The problem The previous post in our series discussed techniques for providing input privacy in PPFL systems where data is horizontally partitioned. This blog will focus on techniques for providing input privacy when data is vertically partitioned . As described in our third post , vertical partitioning is where the training data is divided across parties such that each party holds different columns of the data. In contrast to horizontally partitioned data, training a model on vertically partitioned data is more challenging as it is generally not possible to train separate models on different

The U.S. Small Business Administration is celebrating National Small Business Week from April 28 - May 4, 2024. This week recognizes and celebrates the small business community’s significant contributions to the nation. Organizations across the country participate by hosting in-person and virtual events, recognizing small business leaders and change-makers, and highlighting resources that help the small business community more easily and efficiently start and scale their businesses. To add to the festivities, this NIST Cybersecurity Insights blog showcases the NIST Cybersecurity Framework 2.0

We all need supplements sometimes. Whether it’s a little extra vitamin C during flu season or some vitamin D during the dark days of Winter. When used correctly, supplements help our body adjust to the changing conditions around us. Similarly, we are applying this same concept for the first time to our NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. Today, we published a supplement that provides interim guidance for agencies seeking to make use of ‘syncable authenticators’ ( for example, passkeys) in both enterprise-facing and public-facing use cases

In our second post we described attacks on models and the concepts of input privacy and output privacy. ln our last post, we described horizontal and vertical partitioning of data in privacy-preserving federated learning (PPFL) systems. In this post, we explore the problem of providing input privacy in PPFL systems for the horizontally-partitioned setting. Models, training, and aggregation To explore techniques for input privacy in PPFL, we first have to be more precise about the training process. In horizontally-partitioned federated learning, a common approach is to ask each participant to

Last November, I was pleased to chair the most recent meeting of the Interagency International Cybersecurity Standardization Working Group (IICSWG) – a group NIST created in 2016. Our charge, from the Cybersecurity Enhancement Act of 2014, was to build a coordination mechanism for government agencies to discuss international cybersecurity standardization issues, consistent with agencies’ responsibilities under OMB Circular A-119. Since then, IICSWG has grown as a forum to discuss cybersecurity and privacy standardization topics, examine the overall cybersecurity standardization landscape (

This post is part of a series on privacy-preserving federated learning. The series is a collaboration between NIST and the UK government’s Responsible Technology Adoption Unit (RTA), previously known as the Centre for Data Ethics and Innovation. Learn more and read all the posts published to date at NIST’s Privacy Engineering Collaboration Space or RTA’s blog . Our first post in the series introduced the concept of federated learning and described how it’s different from traditional centralized learning - in federated learning, the data is distributed among participating organizations, and

NIST CSF 2.0 QUICK LINKS | Explore our Full Suite of Resources: CSF 2.0 Quick Start Guides CSF 2.0 Profiles CSF 2.0 Informative References Cybersecurity & Privacy Reference Tool (CPRT) CSF 2.0 Reference Tool CSF 2.0 Website ( Homepage ) Official NIST News Announcement The NIST Cybersecurity Framework (CSF) development process all started with Executive Order (EO)13636 over a decade ago, which called for building a set of approaches ( a framework ) for reducing risks to critical infrastructure. Through this EO, NIST was tasked with developing a "Cybersecurity Framework." We knew that, to do

What is National Entrepreneurship (NatlEshipWeek) Week? Celebrated February 10-17, 2024, “NatlEshipWeek is a congressionally chartered week dedicated to empowering entrepreneurship across the United States. The annual initiative was relaunched in 2017 as NatlEshipWeek to bring together a network of partners from Maui to Miami to educate, engage, and build equitable access to America's Entrepreneurship Ecosystem.” Follow along online with #NatlEshipWeek. You can learn more about the initiative here: https://www.natleshipweek.org/about . Supporting Entrepreneurship is at the Heart of NIST’s

With the new year under way, NIST is continuing to engage with our international partners to enhance cybersecurity. Here are some updates on our international work from the end of 2023 into the beginning of 2024: Conversations have continued with our partners throughout the world on the update to the NIST Cybersecurity Framework (CSF) 2.0 . The current Draft CSF 2.0 has been shared in a public comment period that ended in November 2023. Stay tuned for the final version to be published soon! NIST international engagement continues through our support to the Department of State and the

It’s been four years since the release of The NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0. Since then, many organizations have found it highly valuable for building or improving their privacy programs. We’ve also been able to add a variety of resources to support its implementation. We’re proud of how much has been accomplished in just a few short years, but we’re not resting on our laurels. As another, more famous, Dylan once said, “the times they are a-changin’.” For example, the past year has seen the release of the NIST AI Risk

