NIST SP 800 series

The SP 800 series is a set of technical guidelines on computer security, and it is widely referenced as the basis for the U.S. federal government’s information security requirements (FISMA). Of the full official set (220 documents), this page organizes the current Final editions plus key companions by category, excluding annual reports, items slated for withdrawal, and extremely niche sub-specifications (the PIV test guides, etc.).

For complete publication and revision information, see NIST CSRC SP 800. This page is a curated version; CSRC is always the primary source.

General / introductory

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-12 Rev.1 | An Introduction to Information Security | Rev.1 (2017) | Introduction to information security |
| SP 800-100 | Information Security Handbook: A Guide for Managers | Upd1 (2007) | Handbook for managers |

Risk management / frameworks / measurement

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-18 Rev.1 | Guide for Developing Security Plans for Federal Information Systems | Rev.1 (2006) | System Security Plan (SSP) |
| SP 800-30 Rev.1 | Guide for Conducting Risk Assessments | Rev.1 (2012) | How to conduct risk assessments |
| SP 800-37 Rev.2 | Risk Management Framework for Information Systems and Organizations | Rev.2 (2018) | The 6-step RMF |
| SP 800-39 | Managing Information Security Risk | Final (2011) | Organization-wide risk management |
| SP 800-53 Rev.5 | Security and Privacy Controls for Information Systems and Organizations | Rev.5 (2020, Upd1 2023) | Security/privacy control catalog |
| SP 800-53A Rev.5 | Assessing Security and Privacy Controls | Rev.5 (2022) | Procedures for assessing SP 800-53 controls |
| SP 800-53B | Control Baselines for Information Systems and Organizations | Upd1 (2023) | Low/Moderate/High baselines |
| SP 800-55 Vol.1 | Measurement Guide for Information Security Vol.1 — Identifying and Selecting Measures | Final (2024) | Selecting measurement metrics |
| SP 800-55 Vol.2 | Measurement Guide for Information Security Vol.2 — Developing a Measurement Program | Final (2024) | Building a measurement program |
| SP 800-160 Vol.1 Rev.1 | Engineering Trustworthy Secure Systems | Rev.1 (2022) | Systems security engineering |
| SP 800-160 Vol.2 Rev.1 | Developing Cyber-Resilient Systems | Rev.1 (2021) | Cyber resilience engineering |
| SP 800-221 | Enterprise Impact of Information and Communications Technology Risk | Final (2023) | Enterprise ICT risk |
| SP 800-221A | ICT Risk Outcomes | Final (2023) | Outcome metrics for 800-221 |

Contingency / training

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-34 Rev.1 | Contingency Planning Guide for Federal Information Systems | Rev.1 (2010) | Business continuity/recovery planning |
| SP 800-84 | Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities | Final (2006) | Testing/training/exercises |

CUI / FISMA / federal regulation / education

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-50 Rev.1 | Building a Cybersecurity and Privacy Learning Program | Rev.1 (2024) | Security education program |
| SP 800-59 | Guideline for Identifying an Information System as a National Security System | Final (2003) | NSS identification guide |
| SP 800-60 Vol.1 Rev.1 | Guide for Mapping Types of Information and Systems to Security Categories | Rev.1 (2008) | Information categorization |
| SP 800-60 Vol.2 Rev.1 | Mapping (Vol.2 — Appendices) | Rev.1 (2008) | Appendices to 800-60 Vol.1 |
| SP 800-66 Rev.2 | Implementing the HIPAA Security Rule | Rev.2 (2024) | HIPAA Security Rule |
| SP 800-171 Rev.3 | Protecting CUI in Nonfederal Systems and Organizations | Rev.3 (2024) | CUI protection requirements |
| SP 800-171A Rev.3 | Assessing Security Requirements for CUI | Rev.3 (2024) | Procedures for assessing 800-171 |
| SP 800-172 | Enhanced Security Requirements for Protecting CUI | Final (2021) | Enhanced requirements assuming APTs |
| SP 800-172A | Assessing Enhanced Security Requirements for CUI | Final (2022) | Procedures for assessing 800-172 |
| SP 800-181 Rev.1 | Workforce Framework for Cybersecurity (NICE Framework) | Rev.1 (2020) | NICE workforce framework |

