National Cybersecurity Center of Excellence (NCCoE) Data Classification Practices: Facilitating Data-Centric Security Management, 56252-56254 [2021-21979]
Federal Register / Vol. 86, No. 193 / Friday, October 8, 2021 / Notices
[Federal Register Volume 86, Number 193 (Friday, October 8, 2021)]
[Notices]
[Pages 56252-56254]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-21979]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 210915-0187]
National Cybersecurity Center of Excellence (NCCoE) Data
Classification Practices: Facilitating Data-Centric Security Management
AGENCY: National Institute of Standards and Technology, Department of
Commerce.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The National Institute of Standards and Technology (NIST)
invites organizations to provide letters of interest describing
products and technical expertise to support and demonstrate security
platforms for the Data Classification Practices: Facilitating Data-
Centric Security Management project. This notice is the initial step
for the National Cybersecurity Center of Excellence (NCCoE) in
collaborating with technology companies to address cybersecurity
challenges identified under the Data Classification Practices:
Facilitating Data-Centric Security Management project. Participation in
the project is open to all interested organizations.
DATES: Collaborative activities will commence as soon as enough
completed and signed letters of interest have been returned to address
all the necessary components and capabilities, but no earlier than
November 8, 2021.
ADDRESSES: The NCCoE is located at 9700 Great Seneca Highway,
Rockville, MD 20850. Letters of interest must be submitted to data-nccoe@nist.gov or via hardcopy to National Institute of Standards and
Technology, NCCoE; 9700 Great Seneca Highway, Rockville, MD 20850.
Interested parties can access the letter of interest template by
visiting https://www.nccoe.nist.gov/projects/building-blocks/data-classification and completing the letter of interest webform. NIST will
announce the completion of the selection of participants and inform the
public that it is no longer accepting letters of interest for this
project at https://www.nccoe.nist.gov/projects/building-blocks/data-classification. Organizations whose letters of interest are accepted
will be asked to sign a consortium Cooperative Research and Development
Agreement (CRADA) with NIST. An NCCoE consortium CRADA template can be
found at: https://nccoe.nist.gov/library/nccoe-consortium-crada-example.
FOR FURTHER INFORMATION CONTACT: William Newhouse via telephone at
301-975-0232; by email to data-nccoe@nist.gov; or by mail to National
Institute of Standards and Technology, NCCoE; 9700 Great Seneca
Highway, Rockville, MD 20850. Additional details about the Data
Classification Practices: Facilitating Data-Centric Security Management
project are available at https://www.nccoe.nist.gov/projects/building-blocks/data-classification.
SUPPLEMENTARY INFORMATION:
Background: The NCCoE, part of NIST, is a public-private
collaboration for accelerating the widespread adoption of integrated
cybersecurity tools and technologies. The NCCoE brings together experts
from industry, government, and academia under one roof to develop
practical, interoperable cybersecurity approaches that address the
real-world needs of complex Information Technology (IT) systems. By
accelerating dissemination and use of these integrated tools and
technologies for protecting IT assets, the NCCoE will enhance trust in
U.S. IT communications, data, and storage systems; reduce risk for
companies and individuals using IT systems; and encourage development
of innovative, job-creating cybersecurity products and services.
Process: NIST is soliciting responses from all sources of relevant
security capabilities (see below) to enter into a Cooperative Research
and Development Agreement (CRADA) to provide products and technical
expertise to support and demonstrate security platforms for the Data
Classification Practices: Facilitating Data-Centric Security Management
project. The full project can be viewed at: https://www.nccoe.nist.gov/projects/building-blocks/data-classification.
Interested parties can access the template for a letter of interest
by visiting the project website at https://www.nccoe.nist.gov/projects/building-blocks/data-classification and completing the letter of
interest webform. On completion of the webform, interested parties will
receive access to the letter of interest template, which the party must
complete, certify as accurate, and submit to NIST by email or hardcopy.
