National Cybersecurity Center of Excellence Mitigating Cybersecurity Risk in Telehealth Smart Home Integration, 23397-23400 [2023-08079]
Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / Notices
DEPARTMENT OF COMMERCE
National Institute of Standards and
Technology
[Docket No. 230302–0062]
RIN 0693–XC126
National Cybersecurity Center of
Excellence Mitigating Cybersecurity
Risk in Telehealth Smart Home
Integration
AGENCY: National Institute of Standards
and Technology, Department of
Commerce.
ACTION: Notice.
SUMMARY: The National Institute of
Standards and Technology (NIST)
invites organizations to provide letters
of interest describing products and
technical expertise to support and
demonstrate security platforms for the
Mitigating Cybersecurity Risk in
Telehealth Smart Home Integration
project. This notice is the initial step for
the National Cybersecurity Center of
Excellence (NCCoE) in collaborating
with technology companies to address
cybersecurity challenges identified
under the Mitigating Cybersecurity Risk
in Telehealth Smart Home Integration
project. Participation in the project is
open to all interested organizations.
DATES: Collaborative activities will
commence as soon as enough completed
and signed letters of interest have been
returned to address all the necessary
components and capabilities, but no
earlier than May 17, 2023.
ADDRESSES: The NCCoE is located at
9700 Great Seneca Highway, Rockville,
MD 20850. Letters of interest must be
submitted to hit_nccoe@nist.gov or via
hardcopy to National Institute of
Standards and Technology, NCCoE;
9700 Great Seneca Highway, Rockville,
MD 20850. Interested parties can access
the letter of interest template by visiting
https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration
and completing
the letter of interest webform. NIST will
announce the completion of the
selection of participants and inform the
public that it will no longer accept
letters of interest for this project at
https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration.
Organizations
whose letters of interest are accepted in
accordance with the process set forth in
the SUPPLEMENTARY INFORMATION section
of this notice will be asked to sign an
NCCoE consortium Cooperative
Research and Development Agreement
(CRADA) with NIST. An NCCoE
consortium CRADA template can be
found at
https://nccoe.nist.gov/library/nccoe-consortium-crada-example.
FOR FURTHER INFORMATION CONTACT:
Ronald Pulivarti via email to hit_nccoe@nist.gov;
or by mail to National Institute
of Standards and Technology, NCCoE;
9700 Great Seneca Highway, Rockville,
MD 20850. Additional details about the
Mitigating Cybersecurity Risk in
Telehealth Smart Home Integration
project are available at
https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration.
SUPPLEMENTARY INFORMATION:
Background: The NCCoE, part of
NIST, is a public-private collaboration
for accelerating the widespread
adoption of integrated cybersecurity and
privacy tools and technologies. The
NCCoE brings together experts from
industry, government, and academia
under one roof to develop practical,
interoperable cybersecurity and privacy
approaches that address the real-world
needs of complex Information
Technology (IT) systems. By
accelerating dissemination and use of
these integrated tools and technologies
for protecting IT assets, the NCCoE will
enhance trust in U.S. IT
communications, data, and storage
systems; reduce risk for companies and
individuals using IT systems; and
encourage development of innovative,
job-creating cybersecurity and privacy
products and services.
Process: NIST is soliciting responses
from all sources of relevant security and
privacy capabilities (see below) to enter
into an NCCoE Cooperative Research
and Development Agreement (CRADA)
to provide products and technical
expertise to support and demonstrate
security platforms for the Mitigating
Cybersecurity Risk in Telehealth Smart
Home Integration project. The full
project can be viewed at:
https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration.
Interested parties can access the
template for a letter of interest by
visiting the project website at
https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration
and completing
the letter of interest webform. On
completion of the webform, interested
parties will receive a letter of interest
template, which the party must
complete, certify as accurate, and
submit to NIST by email or hardcopy.