Authentication / identity (PIV / Digital Identity)

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-63-4 | Digital Identity Guidelines | Rev.4 (2025) | Overall digital identity policy (latest) |
| SP 800-63A-4 | Identity Proofing and Enrollment | Rev.4 (2025) | Identity proofing / verification |
| SP 800-63B-4 | Authentication and Authenticator Management | Rev.4 (2025) | Authenticator / MFA / passphrase requirements |
| SP 800-63C-4 | Federation and Assertions | Rev.4 (2025) | Federation / SAML / OIDC |
| SP 800-73-5 Pt.1 | PIV Card Application Namespace | Rev.5 (2024) | PIV card namespace |
| SP 800-73-5 Pt.2 | Card Command Interface | Rev.5 (2024) | PIV command interface |
| SP 800-73-5 Pt.3 | Client Application Programming Interface | Rev.5 (2024) | PIV client API |
| SP 800-76-2 | Biometric Specifications for PIV | Final (2013) | PIV biometric specification |
| SP 800-78-5 | Cryptographic Algorithms and Key Sizes for PIV | Rev.5 (2024) | PIV cryptographic algorithms (latest) |
| SP 800-116 Rev.1 | PIV Credentials in Facility Access | Rev.1 (2018) | PIV for physical access |
| SP 800-157 | Derived PIV Credentials | Final (2014) | Derived PIV credentials |
| SP 800-162 | Attribute Based Access Control (ABAC) | Upd2 (2019) | Attribute-based access control |
| SP 800-205 | Attribute Considerations for Access Control Systems | Final (2019) | Considerations for selecting attributes |

Cryptography / key management / random numbers

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-22 Rev.1a | Statistical Test Suite for RNGs | Rev.1a (2010) | RNG statistical tests |
| SP 800-38A | Block Cipher Modes — Methods and Techniques | Final (2001) | ECB/CBC/CFB/OFB/CTR |
| SP 800-38A Sup. | Three Variants of Ciphertext Stealing | Final (2010) | CTS-1/2/3 |
| SP 800-38B | CMAC Mode for Authentication | Final (2016) | CMAC specification |
| SP 800-38C | CCM Mode for Authentication and Confidentiality | Final (2007) | CCM specification |
| SP 800-38D | GCM and GMAC | Final (2007) | GCM / GMAC |
| SP 800-38E | XTS-AES for Storage Devices | Final (2010) | XTS for storage |
| SP 800-38F | Methods for Key Wrapping | Final (2012) | Key wrapping (KW/KWP) |
| SP 800-38G | Format-Preserving Encryption (FPE) | Final (2016) | FF1 / FF3-1 (FF3 withdrawn) |
| SP 800-56A Rev.3 | Pair-Wise Key Establishment Using Discrete Logarithm | Rev.3 (2018) | DH/ECDH key exchange |
| SP 800-56B Rev.2 | Pair-Wise Key Establishment Using Integer Factorization | Rev.2 (2019) | RSA key exchange |
| SP 800-56C Rev.2 | Key Derivation in Key-Establishment Schemes | Rev.2 (2020) | KDF after key exchange |
| SP 800-57 Pt.1 Rev.5 | Key Management — General | Rev.5 (2020) | Key management in general |
| SP 800-57 Pt.2 Rev.1 | Key Management — Best Practices for Organizations | Rev.1 (2019) | Key management for organizations |
| SP 800-57 Pt.3 Rev.1 | Key Management — Application-Specific Guidance | Rev.1 (2015) | Per-application key management |
| SP 800-89 | Obtaining Assurances for Digital Signature Applications | Final (2006) | Assurance for signature verification |
| SP 800-90A Rev.1 | DRBG | Rev.1 (2015) | Deterministic random bit generation |
| SP 800-90B | Entropy Sources Used for Random Bit Generation | Final (2018) | Entropy source assessment |
| SP 800-90C | RBG Constructions | Final (2025) | RBG constructions (latest) |
| SP 800-107 Rev.1 | Recommendation for Applications Using Approved Hash Algorithms | Rev.1 (2012) | Using approved hashes |
| SP 800-108 Rev.1 | Key Derivation Using PRFs | Rev.1 Upd1 (2024) | PRF-based KDF |
| SP 800-130 | Framework for Designing CKMS | Final (2013) | Designing key management systems |
| SP 800-131A Rev.2 | Transitioning Cryptographic Algorithms and Key Lengths | Rev.2 (2019) | Algorithm migration |
| SP 800-132 | Password-Based Key Derivation | Final (2010) | PBKDF2 |
| SP 800-133 Rev.2 | Cryptographic Key Generation | Rev.2 (2020) | Cryptographic key generation |
| SP 800-135 Rev.1 | Application-Specific KDFs | Rev.1 (2011) | KDFs for TLS / IKE, etc. |
| SP 800-152 | Profile for U.S. Federal CKMS | Final (2015) | Federal CKMS profile |
| SP 800-175A | Cryptographic Standards: Directives, Mandates and Policies | Final (2016) | Federal cryptographic standards directives |
| SP 800-175B Rev.1 | Cryptographic Standards: Mechanisms | Rev.1 (2020) | Guidance on using cryptographic standards |
| SP 800-185 | SHA-3 Derived Functions: cSHAKE / KMAC / TupleHash / ParallelHash | Final (2016) | SHA-3 derived functions |
| SP 800-186 | Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters | Final (2023) | ECC domains (P-256/P-384/Edwards, etc.) |
| SP 800-208 | Stateful Hash-Based Signature Schemes | Final (2020) | LMS / XMSS |
| SP 800-227 | Recommendations for Key-Encapsulation Mechanisms | Final (2025) | KEM (PQC context) |
| SP 800-232 | Ascon-Based Lightweight Cryptography Standards for Constrained Devices | Final (2025) | Lightweight cryptography Ascon |

