Thursday, July 28, 2022

[MITRE CREF Navigator]: Cyber Resiliency Engineering Framework (CREF)

Tags: MITRE; CREF; Navigator; Cyber Resiliency Engineering Framework; NIST SP 800-160


What is it?

“a relational database of NIST SP 800-160 Volume 2 concepts that is searchable, visualizes resilience relationships & presents a Web UI while utilizing portable, open-source components to enable use in tools. The CREF Navigator distills tons of useful terms, tables, and relationships from the CREF/NIST SP 800-160 Volume 2 into an online tool.”

Must-see Images:

Visualize the interaction between the Goals, Objectives, Techniques, and Approaches of Cyber Resiliency:


Interaction of Techniques, Approaches, and Adversarial Effects:

Wednesday, July 27, 2022

Learning Cybersecurity

So you want to learn cybersecurity? 

The knowledge base is available to you. You can do it! Find the time and prioritize the effort. Focus on the outcome. Focus on your why and make it bigger than the effort to get there. There are hundreds of books available and dozens of free resources. Google is your friend... Or if you prefer, here's a small sample of the resources available online: 

Top Schools...

Many top schools have open courseware such as:

Additional Online Courses...

In addition, there are great free online courses available:

And if you have a subscription (it's worth it IMHO): 


These cost money, and time, but they demonstrate a fundamental level of knowledge that hiring managers value highly. They also demonstrate your passion for the topic and your willingness to put in the additional work to stand out from your peers. 

Tuesday, July 12, 2022

2022 CMMCv2 and SP 800-171r2 and SP 800-171A Combined

CMMC draws its practices from SP 800-171r2, and SP 800-171A supplies the assessment objectives and methods for those practices... Here is something I created that combines all three into one place. I find this helps visualize and focus discussions between the driver (the CMMC requirement), the implementation, and the assessment. 

Download it from my files here: 2022 CMMCv2 and SP 800-171r2 and SP 800-171A Combined.ver.02a

Relevant Sources

Tuesday, July 5, 2022

Hello Big News! Quantum-Resistant Cryptographic Algorithms

Tags: NIST; Quantum-Resistant Cryptographic Algorithms

Source: NIST Announces First Four Quantum-Resistant Cryptographic Algorithms | NIST

Big news in the standards world!

Why do I care?

Taken from a different blog, this is why quantum-resistant cryptographic algorithms are important today:

“Rather than breaking an entire class of encryption in total and all at the same time, an adversary would have to collect that encrypted information and then apply the quantum capability against that single session of communication, break that, and then move to the next one.

We don’t anticipate talking about your personal bank accounts at first, but rather very valuable information that will be worth the expense of using those first cryptographically capable quantum machines, national security information as an example. That's why, even though there's not a cryptographically relevant quantum machine now, we need to be preparing now so that even the data we have today is quantum-proof tomorrow.”

What just happened?


NIST Announces First Four Quantum-Resistant Cryptographic Algorithms

Federal agency reveals the first group of winners from its six-year competition

The algorithms are designed for two main tasks for which encryption is typically used: general encryption, used to protect information exchanged across a public network; and digital signatures, used for identity authentication. All four of the algorithms were created by experts collaborating from multiple countries and institutions. 

For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. 

For digital signatures, often used when we need to verify identities during a digital transaction or to sign a document remotely, NIST has selected the three algorithms CRYSTALS-Dilithium, FALCON and SPHINCS+ (read as “Sphincs plus”). Reviewers noted the high efficiency of the first two, and NIST recommends CRYSTALS-Dilithium as the primary algorithm, with FALCON for applications that need smaller signatures than Dilithium can provide. The third, SPHINCS+, is somewhat larger and slower than the other two, but it is valuable as a backup for one chief reason: It is based on a different math approach than all three of NIST’s other selections.