NIST Releases Draft NIST IR 8460

NIST Releases Draft NIST IR 8460: State Machine Replication and Consensus with Byzantine Adversaries

Most applications on the internet are run by centralized service providers that are a single point of failure: if the provider crashes or is malicious, users may lose access to the application, or it may return erroneous or inconsistent results. Consensus algorithms and state machine replication enable a set of mutually distrusting parties to emulate a centralized service in a fault-tolerant and distributed manner. Although the study of these algorithms began in the 1980s, research has accelerated dramatically since the advent of Bitcoin in 2008.

NIST announces the release of draft NIST IR 8460, State Machine Replication and Consensus with Byzantine Adversaries, which is now available for public comment. This document provides a survey on consensus algorithms, state machine replication, and distributed ledger technology for readers who already possess a high-level understanding of distributed ledgers, such as that provided by NIST IR 8202, Blockchain Technology Overview. After introducing the properties of these systems, the models they operate in, and the subprotocols used to implement them, this document provides a detailed look at many of the most prominent permissioned and permissionless algorithms in the literature with a focus on performance and security considerations. Finally, a variety of related topics are discussed, including state machine design, interoperability, scalability mechanisms such as sharding and “layer 2” technologies, and how incentives can impact system security.

The public comment period is open through September 1, 2023. See the publication details for a copy of the draft and instructions for submitting comments.

Read more here

NIST small business webinars

Celebrate National Small Business Week with the NCCoE! 

NIST’s National Cybersecurity Center of Excellence (NCCoE) will be hosting two virtual events during National Small Business Week (April 30–May 6, 2023) as part of its NCCoE Learning Series. The webinars will feature new and existing NIST small business resources and will give attendees the opportunity to share ideas, ask questions, and engage with NIST subject matter experts. View and register below:


Overview of the NIST Small Business Cybersecurity Corner

Date: Tuesday, May 2, 2023

Time: 2:00–2:45 PM (ET)

Event Description:

Join us on May 2, 2023 for a 30-minute overview of the NIST Small Business Cybersecurity Corner. We’ll not only provide an overview of what resources are currently available on the site, but will give attendees an opportunity to express what resources they want to see there. Additionally, attendees will be introduced to the new NIST Small Business Community of Interest, which will convene companies, trade associations, and others who can share business insights, expertise, challenges, and perspectives to guide our work and assist NIST to better meet the cybersecurity needs of the small business community.

Register Here

Data Analytics for Small Businesses: How to Manage Privacy Risks

Date: Thursday, May 4, 2023

Time: 3:00–3:45 PM (ET)

Event Description:

Data analytics are being promoted as a method to help small businesses increase innovation, enhance customer experience, save money, and improve their brand. If your small business is using data analytics—whether in-house or relying on a service provider to do it for you—it is important to be aware of the privacy implications of these activities.

Join us for an interactive discussion about how to manage privacy risks associated with data analytics.

During the webinar we will cover:

  • A brief introduction to data analytics
  • Common privacy risks that arise from data analytics practices
  • Tips to help you meet your privacy objectives
  • Resources for enhancing privacy risk management within your small business

Register Here

Abuse of the Service Location Protocol May Lead to DoS Attacks

The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated remote attacker to register arbitrary services. This could allow an attacker to use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor.

Researchers from Bitsight and Curesec have discovered a way to abuse SLP—identified as CVE-2023-29552—to conduct high amplification factor DoS attacks using spoofed source addresses.

As noted by Bitsight, many SLP services visible on the internet appear to be older and likely abandoned systems. Administrators should consider disabling or restricting network access to SLP servers. Some organizations, such as VMware, have evaluated CVE-2023-29552 and have provided a response; see VMware Response to CVE-2023-29552 – reflective Denial-of-Service (DoS) amplification vulnerability in SLP for more information. CISA urges organizations to review Bitsight’s blog post for more details and to see CISA’s article on Understanding and Responding to Distributed Denial-of-Service Attacks for guidance on reducing the likelihood and impact of DoS attacks.
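As an added illustration (not part of the advisory or of CISA’s or Bitsight’s material), the following Python snippet shows one way a defender can triage flow records for the two conditions the advisory describes: an SLP server (UDP port 427, the port RFC 2608 assigns) reachable from outside the network, and reply traffic leaving port 427 that dwarfs the requests arriving on it, which is what a reflection attack in progress looks like from the server’s own network. The flow records, the internal address range, and the ratio threshold are all constructed for this example.

```python
import ipaddress
from collections import defaultdict

SLP_PORT = 427  # port assigned to SLP in RFC 2608

# Constructed sample flow records: (src, sport, dst, dport, proto, bytes).
# Not real traffic; 10.0.0.0/8 stands in for the internal network.
SAMPLE_FLOWS = [
    ("10.0.5.20", 427, "10.0.5.30", 42000, "udp", 1200),      # internal SLP chatter
    ("198.51.100.7", 53000, "10.0.5.20", 427, "udp", 60),     # external request reaches SLP
    ("10.0.5.20", 427, "198.51.100.7", 53000, "udp", 60000),  # oversized reply leaves the network
    ("203.0.113.9", 40000, "10.0.5.20", 427, "udp", 60),
    ("10.0.5.20", 427, "203.0.113.9", 40000, "udp", 70000),
    ("10.0.5.40", 44000, "10.0.5.21", 427, "udp", 80),        # internal-only server, normal ratio
    ("10.0.5.21", 427, "10.0.5.40", 44000, "udp", 400),
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def exposed_slp_servers(flows):
    """Internal hosts that receive SLP traffic from external sources."""
    return sorted({dst for src, _, dst, dport, _, _ in flows
                   if dport == SLP_PORT and is_internal(dst) and not is_internal(src)})


def amplification_ratio(flows):
    """Per internal SLP server: UDP bytes sent from port 427 to external peers
    divided by UDP bytes received on port 427 from external peers."""
    sent, recv = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if sport == SLP_PORT and is_internal(src) and not is_internal(dst):
            sent[src] += nbytes
        elif dport == SLP_PORT and is_internal(dst) and not is_internal(src):
            recv[dst] += nbytes
    return {host: sent[host] / recv[host] for host in sent if recv[host]}


def reflection_suspects(flows, min_ratio=10.0):
    """Servers whose outbound/inbound byte ratio meets the threshold.
    The threshold is an assumption for this example, not a value from the advisory."""
    return sorted(h for h, r in amplification_ratio(flows).items() if r >= min_ratio)
```

Hosts returned by `exposed_slp_servers` are the ones the advisory says to firewall or disable; hosts returned by `reflection_suspects` are already being used as reflectors and need that restriction applied first.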

Update on the Revision of NIST SP 800-66, Implementing the HIPAA Security Rule

NIST to Finalize Special Publication (SP) 800-66 Revision 2 and Collaborate on Resources for Small, Regulated Entities 

For the past 18+ months NIST, in collaboration with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), has been working to update NIST Special Publication (SP) 800-66, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, from Revision 1 to Revision 2.

Thank you to all who provided feedback during the open comment period; in total, over 250 unique comments were received from dozens of individuals and organizations. Many commenters suggested that more resources be developed for small, regulated entities. We agree and anticipate follow-on work in this area—but we can’t do it alone and plan to work collaboratively with other agencies, entities, and colleagues to produce useful resources (stay tuned for more information about this in the coming months).

NIST and OCR are still in the process of carefully adjudicating the comments received. Once all comments are adjudicated, NIST plans to publish a blog or whitepaper detailing the proposed changes to SP 800-66 Rev. 2 (with the goal being to publish a final version of SP 800-66 Rev. 2 later this year).

Thank you for the opportunity to share this update. Reach out with any questions or comments via [email protected] (and follow us on Twitter via @NISTcyber and subscribe to our Cybersecurity Insights blog to stay updated in the future).

To read more go here

NIST Cybersecurity Framework 2.0 Core DRAFT

Feedback Appreciated | NIST CSF 2.0 Core – Discussion Draft

NIST is updating the Cybersecurity Framework (CSF) which is widely used to help organizations better understand, manage, reduce, and communicate cybersecurity risks. This recently released CSF 2.0 Core discussion draft identifies the potential Functions, Categories, and Subcategories (also called cybersecurity outcomes) of the NIST CSF 2.0 Core.

This draft Core is preliminary and is intended to increase the overall transparency of the CSF update process, while also provoking discussion about improvements to potential changes to the CSF. Progress updates about NIST’s CSF 2.0 effort, as well as ways to engage, FAQs, and resources can be found on the NIST CSF 2.0 webpage.

Feedback on this Core discussion draft can be submitted via [email protected] at any time and will inform the NIST CSF 2.0 Draft, which is anticipated this summer.

Read the draft Here


Getting started with the CDMC framework – Microsoft’s guide to cloud data management

It provides a checklist for regulators and auditors

Organizations need confidence that their sensitive data is properly protected, no matter where it resides. However, too many businesses have to contend with the lack of a common language for discussing requirements for cloud data management—the CDMC framework provides this. Certification allows organizations to balance data sovereignty controls with generating business value from their data, wherever it resides. Most importantly, certification assures regulators that privacy laws are being followed for data such as:

  • Personally Identifiable Information.
  • Personal Health Information.
  • Company- or client-identifiable information.
  • Material Non-public Information.
  • Information with sensitivity classifications, such as “Highly Restricted” or “Confidential.”
  • Critical data elements used for business processes.
  • Licensed data.

To read the full article go here

Free Security Virtual Training Day

Grow your skills at Security Virtual Training Day: Security, Compliance, and Identity Fundamentals from Microsoft Learn. At this free, introductory event, you’ll gain the security skills and training you need to create impact and take advantage of opportunities to move your career forward. You’ll explore the basics of security, compliance, and identity—including best practices to help protect people and data against cyberthreats for greater peace of mind. You’ll also learn more about identity and access management while exploring compliance management fundamentals. You will have the opportunity to:

  • Learn the fundamentals of security, compliance, and identity.
  • Understand the concepts and capabilities of Microsoft identity and access management solutions, as well as compliance management capabilities.
  • Gain the skills and knowledge to jumpstart your preparation for the certification exam.

Join us at an upcoming two-part event:
Tuesday, May 16, 2023 | 11:00 AM – 2:30 PM | (GMT-08:00) Pacific Time (US & Canada)
Wednesday, May 17, 2023 | 11:00 AM – 1:00 PM | (GMT-08:00) Pacific Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English

Go here

NIST NCCoE Migration to Post-Quantum Cryptography Preliminary Draft 1800-38A

Submit Your Comments

The National Cybersecurity Center of Excellence (NCCoE) has published for comment Preliminary Draft NIST SP 1800-38A, Migration to Post-Quantum Cryptography. 

The public comment period for this draft closes at 11:59 p.m. ET on June 8, 2023.

  1. View the publication.
  2. Submit comments via the webform on the project page.
  3. Email questions to [email protected].

All comments that are received will be reviewed and adjudicated to inform a future draft of the publication. 

We value and welcome your input and look forward to your comments.


Project Description

Advances in quantum computing could compromise many of the current cryptographic algorithms being widely used to protect digital information, necessitating replacement of existing algorithms with quantum-resistant ones. Previous initiatives to update or replace installed cryptographic technologies have taken many years, so it is critical to begin planning for the replacement of hardware, software, and services that use affected algorithms now so that data and systems can be protected from future quantum computer-based attacks. 

NIST has been soliciting, evaluating, and standardizing quantum-resistant public-key cryptographic algorithms (https://csrc.nist.gov/projects/post-quantum-cryptography). To complement this effort, the NIST National Cybersecurity Center of Excellence (NCCoE) is engaging with industry collaborators and regulated industry sectors and the U.S. Federal Government to bring awareness to the issues involved in migrating to post-quantum algorithms and to prepare the crypto community for migration.  

As the project progresses, this preliminary draft will be updated, and additional volumes will also be released for comment. 

Three steps to master information governance in your organization.

This month’s episode of Uncovering Hidden Risks, a podcast from Microsoft, discusses information governance and the industry trends we are seeing in this space. Information governance is the overall strategy for managing information at an organization. It is a discipline that spans several markets, including data governance, security, compliance, data privacy, content services, and more. Recently, these markets have begun to converge, highlighting the sometimes conflicting requirements between these disciplines.

Joining our host Erica Toelle is our guest, Randolph Kahn. Mr. Kahn is a globally recognized leader in Information Governance, with his consulting team advising major multinational corporations and governments on various information management issues. He has been an expert witness in major court cases and is a trusted advisor to corporations and governmental agencies. Mr. Kahn is also an accomplished author, speaker, and adjunct professor of Law and Policy of Electronic Information and The Politics of Information.

Natalie Noonan joins us as our guest host. Natalie is one of Microsoft’s top information governance experts, and helps our customers to define and plan their strategies. She is also a former program manager in financial services.

Together, we’ll explore how you can master information governance in your organization. 

In this episode, we’ll cover the following: 

  • Trends around the convergence of security, data governance, privacy, and compliance.
  • How the increase in laws and regulations around the management of data, especially regarding privacy, has affected these trends.
  • How people can approach a data governance solution.
  • What requirements are important for data governance.
  • Options for implementing these requirements.
  • Looking ahead to the future, what is coming for data governance.

Listen to this episode on your favorite podcast platform:

NIST Identity & Access Management Roadmap

Identity and Access Management (IAM) represents the complex orchestration of multiple technologies, standards, and protocols that enable someone to access services, benefits, and data—and it’s a key component to creating trusted, modern digital services. NIST has long played a leadership role in advancing critical research, standards, and technology in support of IAM efforts—and this role continues to be a major priority today.

NIST’s multi-disciplinary Identity Program is committed to the advancement of a more secure, privacy-enhancing, and inclusive Identity Ecosystem. We invite you to join us as co-creators of this envisioned end state by contributing to our draft IAM Roadmap, which presents a set of strategic objectives, priorities, and initiatives that we intend to pursue alongside our community of collaborators like you.

Comments received on this initial draft will help NIST gain detailed input and feedback from the public so that our efforts are prioritized to address the most relevant and impactful problems facing our world today.

Please submit comments to [email protected] by Thursday, June 1st, 2023. All relevant comments will be made publicly available on the IAM program page [1].

See the Roadmap! [2]