NIST will contact interested parties if there are questions regarding
the responsiveness of the letters of interest to the project objective
or requirements identified below. NIST will select participants who
have submitted complete letters of interest on a first come, first
served basis within each category of product components or capabilities
listed below up to the number of participants in each category
necessary to carry out this project. When the project has been
completed, NIST will post a notice on the Data Classification
Practices: Facilitating Data-Centric Security Management project
website at https://www.nccoe.nist.gov/projects/building-blocks/data-classification announcing the completion of the project and informing
the public that it will no longer accept letters of interest for this
project. Completed letters of interest should be submitted to NIST and
will be accepted on a first come, first served basis. There may be
continuing opportunity to participate even after initial activity
commences for participants who were not selected initially or have
submitted the letter of interest after the selection process. Selected
participants will be required to enter into a consortium CRADA with
NIST (for reference, see ADDRESSES section above).
Project Objective: Data-centric security management aims to enhance
protection of information (data) regardless of where the data resides
or with whom it is shared. This requires that organizations know what
data they have, what its characteristics are, and what security and
privacy requirements it needs to meet so the necessary protections can
be achieved. Standardized mechanisms for communicating data
characteristics and protection requirements are needed to support zero
trust architectures by making data-centric security management feasible
at scale.
The project's objective is to develop technology-agnostic
recommended practices for defining data classifications and data
handling rulesets and for communicating them to others. This project
will inform, and may identify opportunities to improve, existing
cybersecurity and privacy risk management processes by helping with
communicating data classifications and data handling rulesets. It will
not replace current risk management practices, laws, regulations, or
mandates. The project will define the approach for the solution,
independent of the supporting technologies, services, architectures,
operational environments, etc. As part of this, a proof-of-concept
implementation of the defined approach will be attempted. The proof-of-
concept will include limited data discovery, analysis, classification,
and labeling capabilities, as well as a rudimentary method for
expressing how data with a particular label should be handled for each
use case scenario. In support of this phase of the project, basic
terminology and concepts will be defined based on existing practices
and guidance to provide a common language for discussing data
classification. The proposed proof-of-concept solution(s) will
integrate commercial and open source products that leverage
cybersecurity standards and recommended practices to demonstrate the
use case scenarios detailed in the Data Classification Practices:
Facilitating Data-Centric Security Management project description
available at: https://www.nccoe.nist.gov/projects/building-blocks/data-classification. This project will result in a publicly available NIST
Cybersecurity Practice Guide as a Special Publication 1800 series, a
detailed implementation guide of the practical steps needed to
implement a cybersecurity reference design that addresses this
challenge.
Requirements for Letters of Interest: Each responding
organization's letter of interest should identify which security
platform component(s) or capability(ies) it is offering. Letters of
interest should not include company proprietary information, and all
components and capabilities must be commercially available. Components
are listed in section 3 of the Data Classification Practices:
Facilitating Data-Centric Security Management project description at
https://www.nccoe.nist.gov/projects/building-blocks/data-classification
and include, but are not limited to:
Core Components:
• Endpoints:
  ○ Client Devices--Various PCs (desktops or laptops) and mobile
    devices will be involved in data creation, storage, transmission,
    retention, and destruction, as well as data-centric security
    management. Some client devices will be managed by the organization.
    Some will be used by the organization's employees, while others will
    be used by people from other organizations.
  ○ Client Device Apps--The client devices will have
    commercial-off-the-shelf (COTS) apps used for data lifecycle
    activities, such as word processing software and email client
    software.
  ○ Additional Devices--Examples of additional types of devices
    that could be utilized are networked printers and Internet of Things
    (IoT) devices.
• Network/Infrastructure Devices--The architecture will
  include devices such as firewalls, routers, or switches that are needed
  for network functionality and network traffic restriction, as well as
  the software for managing those devices.
• Services and Applications--The architecture will include
  several types of services and applications that are involved in data
  lifecycle activities for one or more of the scenarios. The following
  are examples of possible service and application types:
  ○ Enterprise Services/Applications: Email, collaboration, file
    sharing, web conferencing, file/data backup, code repositories,
    content management systems.