NIST will contact interested parties if
there are questions regarding the
responsiveness of the letters of interest
to the project objective or requirements
identified below. NIST will select
participants who have submitted
complete letters of interest on a first
come, first served basis within each
category of product components or
desired requirements listed below, up to
the number of participants in each
category necessary to carry out this
project. Once the project participant
selection process is complete, NIST will
post a notice on the Mitigating
Cybersecurity Risk in Telehealth Smart
Home Integration project website at
https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration
announcing the
completion of the project participant
selection and informing the public that
it is no longer accepting letters of
interest for this project. There may be
continuing opportunity to participate
even after initial activity commences.
Selected participants will be required to
enter into an NCCoE consortium
CRADA with NIST (for reference, see
ADDRESSES section above).
Project Objective
The NCCoE will build an
environment that will model patients’
use of smart speakers in a telehealth
ecosystem. The project’s goal is to
identify and mitigate cybersecurity and
privacy risks associated with these
ecosystems. The NCCoE environment
will implement a “four-domain”
ecosystem where solution components
will be deployed in a patient’s home, a
cloud-hosted service provider, a health
technology integration solution, and a
healthcare delivery organization where
each of these groupings represents a
respective “domain.” This project will
apply concepts established in the NIST
Risk Management Framework, NIST
Cybersecurity Framework, and the NIST
Privacy Framework to identify both
cybersecurity and privacy challenges
affecting the ecosystem. This project
will describe risk assessment
methodologies and will apply
cybersecurity and privacy controls to
mitigate risks that may be found in the
ecosystem. The project environment
will use commercially available
technology and capabilities that enable
patient-centric use cases described in
the Mitigating Cybersecurity Risk in
Telehealth Smart Home Integration
project description available at:
https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration.
The project
will result in a publicly available NIST
Cybersecurity Practice Guide as a
Special Publication 1800-series
document that will describe an
overview of the ecosystem, practical
measures for health delivery
organizations that include risk
assessment approaches, mitigating
control selection, reference architecture,
and a detailed description on the lab
environment construction.
Requirements for Letters of Interest:
Each responding organization’s letter of
interest should identify which security
and privacy platform component(s) or
desired requirement(s) it is offering.
Letters of interest should not include
company proprietary information, and
all components and desired
requirements must be commercially
available.
Components are listed in section 3 of
the Mitigating Cybersecurity Risk in
Telehealth Smart Home Integration
project description at
https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration.
Components
will align with each of the four domains
that constitute the modelled ecosystem:
the patient home environment, a
cloud-hosted service provider, a health
technology integration solution, and a
healthcare delivery organization.
Components for the respective domains
include, but are not limited to:
• Patient Home Environment
  ◦ Smart home devices: Devices (e.g.,
    smart speakers) that have audio input
    and output capabilities. These devices
    are enabled to accept vocalized
    commands involving natural language
    processing, speech-to-text, and
    text-to-speech that allow the user to access
    internet-hosted resources.
  ◦ Personal firewall: An application
    that controls network traffic to and from
    a computer, permitting or denying
    communications based on a security
    policy.
  ◦ Wireless access point router: A
    device that performs the functions of a
    router and includes the ability for
    components to connect to the patient’s
    network infrastructure, including
    having internet communications.
  ◦ Internet router: A device that
    provides a demarcation point for
    broadband communications access (e.g.,
    cable, digital subscriber line [DSL],
    wireless, long-term-evolution [LTE], 5G)
    and presents an Ethernet interface to
    allow internet access via the broadband
    infrastructure. It may include wireless
    access point functionality or may allow
    for wireless access point routers to route
    network traffic through the internet
    router.
• Cloud-Hosted Service Provider
  ◦ Voice assist platform: An
    environment that allows the
    cloud-hosted service provider and other
    organizations to develop applications
    that operate with smart home devices
    such as smart speakers. The voice assist
    platform enables applications by
    providing a natural language processing
    feature.
  ◦ Cloud platform: A hosting
    environment where voice-enabled
    applications may be hosted and made
    available for patients to interact with
    health information systems.
