For this edition, the main changes concern the following sheets:
- Sheet no. 2 “Authenticating users” takes into account the new recommendation relating to passwords and other shared secrets adopted in 2022 by the CNIL. In particular, it uses the notion of password entropy to offer greater freedom in the definition of password policies and abandons the obligation to renew passwords for “classic” user accounts.
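The entropy-based approach referred to above rates a password policy by the entropy of the weakest password it admits, rather than by a fixed list of required character classes. The following Python snippet is an added illustration, not code from the CNIL guide: it computes that lower bound as `min_length × log2(alphabet size)` for passwords drawn uniformly from the allowed alphabet, derives the minimum length needed to reach a target, and compares policies against a threshold. The `CHARSET_SIZES` table, the sample policies and the 80-bit threshold are constructed for the example; the CNIL's actual thresholds are not stated on this page.

```python
import math
from dataclasses import dataclass

# Approximate sizes of the printable-ASCII character classes
# (constructed for this example; symbol count depends on the keyboard set allowed).
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


@dataclass(frozen=True)
class PasswordPolicy:
    """A policy is the minimum length plus the set of character classes it allows."""
    name: str
    min_length: int
    classes: frozenset  # subset of CHARSET_SIZES keys


def alphabet_size(classes):
    """Number of distinct characters a user may pick from under the policy."""
    return sum(CHARSET_SIZES[c] for c in classes)


def policy_entropy_bits(policy):
    """Entropy (bits) of the shortest password the policy admits, assuming each
    position is chosen uniformly at random from the allowed alphabet. This is a
    lower bound on what the policy guarantees, not a measure of any one password."""
    return policy.min_length * math.log2(alphabet_size(policy.classes))


def min_length_for(target_bits, classes):
    """Smallest length at which a uniformly random password over `classes`
    reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size(classes)))


def evaluate(policies, threshold_bits):
    """Map each policy name to (entropy rounded to 0.1 bit, meets_threshold)."""
    result = {}
    for p in policies:
        bits = policy_entropy_bits(p)
        result[p.name] = (round(bits, 1), bits >= threshold_bits)
    return result


# Constructed sample policies: a classic "complex" rule versus a longer
# lowercase-only passphrase rule. The 80-bit threshold is an illustrative value.
SAMPLE_POLICIES = [
    PasswordPolicy("12 chars, all classes", 12, frozenset(CHARSET_SIZES)),
    PasswordPolicy("13 chars, all classes", 13, frozenset(CHARSET_SIZES)),
    PasswordPolicy("16 lowercase letters", 16, frozenset({"lower"})),
    PasswordPolicy("18 lowercase letters", 18, frozenset({"lower"})),
]

if __name__ == "__main__":
    for name, (bits, ok) in evaluate(SAMPLE_POLICIES, 80).items():
        print(f"{name:25s} {bits:6.1f} bits  {'OK' if ok else 'below threshold'}")
    print("lowercase-only length for 80 bits:", min_length_for(80, frozenset({"lower"})))
```

Two policies with very different shapes (13 characters from all classes, or 18 lowercase letters) land above the same entropy line, which is what gives an organisation the freedom the text mentions: it can choose the rule that suits its users as long as the bound is met. The computation only covers randomly chosen passwords; user-chosen ones are weaker, so a deployment still needs the blocklist and rate-limiting measures such guides pair with the entropy figure.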
- Sheet no. 4 “Tracing operations and managing incidents” takes into account the recommendation relating to logging adopted in 2021. It explains how to ensure traceability of access and actions in multi-user systems while finding the balance between security, surveillance and associated risks.
- Sheet no. 12 “Supervising IT developments” has also been enriched with elements from the GDPR guide for the development team .
- Finally, sheets no. 15 “Securing exchanges with other organisations” and no. 17 “Encrypting, hashing or signing” have been updated to take into account changes in currently recommended practices.
Other more ad hoc updates and improvements have been made to keep up with the evolution of threats and knowledge.
The initial public draft of NIST AI 100-2 (2003 edition), Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations, is now available for public comment.
NIST is specifically interested in comments on and recommendations for the following topics:
- What are the latest attacks that threaten the existing landscape of AI models?
- What are the latest mitigations that are likely to withstand the test of time?
- What are the latest trends in AI technologies that promise to transform the industry/society? What potential vulnerabilities do they come with? What promising mitigations may be developed for them?
- Is there new terminology that needs standardization?
“The complaint also alleges that until early 2020, GoodRx did not have ‘sufficient or formal compliance programs for reviewing and approving all data sharing requests or third-party tracking tool integrations. It also had no policies or procedures for notifying users of breaches of their personal and health information.’”