Aug 15 2025

NIST Strengthens Digital Identity Security to Tackle AI-Driven Threats

Category: AI,NIST Privacydisc7 @ 9:27 am

The US National Institute of Standards and Technology (NIST) has issued its first major update to the Digital Identity Guidelines since 2017, responding to new cybersecurity challenges such as AI-enhanced phishing, deepfake fraud, and evolving identity attacks. The revision reflects how digital identity threats have grown more sophisticated and how organizations must adapt both technically and operationally to counter them.

The updated guidelines combine technical specifications and organizational recommendations to strengthen identity and access management (IAM) practices. While some elements refine existing methods, others introduce a fundamentally different approach to authentication and risk management, encouraging broader adoption of phishing-resistant and fraud-aware security measures.

A major focus is on AI-driven attack vectors. Advances in artificial intelligence have made phishing harder to detect, while deepfakes and synthetic identities challenge traditional identity verification processes. Although passwordless authentication, such as passkeys, offers a promising solution, adoption has been slowed by integration and compatibility hurdles. NIST now emphasizes stronger fraud detection, media forgery detection, and the use of FIDO-based phishing-resistant authentication.

This revision—NIST Special Publication 800-63, Revision 4—is the result of nearly four years of research, public drafts, and feedback from about 6,000 comments. It addresses identity proofing, authentication, and federation requirements, aiming to enhance security, privacy, and user experience. Importantly, it positions identity management as a shared responsibility, engaging cybersecurity, privacy, usability, program integrity, and mission operations teams in coordinated governance.

Key updates include revised risk management processes, continuous evaluation metrics, expanded fraud prevention measures, restructured identity proofing controls with clearer roles, safeguards against injection attacks and forged media, support for synced authenticators like passkeys, recognition of subscriber-controlled wallets, and updated password rules. These additions aim to balance robust protection with usability.

Overall, the revision represents a strategic shift from the previous edition, incorporating lessons from real-world breaches and advancements in identity technology. By setting a more comprehensive and collaborative framework, NIST aims to help organizations make digital interactions safer, more trustworthy, and more user-friendly while maintaining strong defenses against rapidly evolving threats.

“It is increasingly important for organizations to assess and manage digital identity
security risks, such as unauthorized access due to impersonation. As organizations
consult these guidelines, they should consider potential impacts to the confidentiality,
integrity, and availability of information and information systems that they manage, and
that their service providers and business partners manage, on behalf of the individuals
and communities that they serve.
Federal agencies implementing these guidelines are required to meet statutory
responsibilities, including those under the Federal Information Security Modernization
Act (FISMA) of 2014 [FISMA] and related NIST standards and guidelines. NIST
recommends that non-federal organizations implementing these guidelines follow
comparable standards (e.g., ISO/IEC 27001) to ensure the secure operation of their
digital systems.”

Download the complete guide HERE

EU AI Act concerning Risk Management Systems for High-Risk AI

Understanding the EU AI Act: A Risk-Based Framework for Trustworthy AI – Implications for U.S. Organizations

Interpretation of Ethical AI Deployment under the EU AI Act

Aligning with ISO 42001:2023 and/or the EU Artificial Intelligence (AI) Act

State of Agentic AI Security and Governance

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

Digital Ethics in the Age of AI 

DISC InfoSec’s earlier posts on the AI topic

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

Tags: Digital Identity Security

Jul 03 2025

Secure Your Business. Simplify Compliance. Gain Peace of Mind

Category: Information Security,NIST CSF,NIST Privacy,Security Compliance,vCISOdisc7 @ 1:56 pm

At Deura InfoSec, we help small to mid-sized businesses navigate the complex world of cybersecurity and compliance—without the confusion, cost, or delays of traditional approaches. Whether you’re facing a looming audit, need to meet ISO 27001, NIST, HIPAA, or other regulatory standards, or just want to know where your risks are—we’ve got you covered.

We offer fixed-price compliance assessments, vCISO services, and easy-to-understand risk scorecards so you know exactly where you stand and what to fix—fast. No bloated reports. No endless consulting hours. Just actionable insights that move you forward.

