National Institute of Standards and Technology Special Publication 800-203 Natl. Inst. Stand. Technol. Spec. Publ. 800-203, 175 pages (July 2018) CODEN: NSPUE2 This publication is available free of charge from: https:/ /doi.org/10.6028/NIST.SP.800-203 REPORTS ON COMPUTER SYSTEMS TECHNOLOGY The Information Technology Laboratory (ITL) at NIST promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-efective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach eforts in information system security, and its collaborative activities with industry, government, and academic organizations. I ACKNOWLEDGMENTS The editors, Patrick O’Reilly of the Computer Security Division (CSD) and Kristina Rigopoulos of the Applied Cybersecurity Division (ACD), would like to thank their ITL colleagues who provided write-ups on their project highlights and accomplishments for this annual report (their names are mentioned after each project write-up). The editors would also like to acknowledge Elaine Barker (CSD) a Lisa Carnahan (Standards Coordination Ofce, NIST), for reviewing and providing valuable feedback for this annual report. The editors would also like to acknowledge Natasha Hanacek (Graphic Designer, NIST Public Afairs Ofce) for designing the cover and inside layout for this annual report. DISCLAIMER Any mention of commercial prod