Friday, September 16, 2022

SP 800-66 Rev. 2 Reverse Mapped HIPPA - NIST Updated Guidance for Health Care Cybersecurity

Here's a NIST mapping crosswalk between the HIPAA requirements and NIST SP 800-53r5 in a spreadsheet format.

Spreadsheet Here: 2022 HIPAA Crosswalk SP 800-66 ipd Table 12.ver.01.xlsx - Google Drive from Blog Downloads (

NIST PageSP 800-66 Rev. 2 (Draft), Implementing the HIPAA Security Rule: Cybersecurity Resources | CSRC (

Publication LinkNIST SP 800-66r2 initial public draft, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

I reworked the information from the initial public draft into a spreadsheet that also allows easy importing into different tools. Additionally, I included a direct NIST map, essentially reversing the look-up. Finally, all control IDs are now two digits which allows for proper sorting and lookups with tools inside arrays.

Here's a snapshot of the format (click to view): 

Thursday, August 18, 2022

Federal Auditing is... Complicated.

Breaking down your understanding of all things Federal, eh? Yeah, I'm *still* learning. I love this compilation you can find at I've been using this chart for years to demonstrate to my peers how different bodies of work interact. You'll find this in compliance slide decks I've created for graduate college classes to drive the point that there is a lot to consider when making control selection, design, implementation, and operational decisions. 

You can use this as another tool for peeling back layers and quickly finding related directives and publications. 
From the website (do yourself a favor and read this before looking at the chart...): 
  • "The goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware of, in a helpful organizational scheme. The use of colors, fonts, and hyperlinks is designed to provide additional assistance to cybersecurity professionals navigating their way through policy issues in order to defend their networks, systems, and data.
  • At the bottom center of the chart is a legend that identifies the originator of each policy by a color-coding scheme. On the right-hand side are boxes identifying key legal authorities, federal/national level cybersecurity policies, and operational and subordinate level documents that provide details on defending the DoD Information Network (DoDIN) and its assets. Links to these documents can also be found in the chart."

Wednesday, August 17, 2022

Global 500 vs Fortune (US) 500 Sector Comparisons - I.e. Profit Margins!

I created this out of curiosity about the macro business environment changes and differences over the last year and between US and Global markets among different sectors. As usual - Follow the money... There's some interesting insights. 

So what line of business is the most profitable?? This is organized by the average profit margin of companies within each sector.

Tuesday, August 16, 2022

Brilliant Article: (Don’t) Focus on Your Job at the Expense of Your Career

Credit to HBR and specifically Dorie Clark. Brilliant. Young people need to hear this. 

Don’t Focus on Your Job at the Expense of Your Career (

Summary: "The gap between what we have to do today and where we see ourselves in the future can be vexing. We’d like to advance toward our goals, but we feel dragged down by responsibilities that seem banal or off-target for our eventual vision. In this piece, the author offers four strategies you can try so that you can simultaneously accomplish what’s necessary for the short-term while playing the long game for the betterment of your career." 

  1. Analyze the strategic value of your activities.
  2. Enlist allies.
  3. Manage your brand.
  4. Be willing to experiment with “120% time.”
IMHO - This is what I tell my own teenagers and students in college:
  • Put in the time when you are young because you have the energy, mental capacity, and the greatest amount of neural plasticity.
  • The world and the workplace are not fair. Position yourself to capitalize on opportunities. That can be many things - training, visibility, kindness, someone others want to be around and emulate.
  • Embrace the opposite of Imposter Syndrome. Be confident and go for it. Why not you? 
  • Hard work beats talent when talent doesn't work hard. 
More excellent articles by Dorie Clark

  1. Haven't Networked in a While? Here's How to Jump Back In.
  2. Stop Procrastinating and Tackle That Big Project
  3. Approach Your Personal Brand Like a Project Manager
  4. How to Make Progress on Your Long-Term Career Goals
  5. The Upside of Feeling Uncertain About Your Career

Thursday, August 11, 2022

Open Cybersecurity Schema Framework (OCSF)

Who: Amazon, Cloudflare, CrowdStrike, IBM, Okta, and Salesforce

What: They have collaborated on a joint initiative to solve a critical bottleneck in the sharing of threat information: The different data formats currently in use across multiple cybersecurity tools and products.

