NIST: In mobile authentication, think hardware, not software

From: Computerworld

The National Institute of Standards and Technology is trying to bolster e-commerce authentication on desktops and mobile devices.

By , Contributing Columnist, Computerworld


According to the NCCoE, its recommendation for initiating multifactor authentication borrows from a technique that is already widely used on retail sites. A user could start shopping online with minimally invasive authentication — simply username and password or even auto-login. But as circumstances merit, more could be required. That decision would be based on factors such as “the nature of the product, a known IP address associated with the customer, typical geolocation, and consistency with past patterns of online purchases,” NIST said. In other words, your shopping history and use of various devices at various locations would be analyzed to see if you are behaving unusually — and perhaps are not you.
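The step-up decision described above, as an added example that is not from the NCCoE document or the article: a small risk scorer in Python that weighs the factors NIST names (known IP, typical geolocation, nature of the product, consistency with past purchases) and maps the result to an authentication tier. The signal weights, thresholds and the customer profile are assumed, constructed values.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class CustomerProfile:
    known_ips: set            # addresses this customer has used before
    usual_countries: set      # geolocations seen in past sessions
    past_order_values: list   # amounts of previous purchases

@dataclass
class PurchaseAttempt:
    ip: str
    country: str
    amount: float
    high_risk_product: bool   # e.g. goods that are easy to resell (assumed flag)

def risk_score(profile: CustomerProfile, attempt: PurchaseAttempt):
    """Return (score, reasons). Higher score = less consistent with history."""
    score, reasons = 0, []
    if attempt.ip not in profile.known_ips:
        score += 2; reasons.append("unknown_ip")
    if attempt.country not in profile.usual_countries:
        score += 3; reasons.append("unusual_geolocation")
    if attempt.high_risk_product:
        score += 2; reasons.append("high_risk_product")
    if profile.past_order_values:
        # Purchases far above the customer's typical basket are treated as atypical.
        if attempt.amount > 3 * mean(profile.past_order_values):
            score += 2; reasons.append("atypical_amount")
    else:
        score += 1; reasons.append("no_purchase_history")
    return score, reasons

def required_auth(score: int) -> str:
    """Map a risk score to the authentication the checkout must collect."""
    if score <= 1:
        return "password_only"      # minimally invasive, as for a returning user
    if score <= 4:
        return "otp"                # one extra factor, e.g. a one-time code
    return "hardware_token"         # strongest tier: hardware-backed authenticator

# Constructed profile; 203.0.113.0/24 is a documentation range, not a real host.
PROFILE = CustomerProfile({"203.0.113.5"}, {"US"}, [40.0, 55.0, 60.0])
```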

Developments In New York And Colorado Cybersecurity Regulations

From: Mondaq

Article by Gregory Bautista and Jeremy T. Merkel | Wilson Elser Moskowitz Edelman & Dicker LLP

New York
For the first time since New York’s Cybersecurity Regulation (23 NYCRR Part 500) became effective on March 1, 2017, the Department of Financial Services (DFS) has issued Frequently Asked Questions to assist Covered Entities in their compliance and provide guidance into the DFS’s interpretation and enforcement of its newly adopted regulation.

Since the new Regulation was promulgated, Covered Entities, including banks, financial institutions and insurance companies, have faced uncertainty as to how their compliance will be assessed by DFS. With the Regulation’s first deadline for implementation quickly approaching on August 28, 2017, these updated FAQs offer some much needed clarification.

How confident is your agency in the security of the IT it’s buying?

From: 1500 AM

By Jason Miller | @jmillerWFED


It may seem concerns about the federal IT supply chain have reemerged after a five-year absence from the spotlight. But in fact, a dedicated group from the Defense and Homeland Security departments, the intelligence community and the General Services Administration has moved the government to the cusp of addressing this growing challenge.

The most recent and significant sign of this long-term effort is a new policy from the Committee on National Security Systems. CNSS released a new supply chain risk management policy in late July to establish “an integrated, organization-wide cybersecurity risk management program to achieve and maintain an acceptable level of cybersecurity risk for organizations that own, operate, or maintain national security systems.”

U.S. Governors Sign Cybersecurity Compact

From: Lexology

Jennifer A. Beckage and Gargi Sen | Phillips Lytle LLP

In July 2017, at the National Governors Association (“NGA”) meeting, it was announced that 39 governors had signed “A Compact to Improve State Cybersecurity” (“Compact”). The signing U.S. states and territories include:

  • Alabama
  • Alaska
  • Arizona
  • Arkansas
  • California
  • Colorado
  • Connecticut
  • Delaware
  • Guam
  • Hawaii
  • Idaho
  • Indiana
  • Iowa
  • Kentucky
  • Louisiana
  • Maryland
  • Massachusetts
  • Michigan
  • Minnesota
  • Missouri
  • Montana
  • Nevada
  • New Hampshire
  • New Jersey
  • North Carolina

Invisible Hands and Iron Fists: Challenges in Regulating the Innovation Economy

From: Lawfare

By Megan Stifel, Jamil N. Jaffer

Have you heard of “Regulators in Cyberia”? No, it’s not the latest thriller on the silver screen. Rather, it’s a white paper recently released by the Federalist Society’s Regulatory Transparency Project that explores the challenges existing regulatory approaches pose to technological innovation.