• Health Technology Integration Solution
  ◦ Telehealth integration applications:
    Code and applications that enable
    patient-driven functionality to interface
    with clinical systems. These should
    provide application logic that meets
    prevailing regulatory compliance
    requirements.
• Healthcare Delivery Organization
  ◦ Electronic health record (EHR)
    system: A system that includes patient
    health history information.
  ◦ Patient portal: A patient-facing
    application that allows the patient to
    retrieve their medical history
    information, schedule visitations, and
    request prescription refills.
  ◦ Network access control: A
    capability or service that discovers and
    accurately identifies devices connected
    to wired networks, wireless networks,
    and Virtual Private Networks (VPNs)
    and provides network access controls to
    ensure that only authorized individuals
    with authorized devices can access the
    systems and data that the access policy
    permits.
  ◦ Network firewall: A network
    security device that monitors and
    controls incoming and outgoing network
    traffic, based on defined security rules.
  ◦ VPN: A secure endpoint access
    solution that delivers secure remote
    access through virtual private
    networking.
Each responding organization’s letter
of interest should identify how their
products address one or more of the
following desired requirements in
section 3 of the Mitigating Cybersecurity
Risk in Telehealth Smart Home
Integration project description at
https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration.
The NCCoE
intends to apply both the NIST
Cybersecurity Framework and the NIST
Privacy Framework. Both Frameworks
apply a Function-Category-Subcategory
paradigm. In this project, the NCCoE
will use the Function and Category level
concepts from both Frameworks to
identify cybersecurity and privacy risk
mitigation approaches. The NCCoE
applies the Function and Category
labelling found in both Frameworks.
The Cybersecurity Framework labels
Functions with a two-character
identifier (e.g., the Function “Identify”
is indicated by “ID”). Categories are
labelled with the two-character
identifier for the Function followed by
a dot and a corresponding two-character
identifier for the Category (e.g., the
Category “Asset Management” within
the Function “Identify” is indicated by
“ID.AM”). Functions and Categories
derived from the NIST Privacy
Framework follow the same labelling
conventions as those in the
Cybersecurity Framework, except that
“-P” is added to the character identifiers
(e.g., the Function “Identify” is
indicated by “ID–P”, and the Category
“Inventory and Mapping” within the
Function “Identify” is indicated by
“ID.IM–P”).
Below are the desired requirements
for this project; numbered items
represent the Functions by which the
NCCoE will examine this project, and
the sub-bulleted points represent the
corresponding Categories. The NCCoE
will leverage these Functions and
Categories in identifying cybersecurity
and privacy risks and the corresponding
risk mitigation approaches. All
descriptions are specific to this project.
1. IDENTIFY (ID and ID–P):
Organizations should ensure that they
are aware of actors, components,
integrating systems, and processes that
are within or affect the environment.
When examining a system,
organizations should consider an
enterprise view of the system’s business
value, drivers, outputs, and impact.
• Risk Assessment (ID.RA; ID.RA–P):
In context of this project, risk
assessment activities examine a holistic
reference architecture. Activities
include assessing cybersecurity threats,
vulnerabilities, problematic data
actions, and both cybersecurity and
privacy risks.
2. CONTROL (CT–P): These activities
enable organizations or individuals to
manage data with sufficient granularity
to manage privacy risks.
• Data Processing Management
(CT.DM–P): Data processing uses
standardized formats to increase
manageability and effectively manage
privacy risk.
• Disassociated Processing (CT.DP–P):
Data processing solutions permit
selective collection or disclosure of data
elements.
3. COMMUNICATE (CM–P): These
activities enable organizations to convey
design and build solution components
to support predictability in data
processing.
• Data Processing Awareness
(CM.AW–P): promotes a reliable
understanding of data processes and
privacy risks for both organizations and
individuals that:
  ◦ allows the patient visibility into
    how their data are processed and by
    which parties; and
  ◦ enables traceability so that
    organizations and individuals
    understand where data originates and
    travels in the data processing ecosystem
    and information lifecycle.