This post is part of a series on privacy-preserving federated learning. The series is a collaboration between NIST and the UK government’s Centre for Data Ethics and Innovation. Learn more and read all the posts published to date at NIST’s Privacy Engineering Collaboration Space or the CDEI blog . Our first post in the series introduced the concept of federated learning—an approach for training AI models on distributed data by sharing model updates instead of training data. At first glance, federated learning seems to be a perfect fit for privacy since it completely avoids sharing data

Words like “metaverse” and “augmented reality” may conjure up thoughts of friends in headsets wielding virtual sabers or folks roaming the streets at night in search of PokéStops. Virtual, augmented, and mixed reality technologies (“immersive technologies”) have entered the popular conscience thanks in part to the success of games, but their applications go well beyond new experiences in entertainment. They are already being utilized to increase access to education , improve manufacturing , bolster accessibility , and train workforces in healthcare and retail. Immersive technologies have the

In August 2023 the Digital Identity Guidelines team hosted a two-day workshop to provide a public update on the status of revision 4. As part of that session, we committed to providing further information on the status of each volume going forward. In fulfillment of this commitment, we wanted to offer a quick update on where we stand. Our goal remains to have the next version of each volume out by the Spring of 2024. With our gratitude for the robust and substantive engagement we received during the comment period, at this time we would like to announce that all four volumes of Special

This post is the first in a series on privacy-preserving federated learning. The series is a collaboration between CDEI and NIST. Advances in machine learning and AI, fueled by large-scale data availability and high-performance computing, have had a significant impact across the world in the past two decades. Machine learning techniques shape what information we see online, influence critical business decisions, and aid scientific discovery, which is driving advances in healthcare, climate modelling, and more. Training Models: Conventional vs Federated Learning The standard way to train

5G will eventually impact every single industry—from healthcare to financial to even agriculture and transportation...and its impact is only increasing over time. Despite its benefits, it comes with privacy and security risks. An increasing number of interconnected devices increases the attack surface. In addition, there are also increased supply chain vulnerabilities and network visibility issues (companies may have issues identifying attacks since there may be a lot of new web traffic from mobile devices and/or more sophistication when it comes to attacks). The goal of the NCCoE 5G

Our Cybersecurity Awareness Month may have come to a close at the end of October — but the importance of enhancing cybersecurity and engaging with our international partners to enhance cybersecurity is at the forefront of our minds all year long. Here are some updates on our international work: Conversations have continued with our partners throughout the world on the update to the NIST Cybersecurity Framework (CSF) 2.0 , and NIST hosted its final workshop on September 19 and 20 with in-person and hybrid attendance featuring international participation (via both speakers and panelists). While

During this week’s blog series, we sat down with two of our NIST experts from the Visualization and Usability Group at NIST — Shanée Dawkins and Jody Jacobs — who discussed the importance of recognizing and reporting phishing . This blog wraps up our Cybersecurity Awareness Month 2023 blog series…but we of course plan to continue to share, collaborate, learn, and spread the word all year long. 1. This week’s Cybersecurity Awareness Month theme is ‘recognize and report phishing.’ How does your work/specialty area at NIST tie into this behavior? We work in the Information Technology Lab, but our

It’s week three in our Cybersecurity Awareness Month blog series! This week, we interviewed NIST’s Michael Ogata (Computer Scientist) and Paul Watrobski (IT Security Specialist) about the importance of updating software. This week’s Cybersecurity Awareness Month theme is ‘updating software.’ How does your work/specialty area at NIST tie into this behavior? NIST’s Applied Cybersecurity Division’s core mission is to explore, measure, and evaluate both the cybersecurity guidance NIST provides as well as industry best practices. One of our current projects involves putting the practices described

Today’s blog is the second one in our 2023 Cybersecurity Awareness Month series and examines different factors associated with using strong passwords and a password manager. We interviewed NIST’s Yee-Yin Choong and Meghan Anderson to get their unique thoughts and insights. This week’s Cybersecurity Awareness Month theme is ‘ using strong passwords and a password manager .’ How does your work/specialty area at NIST tie into this behavior? Yee-Yin: At NIST, I’ve been conducting research on human factors and the usability aspects of human-technology interactions. One research area is human

