NIST's FY 2023 in Review

For more than 50 years, the National Institute of Standards and Technology (NIST) has made important contributions to cybersecurity and privacy. NIST recently released Special Publication (SB) 800-229, which reviews the agency’s accomplishments in cybersecurity and privacy for fiscal year 2023. In this blog post, we’ll review some of the key highlights of this report. The cross-cutting domains we’ll look at are: cryptography, workforce development, emerging technologies, human-centered cybersecurity, identity & access management, privacy, risk management, and trustworthy networks.

Cryptography: Leading the Charge in Post-Quantum and Lightweight Encryption

In 2023, NIST's Cryptography division made substantial strides, particularly in the realms of post-quantum cryptography (PQC) and lightweight cryptography. Key milestones include hosting the Fourth PQC Standardization Conference and releasing the first three draft PQC standards for public comment. This initiative is pivotal as it prepares the digital infrastructure for the advent of quantum computing, which threatens to render current cryptographic systems obsolete.

Simultaneously, the Lightweight Cryptography team selected the Ascon family for standardization, catering to applications requiring low computational resources, as explained in IR 8454.

Additionally, advancements in multi-party threshold cryptography (MPTC) and privacy-enhancing cryptography (PEC) underscore NIST's commitment to developing robust, future-proof cryptographic solutions.

Workforce Development: Building a Diverse and Skilled Cybersecurity Community

The education, training, and workforce development initiatives led by NIST's National Initiative for Cybersecurity Education (NICE) are critical for addressing the growing demand for cybersecurity professionals. In December 2022, the NICE Workforce Framework for Cybersecurity (NICE Framework) K12 FAQ was released, followed by continuous updates throughout 2023, including the publication of IR 8355.

A significant emphasis has been placed on diversity, equity, inclusion, and accessibility (DEIA) within the cybersecurity workforce. This is evidenced by the launch of a DEIA resource page and the creation of a new Diversity and Inclusion Community of Interest. These initiatives aim to foster a more inclusive environment that reflects the varied demographics of the cybersecurity field.

Emerging Technologies: Securing the Frontiers of Innovation

NIST's focus on emerging technologies, particularly in autonomous vehicles (AV) and artificial intelligence (AI), highlights the institute's proactive approach to cybersecurity. A notable achievement was the March 2023 release of the initial public draft of AI 100-2 E2023, Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations. This document aims to establish a comprehensive framework for understanding and addressing adversarial threats in AI systems.

Moreover, NIST's research into autonomous vehicle cybersecurity continues to expand, with workshops and community initiatives that bring together over 300 participants to tackle the interdisciplinary challenges of this field. The development of experimental testbeds like Dioptra for machine learning algorithms exemplifies NIST's commitment to staying ahead of technological advancements and their associated security risks.

Human-Centered Cybersecurity: Putting People First

Recognizing that technology is only as strong as its weakest human link, NIST's human-centered cybersecurity projects aim to enhance user engagement and education. In 2023, an interview study of parent-child pairs provided valuable insights into online privacy and security practices, informing NIST's contributions to the interagency Task Force on Kids Online Health and Safety.

Additionally, the development of the Phish Scale, a tool to rate socially engineered email attacks, earned the team a U.S. Department of Commerce Gold Medal. This tool is now utilized by both public and private sectors globally, reinforcing the importance of user awareness in preventing cyber threats.

Identity and Access Management: Ensuring Secure Access

Identity and access management (IAM) remains a cornerstone of cybersecurity efforts. In 2023, NIST published draft revisions of the SP 800-63-4 Digital Identity Guidelines and introduced new guidelines for derived personal identification verification (PIV) credentials and PIV federation. These updates are crucial for advancing modern digital identity controls and ensuring interoperability within the federal enterprise.

NIST also made significant progress in face analysis technology, releasing reports on image quality assessment and presentation attack detection (PAD). These efforts contribute to improving the accuracy and reliability of biometric systems, which are increasingly used for secure access management.

Privacy: Enhancing Data Protection and User Trust

NIST's dedication to privacy is reflected in the comprehensive updates and frameworks released in 2023. The Privacy Framework received significant enhancements to better address the dynamic privacy landscape. Notably, NIST published updates to the Risk Management Framework (RMF) to include a stronger emphasis on privacy risks, thus ensuring that privacy is integrated into the broader risk management process. These updates help organizations balance the benefits of data use with the need to protect individuals' privacy rights.

Additionally, NIST's research into privacy-enhancing technologies (PETs) advanced significantly, providing practical tools and guidance for implementing privacy-preserving data analytics. This includes the release of new reports and standards that focus on differential privacy and other techniques that mitigate the risk of re-identification in data sets.

Risk Management: Strengthening Resilience Through Comprehensive Frameworks

Risk management remains at the core of NIST’s mission to enhance the security and resilience of critical infrastructure. In 2023, significant updates were made to the Cybersecurity Framework (CSF), reflecting evolving threats and incorporating feedback from a broad array of stakeholders. The updates ensure that the CSF remains a relevant and effective tool for organizations of all sizes and sectors.

Moreover, the introduction of the NIST SP 800-53 Revision 5 controls marked a major milestone. These controls provide a comprehensive set of security and privacy safeguards designed to protect federal information systems and critical infrastructure. The integration of privacy controls into this revision underscores NIST’s commitment to a holistic approach to risk management that includes both security and privacy considerations.

Trustworthy Networks: Building a Secure and Resilient Internet

NIST's efforts in promoting trustworthy networks focus on ensuring that the underlying infrastructure of the internet and other critical networks are secure and resilient against threats. In 2023, NIST published SP 1800-34, which is a practical guide to verifying that the internal components of computing devices like laptops and servers have not been tampered with.

Additionally, NIST published reports detailing how to secure devices and operating systems in support of a zero trust policy.

Conclusion

NIST's 2023 Cybersecurity and Privacy Annual Report showcases a year of significant achievements and forward-thinking initiatives. From pioneering cryptographic standards to fostering a diverse cybersecurity workforce and securing emerging technologies, NIST continues to lead in developing robust frameworks and guidelines that address the evolving landscape of cybersecurity threats. As we look ahead, these accomplishments provide a strong foundation for future advancements and collaborations in the field of cybersecurity and privacy.

Please reach out to learn more about how to incorporate advances featured in this blog post to increase cybersecurity and privacy in your organization.