
Latest news with #NationalInstituteofStandardsandTechnology

Calls for facial recognition alternatives are unsustainable
The Hill, 3 days ago

Despite being penned by House Homeland Security Committee Chairman Mark Green (R-Tenn.), Friday's opinion piece urging 'an alternative' to facial recognition technology offers a bizarre string of statements that do not make the case. Each biometric modality (fingerprint, iris, face, etc.) offers advantages that could make it the most effective for a specific purpose. But there are data-backed reasons facial recognition technology is widely adopted — including the ability to use existing hardware (cameras) and photos, rather than requiring specialized equipment and data collection processes. With rapid improvement through machine learning and neural networks, the leading technologies are now over 99 percent accurate across demographics according to National Institute of Standards and Technology data. Customs and Border Protection selected face recognition for its programs and has since verified more than 697 million travelers of all nationalities and ethnicities. More than 2 million U.S. air travelers use facial recognition technology every day to verify IDs at Transportation Security Administration checkpoints.

Much is made about the risk of fraudsters getting the software to falsely match, but the figures cited are from research limited to unlocking personal phones, and conducted before Face ID was introduced on iPhones in 2017. Since then, presentation attack detection capabilities have been integrated into iPhones as well as higher-security biometric applications. Fake videos, printed photos and masks are not a concern in an in-person setting where human detection of spoofing efforts would be immediate. The potential for fraud is with remote, online verification, where presentation attack detection measures are commonly combined with matching software. Homeland Security's Science and Technology Directorate is testing these technologies, showing so far that the leading presentation attack detection technologies detect spoofing attempts 100 percent of the time.

Across the nation, facial recognition technology is successfully leveraged in law enforcement to find missing children, fight human trafficking and stop dangerous criminals. It's unclear how facial recognition technology alternatives would work, when the only evidence from a crime scene may be security video, recordings from bystanders or online media. We agree, China's use of technology 'to control its citizenry' is unacceptable. But this shouldn't deter U.S. agencies from leading the way in responsible use of (non-Chinese) technology under established privacy rules, bounded by the Constitution and subject to congressional oversight.

Jake Parker is senior director of government relations for the Security Industry Association (SIA). He came to SIA with more than 12 years of experience on Capitol Hill, most recently as legislative director for Rep. Tom Latham (R-Iowa), a senior member of the House Appropriations Committee.

Patton Unveils Second-Generation, US-Made, Commercial-Grade, FIPS-140 Ultra-Secure SIP Phone with Enhanced NG911 Compliance
Yahoo, 12-06-2025

US-designed and manufactured, Patton's new commercial SIP-Phone is ultra-secure, FIPS 140-2 validated, and NG911-enabled. Providing POE and Fiber-to-the-Desk, the Tone Commander TC7110 delivers network and source-of-supply security.

GAITHERSBURG, Md., June 12, 2025 (GLOBE NEWSWIRE) -- Patton—world leader and US manufacturer of secure telephony, UC, and networking gear—announces today the new Tone Commander TC7110 ultra-secure SIP phone is now available for pre-order. Tone Commander products are designed and manufactured in the USA, ensuring source-of-origin and supply-chain security.

'The TC7110 combines security, flexibility, and ease-of-use in a modern SIP phone platform,' said Robert R. Patton, CEO of Patton. 'This launch reinforces our commitment to delivering trusted, U.S.-manufactured communications solutions to public and private sectors.'

Innovation. Patton has incrementally innovated the original Tone Commander military-grade SIP-Phone. Enhancements to the commercial-grade version include Gigabit, PoE, and fiber connectivity, modern E911 feature sets, and updated security modules.

Secure FIPS-140-2/3 Encryption. The TC7110 offers robust SIP support with TLS and SRTP encryption using FIPS-140-2/3 validated crypto modules. FIPS 140 is the U.S. standard that defines security requirements for hardware, software, and firmware that perform cryptographic functions. The standard is managed by the National Institute of Standards and Technology (NIST), overseen and validated by the Cryptographic Module Validation Program (CMVP).

Enhanced NG911. NG911 system enhancements include Specific Location Information Server (LIS) interactions via RFC 5985 (HTTP-Enabled Location Delivery, the HELD protocol), storing and relaying location by reference and location by value. The system includes geodetic coordinates (latitude, longitude, and ellipsoidal height) and E911 Gateway functions within the NG911 environment.

