Month: June 2022

 Submit Comments on Draft
NIST SP 1800-34, Validating
the Integrity of Computing Devices

The National Cybersecurity Center of Excellence (NCCoE) has
published for public comment a draft of NIST SP 1800-34, Validating the Integrity of
Computing Devices.

What Is This Guide About?

Technologies today rely on complex, globally distributed and
interconnected supply chain ecosystems to provide reusable solutions.
Organizations are increasingly at risk of cyber supply chain compromise,
whether intentional or unintentional. Managing cyber supply chain risks
requires, in part, ensuring the integrity, quality, and resilience of the
supply chain and its products and services. This project demonstrates how
organizations can verify that the internal components of their computing
devices are genuine and have not been altered during the manufacturing or
distribution processes.

Share Your Expertise

Please download the document and share your
expertise with us to strengthen the draft practice guide. The public
comment period for this draft is now open and will close on July 25^th,
2022. You can stay up to date on this project by sending an email to supplychain-nccoe@nist.gov to join our
Community of Interest. Also, if you have any project ideas for our team, please
let us know by sending an email to the email address above. We look forward to
your feedback.

Additional NIST Supply Chain Work

NIST is also working on an important effort, the National
Initiative for Improving Cybersecurity in Supply Chains (NIICS) with the
private sector and others in government to improve cybersecurity in supply
chains. This initiative will help organizations to build, evaluate, and assess
the cybersecurity of products and services in their supply chains, an area of
increasing concern. For more information on this effort, you can click here.

Comment Now

 NIST is releasing the final public draft of a major revision
to Special
Publication (SP) 800-160 Volume 1, Engineering Trustworthy Secure Systems.
This final public draft offers significant content and design changes that
include a renewed emphasis on the importance of systems engineering and viewing
systems security engineering as a critical subdiscipline necessary to achieving
trustworthy secure systems. This perspective treats security as an emergent
property of a system. It requires a disciplined, rigorous engineering process
to deliver the security capabilities necessary to protect stakeholders’ assets
from loss while achieving mission and business success.

Bringing security out of its traditional stovepipe and viewing it
as an emergent system property helps to ensure that only authorized system
behaviors and outcomes occur, much like the engineering processes that address
safety, reliability, availability, and maintainability in building spacecraft,
airplanes, and bridges. Treating security as a subdiscipline of systems
engineering also facilitates making comprehensive trade space decisions as
stakeholders continually address cost, schedule, and performance issues, as
well as the uncertainties associated with system development efforts.

In particular, this final public draft:

• Provides a renewed focus on the
  design principles and concepts for engineering trustworthy secure systems,
  distributing the content across several redesigned initial chapters
• Relocates the detailed system
  life cycle processes and security considerations to separate appendices
  for ease of use
• Streamlines the design
  principles for trustworthy secure systems by eliminating two previous
  design principle categories
• Includes a new introduction to
  the system life cycle processes and describes key relationships among
  those processes
• Clarifies key systems
  engineering and systems security engineering terminology
• Simplifies the structure of the
  system life cycle processes, activities, tasks, and references
• Provides additional references
  to international standards and technical guidance to better support the
  security aspects of the systems engineering process

NIST is interested in your feedback on the specific changes made
to the publication during this update, including the organization and structure
of the publication, the presentation of the material, its ease of use, and the
applicability of the technical content to current or planned systems
engineering initiatives.

 

The public comment period is open through July 8, 2022. See
the publication details for instructions on submitting
comments, including a template for preparing comments.

NOTE: A call for patent claims is included on page v of this
draft.  For additional information, see the Information Technology Laboratory (ITL) Patent Policy–Inclusion of
Patents in ITL Publications.

Read
More

 Today, NIST is seeking public comments on NIST IR 8409 ipd (initial public
draft), Measuring the
Common Vulnerability Scoring System Base Score Equation.

Calculating the severity of information technology vulnerabilities
is important for prioritizing vulnerability remediation and helping to
understand the risk of a vulnerability. The Common Vulnerability Scoring System
(CVSS) is a widely used approach to evaluating properties that lead to a
successful attack and the effects of a successful exploitation. CVSS is managed
under the auspices of the Forum of Incident Response and Security Teams (FIRST)
and is maintained by the CVSS Special Interest Group (SIG). Unfortunately,
ground truth upon which to base the CVSS measurements has not been available.
Thus, CVSS SIG incident response experts maintain the equations by leveraging
CVSS SIG human expert opinion.

This work evaluates the accuracy of the CVSS “base score”
equations and shows that they represent the CVSS maintainers’ expert opinion to
the extent described by these measurements. NIST requests feedback on the
approach, the significance of the results, and any CVSS measurements that
should have been conducted but were not included within the initial scope of this
work. Finally, NIST requests comments on sources of data that could provide
ground truth for these types of measurements.

The public comment review period for this draft is open through
July 29, 2022. See the publication
details for instructions on how to submit comments.

 

NOTE: A call for patent claims is included on page iv of this
draft. For additional information, see Information
Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL
Publications.

Read
More

The Zero Trust Architecture (ZTA) team at NIST’s National Cybersecurity Center of Excellence (NCCoE) has published Volume A of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” and is seeking the public’s comments on its contents. This guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture. As the project progresses, the preliminary draft will be updated, and additional volumes will also be released for comment.
As an enterprise’s data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device. The NCCoE is addressing these challenges by collaborating with industry participants to demonstrate several approaches to a zero trust architecture applied to a conventional, general purpose enterprise IT infrastructure on premises and in the cloud.

We Want to Hear from You!
The NCCoE is making Volume A available as a preliminary draft for public comment while work continues on the project. Review the preliminary draft and submit comments online on or before (July 5th, 2022). 

Comment Here