4. PROTECT (PR and PR–P): These
activities support the ability to develop
and implement appropriate safeguards
based on risk.
• Identity Management,
Authentication, and Access Control
(PR.AC; PR.AC–P): includes user
account management and remote access
that:
  ◦ implements controls that limit
    access to information systems, devices,
    and data only to authorized individuals,
    processes, and devices;
  ◦ controls and audits accounts, e.g.,
    administering and monitoring users,
    processes, and devices;
  ◦ controls (and audits) access by
    external accounts and devices;
  ◦ enforces least privilege for all
    (internal and external) accounts; and
  ◦ enforces least functionality.
• Data Security (PR.DS; PR.DS–P):
includes data confidentiality, integrity,
and availability assurance, as well as
protecting individuals’ privacy by:
  ◦ securing data-at-rest and
    data-in-transit, i.e., communications between
    the smart home device and clinical
    systems should include data and
    hardware integrity and protections
    against unauthorized access and data
    leaks;
  ◦ validating that cryptographic
    modules meet appropriate standards
    such as NIST Federal Information
    Processing Standards (FIPS) 140–2;
  ◦ configuring systems to provide only
    essential functions; and
  ◦ protecting communication and
    control networks.
5. DETECT (DE): These activities
enable timely discovery of a
cybersecurity event.
• Anomalies and Events (DE.AE): this
category ensures that the control
environment establishes a baseline of
expected behavior, monitors for unusual
activity, and alerts appropriate
individuals for event management.
In their letters of interest, responding
organizations need to acknowledge the
importance of and commit to provide:
1. Access for all participants’ project
teams to component interfaces and the
organization’s experts necessary to make
functional connections among security
and privacy platform components.
2. Support for development and
demonstration of the Mitigating
Cybersecurity Risk in Telehealth Smart
Home Integration project for the
healthcare sector in NCCoE facilities,
which will be conducted in a manner
consistent with the following standards
and guidance: NISTIR 8228, NIST FIPS
140–3, NIST SP 800–41 Revision 1,
NIST SP 800–52 Revision 2, NIST SP
800–57 Part 1 Revision 5, NIST SP 800–
77 Revision 1, NIST SP 800–95, NIST
SP 800–121, NIST SP 800–144, NIST SP
800–146, and NIST SP 1800–1.
Additional details about the
Mitigating Cybersecurity Risk in
Telehealth Smart Home Integration
project are available at:
https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration.
NIST cannot guarantee that all of the
products proposed by respondents will
be used in the demonstration. Each
prospective participant will be expected
to work collaboratively with NIST staff
and other project participants under the
terms of the NCCoE consortium CRADA
in the development of the Mitigating
Cybersecurity Risk in Telehealth Smart
Home Integration project. Prospective
participants’ contribution to the
collaborative effort will include
assistance in establishing the necessary
interface functionality, connection and
set-up capabilities and procedures,
demonstration harnesses, environmental
and safety conditions for use, integrated
platform user instructions, and
demonstration plans and scripts
necessary to demonstrate the desired
capabilities. Each participant will train
NIST personnel, as necessary, to operate
its product in capability
demonstrations. Following successful
demonstrations, NIST will publish a
description of the security and privacy
platform and its performance
characteristics sufficient to permit other
organizations to develop and deploy
security and privacy platforms that meet
the security and privacy objectives of
the Mitigating Cybersecurity Risk in
Telehealth Smart Home Integration
project. These descriptions will be
public information.
Under the terms of the NCCoE
consortium CRADA, NIST will support
development of interfaces among
participants’ products by providing IT
infrastructure, laboratory facilities,
office facilities, collaboration facilities,
and staff support to component
composition, security and privacy
platform documentation, and
demonstration activities.
The dates of the project
demonstration of the Mitigating
Cybersecurity Risk in Telehealth Smart
Home Integration project capability will
be announced on the NCCoE website at
least two weeks in advance at
https://nccoe.nist.gov/. The expected outcome
of the demonstration is to provide
guidance on smart home device
integration with healthcare information
systems. Participating organizations will
gain from the knowledge that their
products are interoperable with other
participants’ offerings.