E911 Compliance. The TC7110 supports legislated E911 standards including Kari's Law for direct 911 calling and Ray Baum's Act for specific location information. Additional E911 protocols supported include:
  • Automatic Location Information (ALI)
  • Automatic Number Identification (ANI)
  • Compliance with the National Emergency Number Association (NENA) regulations
  • RFC 5962 – Location Object represented in a SIP Header (PIDF-LO)

Key Features of the TC7110 SIP Phone:
  • Security – TLS and SRTP encryption with FIPS-140-2/3 validated crypto and IPv4/IPv6 support.
  • Customizable Interface – Ten programmable, DESI-less multifunction keys and 320x240 color display.
  • Cloud Orchestration – Automatically provision, manage, monitor, secure, alert, troubleshoot, analyze and optimize services using the Patton Cloud. Remotely and securely access and control phones, LANs, and over-the-top (OTT) services.
  • Flexible Power Options – Supports Power over Ethernet (PoE) and includes external power supply.

For more information about the Tone Commander IP Phone TC7110, go to

In related news, Patton recently announced the new Tone Commander TC7910 secure SIP Phone that offers three switched gigabit Ethernet ports.

About Patton. Patton is a world-renowned manufacturer of networking and communications technology, offering a wide range of solutions including VoIP, Ethernet extension, wireless, and fiber optic products. Founded in 1984 and headquartered in Gaithersburg, MD, Patton has a strong global presence and a reputation for delivering reliable and innovative solutions to a diverse customer base. Let's Connect!

Media Contact: Glendon Flowers | +1 301 975 1000 | press@

A video accompanying this announcement is available at

Here's how to generate a truly random number with quantum physics
Yahoo, 12-06-2025

Very little in this life is truly random. A coin flip is influenced by the flipper's force, its surrounding airflow, and gravity. Similar variables dictate rolling a pair of dice or shuffling a deck of cards, while even classical computing's cryptographic algorithms are theoretically susceptible to outside influence or bias. 'True randomness is something that nothing in the universe can predict in advance,' explained Krister Shalm, a physicist at the National Institute of Standards and Technology (NIST).

So how does someone achieve true randomness? For that, you need to peer into the quantum realm. The task once required years of study and access to vast research facilities, but thanks to an ingenious new project from Shalm and his colleagues, now anyone can access a 'factory for random numbers.' And it's free to use.

Designed by NIST in collaboration with the University of Colorado Boulder, the Colorado University Randomness Beacon (CURBy) is a first-of-its-kind system that relies on head-spinning quantum mechanics concepts to offer truly random number generation. More specifically, CURBy's foundation rests on a task known as the Bell test. Named after the famed physicist John Stewart Bell, the test measures pairs of entangled photons with properties that remain correlated even after separating across huge distances. While the outcome is always random when measuring a single particle, a pair's properties are more correlated than classical physics dictates. This allows experts to verify the randomness at a quantum level.

Albert Einstein previously described this 'quantum nonlocality' as 'spooky action at a distance,' and he wasn't a fan of the idea. Unfortunately for him, NIST proved its existence back in 2015. Three years later, they developed methodologies to use Bell tests in order to construct the world's first true randomness generators. These initial random results necessitated months of refinement and only ran for a few hours in total. Even then, the physicists and engineers only generated 512 bits of true randomness. Since then, researchers expanded and automated their experiment, thus offering random numbers whenever needed. 'We really wanted to take that experiment out of the lab and turn it into a useful public service,' said Shalm. Their finalized protocol served up randomness 7,454 times over its first 40 days of existence. Researchers then recorded 7,434 cases of randomness—a success rate of 99.7 percent.

But how do you actually generate true randomness? For that, you need a system that relies on a bespoke nonlinear crystal to generate entangled photon pairs. The particles then speed away in an optical fiber to separate laboratories at opposite ends of a hallway at NIST. Once they reach the two labs, researchers measure their subsequent polarizations. This relay race is then repeated a head-spinning 250,000 times per second. All that data needs to be processed, so NIST sends off its millions of quantum coin flips to a specially designed computer program built by engineers at UC Boulder. The program then translates the measurements into 512 random bits of binary code that can then be parsed by anyone.

But utilizing CURBy is much simpler than the dizzying quantum computations required to generate true randomness. All a user needs to do is head to its website and key in the list of items you want shuffled. CURBy then will rearrange the entries based on any given day's quantumly determined randomness.

