Preliminary Draft Practice Guide (Vol A-E) From the ZTA Team

The Zero Trust Architecture (ZTA) team at NIST’s National Cybersecurity Center
of Excellence (NCCoE) has published the second version of volumes A-D and the
first version of volume E of a preliminary draft practice guide titled
“Implementing a Zero Trust Architecture” and is seeking the public’s comments
on their contents. This guide summarizes how the NCCoE and its collaborators
are using commercially available technology to build interoperable, open
standards-based ZTA example implementations that align to the concepts and
principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture.

The updated versions of volumes A-D document three additional ZTA
implementations that have been added to the guide since the previous drafts
were published. Volume E provides a risk analysis and mapping of ZTA security
characteristics to cybersecurity standards and recommended practices. As the
project progresses, the guide will be updated.

As an enterprise’s data and resources have become distributed
across the on-premises environment and multiple clouds, protecting them has
become increasingly challenging. Many users need access from anywhere, at any
time, from any device. The NCCoE is addressing these challenges by
collaborating with industry participants to demonstrate several approaches to a
zero trust architecture applied to a conventional, general-purpose
enterprise IT infrastructure on-premises and in the cloud.

We Want to Hear from You!

The NCCoE is making volumes A-E available as preliminary drafts
for public comment while work continues on the project. Review the preliminary
drafts and submit comments online on or before February 6, 2023.


NIST Requests Comments on SP 800-132, Recommendation for Password-Based Key Derivation: Part 1: Storage Applications

NIST is in the process of a periodic review and maintenance of its
cryptography standards and guidelines. 

Currently, we are reviewing the following publication: 

SP 800-132 specifies a family of password-based key derivation
functions (PBKDFs) for deriving cryptographic keys from passwords or
passphrases for the protection of electronically-stored data or for the
protection of data protection keys. 

NIST requests feedback on all aspects of SP 800-132. Additionally,
NIST would appreciate feedback on the industry need for new password-based
standards, including memory-hard password-based key derivation functions and
password hashing schemes. 

The public comment period is open through February 24, 2023. Send
comments to [email protected] with
“Comments on SP 800-132” in the subject line. 

Comments received in response to this request will be posted on the Crypto
Publication Review Project site after the due date. Submitters’ names and
affiliations (when provided) will be included, while contact information will
be removed. See the project site for additional information about the review
process.


Become a Collaborator on the Responding to and Recovering from a Cyber Attack

The National Cybersecurity Center of Excellence (NCCoE) has issued a Federal
Register Notice inviting industry participants and other interested
collaborators to participate in the Responding to and Recovering from a Cyber
Attack: Cybersecurity for the Manufacturing Sector project. In conjunction
with the Federal Register Notice, the NCCoE has published the Final Responding
to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing
Sector Project Description, Revision 1.

Industrial control systems (ICS) and devices that run manufacturing
environments play a critical role in the supply chain. These same systems face
an increasing number of cyber attacks that threaten the safety and production
of a manufacturing organization and can cause it economic harm. This project
will demonstrate an approach for responding to and recovering from a cyber
attack on ICS within the manufacturing sector.

Join Us

There are two ways to join the NCCoE for this project:

  • Become an NCCoE Collaborator – Collaborators are members of the project
    team who work alongside the NCCoE staff to build the demonstration by
    contributing products, services, and technical expertise. Collaborators
    are expected to participate in regularly scheduled conference calls and to
    help build and document the demonstration.
  • Get Started Today – If you are interested in becoming an NCCoE
    collaborator for the Responding to and Recovering from a Cyber Attack:
    Cybersecurity for the Manufacturing Sector project, first review the
    requirements identified in the Federal Register Notice. If you wish to
    become a collaborator, you can find the final project description and the
    form to request a Letter of Interest (LOI) template on the project page.
    Once you have filled out the request form on the project page, you will be
    provided a link to download the project’s LOI template. The completed LOI
    should be sent to the NCCoE Manufacturing team at [email protected].
    Completed submissions are considered on a first-come, first-served basis
    within each category of components or characteristics listed in the
    Federal Register Notice, up to the number of participants in each category
    necessary to carry out the project build.
  • Collaborator Selection – The NCCoE Manufacturing team will review all
    submissions and may follow up with respondents with questions or to
    discuss your capabilities. The NCCoE Manufacturing team will notify each
    selected collaborator via email and begin the process to establish a
    Cooperative Research and Development Agreement (CRADA) to formalize your
    collaboration with the NCCoE. Once the CRADA has been established, the
    selected collaborators can begin working with the NCCoE to draft white
    papers, playbooks, and demonstrable proof-of-concept implementations.
  • If you submit a Letter of Interest and are not selected, the project team
    will notify you via email. We encourage those who are not selected to be
    collaborators to stay engaged via our Community of Interest and to bring
    your expertise when project deliverables are posted as drafts for public
    comment and during any public meetings held for this project.
  • Join our Community of Interest – By joining the NCCoE Manufacturing
    Community of Interest (COI), you will receive project updates and the
    opportunity to share your expertise to help guide this project. Request to
    join our COI by visiting our project page.

If you have any questions, please contact our project team at [email protected].


