NIST Privacy Enhancing Cryptography (PEC) — Special Topics on Privacy and Public Auditability, Event

         What: “Special
Topics on Privacy and Public Auditability” (STPPA) — Event 5.

STPPA: In the “Special Topics on Privacy and Public
Auditability” series, the NIST privacy-enhancing cryptography (PEC)
project, in the cryptographic technology group,
hosts talks on various interconnected topics related to privacy and public
auditability. The goal is to convey basic technical background, incite
curiosity, suggest research questions and discuss applications, with an
emphasis on the role of cryptographic tools.

For more information, contact: pec-stppa@nist.gov

Read
More

Ransomware Risk Management: A Cybersecurity Framework Profile an great document from NIST

 Ransomware is a type of malicious attack where attackers encrypt an
organization’s data and demand payment to restore access. Attackers may
also steal an organization’s information and demand an additional
payment in return for not disclosing the information to authorities,
competitors, or the public. This Ransomware Profile identifies the
Cybersecurity Framework Version 1.1 security objectives that support
identifying, protecting against, detecting, responding to, and
recovering from ransomware events. The profile can be used as a guide to
managing the risk of ransomware events. That includes helping to gauge
an organization’s level of readiness to counter ransomware threats and
to deal with the potential consequences of events.

 

to download the publications go here

NIST AI Risk Management Framework Aims to Improve Trustworthiness

NIST today released its Artificial
Intelligence Risk Management Framework
(AI RMF 1.0),
a guidance document for voluntary use by organizations designing, developing,
deploying or using AI systems to help manage the risks of AI technologies. The
Framework seeks to cultivate trust in AI technologies and promote AI innovation
while mitigating risk. The AI RMF follows a direction from
Congress 
for NIST to develop the framework and was produced in
close collaboration with the private and public sectors over the past 18
months.

AI RMF 1.0 was released at a livestreamed event today with Deputy
Secretary of Commerce Don Graves, Under Secretary for Technology and Standards
and NIST Director Laurie Locascio, Principal Deputy Director for Science and
Society in the White House Office of Science and Technology Policy Alondra Nelson,
House Science, Space, and Technology Chairman Frank Lucas and Ranking Member
Zoe Lofgren, and panelists representing businesses and civil society. A
recording of the event is available here.

NIST also today released, for public comment, a companion
voluntary AI RMF Playbook,
which suggests ways to navigate and use the framework, a Roadmap for future work to enhance the Framework and its
use, and the first two AI RMF 1.0 crosswalks with key AI standards and US and EU
documents.

NIST plans to work with the AI community to update the framework
periodically and welcomes suggestions for additions and improvements to the
Playbook at any time. Comments received through February 2023 will be
included in an updated version of the Playbook to be released in spring 2023.

Sign up to receive email notifications about NIST’s AI activities here or
contact us at: AIframework@nist.gov. Also, see information
about how to engage in NIST’s broader AI activities.

Read
More

Draft Call for Multi-Party Threshold Schemes: NIST IR 8214C ipd Available for Public Comment

 NIST requests public comments on NIST IR 8214C ipd (initial public
draft),
NIST First Call for Multi-Party Threshold Schemes,
for primitives organized into two categories:

  1. Cat1: selected NIST-specified
    primitives
  2. Cat2: other primitives not
    specified by NIST

The report specifies the various categories, subcategories, and
requirements for a successful submission, including security characterization,
technical description, open-source implementation, and performance evaluation.
The process intends to help the NIST cryptographic technology group collect
reference material to promote a public analysis of the viability of threshold
schemes and related primitives. This will support the NIST multi-party
threshold cryptography and privacy-enhancing cryptography projects in
developing future recommendations.

Threshold schemes should NOT be submitted until the final version
of this report is published. However, using the present draft as a baseline,
potential submitters are encouraged to prepare early for future submissions.

The public comment period is open through April 10, 2023. See
the publication
details
for a copy of the initial public draft and instructions for
submitting comments.

