Ever wonder what a Microsoft data center looks like? I found this on the internet; it is a great view and insight into data centers.
NCCoE Releases Draft Project Description for Mitigating AI Bias
The National Cybersecurity Center of Excellence (NCCoE) has
released a new draft project description, Mitigating
AI/ML Bias in Context: Establishing Practices for Testing, Evaluation,
Verification, and Validation of AI Systems. Publication of this
project description begins a process to solicit public comments for the project
requirements, scope, and hardware and software components for use in a
laboratory environment.
We want your feedback on this draft to help refine the project.
The comment period is now open and will close on September 16, 2022.
To tackle the complex problem of mitigating AI bias, this project
will adopt a comprehensive socio-technical approach to testing, evaluation,
verification, and validation (TEVV) of AI systems in context. This approach
will connect the technology to societal values in order to develop guidance for
recommended practices in deploying automated decision-making supported by AI/ML
systems. A small but novel part of this project will be to look at the
interplay between bias and cybersecurity and how they interact with each other.
The initial phase of the project will focus on a proof-of-concept
implementation for credit underwriting decisions in the financial services
sector. We intend to consider other application use cases, such as hiring and
school admissions, in the future. This project will result in a freely
available NIST SP 1800 Series Practice Guide.
Upcoming Workshop Update
Earlier this month, we announced a hybrid workshop on Mitigating AI
Bias in Context on Wednesday, August 31, 2022. The workshop will now
be virtual only via WebEx and will provide an opportunity to discuss this topic
and work towards finalizing this project description. You can register by
clicking on the above workshop link. We hope to see you there!
We Want to Hear from You!
The public comment period for this draft is open through September
16, 2022. See the publication details for a copy of the draft and
instructions for submitting comments.
We value and welcome your input and look forward to your comments.
NIST requests comments on IR 8214B initial public draft: Notes on Threshold EdDSA/Schnorr Signatures
NIST requests public comments on the initial public draft (ipd) of
NIST IR 8214B, Notes on Threshold
EdDSA/Schnorr Signatures.
This report considers signature schemes that are compatible with the
verification phase of the Edwards Curve Digital Signature Algorithm (EdDSA)
specified in Draft Federal Information Processing Standards (FIPS) publication
186-5. The report analyzes threshold schemes, where the private signing key is
secret-shared across multiple parties, and signatures can be produced without
the parties reconstructing the key. Security holds even if up to a threshold number
of parties have been compromised.
The report reviews the properties of EdDSA/Schnorr deterministic
and probabilistic signature schemes, both in the conventional (non-threshold)
and threshold settings, summarizing various known properties and approaches.
These threshold signatures can allow for a drop-in replacement of conventional
signatures without changing the legacy code used for verification. This work is
useful to advance the NIST Multi-Party Threshold Cryptography project, which is
also interested in other primitives. The document suggests that it is
beneficial to further consult with the community of experts for security
formulations, technical descriptions, and reference implementations.
The report includes a section for each of the following:
- Conventional setting: gives context on conventional EdDSA/Schnorr-style signature schemes and their security properties;
- Threshold approaches: summarizes, at a high level, various threshold approaches for deterministic and probabilistic schemes;
- Further considerations: describes how various aspects arise only in the threshold setting, thus requiring a more sophisticated analysis with respect to the security formulation;
- Conclusions: identifies the need for additional analysis aided by the community of experts.
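The drop-in property described above (a threshold-produced signature that an unchanged conventional verifier accepts) is easiest to see in code. The following is an added example, not code from NIST IR 8214B or any reference implementation. It uses a toy Schnorr group (p = 2039, q = 1019, g = 4; constructed for illustration and far too small for real use), an honest dealer that Shamir-shares the signing key, and the simplest probabilistic t-of-n Schnorr protocol: each signer contributes a nonce share and a partial signature weighted by its Lagrange coefficient, and the sum is a valid conventional signature. Real protocols add nonce commitments and dishonest-majority protections that are omitted here; the point is that verify() is the same function for both signing paths, and that the key is never reassembled during signing (reconstruct_key() is included only to contrast what the threshold protocol avoids).

```python
import hashlib
import secrets

# Toy Schnorr group (constructed for illustration only, not secure at this size):
# p = 2q + 1 with q prime; g = 4 generates the subgroup of prime order q.
P = 2039
Q = 1019
G = 4


def _challenge(R: int, pk: int, msg: bytes) -> int:
    """EdDSA-style challenge c = H(R || pk || m), reduced mod q."""
    data = R.to_bytes(2, "big") + pk.to_bytes(2, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """Conventional key pair: private x in [1, q-1], public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, pk: int, msg: bytes):
    """Conventional probabilistic Schnorr signature (R, s) with s = r + c*x."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    c = _challenge(R, pk, msg)
    return R, (r + c * x) % Q


def verify(pk: int, msg: bytes, sig) -> bool:
    """Legacy verifier: g^s == R * pk^c (mod p). Unchanged for threshold output."""
    R, s = sig
    if not (0 < R < P and 0 <= s < Q):
        return False
    c = _challenge(R, pk, msg)
    return pow(G, s, P) == (R * pow(pk, c, P)) % P


def share_key(x: int, t: int, n: int) -> dict:
    """Honest-dealer Shamir t-of-n sharing of x over Z_q: {party_id: share}."""
    coeffs = [x] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(a * pow(i, k, Q) for k, a in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def _lagrange_at_zero(i: int, ids) -> int:
    """Coefficient so that sum(lambda_i * f(i)) over ids equals f(0)."""
    num, den = 1, 1
    for j in ids:
        if j != i:
            num = (num * j) % Q
            den = (den * (j - i)) % Q
    return (num * pow(den, -1, Q)) % Q


def reconstruct_key(shares: dict) -> int:
    """What a threshold signer must NOT do: put the private key back together."""
    ids = sorted(shares)
    return sum(_lagrange_at_zero(i, ids) * shares[i] for i in ids) % Q


def threshold_sign(shares: dict, pk: int, msg: bytes):
    """Any t (or more) parties in `shares` sign jointly; x is never reassembled."""
    ids = sorted(shares)
    # Round 1: each party picks a nonce share r_i and publishes R_i = g^{r_i}.
    nonces = {i: secrets.randbelow(Q - 1) + 1 for i in ids}
    R = 1
    for i in ids:
        R = (R * pow(G, nonces[i], P)) % P
    c = _challenge(R, pk, msg)
    # Round 2: partial signatures s_i = r_i + c * lambda_i * x_i; their sum is
    # r + c*x, exactly the conventional value, so the legacy verifier accepts it.
    s = 0
    for i in ids:
        s = (s + nonces[i] + c * _lagrange_at_zero(i, ids) * shares[i]) % Q
    return R, s


if __name__ == "__main__":
    x, pk = keygen()
    shares = share_key(x, t=3, n=5)
    msg = b"constructed sample message"
    subset = {i: shares[i] for i in (1, 3, 5)}
    print("threshold signature verifies:", verify(pk, msg, threshold_sign(subset, pk, msg)))
    print("conventional signature verifies:", verify(pk, msg, sign(x, pk, msg)))
```

The two signing paths produce signatures of the same form and are checked by the same verify(); a deterministic variant (nonce derived from the key and message, as in EdDSA) would need a different share-based nonce derivation, which is one of the threshold-specific issues the report discusses.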
The public comment period is open through October 24, 2022. See
the publication details for a copy of the draft and
instructions for submitting comments.
NOTE: A call for patent claims is included on page iii of this
draft. For additional information, see the Information Technology
Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
Open for Public Comment: Zero Trust Architecture Preliminary Draft Practice Guide (Vol. C-D)
The Zero Trust Architecture (ZTA) team at NIST’s National Cybersecurity Center of Excellence (NCCoE) invites
public comments on volumes C-D of a preliminary draft practice guide “Implementing a Zero Trust Architecture”. This guide
summarizes how the NCCoE and its collaborators are using commercially available
technology to build interoperable, open standards-based ZTA example
implementations that align to the concepts and principles in NIST Special
Publication (SP) 800-207, Zero Trust Architecture. As the project progresses,
the preliminary draft will be updated, and additional volumes will also be
released for comment.
As an enterprise’s data and resources have become distributed
across the on-premises environment and multiple clouds, protecting them has
become increasingly challenging. Many users need access from anywhere, at any
time, from any device. The NCCoE is addressing these challenges by
collaborating with industry participants to demonstrate several approaches to a
zero trust architecture applied to a conventional, general purpose
enterprise IT infrastructure on premises and in the cloud.
We Want to Hear from You!
The NCCoE is making volumes C-D available as a preliminary draft
for public comment while work continues on the project. Review the preliminary
draft and submit comments online on or before September 9, 2022.
We welcome your input and look forward to your comments. We invite
you to join nccoe-zta-coi@list.nist.gov to receive
news and updates about this project.
– Zero Trust Architecture Project Team
Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services.
The PNT cybersecurity profile is part of NIST’s response to the
February 12, 2020, Executive Order (EO) 13905, Strengthening National Resilience Through
Responsible Use of Positioning, Navigation, and Timing Services. The
EO notes that “the widespread adoption of PNT services means disruption or
manipulation of these services could adversely affect U.S. national and
economic security. To strengthen national resilience, the Federal Government
must foster the responsible use of PNT services by critical infrastructure
owners and operators.” The Order also calls for updates to the profile every
two years or on an as needed basis.
Based on NIST’s interaction with public and private sector
stakeholders and their efforts to create “sector specific” profiles, it was
decided to create Revision 1. No substantive changes were made to the original
Foundational Profile; NIST is only seeking comments on the changes made in this
Revision. Among the most noteworthy are the addition of five new Cybersecurity
Framework (CSF) Subcategories and the addition of two appendices: Appendix D,
Applying the PNT Profile to Cybersecurity Risk Management, and Appendix E,
Organization Specific PNT Profiles.
All changes are captured in Table 26, “Change Log”, for easy
reference by reviewers.
The PNT Profile was created by applying the NIST CSF to help
organizations:
- Identify systems dependent on PNT
- Identify appropriate PNT sources
- Detect disturbances and manipulation of PNT services
- Manage the risk to these systems
Organizations may continue to use this profile as a starting point
to apply their own unique mission, business environment, and technologies to
create or refine a security program that will include the responsible use of
PNT services.
One Week Left to Comment!
- The public comment period for this publication is open through August 12, 2022. See the publication details for a copy of the draft and instructions for submitting comments.
- Email comments directly to: pnt-eo@list.nist.gov.
NCCoE Releases Draft Project Description for DevSecOps
The National Cybersecurity Center of Excellence (NCCoE) has
released a new draft project description, Software Supply Chain and DevOps Security
Practices: Implementing a Risk-Based Approach to DevSecOps.
Publication of this project description begins a process to solicit public
comments for the project requirements, scope, and hardware and software
components for use in a laboratory environment.
We want your feedback on this draft to help refine the project.
The comment period is now open and will close on August 22, 2022.
The project will focus initially on developing and documenting an
applied risk-based approach and recommendations for secure DevOps and software
supply chain practices consistent with the Secure Software Development
Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and
other NIST, government, and industry guidance. This project will apply these
practices in proof-of-concept use case scenarios that are each specific to a
technology, programming language, and industry sector. Both commercial and open
source technology will be used to demonstrate the use cases. This project will
result in a freely available NIST Cybersecurity Practice Guide.
We Want to Hear from You!
Review the project description and submit comments online on or
before August 22, 2022. You can also help shape and contribute to this project
by joining the NCCoE’s DevSecOps Community of Interest. Send an email to devsecops-nist@nist.gov detailing your
interest.
We value and welcome your input and look forward to your comments.
Implementing the HIPAA Security Rule: NIST Releases Draft NIST SP 800-66, Rev. 2 for Public Comment
The initial public draft of NIST Special Publication (SP) 800-66r2
(Revision 2), Implementing the
Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A
Cybersecurity Resource Guide, is now available for public comment.
The HIPAA Security Rule specifically focuses on protecting the
confidentiality, integrity, and availability of electronic protected health
information (ePHI), as defined by the Security Rule. All HIPAA-regulated
entities must comply with the requirements of the Security Rule.
This draft update:
- Includes a brief overview of the HIPAA Security Rule
- Provides guidance for regulated entities on assessing and managing risks to ePHI
- Identifies typical activities that a regulated entity might consider implementing as part of an information security program
- Lists additional resources that regulated entities may find useful in implementing the Security Rule
A public comment period is open
through September 21, 2022. See the publication
details for a copy of the draft and instructions for submitting
comments.
NOTE:
A call for patent claims is included on page v of this draft. For additional
information, see the Information
Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL
Publications.
Submit Comments on NIST SP 1800-34, Validating the Integrity of Computing Devices
Comment Period Extended for NIST SP 1800-34, Validating the Integrity of Computing Devices
The National Cybersecurity Center of Excellence (NCCoE) has
published, for public comment, a draft of NIST SP 1800-34, Validating the
Integrity of Computing Devices. Please download the document and share your
expertise with us to strengthen the draft practice guide. The public
comment period for this draft has been extended and will now close on August 8th,
2022.
The NCCoE relies on developers, providers, and users of
cybersecurity technology and information to provide comments on our practice
guides. The public is encouraged to review the draft and provide feedback for
possible incorporation into the final version before the public comment period
closes.
If you have any questions or would like to join our Supply Chain
Community of Interest, please email us at supplychain-nccoe@nist.gov.
NIST Releases Draft IR 8409: Measuring the Common Vulnerability Scoring System Base Score Equation
Today, NIST is seeking public comments on NIST IR 8409 ipd (initial public
draft), Measuring the
Common Vulnerability Scoring System Base Score Equation.
Calculating the severity of information technology vulnerabilities
is important for prioritizing vulnerability remediation and helping to
understand the risk of a vulnerability. The Common Vulnerability Scoring System
(CVSS) is a widely used approach to evaluating properties that lead to a
successful attack and the effects of a successful exploitation. CVSS is managed
under the auspices of the Forum of Incident Response and Security Teams (FIRST)
and is maintained by the CVSS Special Interest Group (SIG). Unfortunately,
ground truth upon which to base the CVSS measurements has not been available.
Thus, the CVSS SIG maintains the equations by drawing on the expert opinion of
its incident response members.
This work evaluates the accuracy of the CVSS “base score”
equations and shows that they represent the CVSS maintainers’ expert opinion to
the extent described by these measurements. NIST requests feedback on the
approach, the significance of the results, and any CVSS measurements that
should have been conducted but were not included within the initial scope of
this work. Finally, NIST requests comments on sources of data that could
provide ground truth for these types of measurements.
The public comment review period for this draft is open through
July 29, 2022. See the publication
details for instructions on how to submit comments.
NOTE: A call for patent claims is included on page iv of this
draft. For additional information, see Information
Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL
Publications.
NIST Requests Public Comments on FIPS 180-4, Secure Hash Standard (SHS)
NIST is in the process of a periodic review and maintenance of its
cryptography standards and guidelines.
This announcement initiates the review of Federal Information Processing
Standard (FIPS) 180-4, Secure Hash
Standard (SHS), 2015.
NIST requests public
comments on all aspects of FIPS 180-4. Additionally, NIST would
appreciate feedback on the following two areas of particular concern:
- SHA-1. In recent years, the cryptanalytic attacks on the SHA-1
hash function have become increasingly severe and practical (see, e.g., the 2020
paper “SHA-1 is a Shambles” by Leurent and Peyrin).
NIST, therefore, plans to remove SHA-1 from a revision of FIPS 180-4 and
to deprecate and eventually disallow all uses of SHA-1. The Cryptographic
Module Validation Program will establish a validation
transition schedule.
* How will this plan impact fielded and
planned SHA-1 implementations?
* What should NIST consider in establishing the timeline for
disallowing SHA-1?
- Interface. The “Init, Update, Final” interface was part
of the SHA-3 Competition submission requirements. Should a revision of
FIPS 180-4 discuss the “Init, Update, Final” hash function interface?
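The “Init, Update, Final” interface named in the second question is the streaming form of a hash function: initialize a state, absorb input in any number of pieces, then finalize. The following is an added example, not code from NIST or FIPS 180-4; it uses Python's hashlib, whose constructor, update() and digest() map directly onto those three operations, and shows the property the interface guarantees (the digest does not depend on how the input was chunked). The approved-hash allow-list is an assumed local policy for this example, written to match the announced plan to deprecate and disallow SHA-1; it is not a requirement stated in the standard.

```python
import hashlib
from typing import Iterable, List

# Assumed local policy (constructed for this example, not from FIPS 180-4):
# accept SHA-2 family members only; SHA-1 is refused rather than deprecated later.
APPROVED_HASHES = {"sha224", "sha256", "sha384", "sha512"}


def is_approved(algorithm: str) -> bool:
    """Policy gate consulted before any hash state is created."""
    return algorithm in APPROVED_HASHES


def streaming_digest(algorithm: str, chunks: Iterable[bytes]) -> str:
    """Init/Update/Final over data that arrives in arbitrarily sized pieces."""
    if not is_approved(algorithm):
        raise ValueError(f"{algorithm} is not approved by this example's policy")
    h = hashlib.new(algorithm)   # Init: fresh internal state
    for chunk in chunks:
        h.update(chunk)          # Update: absorb a piece; state carries over
    return h.hexdigest()         # Final: apply padding and emit the digest


def running_digests(algorithm: str, chunks: Iterable[bytes]) -> List[str]:
    """Digest of every prefix, finalizing a copy so the live state stays usable.

    This is how a streaming checker (e.g. verifying a download as it arrives)
    can report intermediate values without restarting the computation.
    """
    if not is_approved(algorithm):
        raise ValueError(f"{algorithm} is not approved by this example's policy")
    h = hashlib.new(algorithm)
    out = []
    for chunk in chunks:
        h.update(chunk)
        out.append(h.copy().hexdigest())   # Final on a copy, not on h itself
    return out


def split(data: bytes, size: int) -> List[bytes]:
    """Constructed helper: cut data into chunks of `size` bytes (at least one)."""
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog"
    # Same digest whether the message is fed byte-by-byte, in 7-byte pieces, or whole.
    for size in (1, 7, len(msg)):
        print(size, streaming_digest("sha256", split(msg, size)))
    print("sha1 approved:", is_approved("sha1"))
```

Because the final digest is independent of chunk boundaries, callers can hash files, network streams, or TLS records incrementally with a bounded buffer; that independence is the property an interface specification in a revised FIPS 180-4 would need to state, together with the rule that Final may be applied only once per state (hence the copy() above).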
The public comment period is open through September 9, 2022. Comments
may address the concerns raised in this announcement or other issues around
security, implementation, clarity, risk, or relevance to current
applications.
Send comments to cryptopubreviewboard@nist.gov with
“Comments on FIPS 180-4” in the Subject.
For more information about the review process, visit the Crypto
Publication Review Project page.