Our proven SGRC frameworks, automated tools, and real-world expertise help you stay audit-ready, reduce business risk, and build trust with customers.

📌 ISO 27001 | ISO 42001 | SOC 2 | HIPAA | NIST | Privacy | TPRM | M&A
📌 Risk & Gap Assessments | vCISO | Internal Audit
📌 Security Roadmaps | AI & InfoSec Governance | Awareness Training

Start with our Compliance Self-Assessment and discover how secure—and compliant—you really are.

👉 DeuraInfoSec.comLet’s make security simple.

If you’re dealing with audits, scaling security, or just want to know how exposed your business is—we’re the no-BS partner you’ve been looking for.

✅ Big 4 experience + hands-on delivery
✅ Cyber data governance tailored to small/mid-sized orgs
✅ Practical, business-first approach to InfoSec

Next Steps: Let us prepare a customized scorecard or walk you through a free 15-minute discovery call.

Contact: info@discinfosec.com | www.discinfosec.com

Vineyard and Wineries may be at Risk

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

Tags: Deura InfoSec, DISC InfoSec, Secure Your Business

Jan 16 2025

7 steps for evaluating, comparing, and selecting frameworks

Category: ISO 27k,NIST CSF,NIST Privacy,vCISOdisc7 @ 11:38 am

7 steps for evaluating, comparing, and selecting frameworks:

  1. Identify frameworks that align with regulatory compliance requirements.
  2. Assess the organization’s risk appetite and select frameworks that align with its strategic goals.
  3. Compare your organization to others in the industry to determine the most commonly used frameworks and their relevance.
  4. Choose frameworks that can scale as the business grows.
  5. Select frameworks that help the organization better align with its clients.
  6. Conduct a cost analysis to assess the feasibility of implementing the framework(s).
  7. Determine whether the framework can be implemented in-house or if external guidance is needed.

This process helps organizations select the most suitable framework for their needs and long-term.

Why Your Organization Needs ISO 27001 Amid Rising Risks

10 key benefits of ISO 27001 Cert for SMBs

ISO 27001: Building a Culture of Security and Continuous Improvement

Penetration Testing and ISO 27001 – Securing ISMS

Secure Your Digital Transformation with ISO 27001

Significance of ISO 27017 and ISO 27018 for Cloud Services

The Risk Assessment Process and the tool that supports it

What is the significance of ISO 27001 certification for your business?

ISO 27k Chat bot

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

Securing Cloud Services: A pragmatic guide

ISO 27001/2 latest titles

A Comprehensive Guide to the NIST Cybersecurity Framework 2.0: Strategies, Implementation, and Best Practice

CIS Controls in Practice: A Comprehensive Implementation Guide

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: CIS, ISO, NIST

Jul 16 2024

Understanding Compliance With the NIST AI Risk Management Framework

Category: NIST Privacy,Risk Assessmentdisc7 @ 10:06 am
Understanding Compliance With the NIST AI Risk Management Framework

Incorporating artificial intelligence (AI) seems like a logical step for businesses looking to maximize efficiency and productivity. But the adverse effects of AI use, such as data security risk and misinformation, could bring more harm than good.

According to the World Economic Forum’s Global Risks Report 2024, AI-generated misinformation and disinformation are among the top global risks businesses face today.

To address the security risks posed by the increasing use of AI technologies in business processes, the National Institute of Standards and Technology (NIST) released the Artificial Intelligence Risk Management Framework (AI RMF 1.0) in January 2023. 

Adhering to this framework not only puts your organization in strong position to avoid the dangers of AI-based exploits, it also adds an impressive type of compliance to your portfolio, instilling confidence in external stakeholders. Moreover, while NIST AI RMF is more of a guideline than a regulation, today there are several AI laws in the process of being enacted, so adhering to NIST’s framework helps CISOs to future-proof their AI compliance postures.

Let’s examine the four key pillars of the framework – govern, map, measure and manage – and see how you can incorporate them to better protect your organization from AI-related risks.

1.Establish AI Governance Structures

In the context of NIST AI RMF, governance is the process of establishing processes, procedures, and standards that guide responsible AI development, deployment, and use. Its main goal is to connect the technical aspect of AI system design and development with organizational goals, values, and principles.