For additional information on the
NCCoE governance, business processes,
and NCCoE operational structure, visit
the NCCoE website
https://nccoe.nist.gov/.
Alicia Chambers,
NIST Executive Secretariat.
[FR Doc. 2023–08079 Filed 4–14–23; 8:45 am]
BILLING CODE 3510–13–P
[Federal Register Volume 88, Number 73 (Monday, April 17, 2023)]
[Notices]
[Pages 23397-23400]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-08079]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 230302-0062]
RIN 0693-XC126
National Cybersecurity Center of Excellence Mitigating
Cybersecurity Risk in Telehealth Smart Home Integration
AGENCY: National Institute of Standards and Technology, Department of
Commerce.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The National Institute of Standards and Technology (NIST)
invites organizations to provide letters of interest describing
products and technical expertise to support and demonstrate security
platforms for the Mitigating Cybersecurity Risk in Telehealth Smart
Home Integration project. This notice is the initial step for the
National Cybersecurity Center of Excellence (NCCoE) in collaborating
with technology companies to address cybersecurity challenges
identified under the Mitigating Cybersecurity Risk in Telehealth Smart
Home Integration project. Participation in the project is open to all
interested organizations.
DATES: Collaborative activities will commence as soon as enough
completed and signed letters of interest have been returned to address
all the necessary components and capabilities, but no earlier than May
17, 2023.
ADDRESSES: The NCCoE is located at 9700 Great Seneca Highway,
Rockville, MD 20850. Letters of interest must be submitted to
[email protected] or via hardcopy to National Institute of Standards
and Technology, NCCoE; 9700 Great Seneca Highway, Rockville, MD 20850.
Interested parties can access the letter of interest template by
visiting https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration and completing the
letter of interest webform. NIST will announce the completion of the
selection of participants and inform the public that it will no longer
accept letters of interest for this project at https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration. Organizations whose letters of interest are
accepted in accordance with the process set forth in the SUPPLEMENTARY
INFORMATION section of this notice will be asked to sign an NCCoE
consortium Cooperative Research and Development Agreement (CRADA) with
NIST. An NCCoE consortium CRADA template can be found at https://nccoe.nist.gov/library/nccoe-consortium-crada-example.
FOR FURTHER INFORMATION CONTACT: Ronald Pulivarti via email to
[email protected]; or by mail to National Institute of Standards and
Technology, NCCoE; 9700 Great Seneca Highway, Rockville, MD 20850.
Additional details about the Mitigating Cybersecurity Risk in
Telehealth Smart Home Integration project are available at https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration.
SUPPLEMENTARY INFORMATION:
Background: The NCCoE, part of NIST, is a public-private
collaboration for accelerating the widespread adoption of integrated
cybersecurity and privacy tools and technologies. The NCCoE brings
together experts from industry, government, and academia
[[Page 23398]]
under one roof to develop practical, interoperable cybersecurity and
privacy approaches that address the real-world needs of complex
Information Technology (IT) systems. By accelerating dissemination and
use of these integrated tools and technologies for protecting IT
assets, the NCCoE will enhance trust in U.S. IT communications, data,
and storage systems; reduce risk for companies and individuals using IT
systems; and encourage development of innovative, job-creating
cybersecurity and privacy products and services.
Process: NIST is soliciting responses from all sources of relevant
security and privacy capabilities (see below) to enter into an NCCoE
Cooperative Research and Development Agreement (CRADA) to provide
products and technical expertise to support and demonstrate security
platforms for the Mitigating Cybersecurity Risk in Telehealth Smart
Home Integration project. The full project can be viewed at: https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration.
