A list of puns related to "Nist"
I am going to perform a risk assessment for a non-federal organization. Is it okay to use the NIST SP 800-171 product to base my assessment on in this case?
I am trying to work on a gap analysis for CSF. I pulled some recommendations/guidance from the CIS to CSF control mapping doc, however, there are quite a lot of controls that they do not cover. Versus trying to copy and paste and carve up the direct NIST guidance, I was wondering if and what else folks use to make it easier for recipients to understand. Thanks in advance.
Hey everyone, I am a bit confused on this control. I know it seems straightforward, but surely this control doesn't mean every single user on every single computer must use MFA at the Windows login prompt right?
If it does then this will be an annoying rollout...
I have heard that we should require guest wifi users to have individual user accounts that automatically expire each day rather than having users connect to guest wireless using a PSK or some kind of other self service or anonymous access.
The guest network provides internet access. It does not connect to our internal resources.
I'm trying to find specifically where this guideline is documented and what protection it would provide. Does anyone have a link to it?
If this is a real NIST or CMMC requirement, what are some recommendations on ways to actually implement this?
Hi folks,
Does anyone know of a Veeam cloud repository that is NIST/CMMC compliant for ITAR/DFARS organizations?
The data is fully encrypted obviously, but I'm still not seeing any real options that provide the latest features like storage immutability, etc. One that comes up as compliant is Databank, but I can't find any information on whether they have immutability support.
I'm implementing the Digital Signature Standard from NIST (FIPS 186-4) in Python. In Appendix C.4, we need to check whether a number 'c' is a perfect square. Here is the pseudo-code:
    1. Set n, such that 2^n > C ≥ 2^(n−1).
    2. m = ⌈n/2⌉.
    3. i = 0.
    4. Select X_0, such that 2^m > X_0 ≥ 2^(m−1).
    5. Repeat
       5.1 i = i + 1.
       5.2 X_i = ((X_{i−1})^2 + C) / (2·X_{i−1}).
       Until (X_i)^2 < 2^m + C.
    6. If C = ⌊X_i⌋^2, then
          status = PERFECT SQUARE.
       Else
          status = NOT A PERFECT SQUARE.
    7. Return status.
This algorithm seems slow because of all these steps. Here is the function I wrote:

    def perfect_square(c):
        return int((c**(1/2))**2) == c

So I don't understand why the pseudo-code has so many steps when I can do it in one line of code. Is it better to do it like that? I need to understand the reason for those steps.
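The difference between the one-liner and the C.4 loop is the arithmetic, not the number of steps: `c ** (1/2)` first rounds c to a 53-bit double, so once c is wider than 2**53 (DSA and ECDSA operands are hundreds to thousands of bits) it can report a perfect square as "not a square" and a non-square as a square. The following is an added example, not code from the poster or from FIPS 186-4. It runs the same Newton recurrence as step 5.2 in exact integer arithmetic (floor division, starting from 2^m and stopping when the iterate stops decreasing, which is the standard integer variant rather than the 2^m + C bound of step 5), then applies the step-6 check. The counterexample values are constructed, and `float_perfect_square` uses `math.sqrt` to stand in for the `** (1/2)` one-liner.

```python
import math


def isqrt_newton(c: int) -> int:
    """floor(sqrt(c)) by Newton's method in exact integer arithmetic.

    Same recurrence as FIPS 186-4 C.4 step 5.2,
    X_i = (X_{i-1}^2 + C) / (2 * X_{i-1}), but with floor division and the
    standard integer stopping rule (stop when the iterate stops decreasing).
    """
    if c < 0:
        raise ValueError("negative input")
    if c == 0:
        return 0
    n = c.bit_length()          # step 1: 2^n > c >= 2^(n-1)
    m = (n + 1) // 2            # step 2: ceil(n/2)
    x = 1 << m                  # 2^m > sqrt(c): start above the root (our choice, not step 4)
    while True:
        y = (x + c // x) // 2   # equals (x*x + c) // (2*x)
        if y >= x:              # iterate stopped decreasing: x == floor(sqrt(c))
            return x
        x = y


def is_perfect_square(c: int) -> bool:
    """Exact check, step 6 of C.4: floor(sqrt(c))^2 == c."""
    if c < 0:
        return False
    s = isqrt_newton(c)
    return s * s == c


def float_perfect_square(c: int) -> bool:
    """The one-line approach. math.sqrt is correctly rounded, but c is first
    rounded to a 53-bit double, so the answer is only trustworthy for c < 2**53."""
    r = math.sqrt(c)
    return int(r * r) == c


# Constructed counterexamples (not from the standard): both need 55 significant
# bits, so the double loses the low bits and the float check is wrong both ways.
SQUARE = (2**27 + 1) ** 2       # 18014398777917441, a perfect square
NOT_SQUARE = SQUARE - 1         # 18014398777917440 = 2^27 * (2^27 + 2), not a square

if __name__ == "__main__":
    for c in (SQUARE, NOT_SQUARE):
        print(c, "exact:", is_perfect_square(c), "float:", float_perfect_square(c))
```

The integer loop runs in O(log c) big-integer divisions and never leaves the integers, which is what the standard's step list buys you; the one-liner is fine as a fast pre-filter for small c, but the decisive check on cryptographic-size operands has to be exact.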
So, I got a degree in computer science prior to Covid and had two internships as a software dev. Currently I am working at a job where I was hired as a software dev, but I've been largely roped into conducting basically all IT for the business by my boss.
Well, about a year ago, we started having to implement NIST compliant cyber security for some stuff that we handle, and I got stuck with doing basically every aspect of this.
Over the last year I've gotten a lot done in terms of the paperwork and implementing systems, but the IT side of things has never been my strong suit, and now I feel incredibly stuck.
I don't know almost anything about what solutions in the real world are best for monitoring for CUI transmission, or how to implement MFA on Windows Server, or even really how to work with the server at large.
Now I just feel exhausted and defeated, even after a week off for the holidays (though I did spend more than half of it sick and in bed). I don't know what to do anymore as I spend almost all day at work browsing the internet trying to learn about this stuff, but the progress is almost non-existent. My boss also absolutely refuses to contract any kind of external help, despite that I've explained things, and I'm probably burning enough hours that a consultant would be cheaper.
I'm honestly terrified every morning of going to work, because of the anxiety I feel about this. I can barely sleep, making my performance even worse, and contributing to a recent tardiness.
I feel like I'm at the end of my rope. I really need help from someone who knows what they're doing.
Late night walking the dog (pretty overcast sky). I noticed a greenish blue (teal?) flash and a blue flash in the sky (similar to lightning in a cloud). Didn't hear any noise.
I found it odd then realized it was in the area where NIST is (I live <2 miles away).
Before I decide to go all in on them bringing Stranger Things to life, has anyone noticed that before? Possible explanation?
I've worked in information security for 17 years. I was asked by NIST to give a talk on breaking into the industry/ landing your first job. It was a 30 minute briefing and then 60 minutes of rapid fire QA from the audience.
I've transcribed every question asked during QA portion and put time markers with direct link URL to the answer below. Hope this helps answer some common questions folks have.
The whole talk is here: https://youtu.be/yBpnIcfqBiQ
Specific Answers are Linked below:
14:08 10,000-foot view of what an information security department looks like
16:06 What Cybersecurity Certifications Are Important and Which Matter?
17:45 How do I get practical skills in Cybersecurity?
23:38 How do I find a Cybersecurity job?
32:15 What a resume should and should not be.
42:48 With so many aspects of cybersecurity, what are some of the common questions that are asked during interviews?
45:51 Can someone with 40 years of IT get a remote Cybersecurity job?
47:10 Can you advise for people having trouble getting any cyber jobs due to lack of skill experience?
48:34 How to move from NOC to GRC?
49:42 What is the expected salary for an entry level SOC analyst?
50:31 Is the problem with me finding my first job that the market is flooded with people trying to get into cyber? Over-saturation of entry level applicants?
52:43 I'm new to the cybersecurity field. I have been in IT, How do I start my cybersecurity career?
55:21 What are your thoughts on jobs posted for 5-7 years of experience but paying $45-50k?
56:47 Does anyone have experience with the Rice University cybersecurity bootcamp?
[57:34](h
Looking for some feedback here. What is everyone's recommendation for a compliance framework to strive for for a large non-profit that is not a federal entity, but does work with the federal government?
800-53? 800-71? Something else?
Feedback much appreciated.
My organization is trying to implement this control: "Verify and control/limit connections to and use of external systems."
We have business tied to allowing clients (or our own employees at client sites) to connect to our CUI environment. We limit which applications are available this way, and we control what access those users have to our environment.
The guidance discusses establishing terms and conditions, but it's unclear how we could enforce or verify DFARS compliance as an IT organization on other organization's systems.
Does anyone have any examples of how they've implemented this policy, specifically what group(s) in their organization enforced it, and what/how it was enforced?
I was curious if anyone can point to where I can read about real life use-cases for using these frameworks.
During my studies - I keep reading about them and what they are supposed to do, but I would like to read about an example of someone implementing the controls mentioned in those documents.
For example:
You are the security architect for a private firm that's just taken on government work. How would you use NIST 800-53 and ensure you are using best practices?
Hello,
I am preparing for the CCSP exam on Wednesday and see lots of questions about some specific ISO and NIST references.
Are there usually very precise questions about frameworks in the CCSP exam? (I am asking because when I passed the CISSP there was nothing like that, and I would like to not waste time memorizing them...)
Wondering if the business version is compliant with NIST 800-171. I am looking for an SMB email solution that is.
Thanks.
I'm trying to design a TRNG on FPGA. I'm testing my design using the NIST statistical test suite downloaded from https://csrc.nist.gov/CSRC/media/Projects/Random-Bit-Generation/documents/sts-2_1_2.zip
I generate test vectors containing 5 million bits and test them as 10 bitstreams. I made many different designs and repeated these tests 100 times for each design. When I fail any of the test types in the suite, I consider the test completely unsuccessful. When I evaluate test results in this way, my maximum success rate is 96%, so 96 out of 100 tests are completely successful. The failed tests are generally the Non-overlapping Template test.
I tried adding Conditioning and used AES and different HASH algorithms for it. Using AES and HASH outputs didn't change the test results either.
Also, the design has passed the IID and AIS31 tests.
My questions:
1- Is this method an accurate way to evaluate whether the design is a bad source? Does a good source have to pass 100% on these tests?
2- Does not being completely successful in these tests indicate that a design is a bad source? If so, is there a rate for it?
3- If AES and HASH outputs fail at the same rate, does it indicate that there may be a bug in the test suite?
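A worked version of the acceptance rule the STS applies to each test, added here as an example and not taken from the poster's setup or from the NIST suite's code: SP 800-22 Rev. 1a section 4.2.2 accepts a statistic when the proportion of the m sequences that pass it lies within p̂ ± 3·sqrt(p̂(1−p̂)/m), with p̂ = 1 − α and α = 0.01. The figure 188 (p-values the suite reports per sequence with its default parameters) is an assumption used only by the last function, and the tally of pass counts is constructed.

```python
import math


def proportion_interval(m: int, alpha: float = 0.01):
    """Acceptable range for the proportion of m sequences passing one statistic
    (SP 800-22 Rev. 1a, 4.2.2): p_hat +/- 3*sqrt(p_hat*(1-p_hat)/m), p_hat = 1-alpha."""
    p_hat = 1.0 - alpha
    half = 3.0 * math.sqrt(p_hat * (1.0 - p_hat) / m)
    return p_hat - half, p_hat + half


def min_passing(m: int, alpha: float = 0.01) -> int:
    """Smallest pass count (out of m sequences) that is NOT flagged."""
    lo, _ = proportion_interval(m, alpha)
    return max(0, min(math.ceil(lo * m), m))


def binom_tail(n: int, p: float, k: int) -> float:
    """P[Binomial(n, p) >= k]."""
    return sum(math.comb(n, j) * p**j * (1.0 - p) ** (n - j) for j in range(k, n + 1))


def prob_flagged_perfect_source(m: int, n_pvalues: int = 188, alpha: float = 0.01) -> float:
    """Probability that a perfectly random source still has at least one of
    n_pvalues statistics flagged by the proportion rule in a run of m sequences.
    Each statistic rejects a truly random sequence with probability alpha;
    statistics are treated as independent (assumption; the template sub-tests
    are only approximately so). 188 per sequence is the assumed STS default."""
    max_fail = m - min_passing(m, alpha)
    p_one = binom_tail(m, alpha, max_fail + 1)   # one statistic flagged
    return 1.0 - (1.0 - p_one) ** n_pvalues


def flagged_tests(pass_counts: dict, m: int, alpha: float = 0.01) -> list:
    """Names of statistics whose pass count is below the acceptable proportion,
    which is how the suite's final report marks a test."""
    need = min_passing(m, alpha)
    return sorted(name for name, k in pass_counts.items() if k < need)


# Constructed tally for one run of 10 sequences (not the poster's results).
SAMPLE_RUN = {
    "Frequency": 10,
    "BlockFrequency": 10,
    "Runs": 9,                                # one failing sequence: tolerated for m=10
    "NonOverlappingTemplate(000000001)": 8,   # two failing sequences: flagged
    "ApproximateEntropy": 10,
}

if __name__ == "__main__":
    for m in (10, 100, 1000):
        lo, hi = proportion_interval(m)
        print(f"m={m}: accept proportion {lo:.6f}..{hi:.6f}, need >= {min_passing(m)} passing")
    print("flagged in sample run:", flagged_tests(SAMPLE_RUN, 10))
    print("P[flawless source gets >=1 flag, m=10]:", round(prob_flagged_perfect_source(10), 3))
```

For m = 10 the rule tolerates one failing sequence per statistic and flags two, and with on the order of 188 statistics per sequence a flawless source still collects at least one flag in roughly half of all 10-sequence runs, so a run with a flagged template is expected noise rather than evidence of a bad source; the suite's own guidance asks for far more than 10 sequences per run before drawing conclusions.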
Small shop here. I'm trying to use risk assessments as a sales tool: if they sign up, we build the cost into the projects and service. But I don't want to do anything for free, so I do want to charge a fair amount if they end up not going with our services.
Just wondering how others handle this? Do you just take the risk and time and not charge it? How much do you charge? Small businesses only, less than 10-15 users/devices is my target demo.