Author: blogmirnet
The NCCoE Healthcare Team is Seeking Collaborators for the Smart Home Integration Project
Collaborate with the NCCoE Healthcare Team on the Mitigating Cybersecurity Risk in Telehealth Smart Home Integration Project
Back in April 2023, the National Cybersecurity Center of Excellence (NCCoE) issued a Federal Register Notice (FRN) inviting interested organizations to participate in the Mitigating Cybersecurity Risk in Telehealth Smart Home Integration project.
This NCCoE project will develop guidance on smart home devices integrating with healthcare information systems. The project’s objective is to identify and mitigate cybersecurity and privacy risks based on patient use of smart home devices interfacing with patient information systems.
Collaborate With Us!
Collaborators are members of the project team that work alongside the NCCoE Healthcare team to build the demonstration by contributing products, services, and technical expertise.
If you are interested in collaborating with us on this project, first review the requirements identified in the Federal Register Notice. Then, visit the project page to access the final project description and request a Letter of Interest (LOI) template; you will then receive a link to download the LOI template. Complete the LOI template and send it to the NCCoE Healthcare team at [email protected].
Don’t hesitate to reach out to our project team at [email protected] with any questions. If you would like to join our community of interest, please visit our project page.
Respectfully,
The NCCoE Healthcare Team
Project Page
The NCCoE Buzz: Steering Toward Mobile Driver’s Licenses
The NCCoE Buzz: Mobile Security Edition is a recurring email on timely topics in mobile device cybersecurity and privacy from the National Cybersecurity Center of Excellence’s (NCCoE’s) Mobile Device Security project team.
Comment on Proposed Competency Areas
Final reminder to submit comments! Last month, NICE released a new proposed list of NICE Framework Competency Areas for comment. This list includes updates that were made based on feedback received during the comment period for a previously released draft list. Comments on the proposed Competency Areas should be submitted by email to [email protected] by 11:59 pm ET on August 5, 2023.
Take Action:
- Read the Summary of Updates and proposed List of Competency Areas
- Submit comments to [email protected]
- Visit the NICE Framework Resource Center
RELATED DOCUMENTS
NICE also recently published NIST Internal Report (NISTIR) 8355, NICE Framework Competencies: Preparing a Job-Ready Cybersecurity Workforce. This publication describes Competency Areas as included in the NICE Framework, providing information on how Competency Areas are defined and how they can be used. Additionally, a Competency Areas Authoring Guide is now available. The publication accompanies the previously released Task Knowledge Skill (TKS) Statements Authoring Guide for Workforce Frameworks. These authoring guides and other materials that support a standard approach to developing workforce frameworks can be found in the Playbook for Workforce Framework, which details workforce framework components and provides developers with supporting resources.
NIST Requests Public Comments on SP 800-135 Revision 1, Recommendation for Existing Application-Specific Key Derivation Functions
NIST is in the process of a periodic review and maintenance of its cryptography standards and guidelines.
Currently, we are requesting public comments on the following publication:
- NIST Special Publication (SP) 800-135 Rev. 1, Recommendation for Existing Application-Specific Key Derivation Functions, 2011.
NIST requests feedback on all aspects of SP 800-135 Rev. 1.
The public comment period is open through September 27, 2023. Send comments to [email protected] with “Comments on SP 800-135 Rev. 1” in the subject line.
Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process.
NIST Requests Public Comments on FIPS 202, “SHA-3 Standard,” and SP 800-185, “SHA-3 Derived Functions”
NIST is in the process of a periodic review and maintenance of its cryptography standards and guidelines.
Currently, we are requesting public comments on the following publications:
- Federal Information Processing Standard (FIPS) 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, 2015, and
- NIST Special Publication (SP) 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash, 2016.
NIST requests feedback on all aspects of these publications, including the security and usefulness of the specified functions and their various parameterizations.
The public comment period is open through October 27, 2023. Send comments to [email protected] with “Comments on FIPS 202” or “Comments on SP 800-185” in the subject.
Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process.
Microsoft Security Virtual Training Day: Security, Compliance, and Identity Fundamentals
Grow your skills at Security Virtual Training Day: Security, Compliance, and Identity Fundamentals from Microsoft Learn. At this free, introductory event, you’ll gain the security skills and training you need to create impact and take advantage of opportunities to move your career forward. You’ll explore the basics of security, compliance, and identity—including best practices to help protect people and data against cyberthreats for greater peace of mind. You’ll also learn more about identity and access management while exploring compliance management fundamentals.