Interested parties can access the template for a letter of interest
by visiting the project website at https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration and completing the letter of interest webform. On
completion of the webform, interested parties will receive a letter of
interest template, which the party must complete, certify as accurate,
and submit to NIST by email or hardcopy. NIST will contact interested
parties if there are questions regarding the responsiveness of the
letters of interest to the project objective or requirements identified
below. NIST will select participants who have submitted complete
letters of interest on a first come, first served basis within each
category of product components or desired requirements listed below, up
to the number of participants in each category necessary to carry out
this project. Once the project participant selection process is
complete, NIST will post a notice on the Mitigating Cybersecurity Risk
in Telehealth Smart Home Integration project website at https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration announcing the completion of the project
participant selection and informing the public that it is no longer
accepting letters of interest for this project. There may be continuing
opportunity to participate even after initial activity commences.
Selected participants will be required to enter into an NCCoE
consortium CRADA with NIST (for reference, see ADDRESSES section
above).
Project Objective
The NCCoE will build an environment that will model patients' use
of smart speakers in a telehealth ecosystem. The project's goal is to
identify and mitigate cybersecurity and privacy risks associated with
these ecosystems. The NCCoE environment will implement a ``four-domain''
ecosystem where solution components will be deployed in a
patient's home, a cloud-hosted service provider, a health technology
integration solution, and a healthcare delivery organization where each
of these groupings represents a respective ``domain.'' This project
will apply concepts established in the NIST Risk Management Framework,
NIST Cybersecurity Framework, and the NIST Privacy Framework to
identify both cybersecurity and privacy challenges affecting the
ecosystem. This project will describe risk assessment methodologies and
will apply cybersecurity and privacy controls to mitigate risks that
may be found in the ecosystem. The project environment will use
commercially available technology and capabilities that enable
patient-centric use cases described in the Mitigating Cybersecurity Risk in
Telehealth Smart Home Integration project description available at:
https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration. The project will result in a
publicly available NIST Cybersecurity Practice Guide as a Special
Publication 1800-series document that will describe an overview of the
ecosystem, practical measures for health delivery organizations that
include risk assessment approaches, mitigating control selection,
reference architecture, and a detailed description of the lab
environment construction.
Requirements for Letters of Interest: Each responding
organization's letter of interest should identify which security and
privacy platform component(s) or desired requirement(s) it is offering.
Letters of interest should not include company proprietary information,
and all components and desired requirements must be commercially
available.
Components are listed in section 3 of the Mitigating Cybersecurity
Risk in Telehealth Smart Home Integration project description at
https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration. Components will align with each of
the four domains that constitute the modelled ecosystem: the patient
home environment, a cloud-hosted service provider, a health technology
integration solution, and a healthcare delivery organization.
Components for the respective domains include, but are not limited to:
- Patient Home Environment
  - Smart home devices: Devices (e.g., smart speakers) that have
    audio input and output capabilities. These devices are enabled to
    accept vocalized commands involving natural language processing,
    speech-to-text, and text-to-speech that allow the user to access
    internet-hosted resources.
  - Personal firewall: An application that controls network
    traffic to and from a computer, permitting or denying communications
    based on a security policy.
  - Wireless access point router: A device that performs the
    functions of a router and includes the ability for components to
    connect to the patient's network infrastructure, including having
    internet communications.
  - Internet router: A device that provides a demarcation point
    for broadband communications access (e.g., cable, digital subscriber
    line [DSL], wireless, long-term-evolution [LTE], 5G) and presents an
    Ethernet interface to allow internet access via the broadband
    infrastructure. It may include wireless access point functionality or
    may allow for wireless access point routers to route network traffic
    through the internet router.
- Cloud-Hosted Service Provider
  - Voice assist platform: An environment that allows the
    cloud-hosted service provider and other organizations to develop
    applications that operate with smart home devices such as smart
    speakers. The voice assist platform enables applications by providing
    a natural language processing feature.
  - Cloud platform: A hosting environment where voice-enabled
    applications may be hosted and made available for patients to interact
    with health information systems.
- Health Technology Integration Solution
  - Telehealth integration applications: Code and applications
    that enable patient-driven functionality to interface with clinical
    systems. These should provide application logic that meets prevailing
    regulatory compliance requirements.