Strong governance starts from the top, and NIST recommends establishing accountability structures with the appropriate teams responsible for AI risk management, under the framework’s “Govern” function. These teams will be responsible for putting in place structures, systems and processes, with the end goal of establishing a strong culture of responsible AI use throughout the organization.

Using automated tools is a great way to streamline the often tedious process of policy creation and governance. “We view it as our responsibility to help organizations maximize the benefits of AI while effectively mitigating the risks and ensuring compliance with best practices and good governance,” said Arik Solomon, CEO of Cypago, a SaaS platform that automates governance, risk management, and compliance (GRC) processes in line with the latest frameworks.

“These latest features ensure that Cypago supports the newest AI and cyber governance frameworks, enabling GRC and cybersecurity teams to automate GRC with the most up-to-date requirements.”

Rather than existing as a stand-alone component, governance should be incorporated into every other NIST AI RMF function, particularly those associated with assessment and compliance. This will foster a strong organizational risk culture and improve internal processes and standards.

2.Map And Categorize AI Systems

The framework’s “Map” function supports governance efforts while also providing a foundation for measuring and managing risk. It’s here that the risks associated with an AI system are put into context, which will ultimately determine the appropriateness or need for the given AI solution.

As Opice Blum data privacy expert Henrique Fabretti Moraes explained, “Mapping the tools in use – or those intended for use – is crucial for understanding and fine-tuning acceptable use policies and potential mitigation measures to decrease the risks involved in their utilization.” 

But how do you actually put this mapping process into practice?

NIST recommends the following approach:

  • Clearly establish why you need or want to implement the AI system. What are the expectations? What are the prospective settings where the system will be deployed? You should also determine the organizational risk tolerance for operating the system.
  • Map all of the risks and benefits associated with using the system. Here is where you should also determine your risk tolerance, not only with monetary costs but also those stemming from AI errors or malfunctions.
  • Analyze the likelihood and magnitude of the impact the AI system will have on the organization, including employees, customers, and society as a whole.

3.Measure AI Performance and Risk

The “Measure” function utilizes qualitative and quantitative techniques to analyze and monitor the AI-related risks identified in the “Map” function.

AI systems should be tested before deployment and frequently thereafter. But measuring risk with AI systems can be tricky. The technology is fairly new, so there are no standardized metrics yet. This might change in the near future, as developing these metrics is a high priority for many consulting firms. For example, Ernst & Young (EY) is developing an AI Confidence Index

“Our confidence index is founded on five criteria – privacy and security, bias and fairness, reliability, transparency and explainability, and the last is accountability,” noted Kapish Vanvaria, EY Americas Risk Market Leader. The other axis includes regulations and ethics. 

“Then you can have a heat map of the different processes you’re looking at and the functions in which they’re deployed,” he says. “And you can go through each one and apply a weighted scoring method to it.”

In the NIST framework’s priorities, there are three main components of an AI system that must be measured: trustworthiness, social impact, and how humans interact with the system. The measuring process will likely consist of extensive software testing, performance assessments and benchmarks, along with reporting and documentation of results.

4.Adopt Risk Management Strategies

The “Manage” function puts everything together by allocating the necessary resources to regularly attend to uncovered risks during the previous stages. The means to do so are typically determined with governance efforts, and can be in the form of human intervention, automated tools for real-time detection and response, or other strategies.

To manage AI risks effectively, it’s crucial to maintain ongoing visibility across all organizational tools, applications, and models. AI should not be handled as a separate entity but integrated seamlessly into a comprehensive risk management framework.

Ayesha Gulley, an AI policy expert from Holistic AI, urges businesses to adopt risk management strategies early, taking into account five factors: robustness, bias, privacy, exploitability and efficacy. Holistic’s software platform includes modules for AI auditing and risk posture reporting.

“While AI risk management can be started at any point in the project development,” she said, “implementing a risk management framework sooner than later can help enterprises increase trust and scale with confidence.”

Evolve With AI

The NIST AI Framework is not designed to restrict the efficient use of AI technology. On the contrary, it aims to encourage adoption and innovation by providing clear guidelines and best practices for developing and using AI securely and responsibly.