You will have the opportunity to:
- Learn the fundamentals of security, compliance, and identity.
- Understand the concepts and capabilities of Microsoft identity and access management solutions, as well as compliance management capabilities.
- Gain the skills and knowledge to jumpstart your preparation for the certification exam.
Join us at an upcoming two-part event:
- Wednesday, August 30, 2023 | 9:00 AM – 12:40 PM (GMT-08:00) Pacific Time (US & Canada)
- Thursday, August 31, 2023 | 9:00 AM – 11:10 AM (GMT-08:00) Pacific Time (US & Canada)
Delivery Language: English
Closed Captioning Language(s): English
Microsoft Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments
Grow your skills at Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments from Microsoft Learn. At this free event, you’ll learn to perform advanced hunting, detections, and investigations, and remediate security alerts with Microsoft Defender and Microsoft Sentinel. Using automated extended detection and response (XDR) in Microsoft Defender and unified cloud-native security information and event management (SIEM) through Microsoft Sentinel, you’ll learn to confidently perform investigations and remediations to help defend against threats.
You will have the opportunity to:
- Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
- Use Microsoft Defender for Cloud to perform cloud security posture management and to help protect cloud workloads.
- Understand ways to help protect people and data against cyberthreats with Microsoft technologies.
Join us at an upcoming two-part event:
- Tuesday, August 22, 2023 | 2:00 PM – 4:45 PM | (GMT-05:00) Eastern Time (US & Canada)
- Wednesday, August 23, 2023 | 2:00 PM – 4:00 PM | (GMT-05:00) Eastern Time (US & Canada)
Delivery Language: English
Closed Captioning Language(s): English
Apple Releases Security Updates for Multiple Products
Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device.
CISA encourages users and administrators to review the following advisories and apply the necessary updates.
Become a Microsoft Purview Data Lifecycle and Records Management Ninja
What is Data Lifecycle Management and Records Management?
Microsoft Purview Data Lifecycle Management and Microsoft Purview Records Management help to govern your Microsoft 365 data for compliance or regulatory requirements.
Microsoft Purview Data Lifecycle Management manages risk and liability by only keeping what you need and deleting what you don’t across your entire digital estate, whereas Records Management manages high value content following the specialized workflows required to meet legal, business, or regulatory recordkeeping obligations.
- Simplify the lifecycle of sensitive data (Blog)
- Simplify the lifecycle of sensitive data (video)
- Manage information protection and governance (Learning path)
- Govern your data with Microsoft Purview (Docs)
- Deploy a data governance solution (Docs)
Getting Started
Microsoft Purview Data Lifecycle and Records Management retains and deletes data. It manages content where users collaborate to prevent productivity loss and reduce risks with defensible disposal and rich audit trails. Learn about how to get started below.
Solution Guide
- Interactive Guide for Data Lifecycle and Records Management (Guide)
- Get started with Data Lifecycle Management in Microsoft 365 (Docs)
- Get started with Records Management in Microsoft 365 (Docs)
- Common Scenarios for Data Lifecycle and Records Management (Docs)
Do you need some inspiration? Check out these customer success stories.
- FSA helps keep UK food supply safe with Microsoft Purview Records Management
- Visionary Wealth Advisors helps safeguard mobile communications with Microsoft Purview Data Lifecycle Management and CellTrust SL2
- City of Marion government powers customer-centric transformation with Microsoft Purview Records Management
- Global bank deploys Microsoft 365 data connectors for more secure, compliant use of popular apps
Which license and permissions do I need for Data Lifecycle and Records Management?
- Licensing guide for Data Lifecycle and Records Management (Docs)
- Permissions for Data Lifecycle and Records Management (Docs)
- Permissions for disposition management (Docs)
Trials and setup guide
- Microsoft 365 Compliance E5 one month trial
- Microsoft Purview Data Lifecycle and Records Management set-up guide (available to public)
- Microsoft Purview Data Lifecycle and Records Management admin set-up guide (tenant admins only)
Retain and delete your data
How long to retain data and when to delete it are important decisions, as keeping data for a longer or shorter time than your business, legal, or regulatory requirements allow can cause you to be noncompliant. With Microsoft Purview Data Lifecycle and Records Management, you can apply retention policies and retention labels to locations across Microsoft 365 to keep your data compliant.
