NCCoE Releases Draft NIST IR 8496 for Data Classification

The NIST National Cybersecurity Center of Excellence (NCCoE) has released for public comment Draft NIST Internal Report (NIST IR) 8496, Data Classification Concepts and Considerations for Improving Data Protection. The comment period is open now through January 9, 2024.  

About the Report 

This publication defines basic terminology and explains fundamental concepts in data classification so there is a common language for all to use. It can also help organizations improve the quality and efficiency of their data protection approaches by becoming more aware of data classification considerations and taking them into account in business and mission use cases, such as secure data sharing, compliance reporting and monitoring, zero-trust architecture, and large language models. 

We Want to Hear from You! 

The comment period for this draft is open until 11:59 p.m. EST on Tuesday, January 9, 2024. Visit our project page for a copy of the draft and comment form.  

To receive the latest project news and updates, consider joining the NCCoE Data Classification Community of Interest (COI). You can sign up to become a COI member via the webform here.


Scattered Spider

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released this Joint Cybersecurity Advisory in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023.
Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology help desks. Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.
The FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of a cyberattack by Scattered Spider actors.

NJCCIC Weekly Bulletin

Zero-day exploitation has increased alarmingly on a global scale and has significantly affected federal government agencies, particularly over the last month, as emphasized by the Cybersecurity and Infrastructure Security Agency (CISA). Despite an overall decline in these vulnerabilities, federal government analysts observed an increase in zero-day exploits. This uptick indicates evolving tactics among cyber threat actors, particularly nation-state-backed campaigns that continue to leverage previously unknown vulnerabilities in sophisticated cyberattacks.
Over the past six months, the NJCCIC observed similar patterns in which advanced persistent threat (APT) groups rapidly developed and deployed zero-day exploits impacting public and private NJ organizations. These exploits include the Citrix Bleed vulnerability, which was most recently used in LockBit ransomware attacks impacting Boeing and the Industrial and Commercial Bank of China (ICBC). Similarly, the Atlassian and SysAid zero-days have been widely used in significant cyberattacks.
There is a critical need for enhanced collaboration across the public and private sectors, including the Defense Industrial Base sector, to combine cybersecurity defense efforts and develop rapid response mechanisms, according to Darren Turner, the National Security Agency’s (NSA’s) cybersecurity directorate chief of critical networks defense. The NJCCIC has actively pursued efforts to increase collaboration with local and state agencies, most recently by hosting a multi-state cyber range incident response exercise. More information regarding this live-fire exercise can be found in the announcement below.

Risk Management in the Enterprise: NIST SP 800-221 & NIST SP 800-221A

Information and Communications Technology (ICT) spans all tools, devices, data, infrastructure, and components; it is a broad concept that continues to evolve. Enterprise Risk Management (ERM) programs should consider ICT risks alongside those in other risk disciplines, such as financial or legal risk, which consider the impact on mission and business objectives, strategic planning, and oversight. To aid in this endeavor, NIST is providing guidance, especially for executive decision-makers, risk officers, and those responsible for governance and risk management practices.

Today, NIST is issuing best practices on how to better integrate ICT risk programs into an overarching ERM portfolio, giving special attention to coordination and communication across risk programs. These resources will help ICT risk practitioners at all levels of the enterprise, across the private and public sectors, to better understand and practice ICT risk management in coordination with ERM.

These publications were developed in close collaboration with private and public sector experts. NIST appreciates and looks forward to further collaboration and feedback from the community. Questions or ideas? Reach out to us via ictrm@nist.gov.

NIST Publishes SP 800-140Br1 on CMVP Security Policy Requirements

The final version of NIST Special Publication (SP) 800-140Br1 (Revision 1), CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B, is now available.

This document introduces four significant changes to NIST SP 800-140B:

  1. Defines a more detailed structure and organization for the Security Policy
  2. Captures Security Policy requirements that are defined outside of ISO/IEC 19790 and ISO/IEC 24759
  3. Builds the Security Policy document as a combination of the subsection information
  4. Generates the approved algorithm table based on lab/vendor selections from the algorithm tests

This final version addresses the comments made on the initial and second public drafts, including concerns with the structure of the Security Policy and the process for creating it.

The NIST SP 800-140x series supports Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules, and its associated validation testing program, the Cryptographic Module Validation Program (CMVP). The series specifies modifications to ISO/IEC 19790 Annexes and ISO/IEC 24759 as permitted by the validation authority.


The NIST Phish Scale User Guide is Now Available!

The National Institute of Standards and Technology Human-Centered Cybersecurity program is pleased to announce the release of the NIST Phish Scale User Guide.  

