Today, NIST has published an update of Federal Information Processing Standards Publication (FIPS) 197, Advanced Encryption Standard (AES). This update makes no technical changes to the algorithm specified in the standard, which was originally published in 2001.
However, this update includes extensive editorial improvements to the original version, including the following:
The front matter is modernized (e.g., a foreword and abstract are added).
Terms and symbols are defined more comprehensively and consistently.
Formatting/typesetting is improved in a variety of ways.
Unnecessary formalism is removed.
Diagrams for the three key schedules are included.
Some references were updated, and additional references are provided.
The changes are documented in greater detail in Appendix D of the updated FIPS. NIST originally proposed to update FIPS 197 in this manner on December 19, 2022. The proposal included the release of a draft of the FIPS update for public comment, as well as a summary of the determination that no technical revisions were necessary. No public comments were received on either the proposal or the draft.
In January 2023, NIST’s Crypto Publication Review Board initiated a review process for NIST Special Publication (SP) 800-132, Recommendation for Password-Based Key Derivation – Part 1: Storage Applications (December 2010). In March 2023, NIST proposed revising SP 800-132, in response to the public comments received.
NIST has decided to revise SP 800-132. See the full announcement for more details, links to comments received, and ways to monitor future developments.
Our new Certificate builds on our existing Google Career Certificates in Data Analytics, Digital Marketing & E-commerce, IT Support, Project Management and UX Design. The Google Cybersecurity Certificate will teach learners how to identify common risks, threats and vulnerabilities, as well as the techniques to mitigate them. The program will prepare people for entry-level cybersecurity roles by providing hands-on experience with industry standard tools including Python, Linux and an array of security tools, including Security Information and Event Management (SIEM) programs. The certificate will also help prepare learners for the CompTIA Security+ exam, the industry-leading certification for cybersecurity roles. Learners will earn a dual credential when they complete both, improving their hireability.
To help bridge the opportunity gap and bring more diverse talent to cybersecurity, Google.org grantees like NPower and Hiring our Heroes, as well as nonprofits like Cyversity, Raices Cyber and Women in CyberSecurity (WiCyS), will offer the Google Cybersecurity Certificate. They’ll also provide learners with support such as professional coaching, interview prep and job placement assistance.
On June 6, 2023, from 1:00 – 2:00 PM EDT, NIST will host a webinar to provide an overview of the significant changes in NIST Special Publication (SP) 800-171, Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
This revision to NIST SP 800-171 represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of Controlled Unclassified Information (CUI).
Please join us in an author-led discussion of the changes proposed, the drivers behind the changes, and the critical areas where more input is needed. Space is limited, so register today! The webinar will be recorded and posted online after the event.
Access control based on attribute-based encryption addresses a limitation of traditional public-key encryption (PKE): keys must be re-issued whenever access policies or attributes change, which can degrade system performance.
Access control based on attribute-based encryption supports fine-grained access control for encrypted data and is a cryptographic scheme that goes beyond the all-or-nothing approach of public-key encryption. This document reviews the interplay between cryptography and the access control of attribute-based encryption, including the fundamental theories on which the scheme is based; the main algorithms of IBE, CP-ABE, and KP-ABE; and considerations for deploying access control systems based on encryption.
The public comment period is open through June 23, 2023. See the publication details for a copy of the draft and instructions for submitting comments.
Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894. Customers will need to closely follow the configuration guidance to fully protect against this vulnerability.
This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled. This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device.
To protect against this attack, a fix for the Windows boot manager (CVE-2023-24932) is included in the May 9, 2023, security update release, but it is disabled by default and provides no protection until it is enabled. Customers will need to carefully follow manual steps to update bootable media and apply revocations before enabling this update.
We will be enforcing the protections in three phases to reduce customer and industry partner impact with existing Secure Boot while applying this change.
May 9, 2023: The initial fix for CVE-2023-24932 is released. In this release, this fix requires the May 9, 2023, Windows Security Update and additional customer action to fully implement the protections.
July 11, 2023: A second release will provide additional update options to simplify the deployment of the protections.
First quarter 2024: This final release will enable the fix for CVE-2023-24932 by default and enforce boot manager revocations on all Windows devices.
If these timelines change for any reason, this blog will be updated.
Why is Microsoft taking a phased approach to address this vulnerability?
The Secure Boot feature precisely controls the boot media that is allowed to load when an operating system is initiated, and if this fix is not properly enabled there is a potential to cause disruption and prevent a system from starting up. The technical documentation referenced below provides implementation and testing guidance to limit potential impact at this time, and future release plans will allow Microsoft to simplify deployment without disruption.
How do customers know if they are using Secure Boot?
From a Windows command prompt, enter msinfo32. If it shows Secure Boot State is ON, the system.
Note: The publicly known vulnerability does not present any additional risk if secure boot is not enabled, and no additional steps are required. We recommend that customers use Secure Boot to protect systems from tampering and bootkit class exploits and to keep their systems up to date with the latest Windows Updates. For more information about the benefits of Secure Boot, see: Secure Boot and Trusted Boot.
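The post's check is to read the Secure Boot State field in msinfo32. The following PowerShell script is an added example, not code from the Microsoft post: it reports the same state from an administrator's console, using the built-in Confirm-SecureBootUEFI cmdlet (which requires an elevated prompt and throws on legacy BIOS machines) and falling back to the UEFISecureBootEnabled value under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State, which is readable without elevation. The function name Get-SecureBootReport and the report fields are assumptions made for this example.

```powershell
# Added example (not from the Microsoft post): report whether UEFI Secure Boot
# is enabled so an administrator can tell whether the CVE-2023-24932 boot
# manager guidance applies to this device. Get-SecureBootReport and its output
# fields are names chosen for this example.
function Get-SecureBootReport {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        Computer        = $env:COMPUTERNAME
        SecureBootState = 'Unknown'
        Source          = $null
    }

    try {
        # Throws on legacy BIOS (non-UEFI) machines and in a non-elevated prompt.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $result.SecureBootState = if ($enabled) { 'On' } else { 'Off' }
        $result.Source = 'Confirm-SecureBootUEFI'
    }
    catch {
        # Fallback: the value Windows records at boot, readable without elevation.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
        $val = Get-ItemProperty -Path $key -Name UEFISecureBootEnabled -ErrorAction SilentlyContinue
        if ($null -ne $val) {
            $result.SecureBootState = if ($val.UEFISecureBootEnabled -eq 1) { 'On' } else { 'Off' }
            $result.Source = 'Registry'
        }
        else {
            # Neither source is available: most likely a legacy BIOS boot.
            $result.SecureBootState = 'Unsupported'
            $result.Source = 'None'
        }
    }

    [pscustomobject]$result
}

$report = Get-SecureBootReport
$report | Format-List

# Map the state to the advisory's guidance.
switch ($report.SecureBootState) {
    'On'    { Write-Host 'Secure Boot is ON: the CVE-2023-24932 boot manager update and revocation guidance applies to this device.' }
    'Off'   { Write-Host 'Secure Boot is OFF: per the advisory, no additional steps are required, but enabling Secure Boot is recommended.' }
    default { Write-Host 'Secure Boot state could not be determined (legacy BIOS or insufficient rights).' }
}
```

Run the script from an elevated PowerShell prompt to use the cmdlet path; in a standard prompt it falls through to the registry value, and the Source field tells you which one answered. Either way the output matches what msinfo32 shows as Secure Boot State.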
Acknowledgement
We appreciate the opportunity to investigate the findings reported by Tomer Sne-or with SentinelOne and Martin Smolár from ESET which helped us harden the service, and thank them for practicing safe security research under the terms of the Microsoft Bug Bounty Program. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research.
NIST Revises SP 800-171 Guidelines for Protecting Sensitive Information
The National Institute of Standards and Technology (NIST) has updated its draft guidelines for protecting sensitive unclassified information, in an effort to help federal agencies and government contractors more consistently implement cybersecurity requirements. The revised draft guidelines, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171 Revision 3), will be of particular interest to the many thousands of businesses that contract with the federal government. Federal rules that govern the protection of controlled unclassified information (CUI), which includes such sensitive data as health information, critical energy infrastructure information and intellectual property, reference the SP 800-171 security requirements. Systems that store CUI often support government programs containing critical assets, such as design specifications for weapons systems, communications systems and space systems.
The updates in this draft publication have been guided and informed by the public comments received and NIST’s responsibility to meet the requirements of the Federal Information Security Modernization Act, Executive Order (EO) 13556, the CUI federal regulation, and Office of Management and Budget (OMB) Circular A-130. Many trade-offs have been made to ensure that the technical and non-technical requirements have been stated clearly and concisely while also recognizing the specific needs of both federal and nonfederal organizations.
In addition to the draft publication, NIST has issued an FAQ, a detailed analysis of the changes between Revision 2 and Revision 3, and a prototype CUI Overlay. These supporting materials are available on the publication details page.
NIST will also host a webinar on June 6, 2023, to provide an overview of the significant changes made to NIST SP 800-171, Revision 3. Registration information will be announced separately through a GovDelivery announcement and on the Protecting CUI project site.
Submit Your Comments
The public comment period is open through July 14, 2023. See the publication details for a copy of the draft and instructions for submitting comments. Reviewers are encouraged to comment on all or parts of draft NIST SP 800-171, Revision 3. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. Please direct questions and comments to [email protected].
During this one-hour webinar, the team will give an overview of their newest Cybersecurity White Paper, which outlines a six-step approach that manufacturers can follow to implement security segmentation and mitigate cyber vulnerabilities in their manufacturing environments.
In addition, the team will discuss the progress on the Respond and Recover project, including a discussion of the planned scenarios. We look forward to feedback from the COI to make sure the needs of manufacturers are covered in these projects.
Event Agenda:
Discussion: Security Segmentation in a Small Manufacturing Environment
Discussion: Responding to and Recovering from a Cyber Attack
Audience Q&A / Closing
If you have any questions, please reach out to the NCCoE Manufacturing team at [email protected].