- Healthcare Delivery Organization
  - Electronic health record (EHR) system: A system that includes
    patient health history information.
  - Patient portal: A patient-facing application that allows the
    patient to retrieve their medical history information, schedule
    visitations, and request prescription refills.
  - Network access control: A capability or service that
    discovers and accurately identifies devices connected to wired
    networks, wireless networks, and Virtual Private Networks (VPNs) and
    provides network access controls to ensure that only authorized
    individuals with authorized devices can access the systems and data
    that the access policy permits.
  - Network firewall: A network security device that monitors and
    controls incoming and outgoing network traffic, based on defined
    security rules.
  - VPN: A secure endpoint access solution that delivers secure
    remote access through virtual private networking.
Each responding organization's letter of interest should identify
how their products address one or more of the following desired
requirements in section 3 of the Mitigating Cybersecurity Risk in
Telehealth Smart Home Integration project description at https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration. The NCCoE intends to apply both the NIST
Cybersecurity Framework and the NIST Privacy Framework. Both Frameworks
apply a Function-Category-Subcategory paradigm. In this project, the
NCCoE will use the Function and Category level concepts from both
Frameworks to identify cybersecurity and privacy risk mitigation
approaches. The NCCoE applies the Function and Category labelling found
in both Frameworks. The Cybersecurity Framework labels Functions with a
two-character identifier (e.g., the Function ``Identify'' is indicated
by ``ID''). Categories are labelled with the two-character identifier
for the Function followed by a dot and a corresponding two-character
identifier for the Category (e.g., the Category ``Asset Management''
within the Function ``Identify'' is indicated by ``ID.AM''). Functions
and Categories derived from the NIST Privacy Framework follow the same
labelling conventions as those in the Cybersecurity Framework, except
that ``-P'' is added to the character identifiers (e.g., the Function
``Identify'' is indicated by ``ID-P'', and the Category ``Inventory and
Mapping'' within the Function ``Identify'' is indicated by
``ID.IM-P'').
Below are the desired requirements for this project; numbered items
represent the Functions by which the NCCoE will examine this project,
and the sub-bulleted points represent the corresponding Categories. The
NCCoE will leverage these Functions and Categories in identifying
cybersecurity and privacy risks and the corresponding risk mitigation
approaches. All descriptions are specific to this project.
1. IDENTIFY (ID and ID-P): Organizations should ensure that they
are aware of actors, components, integrating systems, and processes
that are within or affect the environment. When examining a system,
organizations should consider an enterprise view of the system's
business value, drivers, outputs, and impact.
- Risk Assessment (ID.RA; ID.RA-P): In the context of this
  project, risk assessment activities examine a holistic reference
  architecture. Activities include assessing cybersecurity threats,
  vulnerabilities, problematic data actions, and both cybersecurity and
  privacy risks.
2. CONTROL (CT-P): These activities enable organizations or
individuals to manage data with sufficient granularity to manage
privacy risks.
- Data Processing Management (CT.DM-P): Data processing uses
  standardized formats to increase manageability and effectively manage
  privacy risk.
- Disassociated Processing (CT.DP-P): Data processing
  solutions permit selective collection or disclosure of data elements.
3. COMMUNICATE (CM-P): These activities enable organizations to
convey design and build solution components to support predictability
in data processing.
- Data Processing Awareness (CM.AW-P): promotes a reliable
  understanding of data processes and privacy risks for both
  organizations and individuals that:
  - allows the patient visibility into how their data are
    processed and by which parties; and
  - enables traceability so that organizations and individuals
    understand where data originates and travels in the data processing
    ecosystem and information lifecycle.
4. PROTECT (PR and PR-P): These activities support the ability to
develop and implement appropriate safeguards based on risk.