- Retention Policies
- Retention Labels
- Learn about retention labels (Docs)
- Use file plan to manage retention labels (Docs)
- Use retention label policies to publish retention labels (Docs)
- Understand locations where you can publish retention labels (Docs)
- You can only use one retention label at a time (Docs)
- Use retention labels to manage a SharePoint document lifecycle (Docs)
- Better together: use both Retention policies and Retention labels
- Principles of retention
- How retention works for SharePoint, OneDrive, Teams, Yammer, and Exchange
- Learn about retention for SharePoint and OneDrive (Docs)
- Learn about retention for Teams (Docs)
- Learn about retention for Yammer (Docs)
- Learn about retention for Exchange (Docs)
- Understand the recoverable Items folder in Exchange Online (Docs)
- Learn about archive mailboxes for Microsoft Purview (Docs)
- Learn about inactive mailboxes (Docs)
- Learn about importing organization PST files (Docs)
- Using adaptive policy scopes to apply Microsoft 365 retention to shared, resource, and inactive mailboxes (Blog)
- Other retention settings
Other uses for retention labels
Besides applying retention and deletion to content, retention labels can also be used for:
- Classifying content without applying any actions (Docs)
- Using a retention label as a condition in a DLP policy (Docs)
Use file plan to create and manage your retention labels
After you’ve decided to use retention labels to help you keep or delete files and emails in Microsoft 365, you might have realized that you have many, possibly hundreds, of retention labels to create and publish.
Learn about how to use the file plan to bulk create and manage your retention labels.
- Use file plan to manage retention labels (Docs)
- How to access the file plan (Docs)
- How to navigate your file plan (Docs)
- Export all retention labels to analyze or enable offline reviews (Docs)
- Import retention labels into your file plan (Docs)
- Information about the label properties for import (Docs)
- Understanding the file plan descriptors columns (Docs)
Other ways to create and manage your retention labels
Although the recommended method to create retention labels at scale is by using the file plan from the Microsoft Purview compliance portal, you can also choose to use PowerShell and Graph API.
- PowerShell cmdlets for retention policies and retention labels (Docs)
- Create and publish retention labels by using PowerShell (Docs)
- Use the Microsoft Graph records management API – Microsoft Graph v1.0 (Docs)
- Use the Microsoft Graph records management API – Microsoft Graph beta (Docs)
Trigger retention based on an event
Many times, retention is triggered not based on the age of the content, but when a specific event occurs, such as when an employee departs, a contract expires, or a project closes. Learn about how to use event-triggered retention to manage content across your organization related to the same employee, contract, or project.
Record retention label vs. Regulatory retention label
You can use retention labels to mark items as a record, or a regulatory record.
- Learn about Records (Docs)
The difference between retention labels, and retention labels that mark an item as a record or regulatory record, is explained below:
By using retention labels to mark items as a record, you can implement a single and consistent strategy for managing immutable files across your Microsoft 365 environment.
- Declare records by using retention labels (Docs)
- Use record versioning in SharePoint or OneDrive (Docs)
- Resources to help you meet regulatory requirements for Data Lifecycle and Records Management (Docs)
- Validating migrated records (Docs)
Automatically apply a retention label to retain or delete content
One of the most powerful features of retention labels is the ability to apply them automatically to content that matches specified conditions. In this case, people in your organization don’t need to apply the retention labels; Microsoft 365 does the work for them.
You can automatically apply a retention label using:
- Keywords or searchable properties (Docs)
- Specific types of sensitive information (Docs)
- Trainable classifiers (Docs)
- Cloud attachments (Docs)
- Microsoft 365 compliance connectors (Docs)
- Microsoft Syntex (Docs)
Before you auto-apply your retention label to content, you can also use simulation mode for Data Lifecycle and Records Management to simulate the results as if the auto-labeling policy had applied your selected label, using the conditions that you defined. You can then refine your conditions for accuracy if needed and rerun the simulation.
