The links below are to resources provided by the US Federal Government that are related to cybersecurity and comprise regulations, rules, commentary, engineering resources, and databases & statistics on security incidents. This article is updated frequently.
Where to start:
- National Cyber Strategy of the United States of America.
- Federal Chief Information Officer (CIO) cio.gov
- Department of Homeland Security Cybersecurity Division
- National Security Administration (NSA) / Central Security Service (CSS): nsa.gov and their role in US cybersecurity.
- NIST (National Institute of Standards and Technology) CSRC (Computer Security Resource Center) Glossary of Cybersecurity Terms
- Usable Cybersecurity Research at NIST
- Search U.S. Government Information with govinfo.
Online Security Incidents
The CVE database was launched by MITRE as a community effort in 1999, and the U.S. National Vulnerability Database (NVD) was launched by NIST in 2005. The CVE database feeds into the NVD.
Acronyms to know: CVE (Common Vulnerabilities and Exposures) and CNA (CVE Numbering Authority). In other words, CVEs are security holes, typically in software, that have been both discovered and reported.
- MITRE's CVE Database and Information
"MITRE is a private, not-for-profit corporation"
- NIST's National Vulnerability Database NVD
- United States Computer Emergency Readiness Team: US-CERT
Reporting of security incidents, threats and reports
- US-CERT provides weekly summaries of new vulnerabilities in the form of bulletins
- NSF Cybersecurity Special Report
- NIST Cybersecurity Framework
"The Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk."
Recent Federal CyberSecurity Publications and Alerts
- U.S. Cyber Command shares eleven new malware samples on its VirusTotal page. VirusTotal is a website, owned by Chronicle (a subsidiary of Alphabet), that can be used to analyze suspicious files and URLs to detect types of malware.
- Interested in FIDO (Fast IDentity Online) and MFA for e-commerce? NIST has published a Multifactor Authentication Practice Guide. This guide demonstrates methods for implementing MFA based on the lessons learned in a NIST and NCCoE (National Cybersecurity Center of Excellence) laboratory where various MFA methods were implemented and studied.
- Interested in IoT security? Send NIST your comments regarding their draft Core Cybersecurity Feature Baseline for Securable IoT Devices. The publication defines a core baseline of cybersecurity features that manufacturers may voluntarily adopt for IoT devices they produce. Comments are due by September 30, 2019.
- Recommendation for Cryptographic Key Generation by NIST discusses the generation of the keys to be managed and used by approved cryptographic algorithms.
- NIST Draft Publication on Securing IoT Devices: Mitigating Network-Based Attacks Using MUD. IETF has recently published RFC 8520 Manufacturer Usage Description Specification. This NIST publication "explains what consumers should expect from IoT device manufacturers and demonstrates how MUD protocols and tools can reduce the potential for harm from exploited IoT devices."
- Vetting the Security of Mobile Applications: this document "outlines and details a mobile application vetting process. This process can be used to ensure that mobile applications conform to an organization’s security requirements and are reasonably free from vulnerabilities."
- NIST has published Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography. This publication specifies key-transport and key-agreement schemes using the RSA cryptographic algorithm. It approves additional key sizes for key establishment, removes provisions for using the Triple Data Encryption Algorithm (TDEA), and removes the KTS-KEM-KWS key-transport scheme that was included in previous versions of this recommendation.
- NIST has published Transitioning the Use of Cryptographic Algorithms and Key Lengths. This publication provides guidance for federal agencies when transitioning to the use of stronger cryptographic keys and more robust algorithms to protect sensitive but unclassified information. These transitions address the challenges posed by new cryptanalysis, the increasing power of classical computing technology, and the potential emergence of quantum computers.
- NSA's updated guidance for vulnerabilities affecting modern processors, such as Spectre, Meltdown, and Foreshadow
Chinese Cyber Attacks
Various nations have accused the Chinese government of cyber attacks and theft against service / cloud providers and their customers. Below is a listing of resources for more information on this subject that also includes information for IT professionals to determine if they or the sites they maintain are being targeted.
- US-CERT: Chinese Malicious Cyber Activity
- GOV.UK: UK and allies reveal global scale of Chinese cyber campaign
- New Zealand: Cyber campaign attributed to China
Russian Government Grizzly Steppe: recent Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
Filing an Internet Crime Complaint with the FBI
Do you know about the IC3? It's the Internet Crime Complaint Center. IC3's mission is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated criminal activity.
CALEA (Communications Assistance for Law Enforcement Act)
Note that CALEA is basically a wiretap provision in the law that applies to virtually all equipment and services in the network and enables the Federal Government to monitor the communications of individuals.
From the FCC's CALEA website:
"CALEA is intended to preserve the ability of law enforcement agencies to conduct electronic surveillance while protecting the privacy of information outside the scope of the investigation. It requires that telecommunications carriers and manufacturers of telecommunications equipment design their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities to comply with legal requests for information. Communications services and facilities utilizing Circuit Mode equipment, packet mode equipment, facilities-based broadband Internet access providers and providers of interconnected Voice over Internet Protocol (VoIP) service are all subject to CALEA. These compliance requirements include wireless services, routing and soft switched services, and internet-based telecommunications present in applications used by telecommunications devices."
The question still seems to remain whether the CALEA wiretap provision does or will apply to customer premises equipment (e.g., home and business routers, phones, PCs, etc.).
Note that the much-heralded Obama-era Net Neutrality (Open Internet Order) discusses CALEA and does not preclude its provisions from customer premises equipment. You can read it here.
FIPS (Federal Information Processing Standards) and CMVP (Cryptographic Module Validation Program)
FIPS is a term commonly applied to the security level of cryptographic-related software and systems.
- FIPS 140-2: Security Requirements for Cryptographic Modules "specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments."
- NIST's Cryptographic Module Validation Program "validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-1, Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards. FIPS 140-2, Security Requirements for Cryptographic Modules, was released on May 25, 2001 and supersedes FIPS 140-1."
- FIPS updates by NIST
Post-Quantum Cryptography (PQC)
"For many years it has been known that both the integer factorization problem, upon which RSA is based, and the elliptic curve discrete logarithm problem (ECDLP), upon which ECC is based, can be solved in polynomial time by a quantum computer." [Koblitz and Menezes]
From csrc.nist.gov: "If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere. The goal of post-quantum cryptography ... is to develop cryptographic systems that are secure against both quantum and classical computers..."
- NIST Post-Quantum Cryptography Standardization
- NSA and CSS Commercial National Security Algorithm Suite and Quantum Computing FAQ
- Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process
Other Related Government Links
- National Science Foundation (NSF): nsf.gov
- Sandia National (Research) Labs: sandia.gov
- National Telecommunications and Information Administration NTIA
- NTIA's United States Frequency Allocation Chart as of January 2016
- FCC (Federal Communications Commission): fcc.gov
- FCC's Enforcement Bureau
"responsible for enforcement of provisions of the Communications Act, the Commission's rules, Commission orders and terms and conditions of station authorizations"
general search engine for rules, proposed rules, and notices. Users can post comments and participate in petitions. Prepare to be overwhelmed!
- An acronym to know: CFR (Code of Federal Regulations)
- Electronic Code of Federal Regulations with e-CFR
The electronic code is a current but unofficial editorial compilation of CFR material and Federal Register amendments, so you may want to further review the disclaimers at the site.