Implementing the framework will not only help you reach compliance standards but also make your organization much more capable of maximizing the benefits of AI technologies without compromising on risk.

AI-RMF A Practical Guide for NIST AI Risk Management Framework

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: NIST AI Risk Management Framework

Sep 08 2023

NIST Gap Assessment Tool

Category: NIST CSF,NIST Privacydisc7 @ 1:23 pm

The NIST Gap Assessment Tool will cost-effectively assess your organization against the NIST SP 800-171 standard. It will help you to:

  • Understand the NIST SP 800-171 requirements for storing, processing, and transmitting CUI (Controlled Unclassified Information)
  • Quickly identify your NIST SP 800-171 compliance gaps
  • Plan and prioritise your NIST SP 800-171 project to ensure data handling meets U.S. DoD (Department of Defense) requirements

Get started with your NIST SP 800-171 compliance project

The DoD requires U.S. contractors and their subcontractors to have an available assessment of their compliance with NIST SP 800-171. As part of a national movement to have a consistent approach to cybersecurity across the U.S., even organizations that store, process, or transmit unclassified and/or sensitive information must complete an assessment.

ITG NIST Gap Assessment Tool provides the assessment template you need to guide you through compliance with the DoD’s requirements for NIST SP 800-171. The tool lays out all 14 categories and 110 security controls from the Standard, in Excel format, so you can complete a full and easy-to-use assessment with concise data reporting.

What does the tool do?

  • Features the following tabs: ‘Instructions’, ‘Summary’, and ‘Assessment and SSP (System Security Plan)’.
  • The ‘Instructions’ tab provides an easy explanation of how to use the tool and assess your compliance project, so you can complete the process without hassle.
  • The ‘Assessment and SSP’ tab shows all control numbers and requires you to complete your assessment of each control.
  • Once you have completed the full assessment, the ‘Summary’ tab provides high-level graphs for each category and overall completion. Analysis includes an overall compliance score and shows the amount of security controls that are completed, ongoing, or not applied in your organization.
  • The ‘Summary’ tab also provides clear direction for areas of development and how you should plan and prioritize your project effectively, so you can start the journey of providing a completed NIST SP 800-171 assessment to the DoD.

This NIST Gap Assessment Tool is designed for conducting a comprehensive compliance assessment.  NIST SP 800-171 Assessment Tool.

The Complete DOD NIST 800-171 Compliance Manual: Comprehensive Controlled Unclassified Information (CUI) Marking & Handling Section

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: NIST Gap Assessment Tool, NIST SP 800-171

Feb 21 2022

New Version of the NIST CSF Tool

Category: NIST CSF,NIST PrivacyDISC @ 9:32 am
NIST CSF Tool

By John Masserini

THE NIST CSF TOOL

I am quite thrilled to announce that the long-overdue update to my NIST CSF tool V2.0 is finally done. While this new version generally looks the same as the prior one, there are substantial changes underneath which will make updating it in the future far easier.

Originally released in January of 2019, it has become the most popular page on the site, with almost 20,000 downloads. To get a full understanding of the tool, you can read the original post here which goes into great detail about why it was developed and how to use it.

After numerous requests, I have also added the NIST Privacy Framework to the tool as well. The same logic has been applied here as to the CSF side – it’s just as, or perhaps even more, important to measure what you do (your practices) against what you say you do (your policies) when it comes to Privacy as it is Security.

As always, I welcome suggestions and feedback. The email to reach me is in the worksheet.

You can find the new version on the Downloads page.

NIST Cybersecurity Framework: A pocket guide 

Tags: NIST CSF Tool

Jan 02 2022

NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT

Category: data security,Information Privacy,NIST PrivacyDISC @ 11:15 am

NIST-PRIVACY-FRAMEWORK-A-TOOL-FOR-1Download

The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can: 

* Achieve scaled privacy compliance quickly
* Remain one step ahead of legislative developments with affordable advice and support
* Reduce privacy risks with one simple subscription service
* Enjoy peace of mind with your own dedicated data privacy manager

NIST Cybersecurity Framework

NIST Cybersecurity Framework: A pocket guide by [Alan Calder]

Data Governance

Tags: Data Governance, NIST Cybersecurity Framework, NIST PRIVACY FRAMEWORK, Privacy as a Service

Apr 16 2021

New Federal Data Privacy Legislation Proposed

Category: Information Privacy,NIST Privacy,Security and privacy LawDISC @ 2:32 pm
New Federal Data Privacy Legislation Proposed

In late March 2021, Representative Susan DelBene (D-WA 01) introduced legislation to the 116th Congress to protect consumer privacy and put control of consumers’ data in their own hands.