The outcome is decades in the making, and would have certainly given Einstein something to think about. 'I am at all events convinced that [the Creator] does not play dice,' he famously wrote to Max Born in 1926 regarding the concepts of quantum theory. 'If God does play dice with the universe, then you can turn that into the best random number generator that the universe allows,' Shalm said.

Trump quietly throws out Biden's cyber policies
Axios, 10-06-2025

President Trump quietly took a red pen to much of the Biden administration's cyber legacy in a little-noticed move late Friday.

Why it matters: Until now, it has been unclear which Biden-era cybersecurity policies the Trump administration would keep — if any. Cybersecurity is a rare bipartisan area. It's pretty common for new administrations to keep their predecessors' programs in place.

Driving the news: Under an executive order signed just before the weekend, Trump is tossing out some of the major touchstones of Biden's cyber policy legacy — while keeping a few others. The order preserves efforts around post-quantum cryptography, advanced encryption standards, and border gateway protocol security, along with the Cyber Trust Mark program — an Energy Star-type labeling initiative for consumer smart devices. But hallmark programs tied to software bills of materials, zero-trust implementation, and space contractor cybersecurity requirements have been either rescinded or left in limbo. The new executive order amends both the Biden cyber executive order signed in January and an Obama administration order.

Zoom in: Each of the following Biden-era programs is now out the door or significantly rolled back:
  • A broad requirement for federal software vendors to provide a software bill of materials — essentially an ingredient list of code components — is gone.
  • Biden-era efforts to encourage federal agencies to accept digital identity documents and help states develop mobile driver's licenses were revoked.
  • Several AI cybersecurity research mandates, including those focused on AI-generated code security and AI-driven patch management pilots, have been scrapped or deprioritized.
  • The requirement that software contractors formally attest they followed secure development practices — and submit those attestations to a federal repository — has been cut. Instead, the National Institute of Standards and Technology will now coordinate a new industry consortium to review software security guidelines.

The big picture: If this executive order is a blueprint, Trump 2.0 appears poised to adopt a less prescriptive, more decentralized approach to cybersecurity — focused on paring back federal mandates and shifting more discretion to agencies and state governments.

Flashback: The Biden administration emphasized holding not just foreign adversaries accountable for cyberattacks, but also software makers whose insecure products left federal systems vulnerable. Much of that vision involved a long-term public-private effort to build stronger accountability and transparency in software development — a campaign that now appears to be on pause.

What they're saying: Reaction to the executive order has been mixed as officials have only begun to parse its full implications.

How to choose the right cybersecurity framework: A guide for mid-market companies
Business Journals, 01-06-2025

As cyber threats become more sophisticated and regulatory requirements more stringent, companies, especially mid-market, must take a proactive approach to security. Choosing the right cybersecurity framework is a critical step in protecting sensitive data, maintaining compliance and building trust with customers, investors and regulators. However, with so many frameworks available, each with different requirements and industry applications, determining the best fit can be challenging.

Understanding cybersecurity frameworks vs security standards

  • Cybersecurity frameworks: Structured sets of best practices and methodologies for managing cybersecurity risks. They help organizations build a structured approach to security, ensuring that policies, processes and technologies align with industry-recognized standards.
  • Security standards: Specific requirements that organizations must meet to achieve compliance. Typically associated with audits, ensuring that an organization meets legal and contractual obligations. Common security standards include HIPAA, PCI DSS and GDPR.

While standards ensure compliance with regulatory requirements, frameworks offer strategic guidance for building a resilient security posture. Choosing the right framework ensures a comprehensive approach to cybersecurity that not only satisfies legal requirements but also strengthens overall protection against evolving threats.

Key cybersecurity frameworks in 2025

Selecting the best framework depends on your industry, regulatory landscape and business operations.

NIST Cybersecurity Framework (CSF) 2.0
Developed by the National Institute of Standards and Technology (NIST), the NIST CSF 2.0 is a voluntary, risk-based cybersecurity framework that focuses on six core functions: govern, identify, protect, detect, respond and recover. It provides a variety of high-level cybersecurity outcomes that organizations can use to understand, assess, prioritize and communicate their cybersecurity efforts more effectively.
Best for: Organizations of any size or sector, particularly those looking for a flexible and risk-based approach to managing cybersecurity and aligning with industry standards.

