In-depth Q&A on federal cybersecurity writing
Earlier this fall, I did a Q&A session on my experiences writing for NIST. Last week I did a follow-up Q&A session that went into more detail on my NIST and FedRAMP writing.
Karen (Kent) Scarfone's Publications
Welcome! This site has links to all of my online publications. Sign up to get a weekly email update when I release something new.
SIEM benefits and features in the modern SOC
Let's explore key features and benefits of the modern SIEM.
7 top deception technology vendors for active defense
This article presents key factors to consider and features to look for when purchasing cyber deception technologies, along with a list of some of the top deception technology vendors.
What to know about 5G security threats in the enterprise
Organizations that use 5G services should consider how bad actors could use the technology against them. These are my top insights on 5G security threats for enterprise CISOs, based on a series of 5G cybersecurity white papers I co-authored for NIST's National Cybersecurity Center of Excellence.
Q&A on cyber writing for NIST
I recently did a Q&A session with members of Cybersecurity Club on my experiences writing for NIST, and I had the best time! With their kind permission, I’m sharing edited highlights from that Q&A with you, including a big announcement about an upcoming NIST-related project we’ll be doing at the Annex.
Addressing Visibility Challenges with TLS 1.3 within the Enterprise
This practice guide illustrates practical approaches that users can adopt to gain visibility into TLS 1.3-protected network traffic for application servers within their controlled enterprise data centers.
Multi-Factor Authentication for Criminal Justice Information Systems
This document provides practical information to agencies that are implementing MFA, reflecting on lessons learned from agencies around the country and from CJI-related technology vendors.
Cheat sheets for NIST's Digital Identity Guidelines
We released our second annotated versions of NIST’s Digital Identity Guidelines series. Our revamped “cheat sheets” for SPs 800-63-4, 800-63A-4, and 800-63B-4 add the NIST definition of each term the first time it’s used. The cheat sheets also highlight the recommendations and other info that, in our opinion, are most important for readers.
Annotated NIST pub on authentication
We’ve released an annotated version of NIST’s new SP 800-63B-4, Digital Identity Guidelines: Authentication and Authenticator Management. The annotations indicate each publication’s recommendations, definitions, and other information that, in our opinion, are most significant for readers.
Annotated version of NIST's Digital Identity Guidelines
We’ve released an annotated version of NIST’s Digital Identity Guidelines, SP 800-63-4. The annotations indicate the publication’s recommendations, definitions, and other information that, in our opinion, are most significant for readers. The annotations are intended to expedite, not replace, reading the NIST document.
How liveness detection catches deepfakes and spoofing attacks
Biometric liveness detection can stop fake users in their tracks. Learn how the technology works to distinguish real humans from deepfakes and other spoofing attacks.
Annotated NIST publication on media sanitization
We’ve released our second annotated NIST publication, this time with SP 800-88r2, Guidelines for Media Sanitization. We’ve annotated NIST’s PDF to indicate, in our opinion, which portions are most significant for people who want to read it or submit public comments on it to NIST.
New NIST publication on crypto agility
Our latest project at Trusted Cyber Annex involves reviewing new NIST draft publications and annotating them to indicate, in our opinion, which portions are most significant for people who want to read the drafts and especially those who want to submit public comments to NIST. The annotations are intended to supplement and expedite, not replace, reading the original NIST documents.
Empathy in the age of AI
I recently published an article on Trusted Cyber Annex about AI chatbots not stating technical facts accurately. I also posted about it on Reddit and LinkedIn. What I should have been expecting, but somehow wasn’t, was that many of the comments blamed the users.
AI-Enhanced Attacks Require Increased Vigilance From Federal Security Officers
Bad guys are becoming more successful with artificial intelligence, and agencies need both old and new methods for defense.
Considerations for Achieving Cryptographic Agility: Strategies and Practices
This white paper offers a common understanding of challenges and identified existing approaches related to crypto agility, and it includes sections on crypto agility for security protocols and applications, crypto agility strategic plans, and considerations for future work.
Do AI chatbots tell the truth? Part 2
This article presents the results of my research to compare how five popular AI chatbots—ChatGPT, Claude, Copilot, Gemini, and Perplexity—performed when asked to provide a set of facts from a publicly available cybersecurity standard that’s not copyrighted. I also asked each chatbot why its “facts” were fiction.
Mitigating GenAI content creation risks
Organizations using GenAI to create content should act immediately to identify and mitigate the associated risks. In this article, we recommend guidelines for organizations and individuals.
What Agencies Should Know About Security Service Edge
Security service edge solutions provide and integrate many pieces of a unified strategy through a single platform and interface. Here are some facts and common misconceptions about SSE solutions.
Do AI chatbots tell the truth?
I performed a little experiment using Google Gemini 2.5 Flash that demonstrated just how poorly chatbots can perform when asked for facts—and when asked why their “facts” are fiction.
Welcome to the Trusted Cyber Annex
Trusted Cyber Annex gives you honest, high-integrity cybersecurity guidance for free.
What is the Future of Cybersecurity?
As cyberthreats grow more sophisticated, enterprises face mounting challenges. What does the future of cybersecurity hold, and how can organizations stay ahead?
How to Build a Cybersecurity Strategy and Plan in 4 Steps
Planning a cybersecurity strategy for your organization takes effort, but it could mean the difference between surpassing your competitors and going out of business. Here are the basic steps to follow in developing an effective security strategy.
Cybersecurity Skills Gap: Why It Exists and How to Address It
Bridging this vast gap requires an understanding of why the cybersecurity skills shortage persists. This article explores the conundrum and proposes several ways that IT leaders and their organizations can address the underlying problems.
Load More