DelBene noted that states are surging ahead of the federal government in creating privacy laws, each with their own flavor and each serving the needs of a particular constituency/demographic. DelBene argued that having a federal policy will stem consumer confusion and put the United States back into the conversation on global privacy policies. The EU, for example, is pushing their General Data Protection Regulation (GDPR) as the global standard.

The Information Transparency and Personal Data Control Act (pdf) will ensure that an individual’s personal identifying information (PII), and all information pertaining to children under the age of 13, are protected. The bill requires:

  • Companies produce their privacy policies in “plain English” within 90 days of the bill’s passage.
  • Users must “opt in” before companies my use their sensitive PII. In doing so, the user is made aware of how the information may be used and more importantly how it is not to be used. Companies will have 90 days to put in place this capability once the legislation becomes law.
  • Companies must be transparent when it comes to sharing user information – who, what, where, how and why.
  • The Federal Trade Commission (FTC) will be given the authority to fine bad actors on their first offense and empower state attorneys general to pursue offenders. If the FTC doesn’t act on a complaint within 60 days, the state attorney general may pursue legal remedies.
  • Trust, yet verify by requiring, every two years, a “neutral” privacy audit to ensure companies (with information from 250,000 or more people) are handling PII in accordance with the provisions of the Act.

The bill will provide to the FTC 50 additional full-time employees, of which 15 must be technical experts (not further defined), and initial funding for the program will be $35 million.

DISC InfoSec Shop

Feb 02 2021

5 key privacy trends for 2021

Category: GDPR,Information Privacy,NIST Privacy,Security and privacy LawDISC @ 3:28 pm
No alt text provided for this image

Source: 5 key privacy trends for 2021

As organisations become increasingly reliant on the use of personal data, the risks they face grow exponentially.

We saw last year a record number of data breachesand a surge in penalties for regulatory violations, but 2021 is set to be even more perilous as the public demand for data privacy grows, COVID-19 scams continue and data protection laws get more complex following Brexit.

Here are our five key data privacy trends for this year.

1. There will be more public awareness of privacy rights

This year, we will see growing public awareness of privacy rights. There is a proliferation of information about data breaches, including commentary in the press regarding data breaches and class action suits, such as the one filed against British Airways.

All of this information is helping consumers become more aware of their rights.

Likewise, the collection by major private and public-sector organisations, as well as employers, of location- and health-related data will also drive employee and consumer awareness of data privacy.

The fact that employers must have a lawful reason for processing personal data means that even on the simple interface of employee–employer relationships, there is a growing awareness of individuals’ rights concerning data.

There is also an increased focus on supervisory authority decisions surrounding DSARs (data subject access requests), and the role they play in taking forward an employment law case.

Over the next year or two, DSARs will likely become a standard preliminary step in any employment-related legal action.

2. Brexit will continue to cause headaches

Brexit, of course, is the biggest immediate issue for UK and EU organisations, and they need to understand the relevance of the UK GDPR (General Data Protection Regulation) – which is embedded in the DPA (Data Protection Act) 2018 as a localised version of the EU GDPR.

For example, references to the EU scope have been changed to the UK, and sections that relate to the actions of the EDPB (European Data Protection Board) have been removed, because its decisions are no longer applicable in the UK.

Organisations operating in the UK and the EU are subject to both regulations, and must keep an eye on the differences in the way they are interpreted and how that affects their compliance requirements.

3. We shouldn’t expect an adequacy decision imminently

Another big concern for organisations operating in the UK and the EU is how to transfer personal data between the UK and the EU.

For data to be transferred freely, there needs to be an adequacy decision made by the EU in respect of the UK data protection regime. On the face of it, that should be straightforward, because its rules mirror those of the EU GDPR.

