Tag: nist

Whistleblower: DOGE put Social Security database covering 300 million Americans on insecure cloud

Aug 27, 2025 8:23 PM

Tags: access, ai, attack, cio, ciso, cloud, compliance, computer, control, data, data-breach, fraud, government, law, nist, privacy, risk, service, software, technology, unauthorized

Did the DOGE workers violate the law?: Under the Federal Information Security Management Act (FISMA), all information systems operated by or on behalf of the US federal government must obtain an authorization to operate (ATO). The purpose of an ATO is to minimize the security risks to which those systems might be exposed.Complying with the…
Custom Controls: Beyond NIST SP 800-53

Aug 26, 2025 7:22 PM

Tags: compliance, control, nist, risk

Extend Q-Compliance’s capabilities beyond its out-of-the box offerings! Custom Controls allow organizations meet compliance objectives with unique requirements, procedures and risk profiles. First seen on securityboulevard.com Jump to article: securityboulevard.com/2025/08/custom-controls-beyond-nist-sp-800-53/
NIST Releases Lightweight Cryptography Standard for IoT Security

Aug 25, 2025 8:54 AM

Tags: cryptography, cyber, government, Internet, iot, nist, technology

The National Institute of Standards and Technology (NIST) has formally published Special Publication 800-232, “Ascon-Based Lightweight Cryptography Standards for Constrained Devices,” establishing the first U.S. government benchmark for efficient cryptographic algorithms tailored to resource-constrained environments such as the Internet of Things (IoT), embedded systems, and low-power sensors. In February 2023, NIST selected the Ascon family…
Cybersecurity Snapshot: Industrial Systems in Crosshairs of Russian Hackers, FBI Warns, as MITRE Updates List of Top Hardware Weaknesses

Aug 22, 2025 10:54 PM

Tags: access, ai, attack, automation, cisa, cisco, cloud, conference, control, credentials, cve, cyber, cybersecurity, data, data-breach, deep-fake, detection, docker, espionage, exploit, flaw, framework, fraud, google, government, group, guide, hacker, hacking, Hardware, identity, infrastructure, intelligence, Internet, iot, LLM, microsoft, mitigation, mitre, mobile, network, nist, risk, russia, scam, service, side-channel, software, strategy, switch, technology, threat, tool, update, vulnerability, vulnerability-management, windows

Check out the FBI’s alert on Russia-backed hackers infiltrating critical infrastructure networks via an old Cisco bug. Plus, MITRE dropped a revamped list of the most important critical security flaws. Meanwhile, NIST rolled out a battle plan against face-morphing deepfakes. And get the latest on the CIS Benchmarks and on vulnerability prioritization strategies! Here are…
NIST Releases New Control Overlays to Manage Cybersecurity Risks in AI Systems

Aug 22, 2025 9:54 AM

Tags: ai, control, cyber, cybersecurity, framework, intelligence, nist, risk, technology

The National Institute of Standards and Technology (NIST) has unveiled a comprehensive initiative to address the growing cybersecurity challenges associated with artificial intelligence systems through the release of a new concept paper and proposed action plan for developing NIST SP 800-53 Control Overlays specifically designed for securing AI systems. New Framework Addresses Critical AI Security…
Zero Trust in Practice: Mapping NIST 800-207 to Real-World Technologies

Aug 22, 2025 5:54 AM

Tags: endpoint, firewall, identity, nist, zero-trust

Learn how to implement Zero Trust Architecture in practice. We map NIST 800-207 concepts”, like Policy Enforcement Points (PEPs) and Policy Decision Points (PDPs)”, to real-world technologies such as firewalls, identity providers, and endpoint protection platforms. First seen on securityboulevard.com Jump to article: securityboulevard.com/2025/08/zero-trust-in-practice-mapping-nist-800-207-to-real-world-technologies/
NIST Unveils Guidelines to Help Spot Face Morphing Attempts

Aug 21, 2025 11:54 AM

Tags: detection, nist, software

NIST has released new guidelines examining the pros and cons of detection methods for face morphing software First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/nist-unveils-guidelines-spot-face/
NIST’s attempts to secure AI yield many questions, no answers

Aug 20, 2025 5:54 AM

Tags: access, ai, attack, best-practice, business, ceo, cio, ciso, cloud, conference, control, cybersecurity, data, detection, group, injection, ml, nist, privacy, risk, saas, technology, threat, tool, training, update

