Risk
9/19/2013
10:54 AM
50%
50%

NIST Awards Grants To Improve Online Security, Privacy

Five firms have been selected to pilot approaches for National Strategy for Trusted Identities in Cyberspace.

Iris Scans: Security Technology In Action
Iris Scans: Security Technology In Action
(click image for larger view)
The National Institute of Standards and Technology (NIST) has awarded more than $7 million in grants to five U.S. organizations to develop pilot online identity protection and verification systems.

The awards are part of federal efforts to work with private sector and advocacy groups to develop the National Strategy for Trusted Identities in Cyberspace (NSTIC). The NSTIC program is seeking ways for individuals and organizations to adopt secure, easy-to-use, and interoperable identity credentials to access online services.

"Collectively, these five pilots will drive innovation in online identity management, helping to foster a marketplace of more secure, convenient, privacy-enhancing identity solutions available to all Americans online," said NIST's Jeremy Grant, senior executive advisor for identity management. Grant is head of the NSTIC National Program Office at NIST.

The selected pilot proposals receiving grants include:

Exponent (Calif.): $1,589,400

The Exponent pilot will issue secure, easy-to-use privacy-enhancing credentials to users to help secure applications and networks at a leading social media company, a healthcare organization and the U.S. Department of Defense. The test program will deploy two types of identity verification: the use of mobile devices that leverage so-called "derived credentials" stored in the device's SIM card, and secure wearable devices such as rings and bracelets.

[ Is data-centric more effective than device-centric when it comes to security? Read Secure Data, Not Devices. ]

Georgia Tech Research Corporation (GTRC) (Ga.): $1,720,723

The GTRC pilot will develop and demonstrate a "trust mark framework" that seeks to improve trust, interoperability and privacy. Trust marks are a badge, image or logo displayed on a business' website to indicate that the business has been shown to be trustworthy by the issuing organization. Defining trust marks for specific sets of policies, using machine-readable methods, will allow website owners, trust framework providers and individual Internet users to more easily understand the technical, business, security and privacy requirements and policies of the websites with which they interact or do business.

Privacy Vaults Online (PRIVO) (Va.): $1,611,349

PRIVO will pilot a solution that provides families with secure, privacy-enhancing credentials that are compliant with the Children's Online Privacy Protection Act (COPPA). The credentials will enable parents and guardians to authorize their children to interact with online services in a more confidential and usable way. Project partners, including one of the country's largest online content providers and one of the world's largest toy companies, will benefit from a streamlined consent process while simplifying their legal obligations regarding the collection and storage of children's data.

ID.me (Va.): $1,204,957

ID.me's Troop ID will develop and pilot more secure (Level of Assurance 3) trusted identity solutions that will allow military families to access sensitive information online from government agencies, financial institutions and healthcare organizations in a more privacy-enhancing, secure and efficient manner. Troop ID lets qualified users verify their military affiliation online across a network of organizations that provides discounts and benefits in recognition of their service. The more secure Troop ID credential solution would permit users to interacting online with U.S. government agencies through the recently announced Federal Cloud Credential Exchange (FCCX).

Transglobal Secure Collaboration Participation (TSCP) (Va.): $1,264,074

The TSCP pilot will deploy trusted credentials to conduct secure business-to-business, government-to-business and retail transactions for small and medium-sized businesses and financial services companies, including Fidelity Investments and Chicago Mercantile Exchange. As part of this pilot, employees of participating businesses will be able to use their existing credentials to securely log into retirement accounts at brokerages, using an open source, technology-neutral Trust Framework Development Guidance document.

The NSTIC National Program Office will invite pilot project awardees to give presentations on their initiatives at a January 2014 meeting in Atlanta.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Apprentice
9/20/2013 | 9:22:20 PM
re: NIST Awards Grants To Improve Online Security, Privacy
Let's hope the National Strategy for Trusted Identities in Cyberspace (NSTIC) is able to turn these pilots into tangible answers for crafting reliable authentication practices.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.