Friday, September 16, 2022
Here's a NIST mapping crosswalk between the HIPAA requirements and NIST SP 800-53r5 in a spreadsheet format.
I reworked the information from the initial public draft into a spreadsheet that also allows easy importing into different tools. Additionally, I included a direct NIST map, essentially reversing the look-up. Finally, all control IDs are now two digits, which allows for proper sorting and lookups with tools inside arrays.
Here's a snapshot of the format:
Thursday, August 18, 2022
- "The goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware of, in a helpful organizational scheme. The use of colors, fonts, and hyperlinks is designed to provide additional assistance to cybersecurity professionals navigating their way through policy issues in order to defend their networks, systems, and data.
- At the bottom center of the chart is a legend that identifies the originator of each policy by a color-coding scheme. On the right-hand side are boxes identifying key legal authorities, federal/national level cybersecurity policies, and operational and subordinate level documents that provide details on defending the DoD Information Network (DoDIN) and its assets. Links to these documents can also be found in the chart."
Wednesday, August 17, 2022
Tuesday, August 16, 2022
Summary: "The gap between what we have to do today and where we see ourselves in the future can be vexing. We’d like to advance toward our goals, but we feel dragged down by responsibilities that seem banal or off-target for our eventual vision. In this piece, the author offers four strategies you can try so that you can simultaneously accomplish what’s necessary for the short-term while playing the long game for the betterment of your career."
- Analyze the strategic value of your activities.
- Enlist allies.
- Manage your brand.
- Be willing to experiment with “120% time.”
- Put in the time when you are young because you have the energy, mental capacity, and the greatest amount of neural plasticity.
- The world and the workplace are not fair. Position yourself to capitalize on opportunities. That can mean many things: training, visibility, kindness, being someone others want to be around and emulate.
- Embrace the opposite of Imposter Syndrome. Be confident and go for it. Why not you?
- Hard work beats talent when talent doesn't work hard.
Thursday, August 11, 2022
What: A group of security vendors (the OCSF founders) have collaborated on a joint initiative to remove a critical bottleneck in the sharing of threat information: the different data formats currently in use across cybersecurity tools and products.
- Base event attributes in the schema (by caption): Activity; Activity ID; Category; Category ID; Class; Class ID; Count; Duration; End Time; Enrichments; Event Time; Message; Metadata; Observables; Original Time; Product; Profiles; Raw Data; Reference Event Code; Reference Event ID; Reference Event Name; Severity; Severity ID; Start Time; Status; Status Code; Status Details; Status ID; Timezone Offset; Type ID; Type Name; Unmapped Data
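To make the schema concrete, here is an added example (my own code, not the OCSF project's) that maps constructed sshd log lines onto OCSF base-event attributes. It uses the schema's snake_case names for the captions listed above (activity_id, category_uid, class_uid, severity_id, status_id, time, metadata, raw_data, unmapped). The numeric identifiers are from the OCSF Authentication event class as I read it (class_uid 3002, category_uid 3, activity_id 1 for Logon, status_id 1 Success / 2 Failure, severity_id 1 Informational, type_uid = class_uid * 100 + activity_id); verify them against the published schema before mapping production data. The log lines, host name and addresses are constructed; the metadata.version string and the auth_protocol field are placeholders.

```python
"""Map raw sshd auth lines onto OCSF base-event attributes.

Added example, not OCSF project code. Numeric IDs follow the OCSF
Authentication class as I read it; confirm against the schema browser.
"""
import re
from datetime import datetime, timezone

CLASS_UID_AUTHENTICATION = 3002   # assumption: OCSF Authentication class
CATEGORY_UID_IAM = 3              # assumption: Identity & Access Management category
ACTIVITY_LOGON = 1                # assumption: Logon activity
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
SEVERITY_INFORMATIONAL = 1

# Constructed sample input (syslog-style sshd lines); not captured from a real host.
SAMPLE_LOG = """\
Aug 11 09:14:02 bastion sshd[2311]: Accepted publickey for alice from 198.51.100.7 port 50212 ssh2
Aug 11 09:14:09 bastion sshd[2314]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2
Aug 11 09:14:10 bastion sshd[2314]: Connection closed by 203.0.113.5 port 4444 [preauth]
"""

_SSHD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def _epoch_ms(ts: str, year: int) -> int:
    """Syslog timestamps carry no year or zone; the caller supplies the year, UTC is assumed."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def to_ocsf(line: str, year: int = 2022):
    """Return an OCSF-shaped dict for one sshd auth line, or None if the line is not one."""
    m = _SSHD.match(line)
    if not m:
        return None
    ok = m["outcome"] == "Accepted"
    return {
        "activity_id": ACTIVITY_LOGON,
        "category_uid": CATEGORY_UID_IAM,
        "class_uid": CLASS_UID_AUTHENTICATION,
        "type_uid": CLASS_UID_AUTHENTICATION * 100 + ACTIVITY_LOGON,
        "severity_id": SEVERITY_INFORMATIONAL,
        "status_id": STATUS_SUCCESS if ok else STATUS_FAILURE,
        "status_code": "invalid user" if "invalid user" in line else None,
        "time": _epoch_ms(m["ts"], year),               # epoch milliseconds
        "message": line,
        "metadata": {
            "version": "1.0.0",                          # placeholder: schema version you map to
            "product": {"name": "OpenSSH", "vendor_name": "OpenBSD"},
            "original_time": m["ts"],                    # the producer's own timestamp, untouched
        },
        "user": {"name": m["user"]},
        "src_endpoint": {"ip": m["ip"], "port": int(m["port"])},
        "auth_protocol": m["method"],                    # placeholder: schema also has an enum form
        "raw_data": line,
        # Anything the target class has no attribute for goes to unmapped, never silently dropped.
        "unmapped": {"pid": m["pid"], "host": m["host"]},
    }


def normalize(log_text: str, year: int = 2022):
    """Normalize every auth line; lines without a mapping are skipped."""
    return [e for e in (to_ocsf(l, year) for l in log_text.splitlines()) if e]


if __name__ == "__main__":
    import json
    print(json.dumps(normalize(SAMPLE_LOG), indent=2))
```

The third sample line (a preauth connection close) produces no Authentication event; in a real pipeline you would route it to a Network Activity class or count it, so that the drop is visible rather than silent.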
Thoughts: There's still a tremendous amount of work to be done and it will realistically be quite some time before the value is realized from this effort. However, it's good to see some progress and interest. This has been a problem for a very, very long time.
Tags: Open Cybersecurity Schema Framework (OCSF)
Thursday, July 28, 2022
Tags: MITRE; CREF; Navigator; Cyber Resiliency Engineering Framework; NIST SP 800-160
- CREF Navigator (mitre.org)
- SP 800-160 Vol. 2 Rev. 1, Developing Cyber-Resilient Systems: SSE Approach | CSRC (nist.gov)
What is it?
“a relational database of NIST SP 800-160 Volume 2 concepts that is searchable, visualizes resilience relationships & presents a Web UI while utilizing portable, opensource components to enable use in tools. The CREF Navigator distills tons of useful terms, tables, and relationships from the CREF/NIST SP 800-160 Volume 2 into an online tool.”
Visualize the interaction between the Goals, Objectives, Techniques, and Approaches of Cyber Resiliency:
Interaction of Techniques, Approaches, and Adversarial Effects:
Wednesday, July 27, 2022
So you want to learn cybersecurity?
The knowledge base is available to you. You can do it! Find the time and prioritize the effort. Focus on the outcome. Focus on your why and make it bigger than the effort to get there. There are hundreds of books available. Dozens of free resources. Google is your friend... Or, if you prefer, here's a small sample of the resources available online:
Additional Online Courses...
Tuesday, July 12, 2022
CMMC depends on the content from 800-171r2 and 171A... Here is something I created that combines all three into one place. I find this helps visualize and focus discussions between the driver (CMMC) requirement, implementation, and assessment.
Download it from my files here: 2022 CMMCv2 and SP 800-171r2 and SP 800-171A Combined.ver.02a
- OUSD A&S - Cybersecurity Maturity Model Certification (CMMC) (osd.mil)
- SP 800-171 Rev. 2, Protecting CUI in Nonfederal Systems and Organizations | CSRC (nist.gov)
- SP 800-171A, Assessing Security Requirements for CUI | CSRC (nist.gov)
Tuesday, July 5, 2022
Tags: NIST; Quantum-Resistant Cryptographic Algorithms
Big news in the standards world!
Why do I care?
Taken from a different blog, this is why quantum resistant cryptographic algorithms are important today:
“Rather than breaking an entire class of encryption in total and all at the same time, an adversary would have to collect that encrypted information and then apply the quantum capability against that single session of communication, break that, and then move to the next one.
We don’t anticipate talking about your personal bank accounts at first, but rather very valuable information that will be worth the expense of using those first cryptographically capable quantum machines, national security information as an example. That's why, even though there's not a cryptographically relevant quantum machine now, we need to be preparing now so that even the data we have today is quantum proof tomorrow.”
What just happened?
NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
Federal agency reveals the first group of winners from its six-year competition
The algorithms are designed for two main tasks for which encryption is typically used: general encryption, used to protect information exchanged across a public network; and digital signatures, used for identity authentication. All four of the algorithms were created by experts collaborating from multiple countries and institutions.
For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation.
For digital signatures, often used when we need to verify identities during a digital transaction or to sign a document remotely, NIST has selected the three algorithms CRYSTALS-Dilithium, FALCON and SPHINCS+ (read as “Sphincs plus”). Reviewers noted the high efficiency of the first two, and NIST recommends CRYSTALS-Dilithium as the primary algorithm, with FALCON for applications that need smaller signatures than Dilithium can provide. The third, SPHINCS+, is somewhat larger and slower than the other two, but it is valuable as a backup for one chief reason: It is based on a different math approach than all three of NIST’s other selections.
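Since the announcement separates a KEM for "general encryption" from the signature schemes, here is an added toy illustration of what a lattice KEM actually does. This is my own teaching code, not CRYSTALS-Kyber, and it is not secure (toy dimension, crude noise, no CCA transform). It borrows two ideas from Kyber: the modulus 3329 and deriving the public matrix from a seed so that the public key stays small, which is the "comparatively small keys" point above. Parameters are assumptions chosen so that decapsulation never fails: with entries in {-1, 0, 1} and dimension 64, the residual noise is at most 2*64+1 = 129, well under q/4 = 832.

```python
"""Toy Learning-With-Errors (LWE) key-encapsulation mechanism.

Added illustration: NOT CRYSTALS-Kyber and NOT secure (tiny dimension,
crude noise, no CCA transform). It shows the shape of a lattice KEM:
a public key that is a seed plus one noisy vector, an encapsulation that
yields a ciphertext and a shared secret, and a decapsulation that recovers
the same secret from the ciphertext and the secret key.
"""
import hashlib
import random

N = 64        # lattice dimension (assumption: toy size, chosen so the noise bound holds)
Q = 3329      # modulus (Kyber's value, reused for familiarity)
M_BITS = 32   # secret bits per encapsulation; each bit becomes one LWE sample


def _expand_matrix(seed: bytes):
    """Derive the public N x N matrix A from a 32-byte seed with SHAKE-256.

    Publishing the seed instead of the matrix is what keeps the public key small.
    (Reducing 16-bit words mod Q is slightly biased; real schemes use rejection sampling.)
    """
    stream = hashlib.shake_256(seed).digest(N * N * 2)
    words = [int.from_bytes(stream[i:i + 2], "little") % Q for i in range(0, len(stream), 2)]
    return [words[r * N:(r + 1) * N] for r in range(N)]


def _small_vec(rng, n=N):
    """Secret or noise vector with entries in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q


def _mat_t_vec(A, v):
    """A^T v without building the transpose."""
    return [sum(A[i][j] * v[i] for i in range(N)) % Q for j in range(N)]


def _kdf(bits):
    """Shared secret = hash of the encapsulated bits."""
    return hashlib.sha256(bytes(bits)).digest()


def keygen(rng=None):
    """Return (public_key, secret_key); the public key is (seed, b) with b = A s + e."""
    rng = rng or random.SystemRandom()
    seed = bytes(rng.getrandbits(8) for _ in range(32))
    A = _expand_matrix(seed)
    s, e = _small_vec(rng), _small_vec(rng)
    b = [(_dot(row, s) + ei) % Q for row, ei in zip(A, e)]
    return (seed, b), s


def encapsulate(pk, rng=None):
    """Return (ciphertext, shared_secret). Each bit is hidden as b.r + noise + bit*q/2."""
    rng = rng or random.SystemRandom()
    seed, b = pk
    A = _expand_matrix(seed)
    bits = [rng.getrandbits(1) for _ in range(M_BITS)]
    ct = []
    for bit in bits:
        r, e1, e2 = _small_vec(rng), _small_vec(rng), rng.choice((-1, 0, 1))
        u = [(x + y) % Q for x, y in zip(_mat_t_vec(A, r), e1)]   # u = A^T r + e1
        v = (_dot(b, r) + e2 + bit * (Q // 2)) % Q                # v = b.r + e2 + bit*q/2
        ct.append((u, v))
    return ct, _kdf(bits)


def decapsulate(sk, ct):
    """Recover the bits: v - s.u = e.r + e2 - s.e1 + bit*q/2, and |noise| <= 2N+1 = 129 < q/4."""
    bits = []
    for u, v in ct:
        w = (v - _dot(sk, u)) % Q
        bits.append(1 if Q // 4 <= w < 3 * Q // 4 else 0)   # closer to q/2 than to 0?
    return _kdf(bits)


def roundtrip(seed: int):
    """Deterministic demo: (sender's secret, receiver's secret, secret from an unrelated key)."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    ct, k_sender = encapsulate(pk, rng)
    _, sk_other = keygen(random.Random(seed + 1))
    return k_sender, decapsulate(sk, ct), decapsulate(sk_other, ct)


if __name__ == "__main__":
    k1, k2, k_wrong = roundtrip(1)
    print("receiver recovers secret:", k1 == k2, "| unrelated key recovers it:", k1 == k_wrong)
```

Notice the three operations, keygen, encapsulate and decapsulate: there is no "encrypt this message" call. The sender obtains a ciphertext plus a shared secret, the receiver recovers the same secret, and a symmetric cipher then does the bulk encryption. That is the API shape protocols like TLS are being adapted to for Kyber, and it is also why a KEM alone does not give you authentication; that is the job of the signature algorithms named above.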