NIST urged to include multi-factor authentication in cyber framework

The U.S. government should specify some form of online identity security that goes beyond a username and password in the forthcoming update to its voluntary cybersecurity framework, advocates urged at an industry conference Tuesday. “Right now, you have a situation where Teen Vogue is recommending [two-factor identity authentication, or] 2FA and the [National Institute for Standards and Technology] Cybersecurity Framework isn’t,” pointed out Jeremy Grant, who headed up NIST’s effort to kick-start a market for identity security from 2011 to 2015. “Shouldn’t we take a look at that?” he asked the audience at the International Biometric Identity Association’s Connect:ID conference. NIST is preparing an update to its highly regarded Cybersecurity Framework and is in the midst of analyzing public comments on its initial draft ahead of a public workshop later this month. The article in cyber-savvy Teen Vogue was something of a high-water mark for popular awareness of 2FA, also called multi-factor authentication, or MFA. […]

The post NIST urged to include multi-factor authentication in cyber framework appeared first on Cyberscoop.

It’s time to put multi-factor authentication in the NIST Cyber Framework

Many private and public sector organizations rightly look to NIST’s Cybersecurity Framework as a how-to guide for building a solid foundation for a cybersecurity strategy. But after a long public consultation and drafting process, one critical piece of any such strategy was missing from the original framework when it was published in February 2014: the use of multi-factor identity authentication. MFA, also often called two-factor authentication, means using some method beyond a simple username/password combination to prove who you are — another “factor” like a FIDO security keystick or a biometric, such as a fingerprint. Excluding MFA from the framework, according to NIST at the time, was necessary because there weren’t any widely accepted, interoperable standards for ensuring secure identity and because of usability problems with the technologies then available. NIST has drafted an update of the framework, but even though the section on identity and access management has been expanded and overhauled, there’s still no mention of MFA. We in the FIDO […]

The post It’s time to put multi-factor authentication in the NIST Cyber Framework appeared first on Cyberscoop.

Business lobby pushes back on NIST Framework measurement plans

Business lobbying groups are pushing back on plans by federal scientists to add third-party measurement of cybersecurity to a voluntary framework designed to help private companies improve their defenses against hackers, cybercriminals and online spies. A draft proposed revision of the National Institute of Standards and Technology’s Cybersecurity Framework, to be known as version 1.1, includes a new section on “measuring and demonstrating cybersecurity.” But public comments filed by business groups voice concern about what metrics should be used for measurement and how public that demonstration ought to be. “Measuring state and trends over time, internally, through external audit, and through conformity assessment, enables an organization to understand and convey meaningful risk information to dependents, partners, and customers,” reads the introduction to the proposed new section. One of the complaints about the framework — which is generally recognized as a useful tool for companies looking to improve their online security — is that […]

The post Business lobby pushes back on NIST Framework measurement plans appeared first on Cyberscoop.

What’s in the NIST cybersecurity controls catalogue update?

NIST Special Publication 800-53 isn’t the most exciting book, but for federal IT managers, the canonical catalogue of cybersecurity controls is like the English Hymnal and the Book of Common Prayer rolled into one. Changes to it are a very big deal. The latest version, put together by top federal scientists from the U.S. National Institute for Standards and Technology, incorporates privacy controls as well, one of its principal authors told CyberScoop. “It’s a leap ahead document,” NIST Cybersecurity Advisor Ron Ross said of the new draft of NIST SP 800-53: “Security and Privacy Controls for Federal Information Systems and Organizations.” Ross and other cyber experts from NIST last week briefed the agency’s Information Security and Privacy Board about the latest, long-awaited set of proposed revisions to the magisterial index of security controls — 800-53 Rev5. SP 800-53 lists the security controls federal managers have to choose from to ensure their IT systems comply with the security standards […]

The post What’s in the NIST cybersecurity controls catalogue update? appeared first on Cyberscoop.