Challenges to consider: The NIST report talked about various categories of AI integration that forced serious cybersecurity considerations, including: using genAI to create new content; fine-tuning predictive AI; using single AI agents as well multiple agents; and security controls for AI developers. The potentially most challenging element of securing AI in enterprises is visibility. But the…
Securing Government Systems at Scale: How CimTrak Delivers Unprecedented Visibility, Security and Cyber Resilience

Aug 19, 2025 6:54 PM

Tags: compliance, cyber, cybersecurity, government, nist, resilience, threat, unauthorized, zero-trust
Securing Government Systems at Scale: How CimTrak Delivers Unprecedented Visibility, Security and Cyber Resilience

Aug 19, 2025 6:54 PM

Tags: compliance, cyber, cybersecurity, government, nist, resilience, threat, unauthorized, zero-trust
NIST seeks input on control overlays for securing AI systems

Aug 18, 2025 6:54 PM

Tags: ai, control, nist

The federal agency plans to develop guidance to organizations about various AI use cases. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/nist-input-control-overlays-securing-ai/757909/
NIST seeks input on control overlays for securing AI systems

Aug 18, 2025 6:54 PM

Tags: ai, control, nist

The federal agency plans to develop guidance to organizations about various AI use cases. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/nist-input-control-overlays-securing-ai/757909/
New NIST guide explains how to detect morphed images

Aug 18, 2025 4:54 PM

Tags: guide, identity, nist, software

Face morphing software can blend two people’s photos into one image, making it possible for someone to fool identity checks at buildings, airports, borders, and other secure … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/08/18/nist-guide-detect-morphed-images/
NIST Digital Identity Guidelines Evolve With Threat Landscape

Aug 17, 2025 9:54 PM

Tags: identity, nist, technology, threat

The US National Institute of Standards and Technology updated its Digital Identity Guidelines to match current threats. The document detailed technical recommendations as well as suggestions for organizations. First seen on darkreading.com Jump to article: www.darkreading.com/identity-access-management-security/nist-digital-identity-guidelines-evolve-with-threat-landscape
From Risk to ROI: How Security Maturity Drives Business Value

Aug 12, 2025 10:12 AM

Tags: access, ai, breach, business, cloud, compliance, control, cyber, cybersecurity, data, detection, encryption, exploit, finance, framework, GDPR, governance, government, healthcare, incident response, infrastructure, insurance, intelligence, monitoring, nist, privacy, ransomware, regulation, resilience, risk, risk-assessment, risk-management, service, software, strategy, threat, tool, unauthorized, vulnerability

From Risk to ROI: How Security Maturity Drives Business Value madhav Tue, 08/12/2025 – 04:30 Cyber threats are like moving targets”, constantly evolving and increasingly pervasive. In a hyper-connected world, no individual, industry, or organization is immune. The threat landscape presents a serious and persistent challenge for governments, businesses, critical infrastructure, and individuals alike. Many…
Why AI Security Needs Continuous Red Teaming

Aug 11, 2025 11:12 PM

Tags: ai, cyber, nist, RedTeam

NIST’s Apostol Vassilev Explains Need for Dynamic Response, Not Static Testing. As AI models grow in scale and power, leading to even more unpredictable outcomes, security teams are grappling with how to defend technologies that some experts can’t begin to fully comprehend. Cyber response teams are exploring the practice of continuous red teaming, said NIST’s…
From NIST 800-53 to FedRAMP: What it really takes to bridge the gap

Aug 11, 2025 6:12 PM

Tags: cloud, fedramp, nist, risk

If your cloud platform is already compliant with NIST SP 800-53, you’ve laid important groundwork for security and risk management. But when the goal shifts to serving U.S. federal agencies, the bar is raised significantly. That’s where FedRAMP enters the picture. While FedRAMP is built on NIST 800-53, the two are not interchangeable. FedRAMP adds…The…
Cybersecurity Snapshot: CISA Analyzes Malware Used in SharePoint Attacks, as U.K. Boosts Cyber Assessment Framework

Aug 9, 2025 12:11 AM

Tags: access, advisory, ai, attack, authentication, automation, backup, breach, china, cisa, cloud, computer, credentials, cve, cyber, cybersecurity, data, defense, detection, docker, exploit, framework, github, google, government, grc, group, guide, hacker, healthcare, identity, infrastructure, iot, ISO-27001, jobs, kubernetes, malicious, malware, mfa, microsoft, mitigation, monitoring, network, nist, open-source, password, programming, ransomware, resilience, risk, risk-management, service, social-engineering, software, startup, strategy, supply-chain, tactics, technology, threat, tool, update, vulnerability, zero-day

