NIST: One Final, Two Draft Guides Issued
Agency to Host Workshops on Cyber-Physical Systems

The National Institute of Standards and Technology on Friday issued preliminary guidance on BIOS integrity and common remediation enumeration.
The agency also released Special Publication 800-56C Recommendation for Key Derivation through Extraction-then-Expansion, which specifies techniques for the derivation of keying material from a shared secret established during a key establishment scheme defined in SP 800-56A or 800-56B through an extraction-then-expansion procedure.
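To make the extraction-then-expansion structure concrete, here is an added illustration (not code from SP 800-56C or from NIST): the randomness-extraction step is an HMAC keyed with a salt over the shared secret Z, and the expansion step is a counter-mode PRF chain in the style of the SP 800-108 KDF. The hash choice (SHA-256), the all-zero default salt, the label/context layout and the sample secret are assumptions made for this example, not parameters taken from the publication.

```python
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def extract(salt: bytes, shared_secret: bytes) -> bytes:
    """Extraction step: HMAC keyed with the salt over the shared secret Z.

    The output is a uniformly distributed key-derivation key (KDK), which is
    what the expansion step needs; Z itself (e.g. a raw Diffie-Hellman value)
    is not uniform and must never be used as a key directly.
    """
    if not salt:
        salt = b"\x00" * HASH_LEN  # assumption: all-zero default when no salt was agreed
    return hmac.new(salt, shared_secret, HASH).digest()


def expand(kdk: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Expansion step: counter-mode PRF chain (SP 800-108 KDF style).

    K(i) = HMAC(KDK, [i]_4 || Label || 0x00 || Context || [L]_4), concatenated
    until `length` bytes are produced. Binding Label, Context and L into every
    block means keys for different purposes or parties are cryptographically
    separated even though they share one KDK.
    """
    if length <= 0 or length > 255 * HASH_LEN:
        raise ValueError("requested keying-material length out of range")
    length_bits = (length * 8).to_bytes(4, "big")
    out = b""
    counter = 1
    while len(out) < length:
        block_input = counter.to_bytes(4, "big") + label + b"\x00" + context + length_bits
        out += hmac.new(kdk, block_input, HASH).digest()
        counter += 1
    return out[:length]


def derive_keying_material(shared_secret: bytes, salt: bytes, label: bytes,
                           context: bytes, length: int) -> bytes:
    """Full extraction-then-expansion: Z -> KDK -> keying material."""
    kdk = extract(salt, shared_secret)
    return expand(kdk, label, context, length)


def split_keys(shared_secret: bytes, salt: bytes, context: bytes) -> dict:
    """Derive one 64-byte block and split it into an encryption and a MAC key,
    the usual way a key-establishment scheme consumes the KDF output."""
    material = derive_keying_material(shared_secret, salt, b"session-keys", context, 64)
    return {"enc_key": material[:32], "mac_key": material[32:]}


if __name__ == "__main__":
    # Constructed sample values; a real Z comes from an SP 800-56A/B scheme.
    Z = bytes(range(32))
    salt = b"constructed-salt"
    keys = split_keys(Z, salt, b"alice|bob|session-1")
    print("enc_key:", keys["enc_key"].hex())
    print("mac_key:", keys["mac_key"].hex())
```

Two properties worth noticing when testing such code: the same Z, salt, label and context always reproduce the same keys (both parties must end up identical), and changing any one of them, including the context string that names the parties, changes every byte of the output.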
NIST also announced its Information Technology Laboratory's Computer Security Division will host a two-day conference to explore the cybersecurity needed for cyber-physical systems.

NIST Special Publication 800-155, BIOS Integrity Measurement Guidelines, is ready for public comment. The document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System, or BIOS, integrity measurement and reporting chain.
BIOS is a critical security component in systems because of its unique and privileged position within the personal computer architecture. A malicious or outdated BIOS could allow or be part of a sophisticated, targeted attack on an organization, either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware).
The documented guidelines are intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are oriented to desktops and laptops deployed in an enterprise environment.
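The following is an added example, not code from SP 800-155 or from NIST, that shows the shape of an integrity measurement and reporting chain of the kind the draft describes: each BIOS component is hashed, each hash is folded into a running register the way a TPM extends a PCR (new = H(old || digest)), and an assessment step replays the event log against the reported register value and compares each component digest to a golden reference. The component names, firmware blobs and golden values are all constructed for this illustration, and the SHA-256/TPM-style extend operation is an assumption about the measurement mechanism, not a statement of what the guideline mandates.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List

DIGEST = hashlib.sha256
REGISTER_INIT = b"\x00" * 32  # a PCR starts out as all zeros at reset


@dataclass(frozen=True)
class MeasurementEvent:
    component: str   # which BIOS element was measured
    digest: bytes    # hash of that element's code/data


def extend(register: bytes, digest: bytes) -> bytes:
    """TPM-style extend: the register can only be advanced, never set directly,
    so the final value commits to every measurement and its order."""
    return DIGEST(register + digest).digest()


def measure(component: str, blob: bytes) -> MeasurementEvent:
    return MeasurementEvent(component, DIGEST(blob).digest())


def replay_log(events: List[MeasurementEvent]) -> bytes:
    """Recompute the register value implied by an event log."""
    register = REGISTER_INIT
    for event in events:
        register = extend(register, event.digest)
    return register


def assess(events: List[MeasurementEvent], reported_register: bytes,
           golden: Dict[str, bytes]) -> List[str]:
    """Measurement assessment: findings are empty when the log is consistent with
    the hardware-reported register and every component matches its golden digest."""
    findings = []
    if replay_log(events) != reported_register:
        findings.append("event log does not reproduce the reported register value")
    for event in events:
        expected = golden.get(event.component)
        if expected is None:
            findings.append(f"unknown component measured: {event.component}")
        elif expected != event.digest:
            findings.append(f"digest mismatch: {event.component}")
    return findings


# Constructed stand-ins for firmware components and their approved contents.
GOLDEN_BLOBS = {
    "boot_block": b"constructed boot block image v1.0",
    "main_bios": b"constructed main BIOS image v1.0",
    "option_rom:nic": b"constructed NIC option ROM v2.3",
}
GOLDEN_DIGESTS = {name: DIGEST(blob).digest() for name, blob in GOLDEN_BLOBS.items()}


def boot_and_assess(tampered: bool = False) -> List[str]:
    """Simulate a boot: measure each component, report the register, assess."""
    blobs = dict(GOLDEN_BLOBS)
    if tampered:
        blobs["main_bios"] = blobs["main_bios"] + b"[modified]"  # constructed change
    events = [measure(name, blob) for name, blob in blobs.items()]
    reported = replay_log(events)  # what the hardware register would hold
    return assess(events, reported, GOLDEN_DIGESTS)


def forged_log_assess() -> List[str]:
    """A modified BIOS was measured, but the event log was later rewritten to show
    the golden digest. The register still reflects the real measurement, so the
    replay check catches the forgery even though every log entry looks correct."""
    real_blobs = dict(GOLDEN_BLOBS)
    real_blobs["main_bios"] = real_blobs["main_bios"] + b"[modified]"
    real_events = [measure(name, blob) for name, blob in real_blobs.items()]
    reported = replay_log(real_events)
    forged_events = [measure(name, blob) for name, blob in GOLDEN_BLOBS.items()]
    return assess(forged_events, reported, GOLDEN_DIGESTS)


if __name__ == "__main__":
    print("clean boot:      ", boot_and_assess())
    print("modified BIOS:   ", boot_and_assess(tampered=True))
    print("forged event log:", forged_log_assess())
```

The design point is the one the guideline's "reporting chain" language implies: the event log alone is not evidence, because software can rewrite it; the hardware-held register is, because it can only be extended, and assessment must always check the two against each other before trusting any individual entry.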
Comments on draft SP 800-155 should be submitted by Jan. 20 to 800-155comments@nist.gov, with "Comments SP 800-155" in the subject line.
Common Remediation Enumeration
The draft NIST Interagency Report 7831, Common Remediation Enumeration Version 1.0, defines the common remediation enumeration, or CRE, specification.
CRE is part of an emerging suite of enterprise remediation specifications that enable automation and enhanced correlation of enterprise remediation activities. Each CRE entry represents a unique remediation activity and is assigned a globally unique CRE identifier. This specification describes the core concepts of CRE and the technical components of a CRE entry, outlines how CRE entries are created and defines the technical requirements for constructing CRE entries.
Comments on draft NISTIR 7831 should be submitted by Jan. 6 to remediation-comments@nist.gov.
Cyber-Physical Security Workshop
The two-day cyber-physical security workshop will be held on April 23 and 24, and focus on research results and real-world deployment experiences. On the first day, speakers will address cyber-physical systems across multiple sectors of industry such as automotive, aviation and healthcare. Day two will concentrate on cybersecurity needs of cyber-physical systems in the electric smart grid.
NIST is seeking experts to present at the workshop. Details for those interested in leading a session are available from NIST.