  • Schema includes: Activity; Activity ID; Category; Category ID; Class; Class ID; Count; Duration; End Time; Enrichments; Event Time; Message; Metadata; Observables; Original Time; Product; Profiles; Raw Data; Reference Event Code; Reference Event ID; Reference Event Name; Severity; Severity ID; Start Time; Status; Status Code; Status Details; Status ID; Timezone Offset; Type ID; Type Name; Unmapped Data

Thoughts: There's still a tremendous amount of work to be done and it will realistically be quite some time before the value is realized from this effort. However, it's good to see some progress and interest. This has been a problem for a very, very long time. 

Tags: Open Cybersecurity Schema Framework (OCSF)


Thursday, July 28, 2022

[MITRE CREF Navigator]: Cyber Resiliency Engineering Framework (CREF)

Tags: MITRE; CREF; Navigator; Cyber Resiliency Engineering Framework; NIST SP 800-160


What is it?

“a relational database of NIST SP 800-160 Volume 2 concepts that is searchable, visualizes resilience relationships & presents a Web UI while utilizing portable, opensource components to enable use in tools. The CREF Navigator distills tons of useful terms, tables, and relationships from the CREF/NIST SP 800-160 Volume 2 into an online tool.”

Must-see Images:

Visualize the interaction between the Goals, Objectives, Techniques, and Approaches of Cyber Resiliency:


Interaction of Techniques, Approaches, and Adversarial Effects:

Wednesday, July 27, 2022

Learning Cybersecurity

So you want to learn cybersecurity? 

The knowledge base is available to you. You can do it! Find the time and prioritize the effort. Focus on the outcome. Focus on your why and make it bigger than the effort to get there. There are hundreds of books available. Dozens of free resources. Google is your friend... Or if you prefer, here's a tiny snippet of online available resources: 

Top Schools...

Many top schools have open courseware such as:

Additional Online Courses...

In addition, there are great free online courses available:

And if you have a subscription (it's worth it IMHO): 


These cost money - and time - but they demonstrate a fundamental level of knowledge highly desirable by hiring managers. They also demonstrate your passion for the topic and desire to put in the additional work to stand out from your peers. 

Tuesday, July 12, 2022

2022 CMMCv2 and SP 800-171r2 and SP 800-171A Combined

CMMC depends on the content from 800-171r2 and 171A... Here is something I created that combines all three into one place. I find this helps visualize and focus discussions between the driver (CMMC) requirement, implementation, and assessment. 

Download it from my files here: 2022 CMMCv2 and SP 800-171r2 and SP 800-171A Combined.ver.02a

Relevant Sources

Tuesday, July 5, 2022

Hello Big News! Quantum-Resistant Cryptographic Algorithms

Tags: NIST; Quantum-Resistant Cryptographic Algorithms

Source: NIST Announces First Four Quantum-Resistant Cryptographic Algorithms | NIST

Big news in the standards world!

Why do I care?

Taken from a different blog, this is why quantum resistant cryptographic algorithms are important today:

“Rather than breaking an entire class of encryption in total and all at the same time, an adversary would have to collect that encrypted information and then apply the quantum capability against that single session of communication, break that, and then move to the next one.

We don’t anticipate talking about your personal bank accounts at first, but rather very valuable information that will be worth the expense of using those first cryptographically capable quantum machines, national security information as an example. That's why, even though there's not a cryptographically relevant quantum machine now, we need to be preparing now so that even the data we have today is quantum proof tomorrow.”

What just happened?


NIST Announces First Four Quantum-Resistant Cryptographic Algorithms

Federal agency reveals the first group of winners from its six-year competition

The algorithms are designed for two main tasks for which encryption is typically used: general encryption, used to protect information exchanged across a public network; and digital signatures, used for identity authentication. All four of the algorithms were created by experts collaborating from multiple countries and institutions. 

For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. 

For digital signatures, often used when we need to verify identities during a digital transaction or to sign a document remotely, NIST has selected the three algorithms CRYSTALS-DilithiumFALCON and SPHINCS+ (read as “Sphincs plus”). Reviewers noted the high efficiency of the first two, and NIST recommends CRYSTALS-Dilithium as the primary algorithm, with FALCON for applications that need smaller signatures than Dilithium can provide. The third, SPHINCS+, is somewhat larger and slower than the other two, but it is valuable as a backup for one chief reason: It is based on a different math approach than all three of NIST’s other selections.