October is always an exciting time for us as we celebrate Cybersecurity Awareness Month and some of NIST’s greatest accomplishments, resources, guidance, and latest news in the cybersecurity space. This year is a big one because 2023 marks the 20 th anniversary of this important initiative —and we will celebrate in various ways every day throughout the month. What is NIST Up to in October? We’ll be using our NIST Cybersecurity Awareness Month website to share information about our events, resources, blogs, and how to stay involved. We will be using our NISTcyber X account as a vehicle to

The Human-Centered Cybersecurity program (formerly Usable Cybersecurity) is part of the Visualization and Usability Group at NIST. It was created in 2008, but we’ve known for quite some time that we needed to rename our program to better represent the broader scope of work we provide for the cybersecurity practitioner and IT professional communities. We made the decision to update the name to Human-Centered Cybersecurity to better reflect our new (but long-time practiced) mission statement, “ championing the human in cybersecurity.” With our new name, we hope to highlight that usability still

With a mention in the new National Cyber Workforce and Education Strategy and even a dedicated state law , K–12 cybersecurity education clearly has the eye of policymakers. However, despite public attention and new opportunities for high school students to pursue cybersecurity coursework, high schools often struggle to provide students with a clear understanding of what cybersecurity careers actually look like. Hands-on learning experiences, like those we’ve had at our schools and during our internship with NICE at NIST, can help bring cybersecurity education and career pathways into focus for

Background: NIST Special Publication (SP) 800-66 Healthcare organizations face many challenges from cybersecurity threats. This can have serious impacts on the security of patient data, the quality of patient care, and even the organization’s financial status. Healthcare organizations also must comply with regulatory requirements, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, which focuses on safeguarding the electronic protected health information (ePHI) held or maintained by HIPAA covered entities and business associates (collectively,

International engagement is an integral part of many ongoing NIST efforts, including the Journey to the Cybersecurity Framework (CSF 2.0) update , our update to the digital identity guidelines, and increasing awareness of the NIST Privacy Framework and IoT cybersecurity work. In the update to NIST CSF 2.0, NIST continues to work with the international community. At NIST’s February 2023 virtual workshop on the CSF 2.0 update, participants from Italian and New Zealand governments and Mexican industry spoke on panels. In addition, participants joined from several countries. We are continuing to

NIST’s IoT cybersecurity guidance has long recognized the importance of secure software development (SSDF) practices, highlighted by the NIST IR 8259 series—such as the recommendation for documentation in Action 3.d of NIST IR 8259B, that manufacturers have considered and documented their “secure software development and supply chain practices used.” The NIST SSDF (NIST SP 800-218) describes software development practices that can aid manufacturers in developing IoT products by providing guidance for the secure development of software and firmware. These development practices can also provide

RSA Conference week is always a whirlwind. NIST was there front and center last month, and we learned a lot, shared a lot, and made a big announcement during the festivities… We were excited to announce that NIST’s DRAFT Identity and Access Management Roadmap was released for public comment on Friday, April 14 th and that the comment period will be extended to June 16 th. What is the Roadmap? The Roadmap provides a consolidated view of NIST’s planned identity efforts over the coming years and serves as a vehicle to communicate our priorities. It provides guiding principles, strategic

Did you know that 99.9% of businesses in America are small businesses? [1] Small businesses are a major source of innovation for our country—but they’re often faced with limited resources and budgets. Many of them need cybersecurity solutions, guidance, and training so they can cost-effectively address and manage their cybersecurity risks. Hmmm…where can you find guidance like this all in one place? Voila! The Small Business Cybersecurity Corner ! This website was created by NIST in 2019 in response to the NIST Small Business Cybersecurity Act, which directed us to “disseminate clear and

Who needs to know ‘What,’ ‘When,’ and ‘How’ to tell them The Challenge There are many challenges to providing and maintaining cybersecurity in today’s connected world. While product developers increasingly consider security as they design and build products, they may not always communicate critical cybersecurity information about their connected products. Information gaps present a challenge to stakeholders—especially customers—who have limited insight into the security processes, functions and features that protect connected products, components, and services. Effective communication is the

If you own a computer, watch the news, or spend virtually any time online these days you have probably heard the term “phishing.” Never in a positive context…and possibly because you have been a victim yourself. Phishing refers to a variety of attacks that are intended to convince you to forfeit sensitive data to an imposter. These attacks can take a number of different forms; from spear-phishing (which targets a specific individual within an organization), to whaling (which goes one step further and targets senior executives or leaders). Furthermore, phishing attacks take place over multiple