Targeted retention to users, groups, and sites using adaptive scopes
Have you always wanted to apply retention dynamically based on common attributes and properties, rather than choosing specific users, groups, and sites and having to manually update them as they change over time? Then adaptive scope is what you are looking for!
- Configuration information for adaptive scopes (Docs)
- Adaptive or static policy scopes for retention (Docs)
- Microsoft Build video covering APIs, Power Automate integration, adaptive policy scopes (video)
- Enhancing Existing Data Lifecycle Management Policies by Migrating to Adaptive Policy Scopes (Blog)
- Using Adaptive Policy Scopes to Apply Microsoft 365 Retention to Shared, Resource, and Inactive Mailboxes (Blog)
- Using Custom SharePoint Site Properties to Apply Microsoft 365 Retention with Adaptive Policy Scopes (Blog)
Scope the administration of Data Lifecycle Management
Microsoft Purview Data Lifecycle Management supports administrative units that have been configured in Azure Active Directory.
Customize what happens at the end of the retention period
When you configure a retention label to retain items for a specific period, you can specify what action to take at the end of that retention period.
You can choose from the built-in actions of permanently deleting the item, relabeling the item to a different retention label, deactivating the label, starting a disposition review, or running a Power Automate flow.
Review and manage the disposition of your records
Disposition review ensures that the correct retention has been applied to the content, and identifies whether there are reasons to suspend the deletion due to litigation or whether the content should be archived and retained instead.
- Announcing Multi-Stage Disposition in Microsoft Records Management (Blog)
- Disposition of content (Docs)
- Learn about disposition reviews (Docs)
- Prerequisites for viewing content dispositions (Docs)
- Workflow for a disposition review (Docs)
- Auto-approval for disposition (Docs)
- How to configure a retention label for disposition review (Docs)
- How to customize email messages for disposition review (Docs)
- Viewing and disposing of content (Docs)
- Disposition of records (Docs)
Running a Power Automate flow at the end of the retention period
If you choose to run a Power Automate flow at the end of the retention period, you can customize notifications and approval processes.
- Customize what happens at the end of the retention period (Docs)
- Overview of using retention labels with a Power Automate flow (Docs)
- How to configure a retention label to run a Power Automate flow (Docs)
- Microsoft Build video covering APIs, Power Automate integration, adaptive policy scopes (Video)
Monitoring your retention labels and activities
After you have deployed your retention policies and retention labels, you can use the built-in content explorer and activity explorer to monitor and understand retention activities.
- Monitoring retention labels (Docs)
- Using Content Search to find all content with a specific retention label (Docs)
- Policy Lookup (Docs)
- Auditing retention configuration and actions (Docs)
When to use retention policies and retention labels instead of older features
If you need to proactively retain or delete content in Microsoft 365 for data lifecycle management, we recommend that you use Microsoft 365 retention policies and retention labels instead of the following older features.
- When to use retention policies and retention labels or eDiscovery holds (Docs)
- Use retention policies and retention labels instead of older features (Docs)
Integration with Microsoft Syntex
Microsoft Syntex is a set of AI-powered cloud content management services. Microsoft Syntex puts content to work – optimizing your business processes and managing your content better. With Microsoft Syntex, you can apply retention labels to the documents that your models identify.
- Overview of Microsoft Syntex (Docs)
- Document compliance with Microsoft Syntex (Docs)
- Apply a retention label to a model in Microsoft Syntex (Docs)
- Discover opportunities in Microsoft Syntex by using the Microsoft 365 Assessment tool (Docs)
What’s next?
Now that you know about Data Lifecycle and Records Management, take the SC-400 exam to become a certified Microsoft Information Protection Administrator.
- Exam SC-400: Microsoft Information Protection Administrator (Exam)
- SC-400: Implement Data Lifecycle and Records Management (Learning path)
Additional Resources
- Data Lifecycle and Records Management roadmap: Roadmap of upcoming features and changes
- Message Center: Notifications and details of updated changes to Microsoft 365
- How to resolve common Data Lifecycle and Records Management errors
- Sign up for the Data Lifecycle and Records Management Customer Connection Program
- Data Lifecycle and Records Management Feedback portal
- Microsoft Purview Data Lifecycle Management website
- What is new in Microsoft Purview
- Tech Community – Security and Compliance: Blogs, community forums, and more