NOTE: A call for patent claims is included on page iii of this
draft. For additional information, see the 
Information Technology Laboratory (ITL) Patent Policy –
Inclusion of Patents in ITL Publications
.

Read
More

Here is a list of the new state data privacy statutes slated to come online in 2023:

 Here is a list of the new state data privacy statutes slated to come online in 2023:

(1) Most of the provisions of the California Privacy Rights Act (CPRA) become effective on Jan. 1, 2023. CPRA amended the California Consumer Privacy Act (CCPA), which had already created a number of individual rights modeled after the GDPR. CPRA created a new state agency, similar to data protection agencies in the EU countries charged with enforcing the GDPR.

(2) The Colorado Privacy Act (CPA) becomes effective on July 1, 2023. In addition to creating rights patterned after the individual rights under GDPR, CPA requires data security and contract provisions for vendors and assessments for “high-risk” processing.

(3) The Connecticut Data Privacy Act (CDPA), like Colorado’s new privacy law, goes into effect on July 1, 2023. CDPA likewise creates a suite of GDPR-like individual rights, and requires data minimization, security, and assessments for “high risk” processing.

(4) The Utah Consumer Privacy Act (UCPA) becomes effective on Dec. 31, 2023. It provides for certain GDPR-like individual rights, and also requires data security and contract provisions. But UCPA does not include expressly required risk assessments.

(5) The Virginia Consumer Data Privacy Act (VCDPA) becomes effective Jan. 1, 2023. It provides for certain GDPR-like individual rights. But in 2022, the “right-to-delete” was replaced with a right to opt out from certain processing.

IPv6 Coming to Azure AD Important NOTICE

THIS IS A POST I FOUND ON MICROSOFT HERE


With the growing adoption and support of IPv6 across enterprise networks, service providers, and devices, many customers are wondering if their users can continue to access their services and applications from IPv6 clients and IPv6 networks.  

 

Today, we’re excited to announce our plan to bring IPv6 support to Microsoft Azure Active Directory (Azure AD). This will allow customers to reach the Azure AD services over IPv4, IPv6 or dual stack endpoints.  

 

For most customers, IPv4 won’t completely disappear from their digital landscape, so we aren’t planning to require IPv6 or to de-prioritize IPv4 in any Azure AD features or services. However, it is important you start planning and prepare for IPv6 support by taking the actions recommended in this blog, and also checking in for updated guidance at https://aka.ms/azureadipv6. 

 

We’ll begin introducing IPv6 support into Azure AD services in a phased approach, starting March 31st, 2023 


We have guidance below which is specifically for Azure AD customers who use IPv6 addresses and also use Named Locations in their Conditional Access policies.  

 

Customers who use named locations to identify specific network boundaries in their organization need to:  

 

  1. Conduct an audit of existing named locations to anticipate potential impact; 
  2. Work with your network partner to identify egress IPv6 addresses in use in your environment; 
  3. Review and update existing named locations to include the identified IPv6 ranges. 

 

Customers who use Conditional Access location based policies to restrict and secure access to their apps from specific networks need to: 

 

  1. Conduct an audit of existing Conditional Access policies to identify use of named locations as a condition to anticipate potential impact; 
  2. Review and update existing Conditional Access location based policies to ensure they continue to meet your organization’s security requirements. 

 

We created an easy to remember link where we’ll continue to share additional guidance on IPv6 enablement in Azure AD. Access these details here: https://aka.ms/azureadipv6 

 

 

Learn more about Microsoft identity: 


 

Password Manager LastPass has been breached.

I been telling people if you are going to use a password manager understand the settings and configuration issues. This is true of all software.

 

I have said over and over again. 

Use on each site different, a strong password and change them regularly. and go to multi-factor solutions.

I found a great article on a site I review from time to time. Here is the article to look at:

LastPass has been breached: What now?