Perhaps you’ve been hearing about data analytics, which is being promoted as a way for even small businesses to analyze communications with customers, enhance customer experience, save money, and ultimately improve your brand. However, data analytics can have big privacy implications. You may think of managing privacy risk as protecting sensitive customer information, such as credit cards. As the Venn diagram to the right demonstrates, data security is certainly one aspect of privacy risk, but privacy risks can also arise by means unrelated to cybersecurity incidents. People can experience

NIST has continued to collaborate into the fall season with partners throughout the world on the Cybersecurity Framework 2.0 update. International engagement and alignment with international standards are important themes for the 2.0 update and will drive changes to ensure global relevance. As part of this ongoing international engagement, NIST welcomed visitors to the NCCoE and NIST headquarters to discuss various cybersecurity topics and explore areas for mutual collaboration. In the past few weeks, NIST met with visitors from Italy, Singapore, New Zealand, Germany, and Brazil at the NCCoE

There is a growing movement toward increasing the use of competency and skills-based education and hiring practices in both the public and private sectors. For example, the Executive Order on Modernizing and Reforming the Assessment and Hiring of Federal Job Candidates calls upon the Federal Government to “ensure that the individuals most capable of performing the roles and responsibilities required of a specific position are those hired for that position”—resulting in “merit-based reforms that will replace degree-based hiring with skills- and competency-based hiring.” Similarly, the

This blog will officially wrap up our 2022 Cybersecurity Awareness Month blog series — today we have a special interview from Marian Merritt, deputy director, lead for industry engagement for the National Initiative for Cybersecurity Education (NICE)! Marian will be discussing the importance of recognizing and reporting phishing incidents in detail. A phishing attack is an attempt to fool an individual into sharing private information or taking an action that gives criminals access to your accounts, your computer, login credentials or even your network. This week’s Cybersecurity Awareness

Hi, our names are Aubrie, Kyle, and Lindsey! We participated in internships at the National Initiative for Cybersecurity Education (NICE) Program Office this past year. This is a career pivot for Aubrie, meaning this is her introduction to cybersecurity from another career; she is earning her master’s with a concentration in cybersecurity. Kyle was an undergraduate intern majoring in Computer Engineering. He is almost finished with his education and will soon be transitioning into the workforce. Lindsey is a high school member of the program. The three of us come from different academic and

Cybersecurity Awareness Month is flying by, and today’s blog identifies different security vulnerabilities that can be exposed if you are unable to keep up with your software updates. We interviewed NIST’s Michael Ogata, a computer scientist in the Applied Cybersecurity Division, and he walked us through different strategies to minimize your cybersecurity risks. Michael also was able to provide cyber tips to improve online safety. This week’s Cybersecurity Awareness Month theme is updating software. How does your work/specialty area at NIST tie into this behavior? Today, mobile applications

The key behavior that we are highlighting this week for Cybersecurity Awareness Month is using strong passwords and a password manager. In today’s blog we interviewed NIST’s Connie LaSalle, a senior technology policy advisor, and she offers four specific ways to mitigate your cybersecurity risks online while discussing the importance of adopting strong passwords. Take a look at her responses to our questions below… This week’s Cybersecurity Awareness Month theme is using strong passwords and a password manager. How does your work/specialty area at NIST tie into this behavior? As a senior

In celebration of Cybersecurity Awareness Month, NIST will be publishing a dedicated blog series throughout October; we will be sharing blogs each week that will match up to four key behaviors identified by the National Cybersecurity Alliance (NCA). Today’s interview-style blog features two NIST experts —Bill Newhouse and Ryan Galluzzo—discussing different reasons to enable multi-factor authentication (a mechanism to verify an individual’s identity by requiring them to provide more information than just a username and password). Here are the questions they both were asked, along with their

The subject of international alignment and alignment with international resources continues to be an important focus for NIST, particularly with the process for the Cybersecurity Framework (CSF) 2.0 update. This was an important area for many of our stakeholders, as described in the summary of analysis of the Request for Information (RFI) from February. NIST hosted its first virtual workshop on the journey to the CSF 2.0 update process in August. During the workshop, NIST described the importance of international alignment as well as the feedback we heard on continuing our international

Today’s blog will jumpstart NIST’s celebration of Cybersecurity Awareness Month 2022! We have a lot in store for October and are looking forward to sharing our work, progress, events, and news with you. This year’s theme is "See Yourself In Cyber" and will cover four key behaviors: Enabling multi-factor authentication Using strong passwords and a password manager Updating software Recognizing and reporting phishing As a repeat Cybersecurity Awareness Month Champion, NIST is dedicated to promoting a safer online environment and helping others learn and understand the complex world of