ISO/IEC 27001
The ISO/IEC 27001 is an internationally recognized standard for information security management. It provides a structured framework for implementing an Information Security Management System (ISMS), ensuring the confidentiality, integrity and availability of corporate data, including financial information, intellectual property, employee details and third-party managed data.
Best for: Organizations of any size or sector, especially those needing a comprehensive ISMS to ensure data protection and demonstrate compliance to international standards.

CIS Controls
Developed by the Center for Internet Security (CIS), CIS Controls are a structured and simplified set of best practices designed to help organizations strengthen their security posture.
Best for: Small to mid-market organizations seeking a simplified, actionable set of cybersecurity best practices to quickly strengthen their security posture with minimal resource investment.

CMMC
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard developed by the U.S. Department of Defense (DoD) to ensure contractors and subcontractors meet specific cybersecurity practices when handling Controlled Unclassified Information (CUI). CMMC integrates various cybersecurity standards and best practices and assigns them across maturity levels, ranging from foundational to advanced.
Best for: Defense contractors and subcontractors in the DoD supply chain who must demonstrate compliance with strict cybersecurity requirements to be eligible for government contracts.

FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization and continuous monitoring for cloud services used by federal agencies. It ensures that cloud providers meet strict federal security requirements before working with government entities.
Best for: Cloud service providers aiming to do business with U.S. federal agencies and needing to prove compliance with federal cybersecurity standards.

StateRAMP
Modeled after FedRAMP, StateRAMP offers a standardized approach to cybersecurity for state and local governments. It helps ensure that cloud service providers meet consistent security requirements when providing services to government agencies, promoting transparency, verification and trust.
Best for: Cloud vendors looking to work with state and local governments that require proven compliance with standardized cybersecurity benchmarks.

How to choose the right framework for your business

Assess your current security posture
Before selecting a new framework, conduct a comprehensive gap assessment to evaluate your institution's existing cybersecurity controls. Identify strengths, pinpoint vulnerabilities and determine where enhancements are needed to align with your chosen framework.

Understand your industry requirements
Certain frameworks are better suited for meeting industry-specific regulations. Understanding your industry's unique regulatory landscape will help you determine which security frameworks align with these requirements and which ones are most effective for addressing sector-specific risks.

Consider business goals and objectives
When selecting a security framework, it's important to align your choice with your company's broader business objectives. For example, with the FFIEC Cybersecurity Assessment Tool being phased out, financial institutions may consider adopting ISO 27001 to enhance their cybersecurity posture and build credibility with investors and regulators. Additionally, if your organization is focused on streamlining compliance processes or reducing the burden of managing multiple audits, a consolidated compliance framework, combining assessments like NIST, ISO, PCI DSS, HITRUST and/or SOC 2, can help alleviate audit fatigue and ensure consistent, efficient compliance across various regulatory requirements.

Real-world example: For companies navigating a complex landscape of regulatory requirements, working with multiple providers testing the same controls can strain internal resources. Learn how FD's Consolidated Compliance Assessment Program helped a leading global payments technology company streamline compliance, exceed regulatory requirements and reduce audit redundancies.

Engage key stakeholders
Cybersecurity is not just an IT concern; it requires collaboration across executive leadership, technology teams, risk and compliance professionals and internal audit. Engaging these stakeholders early ensures alignment on strategic priorities and regulatory expectations.

Monitor, validate and adapt
Cyber threats and regulatory expectations continue to evolve, making ongoing monitoring essential. Regularly measure progress against targeted cybersecurity maturity levels, reassess risk factors and adjust your strategy as needed. Internal audit should be involved in periodic reviews to validate compliance and readiness for regulatory examinations.

Next steps: Strengthening your security posture

Choosing the right security framework is more than just a compliance requirement; it's a strategic investment in your company's resilience, reputation and long-term success. As cyber threats grow more sophisticated and regulatory landscapes shift, companies must take a proactive approach to security. By assessing your current security posture, aligning with industry requirements and considering business goals, you can implement a framework that not only meets compliance standards but also strengthens your overall cybersecurity strategy.

Navigating these complexities can be challenging, but you don't have to do it alone. Frazier & Deeter's experts are here to help you evaluate your options, implement the right framework and build a security posture that protects your business now and in the future. Contact us to get started.

Frazier & Deeter (FD) is comprised of Frazier & Deeter, LLC, a US licensed CPA firm that provides attest services to its clients, and Frazier & Deeter Advisory, LLC, an alternative practice structure that provides tax and advisory services to clients worldwide. Learn more at