Check out what CISA found after it dissected malware from the latest SharePoint hacks. Plus, the U.K.’s cyber agency is overhauling its cyber framework to keep pace as threats escalate. In addition, Google is warning that cloud attacks are getting dangerously sophisticated. And get the latest on CISA’s new malware analysis platform and its report…
Cybersecurity Snapshot: CISA Analyzes Malware Used in SharePoint Attacks, as U.K. Boosts Cyber Assessment Framework

Aug 9, 2025 12:11 AM

Tags: access, advisory, ai, attack, authentication, automation, backup, breach, china, cisa, cloud, computer, credentials, cve, cyber, cybersecurity, data, defense, detection, docker, exploit, framework, github, google, government, grc, group, guide, hacker, healthcare, identity, infrastructure, iot, ISO-27001, jobs, kubernetes, malicious, malware, mfa, microsoft, mitigation, monitoring, network, nist, open-source, password, programming, ransomware, resilience, risk, risk-management, service, social-engineering, software, startup, strategy, supply-chain, tactics, technology, threat, tool, update, vulnerability, zero-day

Check out what CISA found after it dissected malware from the latest SharePoint hacks. Plus, the U.K.’s cyber agency is overhauling its cyber framework to keep pace as threats escalate. In addition, Google is warning that cloud attacks are getting dangerously sophisticated. And get the latest on CISA’s new malware analysis platform and its report…
Beyond cryptocurrency: Blockchain 101 for CISOs and why it matters

Aug 8, 2025 2:11 PM

Tags: access, ai, api, attack, blockchain, breach, ciso, compliance, container, control, credentials, crypto, data, framework, gartner, governance, identity, incident response, infrastructure, international, malicious, nist, regulation, risk, saas, sbom, software, supply-chain, technology, threat, tool, unauthorized, vulnerability, zero-trust

Decentralization. Eliminates single points of failure or compromise Immutability. Data written to the chain is nearly impossible to change Verifiability. Stakeholders can independently verify logs or data integrity Transparency + confidentiality. You can audit metadata while encrypting sensitive content According to Gartner, 20% of large enterprises will use blockchain for digital trust initiatives by 2025. That’s not hype, it’s…
Beyond cryptocurrency: Blockchain 101 for CISOs and why it matters

Aug 8, 2025 2:11 PM

Tags: access, ai, api, attack, blockchain, breach, ciso, compliance, container, control, credentials, crypto, data, framework, gartner, governance, identity, incident response, infrastructure, international, malicious, nist, regulation, risk, saas, sbom, software, supply-chain, technology, threat, tool, unauthorized, vulnerability, zero-trust

Decentralization. Eliminates single points of failure or compromise Immutability. Data written to the chain is nearly impossible to change Verifiability. Stakeholders can independently verify logs or data integrity Transparency + confidentiality. You can audit metadata while encrypting sensitive content According to Gartner, 20% of large enterprises will use blockchain for digital trust initiatives by 2025. That’s not hype, it’s…
Beyond cryptocurrency: Blockchain 101 for CISOs and why it matters

Aug 8, 2025 2:11 PM

Tags: access, ai, api, attack, blockchain, breach, ciso, compliance, container, control, credentials, crypto, data, framework, gartner, governance, identity, incident response, infrastructure, international, malicious, nist, regulation, risk, saas, sbom, software, supply-chain, technology, threat, tool, unauthorized, vulnerability, zero-trust

Decentralization. Eliminates single points of failure or compromise Immutability. Data written to the chain is nearly impossible to change Verifiability. Stakeholders can independently verify logs or data integrity Transparency + confidentiality. You can audit metadata while encrypting sensitive content According to Gartner, 20% of large enterprises will use blockchain for digital trust initiatives by 2025. That’s not hype, it’s…
What is a CISO? The top IT security leader role explained

Aug 8, 2025 9:12 AM

Tags: access, authentication, breach, business, ceo, cio, cisa, ciso, compliance, computer, container, control, corporate, credentials, cyber, cybersecurity, data, ddos, defense, dns, encryption, exploit, finance, firewall, framework, fraud, guide, Hardware, healthcare, infosec, infrastructure, intelligence, international, jobs, kubernetes, mitigation, msp, mssp, network, nist, programming, RedTeam, regulation, risk, risk-management, security-incident, service, skills, software, strategy, technology, threat, training, vpn, zero-day, zero-trust

