NCCoE Releases Draft Project Description for DevSecOps

The National Cybersecurity Center of Excellence (NCCoE) has released a new
draft project description, Software Supply Chain and DevOps Security Practices:
Implementing a Risk-Based Approach to DevSecOps. Publication of this project
description begins a process to solicit public comments on the project
requirements, scope, and hardware and software components for use in a
laboratory environment.

We want your feedback on this draft to help refine the project.
The comment period is now open and will close on August 22, 2022.

The project will focus initially on developing and documenting an
applied risk-based approach and recommendations for secure DevOps and software
supply chain practices consistent with the Secure Software Development
Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and
other NIST, government, and industry guidance. This project will apply these
practices in proof-of-concept use case scenarios that are each specific to a
technology, programming language, and industry sector. Both commercial and open
source technology will be used to demonstrate the use cases. This project will
result in a freely available NIST Cybersecurity Practice Guide.

We Want to Hear from You!

Review the project description and submit comments online on or
before August 22, 2022. You can also help shape and contribute to this project
by joining the NCCoE’s DevSecOps Community of Interest. Send an email to detailing your

We value and welcome your input and look forward to your comments.



Implementing the HIPAA Security Rule: NIST Releases Draft NIST SP 800-66, Rev. 2 for Public Comment

The initial public draft of NIST Special Publication (SP) 800-66r2 (Revision 2),
Implementing the Health Insurance Portability and Accountability Act (HIPAA)
Security Rule: A Cybersecurity Resource Guide, is now available for public comment.

The HIPAA Security Rule specifically focuses on protecting the
confidentiality, integrity, and availability of electronic protected health
information (ePHI), as defined by the Security Rule. All HIPAA-regulated
entities must comply with the requirements of the Security Rule.

This draft update:

  • Includes a brief overview of the HIPAA Security Rule
  • Provides guidance for regulated entities on assessing and managing risks to ePHI
  • Identifies typical activities that a regulated entity might consider
    implementing as part of an information security program
  • Lists additional resources that regulated entities may find useful in
    implementing the Security Rule

A public comment period is open through September 21, 2022. See the
publication for a copy of the draft and instructions for submitting

A call for patent claims is included on page v of this draft. For additional
information, see the Information
Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL


Submit Comments on NIST SP 1800-34, Validating the Integrity of Computing Devices

Comment Period Extended for NIST SP 1800-34, Validating the Integrity of Computing Devices

The National Cybersecurity Center of Excellence (NCCoE) has published, for
public comment, a draft of NIST SP 1800-34, Validating the Integrity of
Computing Devices. Please download the document and share your comments with
us to strengthen the draft practice guide. The public comment period for this
draft has been extended and will now close on August 8th,

The NCCoE relies on developers, providers, and users of
cybersecurity technology and information to provide comments on our practice
guides. The public is encouraged to review the draft and provide feedback for
possible incorporation into the final version before the public comment period

If you have any questions or would like to join our Supply Chain
Community of Interest, please email us at

Comment Now

NIST Releases Draft IR 8409: Measuring the Common Vulnerability Scoring System Base Score Equation

Today, NIST is seeking public comments on NIST IR 8409 ipd (initial public
draft), Measuring the Common Vulnerability Scoring System Base Score Equation.

Calculating the severity of information technology vulnerabilities
is important for prioritizing vulnerability remediation and helping to
understand the risk of a vulnerability. The Common Vulnerability Scoring System
(CVSS) is a widely used approach to evaluating properties that lead to a
successful attack and the effects of a successful exploitation. CVSS is managed
under the auspices of the Forum of Incident Response and Security Teams (FIRST)
and is maintained by the CVSS Special Interest Group (SIG). Unfortunately,
ground truth upon which to base the CVSS measurements has not been available.
Thus, CVSS SIG incident response experts maintain the equations by leveraging
CVSS SIG human expert opinion.

This work evaluates the accuracy of the CVSS “base score”
equations and shows that they represent the CVSS maintainers’ expert opinion to
the extent described by these measurements. NIST requests feedback on the
approach, the significance of the results, and any CVSS measurements that
should have been conducted but were not included within the initial scope of
this work. Finally, NIST requests comments on sources of data that could
provide ground truth for these types of measurements.

The public comment review period for this draft is open through July 29, 2022.
See the publication for instructions on how to submit comments.


