81 FR 91917 - National Cybersecurity Center of Excellence (NCCoE) Multifactor Authentication for e-Commerce Project for the Retail Sector
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology Federal Register Volume 81, Issue 243 (December 19, 2016)
National Institute of Standards and Technology
Federal Register Volume 81, Issue 243 (December 19, 2016)
| Page Range | 91917-91919 | |
| FR Document | 2016-30435 |
[Federal Register Volume 81, Number 243 (Monday, December 19, 2016)] [Notices] [Pages 91917-91919] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2016-30435] ----------------------------------------------------------------------- DEPARTMENT OF COMMERCE National Institute of Standards and Technology [Docket No.: 161116999-6999-01] National Cybersecurity Center of Excellence (NCCoE) Multifactor Authentication for e-Commerce Project for the Retail Sector AGENCY: National Institute of Standards and Technology, Department of Commerce. ACTION: Notice. ----------------------------------------------------------------------- SUMMARY: The National Institute of Standards and Technology (NIST) invites organizations to provide products and technical expertise to support and demonstrate security platforms for the Multifactor Authentication for e-Commerce Project for the retail sector. This notice is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges identified under the retail sector program. Participation in the Multifactor Authentication for e-Commerce Project is open to all interested organizations. DATES: Interested parties must contact NIST to request a letter of interest template to be completed and submitted to NIST. Letters of interest will be accepted on a first come, first served basis. Collaborative activities will commence as soon as enough completed and signed letters of interest have been returned to address all the necessary components and capabilities, but no earlier than January 18, 2017. When the Multifactor Authentication for e-Commerce Project search for collaborators has been completed, NIST will post a notice on the NCCoE retail sector program Web site at https://nccoe.nist.gov/projects/use_cases/multifactor-authentication-ecommerce announcing the completion of the search for collaborators and informing the public that it will no longer accept letters of interest for this Multifactor Authentication for e-Commerce Project. ADDRESSES: The NCCoE is located at 9700 Great Seneca Highway, Rockville, MD 20850. Letters of interest must be submitted to [email protected] or via hardcopy to National Institute of Standards and Technology, NCCoE; 9700 Great Seneca Highway, Rockville, MD 20850. Organizations whose letters of interest are accepted in accordance with the process set forth in the SUPPLEMENTARY INFORMATION section of this notice will be asked to sign a Cooperative Research and Development Agreement (CRADA) with NIST. A CRADA template can be found at: https://nccoe.nist.gov/library/nccoe-consortium-crada-example. FOR FURTHER INFORMATION CONTACT: William Newhouse via email to [email protected]; by telephone 301-975-0232; or by mail to National Institute of Standards and Technology, NCCoE; 9700 Great Seneca Highway, Rockville, MD 20850. Additional details about the Multifactor Authentication for e-Commerce Project are available at https://nccoe.nist.gov/projects/use_cases/multifactor-authentication-ecommerce. SUPPLEMENTARY INFORMATION: Background: The NCCoE, part of NIST, is a public-private collaboration [[Page 91918]] for accelerating the widespread adoption of integrated cybersecurity tools and technologies. The NCCoE brings together experts from industry, government, and academia under one roof to develop practical, interoperable cybersecurity approaches that address the real-world needs of complex Information Technology (IT) systems. By accelerating dissemination and use of these integrated tools and technologies for protecting IT assets, the NCCoE will enhance trust in U.S. IT communications, data, and storage systems; reduce risk for companies and individuals using IT systems; and encourage development of innovative, job-creating cybersecurity products and services. Process: NIST is soliciting responses from all sources of relevant security capabilities (see below) to enter into a Cooperative Research and Development Agreement (CRADA) to provide products and technical expertise to support and demonstrate security platforms for the Multifactor Authentication for e-Commerce Project for the retail sector. The full Multifactor Authentication for e-Commerce Project Description can be viewed at: https://nccoe.nist.gov/projects/use_cases/multifactor-authentication-ecommerce. Interested parties should contact NIST using the information provided in the FOR FURTHER INFORMATION CONTACT section of this notice. NIST will then provide each interested party with a letter of interest template, which the party must complete, certify that it is accurate, and submit to NIST. NIST will contact interested parties if there are questions regarding the responsiveness of the letters of interest to the Multifactor Authentication for e-Commerce Project objective or requirements identified below. NIST will select participants who have submitted complete letters of interest on a first come, first served basis within each category of product components or capabilities listed below up to the number of participants in each category necessary to carry out this Multifactor Authentication for e-Commerce Project. However, there may be continuing opportunity to participate even after initial activity commences. Selected participants will be required to enter into a consortium CRADA with NIST (for reference, see ADDRESSES section above). NIST published a notice in the Federal Register on October 19, 2012 (77 FR 64314) inviting U.S. companies to enter into National Cybersecurity Excellence Partnerships (NCEPs) in furtherance of the NCCoE. For this demonstration project, NCEP partners will not be given priority for participation. Multifactor Authentication for e-Commerce Project Objective: The goal of this project is to increase the confidence of user identity and reduce the risk of fraud in the online, Card-Not-Present (CNP) space by implementing multifactor authentication for e-commerce transactions along with other security controls. The solution will provide guidance for implementing multifactor authentication mechanisms, risk calculation, web analytics, and potentially identity federation, in retail IT architecture segments that support or interface with e- commerce transactions such as online shopping or loyalty points programs. It will produce an architecture that includes components that will integrate multifactor authentication