. You’ll often hear people say the difference between the two is that CISOs focus entirely on information security issues, while a CSOs remit is wider, also taking in physical security as well as risk management.But reality is messier. Many companies, especially smaller ones, have only one C-level security officer, called a CSO, with IT…
NIST Risk Assessment Template: A Step-by-Step Guide to Effective Risk Management

Aug 5, 2025 6:28 AM

Tags: business, cyber, guide, nist, risk, risk-assessment, risk-management, strategy

Key Takeaways The Disconnect Between Cyber Risk and Business Strategy If you’re wondering why risk assessments often feel disconnected from business strategy, you’re not alone. ISACA and PwC have both found that even in well-resourced organizations, critical gaps remain: This lack of operational clarity stems often from the absence of a structured, repeatable approach to……
So verändert KI Ihre GRC-Strategie

Aug 5, 2025 6:28 AM

Tags: ai, ciso, compliance, cyersecurity, framework, fraud, governance, grc, group, monitoring, nist, risk, risk-management, strategy, tool
Compliance and AIOps: Boosting Resilience with NIST RA-05

Aug 4, 2025 9:28 PM

Tags: compliance, nist, resilience

The comprehensive nature of NIST RA-05 makes it a de facto standard for many organizations aiming for the security of any organization. First seen on securityboulevard.com Jump to article: securityboulevard.com/2025/08/compliance-and-aiops-boosting-resilience-with-nist-ra-05/
Tangled in the web: Scattered Spider’s tactics changing to snare more victims

Jul 31, 2025 5:28 AM

Tags: access, attack, authentication, awareness, business, cisa, control, credentials, cybersecurity, data, defense, detection, google, group, guide, identity, marketplace, mfa, microsoft, mitigation, monitoring, network, nist, password, phishing, phone, social-engineering, software, spear-phishing, tactics, threat, tool, training, vpn

-helpdesk or a type of SSO to add credibility.In some instances, Scattered Spider members purchase employee or contractor credentials on illicit marketplaces to gain access. More commonly, they search business-to-business websites to gather information about specific individuals. Once they identify usernames, passwords, personally identifiable information (PII), and conduct SIM swapping (transferring a victim’s phone number…
Prepping for the quantum threat requires a phased approach to crypto agility

Jul 30, 2025 10:28 AM

Tags: access, ceo, ciso, computing, crypto, cryptography, cybersecurity, encryption, firmware, government, Hardware, identity, network, nist, open-source, software, supply-chain, threat, tool, vulnerability

Missing pieces: Michael Smith, field CTO at DigiCert, noted that the industry is “yet to develop a completely PQC-safe TLS protocol.””We have the algorithms for encryption and signatures, but TLS as a protocol doesn’t have a quantum-safe session key exchange and we’re still using Diffie-Hellman variants,” Smith explained. “This is why the US government in…
The healthcare industry is at a cybersecurity crossroads

Jul 29, 2025 9:28 AM

Tags: access, ai, api, attack, backdoor, backup, breach, business, ciso, cloud, communications, compliance, control, cyber, cybersecurity, data, encryption, firmware, flaw, framework, governance, government, healthcare, infrastructure, intelligence, Internet, monitoring, network, nist, programming, ransomware, risk, risk-management, service, software, tactics, technology, threat, tool, training, unauthorized, vulnerability

Digital transformation of business processes. Examples include telehealth, remote patient monitoring, e-prescribing, and ambient listening/note taking. These systems require new equipment, such as internet of medical things (IoMT), high-speed networks, cloud services, APIs, and tightly integrated applications.Aggressive adoption of AI. AI diagnostics are gaining popularity in areas such as cardiology, oncology, and radiology, especially at…
Threat actors scanning for apps incorporating vulnerable Spring Boot tool

Jul 19, 2025 1:40 AM

Tags: access, attack, authentication, ciso, compliance, country, credentials, cybersecurity, data, data-breach, email, encryption, endpoint, exploit, finance, flaw, governance, group, hacker, incident response, infrastructure, Internet, kev, nist, organized, password, risk, technology, threat, tool, vulnerability, zero-day

/health endpoints, commonly used to detect internet-exposed Spring Boot deployments. If vulnerable implementations of apps, including TeleMessage SGNL, are found, they could be exploited to steal sensitive data in heap memory, including plaintext usernames and passwords. The hole is serious enough that it was added this week to the US Cybersecurity and Infrastructure Security Agency’s Known Exploited…