NOTE: A call for patent claims is included on page iv of this
draft. For additional information, see Information
Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL


NIST Requests Public Comments on FIPS 180-4, Secure Hash Standard (SHS)

NIST is in the process of a periodic review and maintenance of its
cryptography standards and guidelines.

This announcement initiates the review of Federal Information Processing
Standard (FIPS) 180-4, Secure Hash Standard (SHS), 2015.

NIST requests public comments on all aspects of FIPS 180-4. Additionally, NIST
would appreciate feedback on the following two areas of particular concern:

  1. SHA-1. In recent years, the cryptanalytic attacks on the SHA-1 hash
     function have become increasingly severe and practical (see, e.g., the
     2020 paper “SHA-1 is a Shambles” by Leurent and Peyrin). NIST, therefore,
     plans to remove SHA-1 from a revision of FIPS 180-4 and to deprecate and
     eventually disallow all uses of SHA-1. The Cryptographic Module Validation
     Program will establish a validation transition schedule.

     *  How will this plan impact fielded and planned SHA-1 implementations?

     *  What should NIST consider in establishing the timeline for
        disallowing SHA-1?

  2. Interface. The “Init, Update, Final” interface was part of the SHA-3
     Competition submission requirements. Should a revision of FIPS 180-4
     discuss the “Init, Update, Final” hash function interface?

The public comment period is open through September 9, 2022. Comments may
address the concerns raised in this announcement or other issues around
security, implementation, clarity, risk, or relevance to current

Send comments to with “Comments on FIPS 180-4” in the Subject.

For more information about the review process, visit the Crypto Publication
Review Project page.


Using Business Impact Analysis to Inform Risk Prioritization and Response: NIST IR 8286D available for public comment

 Traditional business impact analyses (BIAs) have been successfully
used for business continuity and disaster recovery (BC/DR) by triaging damaged
infrastructure recovery actions that are primarily based on the duration and
cost of system outages (i.e., availability compromise). However, BIA analyses
can be easily expanded to consider other cyber-risk compromises and remedies.

This initial public draft of NIST IR 8286D, Using Business Impact Analysis to
Inform Risk Prioritization and Response, provides comprehensive asset
confidentiality and integrity impact analyses to accurately identify and manage
asset risk propagation from system to organization and from organization to
enterprise, which in turn better informs Enterprise Risk Management
deliberations. This document adds expanded BIA protocols to inform risk
prioritization and response by quantifying the organizational impact and
enterprise consequences of compromised IT assets.

The public comment period for this draft is open through July 18,
See the publication for a copy of the draft and instructions for submitting


NOTE: A call for patent claims is included on page iii of this
draft. For additional information, see
Information Technology Laboratory (ITL) Patent Policy–Inclusion
of Patents in ITL Publications


NIST opens first online comment period using the SP 800-53 Public Comment Site

NIST is leveraging the new Special Publication (SP) 800-53 Public Comment Site
for its first round of public comments. Participate in the inaugural 30-day
public comment period for a minor (errata) release of SP 800-53, Revision 5,
Security and Privacy Controls for Information Systems and Organizations. The
minor release will result in corrections to the current publication but will
not introduce new technical information or requirements. Submit your comments
on proposed changes using the Public Comment Site through August 12, 2022.

All proposed changes to SP 800-53 (“candidates”) for
review and comment are available online.
Candidates can be filtered by control family, control name, and submission
date. To view the specific changes for each control or control enhancement and
provide your feedback, select the Tracking Number on the Candidates page.

The SP 800-53 Public Comment Site is designed to:

  • Reduce the level of effort needed for stakeholders to review and comment
    on proposed changes
  • Feature new and updated controls and control enhancements and highlight
    specific changes
  • Increase transparency and promote community engagement by making comments
    on candidates publicly
  • Provide traceability on submitted feedback through automatic updates

Learn more about
the SP 800-53 Comment Site, and leverage the online User Guide for
step-by-step instructions on how to participate in the public comment process,
available under “View Candidates” and “Provide comments on

NIST looks forward to stakeholder feedback on the proposed changes
(“candidates”) for the first minor release using the online platform.
The end result of this effort will be the second update of SP 800-53 Rev. 5.
Please direct your questions to


Protecting Controlled Unclassified Information: Pre-Draft Call for Comments on the CUI Series

NIST is seeking information for a planned update of the Controlled
Unclassified Information (CUI) series of publications, starting with Special
Publication (SP) 800-171, Protecting
Controlled Unclassified Information in Nonfederal Systems and Organizations.
This Pre-Draft Call for Comments solicits feedback from interested parties to
improve SP 800-171 and its supporting publications, SP 800-171A, SP 800-172,
and SP 800-172A.