mechanisms (certificate- based, biometric, or others), risk calculation engines (risk score calculation and decisions), web analytics (pertaining to known user behavior and/or web threat detection), potentially identity federation (which can include authentication and risk information sent from a third-party business partner and Identity Provider), and automated logging within and between each component. A detailed description of the Multifactor Authentication for e- Commerce Project is available at: https://nccoe.nist.gov/projects/use_cases/multifactor-authentication-ecommerce. Requirements: Each responding organization's letter of interest should identify which security platform component(s) or capability(ies) it is offering. Letters of interest should not include company proprietary information, and all components and capabilities must be commercially available. Components are listed in the High-Level Architecture section of the Multifactor Authentication for e-Commerce Project Description (for reference, please see the link in the Process section above) and include, but are not limited to:Online/e-commerce shopping cart and payment system (in- house or outsourced) Multifactor authentication mechanisms (types of which to be determined) Risk calculation platform/engine Web analytics engine Logging of risk calculation and web analytics data Data storage for risk calculation and web analytics data Identity federation mechanism (optional) Each responding organization's letter of interest should identify how their products address one or more of the following desired solution characteristics in the High-Level Architecture section of the Multifactor Authentication for e-Commerce Project Description for the retail use case (for reference, please see the link in the Process section above): Authentication mechanisms that meet business security and regulatory requirements Automated web analytics including monitoring of user behavior and contextual details Automated logging of web analytics and risk calculation data Automated data storage of web analytics and risk calculation data Ability to establish and enforce risk decisions including performing risk calculations Automated alerting of suspected fraudulent activity Ease of use for the consumer, no substantial increase in friction during the e-commerce transaction Identity federation (optional) Responding organizations need to understand and, in their letters of interest, commit to provide: 1. Access for all participants' project teams to component interfaces and the organization's experts necessary to make functional connections among security platform components 2. Support for development and demonstration of the Multifactor Authentication for e-Commerce Project for the retail use case in NCCoE facilities which will be conducted in a manner consistent with Federal requirements (e.g., FIPS 200, FIPS 201, SP 800-53, and SP 800-63) Additional details about the Multifactor Authentication for e- Commerce Project for the retail sector use case are available at: https://nccoe.nist.gov/projects/use_cases/multifactor-authentication-ecommerce. NIST cannot guarantee that all of the products proposed by respondents will be used in the demonstration. Each prospective participant will be expected to work collaboratively with NIST staff and other project participants under the terms of the consortium CRADA in the development of the Multifactor Authentication for e-Commerce Project for the retail sector capability. Prospective participant's contribution to the collaborative effort will include assistance in establishing the necessary interface functionality, connection and set- up capabilities and procedures, demonstration harnesses, environmental and safety conditions for use, integrated platform user instructions, and [[Page 91919]] demonstration plans and scripts necessary to demonstrate the desired capabilities. Each participant will train NIST personnel, as necessary, to operate its product in capability demonstrations to the retail community. Following successful demonstrations, NIST will publish a description of the security platform and its performance characteristics sufficient to permit other organizations to develop and deploy security platforms that meet the security objectives of the Multifactor Authentication for e-Commerce Project for the retail sector use case. These descriptions will be public information. Under the terms of the consortium CRADA, NIST will support development of interfaces among participants' products by providing IT infrastructure, laboratory facilities, office facilities, collaboration facilities, and staff support to component composition, security platform documentation, and demonstration activities. The dates of the demonstration of the Multifactor Authentication for e-Commerce Project for the retail sector capability will be announced on the NCCoE Web site at least two weeks in advance at http://nccoe.nist.gov/. The expected outcome of the demonstration is added security and reduced fraud stemming from an increased use of multifactor authentication for e-commerce transactions across an entire retail sector enterprise. Participating organizations will gain from the knowledge that their products are interoperable with other participants' offerings. For additional information on the NCCoE governance, business processes, and NCCoE operational structure, visit the NCCoE Web site http://nccoe.nist.gov/. Kevin Kimball, NIST Chief of Staff. [FR Doc. 2016-30435 Filed 12-16-16; 8:45 am] BILLING CODE 3510-13-P
![Federal Register / Vol. 81, No. 243 / Monday, December 19, 2016 / Notices 91917
party’s intellectual property rights). In NIST reserves the right to disqualify support and demonstrate security
addition, you agree to waive claims any Participant or Participant team it platforms for the Multifactor
against the Federal Government and its believes to be tampering with the Entry Authentication for e-Commerce Project
related entities, except in the case of process or the operation of the RAMP for the retail sector. This notice is the
willful misconduct, for any injury, Challenge or to be acting in violation of initial step for the National
death, damage, or loss of property, any applicable rule or condition. Cybersecurity Center of Excellence
revenue, or profits, whether direct, Any attempt by any person to (NCCoE) in collaborating with
indirect, or consequential, arising from undermine the legitimate operation of technology companies to address
your participation in the RAMP the RAMP Challenge may be a violation cybersecurity challenges identified
Challenge, whether the injury, death, of criminal and civil law, and, should under the retail sector program.