CMVP / FIPS 140-3 test requirements

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-140 | FIPS 140-3 Derived Test Requirements (DTR) | Final (2020) | DTR |
| SP 800-140A | CMVP Documentation Requirements | Final (2020) | Documentation requirements |
| SP 800-140B Rev.1 | CMVP Security Policy Requirements | Rev.1 (2023) | Security policy requirements |
| SP 800-140C Rev.2 | CMVP Approved Security Functions | Rev.2 (2023) | Approved cryptographic functions |
| SP 800-140D Rev.2 | CMVP Approved SSP Generation/Establishment Methods | Rev.2 (2023) | SSP generation/establishment |
| SP 800-140E | CMVP Approved Authentication Mechanisms | Final (2020) | Authentication mechanisms |
| SP 800-140F | CMVP Approved Non-Invasive Attack Mitigation Test Metrics | Final (2020) | Non-invasive attack mitigation tests |

Logs / incident / forensics / audit

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-61 Rev.3 | Incident Response Recommendations and Considerations for Cybersecurity Risk Management | Rev.3 (2025) | Incident response (latest) |
| SP 800-83 Rev.1 | Malware Incident Prevention and Handling for Desktops and Laptops | Rev.1 (2013) | Malware response |
| SP 800-86 | Integrating Forensic Techniques into Incident Response | Final (2006) | Integrating forensics |
| SP 800-88 Rev.2 | Guidelines for Media Sanitization | Rev.2 (2025) | Secure media disposal (latest) |
| SP 800-92 | Computer Security Log Management | Final (2006) | Log management |
| SP 800-94 | Intrusion Detection and Prevention Systems (IDPS) | Final (2007) | IDS / IPS |
| SP 800-101 Rev.1 | Mobile Device Forensics | Rev.1 (2014) | Mobile device forensics |
| SP 800-137 | Information Security Continuous Monitoring (ISCM) | Final (2011) | Continuous monitoring |
| SP 800-137A | Assessing ISCM Programs | Final (2020) | Assessing ISCM programs |
| SP 800-150 | Cyber Threat Information Sharing | Final (2016) | Threat information sharing |
| SP 800-184 | Cybersecurity Event Recovery | Final (2016) | Post-incident recovery |