NIST seeks your feedback on the use, potential updates, and
opportunities for ongoing improvement to the CUI series. Potential topics for
comments and feedback range from how organizations are currently using the CUI
series of publications – including how the series is being used with other
frameworks and standards (e.g., NIST Risk Management Framework, NIST
Cybersecurity Framework, GSA Federal Risk and Authorization Management Program
[FedRAMP], DOD Cybersecurity Maturity Model Certification [CMMC], etc.) – to
suggestions for features of the CUI series that should be modified, added, or

How to Comment?

View the Pre-Draft Call for Comments for details on how to submit your
comments by September 16, 2022.

Questions about this call for comments?  Contact us at


Supply Chain Issue

A Florida-based CEO was charged with selling
$1 billion worth of counterfeit Cisco equipment imported from China, according
to the Department of Justice.

The Justice Department announced in a release on Friday that it had arrested
38-year-old Onur Aksoy for allegedly running multiple stores that sold
fraudulent Cisco hardware. The DOJ alleged that Aksoy imported the fake
equipment from China and resold it to customers that included hospitals,
schools, government agencies, and the military under the company name “Pro
Network” to make it appear legitimate.

 According to a DOJ complaint filed in 2013,
Aksoy bought counterfeit hardware at “95 to 98%” lower than authentic
Cisco products. The counterfeit hardware malfunctioned, damaging the users’
network and operations and costing them tens of thousands of dollars.

Aksoy “allegedly ran at least 19 companies formed in New Jersey and Florida
as well as at least 15 Amazon storefronts, at least 10 eBay storefronts, and
multiple other entities,”

According to the DOJ statement, between 2014 and 2022, Customs and Border
Protection seized 180 shipments of counterfeit Cisco devices being shipped to
Pro Network. Under the alias of “Dave Durden,” Aksoy falsely submitted
paperwork to CBP to avoid investigation. In July 2021, federal agents obtained
a warrant to search Aksoy’s warehouse, where they seized 1,156 counterfeit
Cisco devices valued at over 7 million

 “We are committed to maintaining the
integrity and quality of Cisco products and services. Cisco is grateful to law
enforcement and customs officials for their tremendous collaboration in this
investigation and to the DOJ for bringing the perpetrator to justice,”
Cisco said in a statement to PC Mag.

According to the DOJ, Aksoy is charged with conspiracy to traffic in
counterfeit goods and to commit mail and wire fraud, three counts of mail
fraud, four counts of wire fraud, and three counts of trafficking in
counterfeit goods. Prosecutors have set up a website for anyone who believes
they were a victim of Aksoy’s companies.

NIST Preliminary Draft Practice Guide (Vol. B) From The Zero Trust Architecture Team

The Zero Trust Architecture (ZTA) team at NIST’s National Cybersecurity Center of Excellence (NCCoE) has
published volume B of a preliminary draft practice guide titled
“Implementing a Zero Trust Architecture” and is
seeking the public’s comments on its contents. This guide summarizes how the
NCCoE and its collaborators are using commercially available technology to
build interoperable, open standards-based ZTA example implementations that
align to the concepts and principles in NIST Special Publication (SP) 800-207,
Zero Trust Architecture. As the project progresses, the preliminary draft will
be updated, and additional volumes will also be released for comment.

As an enterprise’s data and resources have become distributed
across the on-premises environment and multiple clouds, protecting them has
become increasingly challenging. Many users need access from anywhere, at any
time, from any device. The NCCoE is addressing these challenges by
collaborating with industry participants to demonstrate several approaches to a
zero trust architecture applied to a conventional, general purpose
enterprise IT infrastructure on premises and in the cloud.

We Want to Hear from You!

The NCCoE is making volume B available as a preliminary draft for
public comment while work continues on the project. Review the preliminary
draft and submit comments online on or before August 8th, 2022.

Comment Here

We welcome your input and look forward to your comments. We invite you to join
to receive news and updates about this project.

– Zero Trust Architecture Project Team