- Identity Management, Authentication, and Access Control
  (PR.AC; PR.AC-P): includes user account management and remote access
  that:
  - implements controls that limit access to information systems,
    devices, and data only to authorized individuals, processes, and
    devices;
  - controls and audits accounts, e.g., administering and
    monitoring users, processes, and devices;
  - controls (and audits) access by external accounts and
    devices;
  - enforces least privilege for all (internal and external)
    accounts; and
  - enforces least functionality.
- Data Security (PR.DS; PR.DS-P): includes data
  confidentiality, integrity, and availability assurance, as well as
  protecting individuals' privacy by:
  - securing data-at-rest and data-in-transit, i.e.,
    communications between the smart home device and clinical systems
    should include data and hardware integrity and protections against
    unauthorized access and data leaks;
  - validating that cryptographic modules meet appropriate
    standards such as NIST Federal Information Processing Standards (FIPS)
    140-2;
  - configuring systems to provide only essential functions; and
  - protecting communication and control networks.
5. DETECT (DE): These activities enable timely discovery of a
cybersecurity event.
- Anomalies and Events (DE.AE): this category ensures that
  the control environment establishes a baseline of expected behavior,
  monitors for unusual activity, and alerts appropriate individuals for
  event management.
In their letters of interest, responding organizations need to
acknowledge the importance of and commit to provide:
1. Access for all participants' project teams to component
interfaces and the organization's experts necessary to make functional
connections among security and privacy platform components.
2. Support for development and demonstration of the Mitigating
Cybersecurity Risk in Telehealth Smart Home Integration project for the
healthcare sector in NCCoE facilities, which will be conducted in a
manner consistent with the following standards and guidance: NISTIR
8228, NIST FIPS 140-3, NIST SP 800-41 Revision 1, NIST SP 800-52
Revision 2, NIST SP 800-57 Part 1 Revision 5, NIST SP 800-77 Revision
1, NIST SP 800-95, NIST SP 800-121, NIST SP 800-144, NIST SP 800-146,
and NIST SP 1800-1.
Additional details about the Mitigating Cybersecurity Risk in
Telehealth Smart Home Integration project are available at:
https://www.nccoe.nist.gov/healthcare/mitigating-cybersecurity-risk-telehealth-smart-home-integration.
NIST cannot guarantee that all of the products proposed by
respondents will be used in the demonstration. Each prospective
participant will be expected to work collaboratively with NIST staff
and other project participants under the terms of the NCCoE consortium
CRADA in the development of the Mitigating Cybersecurity Risk in
Telehealth Smart Home Integration project. Prospective participants'
contribution to the collaborative effort will include assistance in
establishing the necessary interface functionality, connection and
set-up capabilities and procedures, demonstration harnesses, environmental
and safety conditions for use, integrated platform user instructions,
and demonstration plans and scripts necessary to demonstrate the
desired capabilities. Each participant will train NIST personnel, as
necessary, to operate its product in capability demonstrations.
Following successful demonstrations, NIST will publish a description of
the security and privacy platform and its performance characteristics
sufficient to permit other organizations to develop and deploy security
and privacy platforms that meet the security and privacy objectives of
the Mitigating Cybersecurity Risk in Telehealth Smart Home Integration
project. These descriptions will be public information.
Under the terms of the NCCoE consortium CRADA, NIST will support
development of interfaces among participants' products by providing IT
infrastructure, laboratory facilities, office facilities, collaboration
facilities, and staff support to component composition, security and
privacy platform documentation, and demonstration activities.
The dates of the project demonstration of the Mitigating
Cybersecurity Risk in Telehealth Smart Home Integration project
capability will be announced on the NCCoE website at least two weeks in
advance at https://nccoe.nist.gov/. The expected outcome of the
demonstration is to provide guidance on smart home device integration
with healthcare information systems. Participating organizations will
gain from the knowledge that their products are interoperable with
other participants' offerings.
For additional information on the NCCoE governance, business
processes, and NCCoE operational structure, visit the NCCoE website
at https://nccoe.nist.gov/.
Alicia Chambers,
NIST Executive Secretariat.
[FR Doc. 2023-08079 Filed 4-14-23; 8:45 am]