Networks / protocols / communications

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-41 Rev.1 | Firewalls and Firewall Policy | Rev.1 (2009) | Firewall policy |
| SP 800-44 V2 | Securing Public Web Servers | V2 (2007) | Web servers |
| SP 800-45 V2 | Electronic Mail Security | V2 (2007) | Email security |
| SP 800-46 Rev.2 | Enterprise Telework, Remote Access, BYOD Security | Rev.2 (2016) | Remote access / BYOD |
| SP 800-47 Rev.1 | Managing the Security of Information Exchanges | Rev.1 (2021) | Inter-system information exchange |
| SP 800-52 Rev.2 | TLS Implementations | Rev.2 (2019) | TLS implementation guide |
| SP 800-77 Rev.1 | IPsec VPNs | Rev.1 (2020) | IPsec |
| SP 800-81 Rev.3 | Secure DNS Deployment Guide | Rev.3 (2026) | DNS / DNSSEC (latest) |
| SP 800-95 | Secure Web Services | Final (2007) | Web services |
| SP 800-113 | SSL VPNs | Final (2008) | SSL VPN |
| SP 800-114 Rev.1 | User’s Guide to Telework and BYOD Security | Rev.1 (2016) | BYOD for users |
| SP 800-115 | Information Security Testing and Assessment | Final (2008) | Penetration / vulnerability testing |
| SP 800-119 | Secure Deployment of IPv6 | Final (2010) | IPv6 |
| SP 800-177 Rev.1 | Trustworthy Email | Rev.1 (2019) | DMARC / DKIM / SPF / STARTTLS |
| SP 800-189 | Resilient Interdomain Traffic Exchange (BGP / RPKI) | Final (2019) | BGP security |
| SP 800-215 | Guide to a Secure Enterprise Network Landscape | Final (2022) | Enterprise networks |

Patching / configuration management / validation / SCAP

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-40 Rev.4 | Enterprise Patch Management Planning | Rev.4 (2022) | Patch management planning |
| SP 800-51 Rev.1 | Vulnerability Naming Schemes | Rev.1 (2011) | CVE / CWE / CPE naming |
| SP 800-70 Rev.5 | National Checklist Program for IT Products | Rev.5 (2026) | NCP (latest) |
| SP 800-126 Rev.3 | SCAP Version 1.3 Technical Specification | Rev.3 (2018) | SCAP 1.3 |
| SP 800-128 | Security-Focused Configuration Management | Upd1 (2019) | SecCM |
| SP 800-167 | Application Whitelisting | Final (2015) | Application allowlisting |
| SP 800-193 | Platform Firmware Resiliency Guidelines | Final (2018) | Firmware protection (NIST PFR) |

Virtualization / hypervisors

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-125 | Security for Full Virtualization Technologies | Final (2011) | Virtualization in general |
| SP 800-125A Rev.1 | Server-based Hypervisor Platforms | Rev.1 (2018) | Hypervisors |
| SP 800-125B | Secure Virtual Network Configuration for VM Protection | Final (2016) | VM networking |