But in practical terms, it’s not quite as straightforward – not least because there’s an intersection between the UK government’s bulk collection of personal data and the restrictions placed on that under the EU GDPR.

Currently, personal data can continue between the EU and the UK for a minimum of four months – until 30 April. If both parties agree, that can be extended for another two months.

In that period, the EU must decide whether to grant an adequacy decision to the UK. If it does, the UK will be adequate in the same way that the Channel Islands are, and personal data will be able to be moved between the EU and the UK freely.

The UK has already granted an adequacy finding in respect of the EU – so that’s not an issue for moving data from the UK to the EU.

4. GDPR enforcement will be more consistent

In the EU, the approach to enforcing the GDPR is continuing to mature. In the 18 months after the Regulation took effect, there wasn’t much in the way of major decisions, but in the past year there has been a growing number of decisions on a wide range of issues.

In some cases, the fines were miniscule, but in others the penalties were large.

It’s clear that supervisory authorities are paying attention to the requirements of the GDPR – not just relating to data breaches but also violations of its data protection requirements.

We can expect to see supervisory authorities act with greater cohesion and make swifter decisions.

Although the UK’s ICO (Information Commissioner’s Office) has no obligation to follow through with decisions made in the EU, it will almost certainly pay attention to what is happening in the EU.

5. Cookie laws will come under greater scrutiny

From the perspective of most marketers and website users, cookies are a pain in the neck, but they are becoming an increasingly important part of data privacy.

This is evident in the £91 million fine levied against Google for its ad tracking practices, as well as the recent actions from Max Schrems and his organisation NOYB.

So, cookies – and in particular the way organisations gain consent for their use – will become a significant issue in the EU and the UK.

Current regulations indicate that they apply whenever organisations provide a service into the EU, so we’ll see more websites, wherever they are based, displaying big banners asking visitors to accept and review their cookie collection practices.

Likewise, people will increasingly review these practices to see whether organisations are getting legitimate consent and therefore meeting their regulatory requirements.

Meet your data privacy requirements with IT Governance

You can find out more about data privacy and the steps you must take to protect the information you process with our Privacy by Design Foundation Training Course.

One of our experts will guide you through the privacy and Agile roadmap, helping you understand how to incorporate privacy by design in your products and services.

Nov 18 2020

Senate passes bill to secure internet-connected devices against cyber

Category: NIST CSF,NIST PrivacyDISC @ 11:40 pm

The Senate this week unanimously passed bipartisan legislation designed to boost the cybersecurity of internet-connected devices.

The Senate passes a bill that would require all internet-connected devices purchased by the US government to comply with NIST’s minimum security recommendations

The Internet of Things Cybersecurity Improvement Act would require all internet-connected devices purchased by the federal government — such as computers and mobile devices — to comply with minimum security recommendations issued by the National Institute of Standards and Technology.

The bill would require private sector groups providing devices to the federal government to notify agencies if the internet-connected device has a vulnerability that could leave the government open to attacks.

The legislation, which the Senate advanced on Tuesday, was passed unanimously by the House in September. It now heads to President Trump for a signature.

“Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand,” Gardner noted in a separate statement. “We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks. Ensuring that our government has the capabilities and expertise to help navigate the impacts of the latest technology will be important in the coming years and decades.”

Source: Senate passes bill to secure internet-connected devices against cyber










Jan 19 2020

NIST Releases Version 1.0 of Privacy Framework

Category: NIST PrivacyDISC @ 11:08 pm

Source: NIST Releases Version 1.0 of Privacy Framework

Tool will help optimize beneficial uses of data while protecting individual privacy

The best practice guide for an effective privacy function

Practice Guide

Open a PDF file NIST Releases Version 1.0 of Privacy Framework

Developing the NIST Privacy Framework – Part 1
httpv://www.youtube.com/watch?v=W-snx9jRFf4

Developing the NIST Privacy Framework – Part 2
httpv://www.youtube.com/watch?v=gZ7ED0t09zk

Developing the NIST Privacy Framework – Part 3
httpv://www.youtube.com/watch?v=x6lTHu1VbiM



Subscribe to DISC InfoSec blog by Email