If you have a LastPass account you should have received an email updating you on the state of affairs concerning a recent LastPass breach. While this email and the corresponding blog post try to appear transparent, they don’t give you a full picture. In particular, they are rather misleading concerning a very important question: should you change all your passwords now?
Screenshot of an email with the LastPass logo. The text: Dear LastPass Customer, We recently notified you that an unauthorized party was able to gain access to a third-party cloud-based storage service which is used by LastPass to store backups. Earlier today, we posted an update to our blog with important information about our ongoing investigation. This update includes details regarding our findings to date, recommended actions for our customers, as well as the actions we are currently taking.

To read the full blog please go here

Interesting press release: SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies

 FOR IMMEDIATE RELEASE

2022-39

Washington D.C., March 9, 2022 —

The Securities and Exchange Commission today proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.

“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” said SEC Chair Gary Gensler. “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”

The proposed amendments would require, among other things, current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents. The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal further would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.

The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.

The proposing release will be published on SEC.gov and in the Federal Register. The comment period will remain open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.

NIST Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework

 Note to Reviewers
NIST is publishing this concept paper to seek additional input on the structure and direction of the
Cybersecurity Framework (CSF or Framework) before crafting a draft of CSF 2.0. 

This concept paper outlines
more significant potential changes that NIST is considering in developing CSF 2.0. These potential changes are
informed by the extensive feedback received to date, including in response to the NIST Cybersecurity Request
for Information (RFI) and the first workshop on CSF 2.0. 

Some of the proposed changes outlined here are larger structural changes that may impact compatibility with
CSF 1.1, thus warranting additional attention and discussion. This paper also outlines potential major changes to
CSF resources, including the CSF website, Profiles, mappings, and guidance. 

 This paper does not cover all potential changes that may be made to the Framework structure, format, and
content, especially specific changes to Categories and Subcategories of the CSF Core. NIST continues to
welcome input on specific changes, including redlines, to the CSF narrative and Core, as well as to related CSF
resources. 

NIST seeks feedback on this paper to inform further development of CSF 2.0, including, for each
numbered section.

 (e.g., Section 1.1. ‘Change the CSF’s title…’): 

 1. Do the proposed changes reflect the current cybersecurity landscape (standards, risks, and
technologies)? 

 2. Are the proposed changes sufficient and appropriate? Are there other elements that should
be considered under each area? 

 3. Do the proposed changes support different use cases in various sectors, types, and sizes of
organizations (and with varied capabilities, resources, and technologies)? 

 4. Are there additional changes not covered here that should be considered? 

 5. For those using CSF 1.1, would the proposed changes affect continued adoption of the
Framework, and how so? 

 6. For those not using the Framework, would the proposed changes affect the potential use of
the Framework? 

 Feedback and comments should be directed to cyberframework@nist.gov by March 3, 2023. All relevant
comments, including attachments and other supporting material, will be made publicly available on the NIST
CSF 2.0 website. 

Personal, sensitive, or confidential business information should not be included. Comments
with inappropriate language will not be considered. 

The changes proposed in this paper will also be discussed at
the upcoming second CSF 2.0 virtual workshop on February 15, 2023, and during CSF 2.0 in-person working
sessions on February 22-23, 2023. 

Contact cyberframework@nist.gov if you would like NIST to consider
participating at a conference, webinar, or informal roundtable to discuss the CSF update and this paper. 

After reviewing feedback on this concept paper and considering insights gained through the workshops, NIST
intends to publish the draft Cybersecurity Framework 2.0 in the coming months for a 90-day public review.

To see the full paper go https://www.nist.gov/system/files/documents/2023/01/19/CSF_2.0_Concept_Paper_01-18-23.pdfre

Registration is Open: 3rd High-Performance Computing Security Workshop

 

3rd High-Performance Computing Security Workshop

Security is an essential component of High-Performance Computing
(HPC). NIST, in collaboration with National Science Foundation (NSF),
hosts the 3rd High-Performance Computing Security Workshop on March 15-16,
2023 at NCCoE (National Cybersecurity Center of Excellence) at Rockville,
Maryland. The workshop aims to report and reflect on the activities at
HPC Security WG, listen to community’s needs and feedbacks, and define
and discuss future directions with stakeholders from industry, academia, and
government. We look forward to your participation. 

Register
Now