In providing a foundation for cybersecurity advancements over the years, NIST has taken the global context into account when determining priorities and approaches. Our participation in Standards Developing Organizations (SDOs) has expanded steadily, and we encourage international participation in the development of our own programs and resources. As we celebrate the 50 th anniversary of cybersecurity at NIST, it is more important than ever that we work with our partners around the world. NIST’s growing impact on the international stage is reflected in the many translations of our signature

Workshop Shines Light on Role of Standards in Cybersecurity for IoT What do Chief Product Security Officers (CPSOs) want to make their job easier? As it turns out, standards. This insight was one of many shared at a public virtual workshop NIST held June 22, 2022, to discuss the next steps for the Cybersecurity for the Internet of Things (IoT) program. As we move forward in developing cybersecurity guidance for IoT products, NIST remains committed to an open and transparent process that builds on input from stakeholders, including industry and the broader public. Our June 22 workshop explored

Given the increasing reliance of organizations on technologies over the past 50 years, a number of risk disciplines have evolved into full-fledged risk programs. In recent years, cybersecurity, supply chain, and privacy risk management programs have formalized best practices. Yet the rapid evolution of these disciplines sometimes has led to miscommunication and inefficiencies between those risk programs and overarching enterprise risk management (ERM) portfolio. The years ahead will focus on optimizing coordination and communication between all risk programs and ERM. To be supportive of

Digital identity for access control is a fundamental and critical cybersecurity capability that ensures the right people and things have the right access to the right resources at the right time. NIST has a rich history in digital identity standardization spanning more than 50 years. We have conducted research, developed prototypes and reference implementations, and supported pilots to better understand new and emerging technologies that inform our digital identity standards, guidelines, and resources. Also, NIST participates and leads in the development of national and international standards

With the update to the Cybersecurity Framework in full swing, NIST continues to prioritize international engagement through conversations and collaborations on cybersecurity. This work is critical to NIST’s efforts to ensure international alignment on cybersecurity and privacy resources. Here’s a quick summary of some recent engagements, with more to come in the next few weeks! Under Secretary of Commerce for Standards and Technology and NIST Director Laurie Locascio participated virtually in the G7 Digital Ministers meeting on May 10 th alongside the State Department. She spoke about current

Over the past few months, NIST has been seeking feedback on the use and improvements to its cybersecurity resources through the Request for Information (RFI) on “Evaluating and Improving NIST Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management.” In this RFI, NIST asked about evaluating and improving the NIST Cybersecurity Framework (CSF or Framework), use of the Framework in conjunction with other resources, and improving supply chain cybersecurity risk management. The RFI garnered 134 comments (at date of publication) from a diverse range of

In today’s connected digital world, cryptographic algorithms are implemented in every device and applied to every link to protect information in transmission and in storage. Over the past 50 years, the use of cryptographic tools has expanded dramatically, from limited environments like ATM encryption to every digital application used today. Throughout this long journey, NIST has played a unique leading role in developing critical cryptographic standards. Data Encryption Standard (DES) In the early 1970s, there was little public understanding of cryptography, although most people knew that

The NIST Cybersecurity for IoT program published Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks ( NISTIR 8228 ) in June 2019, nearly 3 years ago. Since then, IoT technology has continued to develop and be adopted across sectors and markets. NIST’s own work, both in and outside IoT, has also progressed since the publication of NISTIR 8228. These developments warrant a new look at the contents of NISTIR 8228 and at future IoT cybersecurity priorities at NIST. As the Cybersecurity for IoT program has progressed through guidance for IoT device manufacturers (

NIST has a history of collaboration between its programs, which helps maximize project impacts and practicality to industry. One great example is between NIST’s National Cybersecurity Center of Excellence ( NCCoE ) and the Cybersecurity for the Internet of Things (IoT) Program . Recent project reports from the NCCoE include mappings of relevant IoT device cybersecurity capabilities and nontechnical supporting capabilities; these three mappings align NIST’s IoT cybersecurity guidance with real-world implementation approaches: Securing Telehealth Remote Patient Monitoring Ecosystem Securing

As part of NIST’s 50 th anniversary of cybersecurity, this month’s blog post is centered on privacy at NIST. Since many of you have become familiar with the Privacy Engineering Program ’s popular Venn diagram showing the relationship between cybersecurity and privacy risks, let’s use it to show how NIST has expanded and matured its understanding of privacy over the last 50 years. If we go back in time to the 1960s, data privacy really came into focus when the growing use of computers created concerns about secret databases of people’s information. The report, Records, Computers, and the Rights