Microsoft Supports Solutions to Help Feds Police Their AI Work
Let’s take a closer look at several Microsoft tools that could help federal agencies secure their AI environments and AI use.
Karen Scarfone's Publications and Blog
Welcome! This site has links to my online publications and blog posts. Sign up to get a weekly email update when I release a new pub or blog post.
Towards Automating IoT Security: Implementing Trusted Network-Layer Onboarding
This document provides an overview of trusted IoT device network-layer onboarding, a capability for securely providing IoT devices with their local network credentials in a manner that helps to ensure that the network is not put at risk as new IoT devices are connected to it— enhancing network security and management.
Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile
SP 800-61 Revision 3 seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0.
5G Cybersecurity (Executive Summary)
As the first volume of the practice guide, this document summarizes the most significant cybersecurity and privacy recommendations identified thus far from our research on this project. For more information, project goals and implementation details are being documented in a second NIST Cybersecurity Practice Guide Volume B. In addition, detailed information on 5G cybersecurity and privacy capabilities is also being published as part of a white paper series.
MFA for Criminal Justice Information Systems
Criminal and non-criminal justice agencies in the U.S. require the use of multi-factor authentication (MFA) to protect access to criminal justice information (CJI). This document provides a general overview of MFA, outlines design principles and architecture considerations for implementing MFA to protect CJI, and offers specific examples of use cases that agencies face today.
CSF Profile for Semiconductor Manufacturing
This draft Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to semiconductor manufacturing systems.
Integrating Cybersecurity and Enterprise Risk Management (ERM)
This document is intended to help individual organizations within an enterprise improve their cybersecurity risk information, which they provide as inputs to their enterprise’s ERM processes through communications and risk information sharing.
The ends do not justify the means
Do something to help our federal employees.
5G Cybersecurity: No SUPI-Based Paging
This publication provides an overview of “no Subscription Permanent Identifier (SUPI) based paging,” a 5G capability for protecting users from being identified and located by an attacker.
Ransomware Risk Management CSF 2.0 Profile
NIST IR 8374 reflects changes made to the Cybersecurity Framework (CSF) from CSF 1.1 to CSF 2.0 which identifies security objectives that support managing, detecting, responding to, and recovering from ransomware events. You can use this publication to gauge your organization’s readiness to counter ransomware threats, mitigate potential consequences of a ransomware event, and to develop a ransomware countermeasure playbook.
SP 1800-35 (Draft), Implementing a Zero Trust Architecture
This publication outlines results and best practices from the NCCoE effort working with 24 vendors to demonstrate end-to-end zero trust architectures.
Reallocation of Temporary Identities: Applying 5G Cybersecurity and Privacy Capabilities
This publication provides additional details regarding how 5G protects subscriber identities (IDs). It focuses on how the network reallocates temporary IDs to protect users from being identified and located by an attacker.
Automation of the NIST CMVP
The NIST NCCoE has undertaken the Automated Cryptographic Module Validation Project (ACMVP) to support improvement in the efficiency and timeliness of CMVP operations and processes. The goal is to demonstrate a suite of automated tools that would permit organizations to perform testing of their cryptographic products according to the requirements of FIPS 140-3, then directly report the results to NIST using appropriate protocols.
CSF 2.0: Quick-Start Guide for C-SCRM
This guide focuses on two ways the CSF can help you: 1) Use the CSF’s GV.SC Category to establish and operate a C-SCRM capability. 2) Define and communicate supplier requirements using the CSF.
CSF 2.0: Quick-Start Guide for Using the CSF Tiers
This Quick-Start Guide describes how to apply the CSF 2.0 Tiers. CSF Tiers can be applied to CSF Organizational Profiles to characterize the rigor of an organization’s cybersecurity risk governance and management outcomes. This can help provide context on how an organization views cybersecurity risks and the processes in place to manage those risks.
Using Hardware-Enabled Security to Ensure 5G System Platform Integrity
This publication provides an overview of employing hardware-enabled security capabilities to provision, measure, attest to, and enforce the integrity of the compute platform to foster trust in a 5G system’s server infrastructure.
Supplemental CSF Spreadsheet
NIST is providing users with a resource to compare and contrast CSF 1.1 and CSF 2.0. This new supplemental document is intended as an aid to anyone who is transitioning a CSF 1.1 Organizational Profile, conducting mapping, or converting other CSF 1.1 Core content to use the CSF 2.0 Core.
Protecting Subscriber Identifiers with Subscription Concealed Identifier (SUCI)
This publication describes enabling SUCI protection, an optional capability new in 5G which provides important security and privacy protections for subscribers. 5G network operators are encouraged to enable SUCI on their 5G networks and subscriber SIMs and to configure SUCI to use a non-null encryption cipher scheme; this provides their customers with the advantages of SUCI’s protections.
Applying 5G Cybersecurity and Privacy Capabilities: Introduction to the White Paper Series
This publication explains what you can expect from each part of the white paper series: information, guidance, recommended practices, and research findings for a specific technical cybersecurity or privacy-supporting capability available in 5G systems or their supporting infrastructures.
Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile
This publication augments the secure software development practices and tasks defined in SSDF Version 1.1. It adds practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle.
Making myself dispensable
Making yourself dispensable--by sharing what you've learned with others--enables others to do what you do.
SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile
This publication augments the secure software development practices and tasks defined in SSDF Version 1.1. SP 800-218A adds practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle.
Incident Response Recommendations and Considerations
This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities, as described by CSF 2.0.
The CSF 2.0 FAQ
Have questions about CSF 2.0?
Load More