a NIST blog
What a week we had at RSA Conference 2018! This year’s conference ran from April 16 to 20 in San Francisco, CA, and thousands of attendees gathered to see presentations, visit booths on the expo floor, and network about all kinds of topics we at NIST love… like digital identity, cybersecurity education and workforce, mobile and IoT security, cloud, privacy, and virtualization (to name a few).
We had a cybersecurity-themed booth that got tons of foot traffic as participants from the public and private sectors stopped by to learn more about our projects, talk to our experts, see demos (like our mobile SSO demo), and get information from NIST staff about all things cybersecurity. NIST Director Walt Copan even stopped by to meet attendees and discuss projects.
Throughout the conference, we had fantastic speakers at over nine sessions—covering topics from recovering quickly and safely from ransomware to strategies for finding and building a robust workforce. For instance, Donna Dodson (NIST Fellow and Chief Cybersecurity Advisor) teamed with Zulfikar Ramzan (Chief Technology Officer at RSA) for a session called ‘NCCoE Trusted Cloud: A Secure Solution,’ which highlighted how the NCCoE developed a trusted cloud solution focused on deploying data and workloads across hybrid cloud environments in collaboration with industry partners.
In addition to the booth and various speaking engagements, NIST had a big announcement: Version 1.1 of the Cybersecurity Framework was issued on day one of the conference. This update incorporates significant stakeholder feedback, is fully compatible with v1.0, and remains flexible, voluntary, and cost-effective. It also better accounts for authorization, authentication, and identity proofing…among several other updates.
Other major accomplishments and updates from RSAC include:
Kevin Stine and Adam Sedgewick from NIST teamed up with Mark Simos from Microsoft, Jermaine Roebuck from DHS, and Tony Sager from CIS to host a session discussing Cyber Hygiene, particularly as it relates to patching. The NCCoE is considering developing a project to help organizations rapidly and effectively improve their security hygiene as it relates to firmware, OS, and application patching. Kevin and Mark presented the same topic at the Microsoft booth on Thursday morning.
At the Ransomware and Destructive Attacks seminar on Monday, NCCoE engineers shared their expertise on how to recover quickly and safely from ransomware. The NIST Special Publication 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events, outlines how to do this. The popular seminar, attended by 500, provided a full day of focus on ransomware and its multifaceted implications across technical, policy, compliance, and financial responses.
Thank you to everyone who stopped by our booth, attended our sessions, and spoke with us throughout the week. We look forward to engaging with you more…and see you next year! Also, remember to follow us on Twitter for future updates and news!