Cloud / containers / microservices / supply chain / DevSecOps

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-144 | Security and Privacy in Public Cloud Computing | Final (2011) | Public cloud |
| SP 800-145 | The NIST Definition of Cloud Computing | Final (2011) | Definition of cloud |
| SP 800-161 Rev.1 | C-SCRM Practices for Systems and Organizations | Rev.1 Upd1 (2024) | Supply chain risk |
| SP 800-190 | Application Container Security Guide | Final (2017) | Containers |
| SP 800-201 | NIST Cloud Computing Forensic Reference Architecture | Final (2024) | Cloud forensics |
| SP 800-204 | Security Strategies for Microservices-Based Application Systems | Final (2019) | Microservices |
| SP 800-204A | Building Secure Microservices Using Service Mesh | Final (2020) | Service mesh |
| SP 800-204B | ABAC for Microservices using Service Mesh | Final (2021) | Service mesh ABAC |
| SP 800-204C | DevSecOps for Microservices-based Application | Final (2022) | DevSecOps implementation |
| SP 800-204D | Software Supply Chain Security in DevSecOps CI/CD Pipelines | Final (2024) | SSC × CI/CD |
| SP 800-207 | Zero Trust Architecture | Final (2020) | ZTA |
| SP 800-207A | ZTA Model for Access Control in Cloud-Native Applications | Final (2023) | Cloud-native ZTA |
| SP 800-209 | Security Guidelines for Storage Infrastructure | Final (2020) | Storage |
| SP 800-210 | General Access Control Guidance for Cloud Systems | Final (2020) | Cloud access control |
| SP 800-218 | Secure Software Development Framework (SSDF) | Ver.1.1 (2022) | Secure development |
| SP 800-218A | SSDF for Generative AI and Dual-Use Foundation Models | Final (2024) | SSDF for generative AI |
| SP 800-228 | API Protection for Cloud-Native Systems | Final (2026) | API protection |
| SP 800-233 | Service Mesh Proxy Models for Cloud-Native Applications | Final (2024) | Proxy models |

Mobile / IoT / OT / wireless / storage / firmware

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-82 Rev.3 | Operational Technology (OT) Security | Rev.3 (2023) | ICS / OT |
| SP 800-98 | Securing Radio Frequency Identification (RFID) Systems | Final (2007) | RFID |
| SP 800-111 | Storage Encryption Technologies for End User Devices | Final (2007) | Full-disk / file encryption |
| SP 800-121 Rev.2 | Bluetooth Security | Rev.2 Upd1 (2022) | Bluetooth |
| SP 800-123 | General Server Security | Final (2008) | General servers |
| SP 800-124 Rev.2 | Managing Mobile Devices in the Enterprise | Rev.2 (2023) | Enterprise mobile |
| SP 800-147 | BIOS Protection Guidelines | Final (2011) | BIOS protection |
| SP 800-147B | BIOS Protection Guidelines for Servers | Final (2014) | Server BIOS |
| SP 800-153 | Securing Wireless Local Area Networks (WLANs) | Final (2012) | WLAN |
| SP 800-187 | LTE Security | Final (2017) | LTE |
| SP 800-213 | IoT Device Cybersecurity Guidance for the Federal Government | Final (2021) | IoT guidance for federal use |
| SP 800-213A | IoT Device Cybersecurity Requirement Catalog | Final (2021) | IoT requirement catalog |
| SP 800-219 Rev.1 | Automated Secure Configuration Guidance from mSCP (macOS) | Rev.1 (2023) | macOS security |

Data protection / privacy

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-122 | Protecting the Confidentiality of PII | Final (2010) | PII protection |
| SP 800-188 | De-Identifying Government Data Sets | Final (2023) | Data de-identification |
| SP 800-226 | Evaluating Differential Privacy Guarantees | Final (2025) | Differential privacy evaluation |

Vulnerability / disclosure

| Number | Title | Edition | Overview |
| --- | --- | --- | --- |
| SP 800-216 | Recommendations for Federal Vulnerability Disclosure Guidelines | Final (2023) | Vulnerability disclosure (federal) |

Legend and the policy of this page

  • Edition: Final = finalized / Rev.N = Nth revision / Upd = update / Ver.X = version
  • All links in the tables are official NIST CSRC pages. Older documents may redirect to legacy URLs in the csrc.nist.gov/publications/detail/... form.
  • This page is a curated version of the official 220 documents. The following are intentionally excluded:
    • 13 Annual Reports (SP 800-170 / 176 / 182 / 195 / 203 / 206 / 211 / 214 / 220 / 225 / 229 / 236, etc.)
    • Revisions in Draft (the next edition of the SP 800-63 family, 172 Rev.3, 92 Rev.1, 133 Rev.3, 131A Rev.3, etc.) — to be incorporated once finalized
    • Extremely niche PIV test/identifier sub-specifications (SP 800-79-2 / 85A-4 / 85B / 87 Rev.2 / 96 / 156 / 163 Rev.1 / 166, etc.)
    • Withdrawn
  • For the complete list, withdrawn documents, and the Draft list, see NIST CSRC SP 800.