MPTS 2025: NIST Workshop on Multi-Party Threshold Schemes 2025

On November 17-20, 2025, the NIST Workshop on Multi-Party Threshold Schemes (MPTS) 2025 will bring together multiple perspectives on Threshold Cryptography in a learning and collaborative environment. Organized under the NIST Multi-Party Threshold Cryptography (MPTC) project, this virtual workshop will gather insights about the state of the art. Within scope are topics related to the specification, implementation, analysis, and deployment of threshold schemes (and threshold-friendly primitives). The event will include invited and externally proposed talks, including previews of upcoming submissions in reply to the NIST Threshold Call.

Event Information

  • Event webpage (and free registration):
     https://csrc.nist.gov/events/2025/mpts2025
  • Event dates: November 17–20, 2025
  • Featured topics: Threshold Cryptography, NIST Threshold Call, Fully-Homomorphic Encryption (FHE), Multi-Party Computation (MPC), Threshold Schemes, Zero-Knowledge Proofs (ZKP)
  • Webinar Format: Virtual talks (invited and externally proposed), with Q&A
  • Talk proposals: Submit by September 10, 2025
  • Host program: NIST Multi-Party Threshold Cryptography:
    https://csrc.nist.gov/projects/threshold-cryptography

Protecting Your Small Business from Phishing Risks: A NIST Small Business Cybersecurity Webinar

Date: August 14, 2025

Time: 2:00PM – 3:00PM EDT

Location: Virtual

Description: 

Phishing is one of the most common types of cyber crime. These scams use convincing emails or other messages, such as text messages or social media messages, to trick users into opening harmful links, downloading malicious software, or submitting sensitive information, such as credentials. These messages are often disguised as coming from a trusted source, such as a bank, credit card company, or even a leader within the business.

Small and medium-sized businesses are not immune to phishing. They are at risk just like their larger counterparts—only smaller organizations typically have fewer resources to prepare for and mitigate phishing risks. However, even with fewer resources, there are still proactive steps organizations of all sizes can take to reduce phishing risks. 

During this NIST small business cybersecurity webinar, we will convene a panel to highlight:

  • An overview of different types of phishing attacks in addition to modern, real-world examples;
  • Why it’s important to be proactive in protecting your business against phishing;
  • Tips for how to spot a phishing attempt;
  • Steps to take if you become the victim of a phishing scam;
  • Practical steps small businesses can take to reduce your likelihood of falling victim to phishing attempts; and
  • Free phishing resources available to businesses for staff training.

Speakers:

  • Shanée Dawkins, Computer Scientist, Visualization and Usability Group, NIST
  • Lessie Skiba, Deputy Managing Director, Cyber Readiness Institute
  • Daniel Eliot, Lead for Small Business Engagement, Applied Cybersecurity Division, NIST

Two Weeks Left to Comment on Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems

There are two weeks left to comment on the Initial Public Draft (IPD) of NIST Special Publication 800-18 Revision 2, Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems. The comment period closes at 11:59 p.m. EDT on July 30, 2025.


NIST invites comments on the initial public draft (ipd) of Special Publication (SP) 800-18r2 (Revision 2), Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems.

The system security plan, privacy plan, and cybersecurity supply chain risk management plan consolidate information about the assets and individuals being protected within an authorization boundary and its interconnected systems. These system plans serve as a centralized point of reference for information about the system and risk management decisions, including data being created, collected, disseminated, used, stored, and disposed of; the individuals responsible for system risk management efforts; details about the internal and external environments of operation, system components, and data flows; and controls that are planned or in place to manage risks.

The major changes for this revision include:

Additionally, the following supplemental materials are available:

  • Security Plan Example Outline
  • Privacy Plan Example Outline
  • C-SCRM Plan Example Outline
  • System Plan Related Roles and Responsibilities

The comment period is open through July 30, 2025. See the publication details for a copy of the draft, supplemental files, and a comment template. Commenters are encouraged to use that template and submit feedback to sec-cert@nist.gov with “SP 800-18r2 ipd comments” in the subject.


Imposters Among Us: Charity Scams After Disasters Strike

In light of several recent natural disasters, the NJCCIC reminds users to exercise caution and conduct due diligence before donating funds. Cybercriminals often exploit the compassion and generosity of the public by conducting fraudulent schemes to steal funds and credentials in the aftermath of tragic events. Individuals seeking to donate to relief efforts are targeted in charity scams initiated by threat actors using social engineering tactics through emails, SMS text messaging, phone calls, and direct messages via social media. They often create a sense of urgency and may impersonate reputable organizations. For example, display name spoofing may be used in phishing emails to appear as though they are sent from a known or trusted charity in an attempt to convince the potential donor to open an attachment or a link that directs them to a spoofed website impersonating the legitimate charity.

Although many legitimate organizations call to solicit donations, potential donors are advised to take the time to research the charity properly, understand who they are and their cause, and where the funds are directed before donating. Also, search the name of the charity to determine if there are any bad reviews, complaints, scams, or fraud associated with the charity. Credit card payments offer more consumer protections and are easier to track than payments made with gift cards, wire transfers, cash, or cryptocurrency. Additionally, donations are not recommended through payment apps, such as Venmo, CashApp, or Zelle, as funds through these apps should only be sent to known and familiar individuals, such as family and friends.

Considerations for Achieving Crypto Agility | Second Public Draft Available for Comment

Advances in computing capabilities, cryptographic research, and cryptanalytic techniques necessitate the replacement of cryptographic algorithms that no longer provide adequate security. A typical algorithm transition is costly, takes time, raises interoperability issues, and disrupts operations. Cryptographic (crypto) agility refers to the capabilities needed to replace and adapt cryptographic algorithms in protocols, applications, software, hardware, firmware, and infrastructures while preserving security and ongoing operations.

The initial public draft (ipd) of NIST Cybersecurity White Paper (CSWP) 39, Considerations for Achieving Crypto Agility: Strategies and Practices, was released on March 5, 2025. It offered a common understanding of challenges and identified existing approaches related to crypto agility.  The first draft was based on discussions that NIST conducted with various organizations and stakeholders and provided read-ahead material for a virtual Crypto Agility workshop hosted by NIST on April 17-18, 2025.

This second public draft (2pd) reflects the workshop findings and the feedback received during the first draft’s public comment period. It includes sections on crypto agility for security protocols and applications, crypto agility strategic plans, and considerations for future work.

To advance crypto agility, NIST encourages ongoing dialogue among stakeholders to establish strategies, frameworks, requirements, and metrics tailored to specific sectors and environments. This will help inform a maturity model with key performance indicators (KPIs) and facilitate the development of common crypto Application Programming Interfaces (APIs) and tools.

The public comment period for this second draft is open through August 15, 2025. See the publication details for a copy of the draft and instructions for submitting comments.


Microsoft SharePoint Server Spoofing Vulnerability

Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.

These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.

Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770 and CVE-2025-53771. Customers should apply these updates immediately to ensure they’re protected.