The Phish Scale is a method designed to rate how difficult a phishing email is for a human to detect. It has been adopted by organizations globally to provide an additional metric in their phishing awareness training programs. Phishing training implementers, who run these programs, use the Phish Scale to provide context for the click rate and report rate results from their simulated phishing exercises.

This Phish Scale User Guide is intended for use by practitioners and provides step-by-step instructional guidance on how to apply the Phish Scale in their phishing awareness training programs. It provides background on and the components of the NIST Phish Scale, detailed cue descriptions, interpretation of Phish Scale results, and an interactive NIST Phish Scale Worksheet for applying the Phish Scale to phishing emails.

Email human-cybersec@nist.gov with any questions. Learn more about the NIST Phish Scale and the Human-Centered Cybersecurity program’s phishing research.


Minimizing Harms and Maximizing the Potential of Generative AI

When social media platforms were first created, some companies had lofty goals of bringing people together.

To some extent, they succeeded. Social media has allowed people to connect. But it has also led to hate speech, violence, bullying, self-esteem issues in teenagers and other harms.

Decades into the social media era, it’s clear that new technologies come with both upsides and downsides.


NIST’s International Cybersecurity & Privacy Engagement Update

Our Cybersecurity Awareness Month may have come to a close at the end of October, but the importance of enhancing cybersecurity, and of engaging with our international partners to that end, is at the forefront of our minds all year long.

Here are some updates on our international work:

  • Conversations have continued with our partners throughout the world on the update to the NIST Cybersecurity Framework (CSF) 2.0, and NIST hosted its final workshop on September 19 and 20 with in-person and hybrid attendance featuring international participation (via both speakers and panelists). While formal comments on the current Draft CSF 2.0 were due on November 6, please continue to provide us your valuable feedback.
  • NIST is also currently working with industry partners to amplify our international outreach — as an example…


Microsoft Security Virtual Training Day: Protect Data and Mitigate Risk

Identify, remediate, and limit data risks at Security Virtual Training Day: Protect Data and Mitigate Risk from Microsoft Learn. At this free event, you’ll learn how to secure data and reduce risks with Microsoft Purview Information Protection and risk management solutions. You’ll also explore how to manage data protection policies across your organization to help protect people and data against cyberthreats. You will have the opportunity to:

  • Manage and monitor data in new, comprehensive ways to help prevent data loss with Microsoft Purview.
  • Identify privacy risks and help protect personal data using Microsoft Priva.
  • Discover sensitive data and respond to inquiries efficiently with Microsoft Purview.

Join us at an upcoming two-part event:

December 04, 2023 | 12:00 PM – 2:45 PM | (GMT-05:00) Eastern Time (US & Canada)
December 05, 2023 | 12:00 PM – 2:30 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 

Microsoft.Source newsletter

Featured

  • Documentation: Announcing .NET 8. .NET releases are one of the many ways your .NET apps get better over time. .NET 8 is here, and it’s packed with updates that help you customize your development and app experience.

What’s New

  • Documentation: What’s new in .NET 8. Find out what is new for .NET developers across all workloads, including cloud, mobile, desktop, web, AI, IoT, and much more.
  • Video: On.NET weekly show. Join members from the .NET team each week as they host and interview .NET contributors from the .NET team and the community.
  • Blog: Announcing Microsoft Playwright Testing Preview. Microsoft Playwright Testing enables faster test runs and broader scenario coverage, speeding up the delivery of features without sacrificing coverage.

Events

  • See local events.
  • On demand: Microsoft Ignite sessions are now available on demand. Catch up on the latest announcements on AI/Copilot advancements, demos, and insights into the trajectory of tech developments.
  • On demand: .NET Conf 2023 sessions available on demand. Celebrate the release of .NET 8! Watch on-demand sessions to catch up on all the latest features and functions.
  • Virtual: Global AI Conference 23, Dec. 12, 2023. Jump into the worldwide livestream, check out a local conference in person, or chat and connect with AI experts on the Discord channel.
  • Virtual: Microsoft for Startups: Discovery Day, Dec. 14. Learn about Microsoft for Startups Founders Hub and how to get started building on Azure and OpenAI for free.
  • On demand: Quantum Innovator webinar series. Get a firsthand account of the Microsoft strategy for scaled quantum computing.

Learning

  • Cloud Skills Challenge: Microsoft Ignite Cloud Skills Challenge. Validate your skills in real time and earn a new Microsoft Applied Skills credential. This special edition tests your skills across new innovations announced at Ignite.
  • Video: Visit the Microsoft Learn Exam Readiness Zone. In this video learning series, Microsoft experts provide tips, tricks, and strategies for preparing for a Microsoft Certification exam.
  • Video: Let’s Learn: .NET beginner video series. This monthly series walks through the fundamentals of using C# and .NET for everyday tasks. Leave with something built together, live with experts.