Risk
9/19/2013
10:54 AM
50%
50%

NIST Awards Grants To Improve Online Security, Privacy

Five firms have been selected to pilot approaches for National Strategy for Trusted Identities in Cyberspace.

Iris Scans: Security Technology In Action
Iris Scans: Security Technology In Action
(click image for larger view)
The National Institute of Standards and Technology (NIST) has awarded more than $7 million in grants to five U.S. organizations to develop pilot online identity protection and verification systems.

The awards are part of federal efforts to work with private sector and advocacy groups to develop the National Strategy for Trusted Identities in Cyberspace (NSTIC). The NSTIC program is seeking ways for individuals and organizations to adopt secure, easy-to-use, and interoperable identity credentials to access online services.

"Collectively, these five pilots will drive innovation in online identity management, helping to foster a marketplace of more secure, convenient, privacy-enhancing identity solutions available to all Americans online," said NIST's Jeremy Grant, senior executive advisor for identity management. Grant is head of the NSTIC National Program Office at NIST.

The selected pilot proposals receiving grants include:

Exponent (Calif.): $1,589,400

The Exponent pilot will issue secure, easy-to-use privacy-enhancing credentials to users to help secure applications and networks at a leading social media company, a healthcare organization and the U.S. Department of Defense. The test program will deploy two types of identity verification: the use of mobile devices that leverage so-called "derived credentials" stored in the device's SIM card, and secure wearable devices such as rings and bracelets.

[ Is data-centric more effective than device-centric when it comes to security? Read Secure Data, Not Devices. ]

Georgia Tech Research Corporation (GTRC) (Ga.): $1,720,723

The GTRC pilot will develop and demonstrate a "trust mark framework" that seeks to improve trust, interoperability and privacy. Trust marks are a badge, image or logo displayed on a business' website to indicate that the business has been shown to be trustworthy by the issuing organization. Defining trust marks for specific sets of policies, using machine-readable methods, will allow website owners, trust framework providers and individual Internet users to more easily understand the technical, business, security and privacy requirements and policies of the websites with which they interact or do business.

Privacy Vaults Online (PRIVO) (Va.): $1,611,349

PRIVO will pilot a solution that provides families with secure, privacy-enhancing credentials that are compliant with the Children's Online Privacy Protection Act (COPPA). The credentials will enable parents and guardians to authorize their children to interact with online services in a more confidential and usable way. Project partners, including one of the country's largest online content providers and one of the world's largest toy companies, will benefit from a streamlined consent process while simplifying their legal obligations regarding the collection and storage of children's data.

ID.me (Va.): $1,204,957

ID.me's Troop ID will develop and pilot more secure (Level of Assurance 3) trusted identity solutions that will allow military families to access sensitive information online from government agencies, financial institutions and healthcare organizations in a more privacy-enhancing, secure and efficient manner. Troop ID lets qualified users verify their military affiliation online across a network of organizations that provides discounts and benefits in recognition of their service. The more secure Troop ID credential solution would permit users to interacting online with U.S. government agencies through the recently announced Federal Cloud Credential Exchange (FCCX).

Transglobal Secure Collaboration Participation (TSCP) (Va.): $1,264,074

The TSCP pilot will deploy trusted credentials to conduct secure business-to-business, government-to-business and retail transactions for small and medium-sized businesses and financial services companies, including Fidelity Investments and Chicago Mercantile Exchange. As part of this pilot, employees of participating businesses will be able to use their existing credentials to securely log into retirement accounts at brokerages, using an open source, technology-neutral Trust Framework Development Guidance document.

The NSTIC National Program Office will invite pilot project awardees to give presentations on their initiatives at a January 2014 meeting in Atlanta.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Apprentice
9/20/2013 | 9:22:20 PM
re: NIST Awards Grants To Improve Online Security, Privacy
Let's hope the National Strategy for Trusted Identities in Cyberspace (NSTIC) is able to turn these pilots into tangible answers for crafting reliable authentication practices.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9651
Published: 2015-08-28
Buffer overflow in CHICKEN 4.9.0.x before 4.9.0.2, 4.9.x before 4.9.1, and before 5.0 allows attackers to have unspecified impact via a positive START argument to the "substring-index[-ci] procedures."

CVE-2015-1171
Published: 2015-08-28
Stack-based buffer overflow in GSM SIM Utility (aka SIM Card Editor) 6.6 allows remote attackers to execute arbitrary code via a long entry in a .sms file.

CVE-2015-2987
Published: 2015-08-28
Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.

CVE-2015-6266
Published: 2015-08-28
The guest portal in Cisco Identity Services Engine (ISE) 3300 1.2(0.899) does not restrict access to uploaded HTML documents, which allows remote attackers to obtain sensitive information from customized documents via a direct request, aka Bug ID CSCuo78045.

CVE-2015-6267
Published: 2015-08-28
Cisco IOS XE before 2.2.3 on ASR 1000 devices allows remote attackers to cause a denial of service (Embedded Services Processor crash) via a crafted L2TP packet, aka Bug IDs CSCsw95722 and CSCsw95496.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.