These free and in-depth virtual training events

NEW Virtual Training Day: Secure Access and Management

The new Secure Access and Management Virtual Training Day replaces the Zero Trust Virtual Training Day and features new, extended content on the topic. It explores how using identity as a security perimeter protects data. After attending, participants will be able to:

  • Explain what Zero Trust is, and how Microsoft uses identity as the foundation of Zero Trust.
  • Configure Conditional Access to allow for granular access and monitoring of Azure resource usage.
  • Use Defender for Cloud Apps and Identity Governance to protect cloud and on-premises solutions and data.


The Secure Access and Management Virtual Training Day is available now. Register for this new course on the Microsoft Security Virtual Training Days home page.

Great resource for transitioning service members and veterans

Microsoft Software and Systems Academy (MSSA) provides transitioning service members and veterans with critical technical and career skills required for today’s growing technology industry.


Torqued to address the unique needs of the military community

Microsoft Software and Systems Academy (MSSA) is a full-time, 17-week technical training program leading to in-demand careers in cloud development, cloud administration, and related fields. Our proven training model incorporates live instruction, hands-on virtual labs, real-life application scenarios, and opportunities to obtain industry-recognized certifications to prepare our participants for rewarding tech jobs in any industry.

To learn more, go here

Withdrawal of NIST Special Publication 800-107 Revision 1

In August 2021, NIST’s Crypto Publication Review Board initiated a process to
review NIST Special Publication (SP) 800-107 Revision 1, Recommendation for
Applications Using Approved Hash Algorithms. SP 800-107 Rev. 1 discusses the
security strengths of hash functions and provides recommendations on digital
signatures, HMAC, hash-based key derivation functions, random number
generation, and the truncation of hash functions. See the initial public
comments received by NIST.

On June 8, 2022, NIST proposed the withdrawal of SP 800-107 Rev. 1 and called
for comments on that decision proposal. See the decision proposal comments
received by NIST.

After considering the received comments, NIST is planning to withdraw SP
800-107 Rev. 1. Since the publication of SP 800-107 Rev. 1 in 2012, NIST has
published (or revised) multiple recommendations that cover hash functions in
different applications in more detail (e.g., SP 800-90A/B/C, SP 800-56A/B/C,
SP 800-131A, SP 800-133, SP 800-135). In order to keep specific use
requirements for a primitive in their most relevant publications—and avoid
duplicating them in a separate publication—NIST has decided to withdraw SP
800-107 Rev. 1.

NIST has moved the supplementary material currently in SP 800-107
Rev. 1 to NIST’s hash functions webpage. Next, NIST will move the
requirements listed in SP 800-107 Rev.1 that are not currently addressed in
other standards to a new Implementation Guidance (IG)
developed by the Cryptographic Module Validation Program (CMVP).
These requirements will again be considered when hash-function-related
standards are revised. Once the new IG has been published, NIST will
withdraw SP 800-107 Rev. 1.

Information about the review process is available at NIST’s Crypto Publication Review Project


NIST and AIM Photonics Team Up on High Frequency Optical/Electronic Chips

The U.S. Department of Commerce’s National Institute of Standards
and Technology (NIST) has entered into a cooperative research and development
agreement with AIM Photonics that will give chip developers a critical new tool
for designing faster chips that use both optical and electrical signals to
transmit information. Called integrated photonic circuits, these chips are key
components in fiber-optic networks and high-performance computing facilities
and are used in laser-guided missiles, medical sensors and other advanced
technologies.

AIM Photonics, a Manufacturing USA institute, is a public-private
partnership that accelerates the commercialization of new technologies for
manufacturing photonic chips. The New York-based institute provides small and
medium-sized businesses and academic and government researchers access to
expertise and fabrication facilities during all phases of the photonics
development cycle, from design to fabrication and packaging.


Wi-Fi Could Help Identify When You’re Struggling to Breathe

Wi-Fi routers continuously broadcast radio frequencies that your
phones, tablets and computers pick up and use to get you online. As the
invisible frequencies travel, they bounce off or pass through everything around
them — the walls, the furniture, and even you. Your movements, even breathing,
slightly alter the signal’s path from the router to your device.

Those interactions don’t interrupt your internet connection, but
they could signal when someone is in trouble. NIST has developed a deep
learning algorithm, called BreatheSmart, that can analyze those minuscule
changes to help determine whether someone in the room is struggling to breathe.
And it can do so with already available Wi-Fi routers and devices. This work
was recently published in IEEE
Access.


Webinar: Introduction to the National Cybersecurity Center of Excellence (NCCoE)

Date: January 25, 2023

Time: 3:00 p.m.-3:45 p.m. ET

Event Description:

Part of National Institute of Standards and Technology’s (NIST)
Applied Cybersecurity Division, the NCCoE is a collaborative hub where
industry, government, and academia work together to address businesses’ most
pressing cybersecurity challenges for specific industries as well as for broad,
cross-sector technology areas.

What makes the NCCoE unique is the hands-on nature of our work and
our close association with industry and the cybersecurity technology
community. This public-private partnership enables the creation of modular and
adaptable example cybersecurity demonstrations that show practitioners how to
apply standards and best practices using commercially available technologies.

Join us on January 25, 2023 to kick off our 2023 NCCoE Learning Series with an
overview of the NCCoE. We’ll take some time to outline who we are, what we do,
and why it matters. Learn about our applied cybersecurity mission, how we
deliver value to industry, and ways you can get involved.

Agenda:

  • 3:00-3:30: Overview of the NCCoE
  • 3:30-3:45: Audience Q&A

Speaker:

  • Bill Newhouse, Cybersecurity Engineer, NIST National Cybersecurity Center
    of Excellence