  ○ Data Services/Applications: Data processing, data analytics,
    artificial intelligence/machine learning services.
  ○ Business Services/Applications: A variety of system-to-system
    and human-to-system business applications, both COTS and
    custom-written, including those that produce and/or consume data.
• Data Classification Solutions--The architecture will
  include several types of components used to perform data classification
  responsibilities, such as data discovery, inventory, analysis,
  classification, and labeling.
Each responding organization's letter of interest should identify
how its products help address one or more of the following desired
security characteristics and properties in section 3 of the Data
Classification Practices: Facilitating Data-Centric Security Management
at https://www.nccoe.nist.gov/projects/building-blocks/data-classification:
All data is discovered and analyzed to determine how it
should be classified.
All data classification and data handling ruleset
creation, modification, and deletion is restricted to authorized
personnel only, with all actions logged and auditable and with all
communications protected.
For all data classifications and data handling rulesets,
there is a mechanism for verifying the integrity of the policy or
ruleset.
Data classification labels or tags are assigned to all
data.
For all data classification labels or tags assigned to
data, there is a mechanism for verifying the integrity of the label or
tag.
In their letters of interest, responding organizations need to
acknowledge the importance of and commit to provide:
1. Access for all participants' project teams to component
interfaces and the organization's experts necessary to make functional
connections among security platform components.
2. Support for development and demonstration of the Data
Classification Practices: Facilitating Data-Centric Security Management
project, which will be conducted in a manner consistent with the
following standards and guidance: FIPS 199, NISTIR 8112, FIPS 200, SP
800-37, SP 800-53, SP 800-60, SP 800-63, SP 800-154, SP 800-171, SP
800-207, the NIST Cybersecurity Framework, and the NIST Privacy
Framework.
Additional details about the Data Classification Practices:
Facilitating Data-Centric Security Management project are available at
https://www.nccoe.nist.gov/projects/building-blocks/data-classification.
NIST cannot guarantee that all of the products proposed by
respondents will be used in the demonstration. Each prospective
participant will be expected to work collaboratively with NIST staff
and other project participants under the terms of the consortium CRADA
in the development of the Data Classification Practices: Facilitating
Data-Centric Security Management project. Prospective participants'
contribution to the collaborative effort will include assistance in
establishing the necessary interface functionality, connection and set-
up capabilities and procedures, demonstration harnesses, environmental
and safety conditions for use, integrated platform user instructions,
and demonstration plans and scripts necessary to demonstrate the
desired capabilities. Each participant will train NIST personnel, as
necessary, to operate its product in capability demonstrations.
Following successful demonstrations, NIST will publish a description of
the security platform and its performance characteristics sufficient to
permit other organizations to develop and deploy security platforms
that meet the security objectives of the Data Classification Practices:
Facilitating Data-Centric Security Management project. These
descriptions will be public information.
Under the terms of the consortium CRADA, NIST will support
development of interfaces among participants' products by providing IT
infrastructure, laboratory facilities, office facilities, collaboration
facilities, and staff support to component composition, security
platform documentation, and demonstration activities.
The dates of the demonstration of the Data Classification
Practices: Facilitating Data-Centric Security Management project
capability will be announced on the NCCoE website at least two weeks in
advance at https://nccoe.nist.gov/. The expected outcome will
demonstrate how the components of the Data Classification Practices:
Facilitating Data-Centric Security Management project architecture can
provide security capabilities to mitigate identified risks related to
data throughout its lifecycle. Participating organizations will gain
from the knowledge that their products are interoperable with other
participants' offerings.
For additional information on the NCCoE governance, business
processes, and NCCoE operational structure, visit the NCCoE website
https://nccoe.nist.gov/.
Alicia Chambers,
NIST Executive Secretariat.
[FR Doc. 2021-21979 Filed 10-7-21; 8:45 am]