MITRE ATT&CK & NIST 800-53 Mapping
33,579 mappings have been magically connected between MITRE ATT&CK and NIST 800-53.
https://wadebach.blackcatwhitehatsecurity.com/blog.cfm#80053mapping
#Blog #MITRE #ATT&CK #NIST #Mapping #programming
“We need some sort of crypto. We shouldn't depend on #NIST. That's what we're building, and we wouldn't have been able to do without #NGI funding.” — Karolin Varner from @rosenpass #NGIForum25 #OpenSource
Trump quietly throws out Biden-era #cyber #policies
The following Biden-era programs are now out or significantly rolled back:
- Requirement for federal #software vendors to provide an #SBOM: gone
- Several #AI #cybersecurity research mandates have been scrapped or deprioritized.
- Requirement that software contractors formally attest they followed secure development practices has been cut. Instead, #NIST will now coordinate a new industry consortium to review security guidelines.
https://www.axios.com/2025/06/10/trump-executive-order-cybersecurity-biden
i'm not a grant writer so i don't usually look at these but here's something interesting for #infosec:
2025-NIST-RAMPS-01 —
Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) Cybersecurity Education and Workforce Development
#NIST #grant #cybersecurity
https://www.grants.gov/search-results-detail/358792
KeeperPAM is now listed on CISA’s CDM Approved Products List. Our zero-trust privileged access management solution enables federal agencies to secure credentials, enforce least-privilege access and meet FedRAMP and NIST compliance requirements.
Learn more here: https://bit.ly/4j7z10Z.
Speaking of mysterious software. The (not so) brilliant web developers at #NIST show a lovely time zone map with the current time in each zone with a US territory or state.
But they forgot to include the date! And there are two dates needed! Is this an old site or a brand new one developed by script kiddies?
IETF organized a "PQC Dialogue with Government Stakeholders" meeting. This post by John Preuß Mattsson is very informative:
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/5_WPq6mFi68
Abstract:
- EU: Transition for "Harvest now, decrypt later" should be done by the end of 2030 and in general, the whole transition by the end of 2035. Not legally binding but might become law in the future.
- US, CA, UK, all agree on a timeline targeting around 2035 for mass adoption of quantum-resistant requirements.
- Heated discussion on the topic of "pure" vs "hybrid" schemes. BSI recommend hybrids for everything except for hash-based signatures.
- Very strong agreement that PQC is the priority. BSI says QKD is not mature and even long-term the only possible use case would be defense-in-depth in niche applications. UK NCSC and NIST do not endorse QKD. Sweden says that QKD will never be useful.
- Discussion about paywalled standards. EU and US courts have decided that access to standards referenced by law is a human right.
Another US institution of world-wide significance being gutted.
@jens and this is how #NIST destroyed any #reputation left post-#DUAL_EC_DRBG!
@jens nods in agreement
Older standards do get declared deprecated, but that means they'll remain in the books still to reference for historical reasons.
This has been the norm for everyone regardless if DIN, ISO, IEC, IEEE or IETF....
Imagine if IEC decided to basically scrap all other AC power connectors but IEC 6320 C19/C20, IEC60906-1 & IEC60309 125A 400 V 3L+N+PE 6h and tell electricians to "GTFO!" when it comes to anything else.
This is worse than what the Nazis did with DIN, cuz even they didn't fuck with standardization AFAIK!
Headlines don't get much better than this...
"#NIST Standardizes #Stool for #Microbiome #Research"
Death by a 1000 Paper Cuts...
Numerous US federal agencies that contribute to our national cybersecurity defenses have suffered sweeping job and program cuts. These cutbacks put the US at a disadvantage in its efforts to mitigate cybercrimes, cyber espionage, and other cyber-enabled attacks by criminal and state (sponsored) actors.
Political pundits at The Bulwark are much better informed than I to examine the broad ramifications of a weakened US cybersecurity presence. I will take you closer to ground zero by sharing three examples of cyber-enabled activities that are real and imminent threats to you, your organization, or your friends and family.
https://interisle.substack.com/p/death-by-1000-paper-cuts-how-foreign?r=59cehk
"#War #Manifesto On #Compliance Frameworks:
Turning #Protocols, #Regulations & #Standards Into Monetization Weapons
(#BaselIII, #CCPA, #Dodd-Frank, #ESG, #GDPR, #HIPAA, #HITECH, #IATF16949, #IEC/ISO #9001/#14001/#27001/#45001, #NIST, #PCI #DSS, #SOC 1/2/3, #SOX & All Other Current/Future #Frameworks)"
Daniel J. Bernstein (#djb, to those who know and love him [1]) has a new blog entry about the NIST post-quantum #cryptography standardization process that's been ongoing for some years. Also, follow him @djb .
If you're not aware of some of the controversy about how NIST is running this process, it's a must-read.
https://blog.cr.yp.to/20250423-mceliece.html
My $0.02: it sure looks like NIST is backstopping an attempt by the NSA to get everyone to standardize on cryptography #standards that the #NSA knows how to break.
Again.
Yes, they did it before. If you read up on the Dual_EC calamity and its fallout, and how this time it was supposed to be different - open, transparent, secure - then prepare to be disappointed. NIST is playing #Calvinball with their rules for this contest, yanking the rug out from under contenders that appear to be more #secure and better understood, while pushing alternatives that are objectively worse (#weaker encryption, less studied, poorer #performance).
Frankly, I think organizations outside of the #USA would be foolish to trust anything that comes out of #NIST's current work. Well, those inside the USA too, but some of those may be forced by law to use whatever NIST certifies.
[1] Some people think djb is "prickly", not lovable. Oddly, it seems that the only people who say this are those who are wildly incorrect about code/algorithms and are being gently but publicly corrected by djb at the time.
New blog post "McEliece standardization: Looking at what's happening, and analyzing rationales." https://blog.cr.yp.to/20250423-mceliece.html #nist #iso #deployment #performance #security
About 120 of my fellow Boulderites rushed to the building that houses #NIST and #NOAA (and #NWSBoulder) headquarters this morning based only on a rumor that the dodgy people had shown up and were firing people.
It turned out only to be a rumor, and our representative, Joe Neguse, came out at 1pm to address the crowd, telling folks that he appreciated them coming out to support federal workers.
But this really demonstrates that this community will step up to defend and protect the critical federal workforce at NIST and NOAA in support of the American people. We will not back down in the face of the wholesale destruction of institutions whose work protects everyone.
NIST houses some of the world's most precise atomic clocks. They were built here! They (and NTP) are partly responsible for your computer and phone not blinking 12:00 all the time.
NOAA and the related NCAR do some of the most vital weather prediction work and use supercomputers to model the climate both for forecasting and for analysis of our climate catastrophe.
It's hard to understate the value of just these two functions of these agencies. And that's just two of them!
Can anyone confirm DOGE is on their way to NOAA and NIST in Boulder today? Human chain anyone?
Update: According to Rep. Joe Neguse, they're not there today, but could come anytime in the coming weeks. About 50 people showed up today based on the rumor and I'm glad they did.