CMVP Security Policy Requirements: NIST SP 800-140B Rev. 1 (Second Public Draft)

 The second public draft of NIST Special Publication (SP)
800-140Br1 (Revision 1),
CMVP Security
Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and
ISO/IEC 19790 Annex B
, is now available for public
comment.

The initial public draft introduced four significant changes to
NIST SP 800-140B:

  1. Defines a more detailed
    structure and organization for the Security Policy
  2. Captures Security Policy
    requirements that are defined outside of ISO/IEC 19790 and ISO/IEC 24759
  3. Builds the Security Policy
    document as a combination of the subsection information
  4. Generates the approved
    algorithm table based on lab/vendor selections from the algorithm tests

This second draft addresses the comments made on the initial
draft, including concerns with the structure of the Security Policy and the
process for creating it. Appendix B provides details on these changes.

The NIST SP 800-140x series supports Federal Information
Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules,
and its associated validation testing program, the Cryptographic Module
Validation Program (CMVP). The series specifies modifications to ISO/IEC 19790
Annexes and ISO/IEC 24759 as permitted by the validation authority.

The public comment period is open through December 5, 2022. See
the publication
details
for instructions on submitting comments.

Read
More

Public Comment Period Extended to 10/5 | Implementing the HIPAA Security Rule: Draft NIST SP 800-66, Rev. 2

 The public comment period has been extended for the initial public
draft of NIST Special Publication (SP) 800-66r2 (Revision 2),
Implementing the
Health Insurance Portability and Accountability Act (HIPAA) Security Rule
: A Cybersecurity Resource Guide.
The new comment deadline
is October 5, 2022.

The HIPAA Security Rule specifically focuses on protecting the
confidentiality, integrity, and availability of electronic protected health
information (ePHI), as defined by the Security Rule. All HIPAA-regulated
entities must comply with the requirements of the Security Rule.

This draft:

  • Includes a brief overview of
    the HIPAA Security Rule
  • Provides guidance for regulated
    entities on assessing and managing risks to ePHI
  • Identifies typical activities
    that a regulated entity might consider implementing as part of an
    information security program
  • Lists additional resources that
    regulated entities may find useful in implementing the Security Rule

Please submit comments to [email protected] through October 5, 2022.
See the publication
details
for a copy of the draft and instructions for submitting
comments.

NOTE: A call for patent claims is included on page v of this
draft. For additional information, see the
Information Technology Laboratory (ITL) Patent Policy –
Inclusion of Patents in ITL Publications
.

Read
More

New York Metro Joint Cyber Security Conference

 Created in 2014, this collaborative event is cooperatively
developed, organized and sponsored by the leading information security industry
organizations and chapters, including NY Metro ISSA. The strength of
organizational membership, the provision of desirable CPE credits and the
concurrence of National Cyber Security Awareness Month, is always well-attended
by members of the information technology, information security, audit,
academic, and business communities.










Agenda is at InfoSecurity.NYC 

Register for free Infosecurity-NYC-2022.EventBrite.com

Hurricane-Related Scams

CISA warns users to remain on alert for malicious cyber activity targeting
potential disaster victims and charitable donors following a hurricane. Fraudulent
emails—often containing malicious links or attachments—are common after major
natural disasters. Exercise caution in handling emails with hurricane-related
subject lines, attachments, or hyperlinks. In addition, be wary of social media
pleas, texts, or door-to-door solicitations relating to severe weather
events. 

To avoid becoming victims of malicious activity, users and administrators
should review the following resources and take preventative measures. 

Staying
Alert to Disaster-related Scams
 

Before Giving to
a Charity 

Staying Safe on
Social Networking Sites
  

Avoiding Social
Engineering and Phishing Attacks
 

Using Caution with
Email Attachments 

If you believe you have been a victim of cybercrime, file a complaint with
Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) at www.ic3.gov.