damage, or loss arises through such an attempt be made, NIST reserves Participation in the Multifactor
negligence or otherwise. the authority to seek damages from any Authentication for e-Commerce Project
NIST is not responsible for any such person to the fullest extent is open to all interested organizations.
miscommunications such as technical permitted by law. DATES: Interested parties must contact
failures related to computer, telephone, NIST to request a letter of interest
cable, and unavailable network or server Verification of Potential Winner(s)
template to be completed and submitted
connections, related technical failures, All potential winners are subject to to NIST. Letters of interest will be
or other failures related to hardware, verification by NIST, whose decisions accepted on a first come, first served
software or virus, or incomplete or late are final and binding in all matters basis. Collaborative activities will
Entries. Any compromise to the fair and related to the RAMP Challenge. commence as soon as enough completed
proper conduct of the RAMP Challenge Potential winner(s) must continue to and signed letters of interest have been
may result in the disqualification of an comply with all terms and conditions of returned to address all the necessary
Entry or Participant, termination of the the RAMP Challenge Rules described in components and capabilities, but no
RAMP Challenge, or other remedial this notice, and winning is contingent earlier than January 18, 2017. When the
action, at the sole discretion of NIST. upon fulfilling all requirements. In the Multifactor Authentication for e-
NIST reserves the right in its sole event that a potential winner, or an Commerce Project search for
discretion to extend or modify the dates announced winner, is found to be collaborators has been completed, NIST
of the RAMP Challenge, and to change ineligible or is disqualified for any will post a notice on the NCCoE retail
the terms set forth herein governing any reason, NIST may make an award, sector program Web site at https://
phases taking place after the effective instead, to another Participant. nccoe.nist.gov/projects/use_cases/
date of any such change. By entering, multifactor-authentication-ecommerce
you agree to the terms set forth herein Privacy and Disclosure under FOIA
announcing the completion of the
and to all decisions of NIST and/or all Except as provided herein, search for collaborators and informing
of their respective agents, which are information submitted throughout the the public that it will no longer accept
final and binding in all respects. RAMP Challenge will be used only to letters of interest for this Multifactor
NIST is not responsible for: (1) Any communicate with Participants Authentication for e-Commerce Project.
incorrect or inaccurate information, regarding Entries and/or the RAMP ADDRESSES: The NCCoE is located at
whether caused by a Participant, Challenge. Participant Entries and
printing errors, or by any of the 9700 Great Seneca Highway, Rockville,
submissions to the RAMP Challenge MD 20850. Letters of interest must be
equipment or programming associated may be subject to disclosure under the
with or used in the RAMP Challenge; (2) submitted to consumer-nccoe@nist.gov
Freedom of Information Act (‘‘FOIA’’). or via hardcopy to National Institute of
unauthorized human intervention in
any part of the Entry Process for the Authority: 15 U.S.C. 3719. Standards and Technology, NCCoE;
RAMP Challenge; (3) technical or 9700 Great Seneca Highway, Rockville,
Kevin Kimball,
human error that may occur in the MD 20850. Organizations whose letters
NIST Chief of Staff.
administration of the RAMP Challenge of interest are accepted in accordance
[FR Doc. 2016–30437 Filed 12–16–16; 8:45 am] with the process set forth in the
or the processing of Entries; or (4) any
injury or damage to persons or property
BILLING CODE 3510–13–P SUPPLEMENTARY INFORMATION section of
that may be caused, directly or this notice will be asked to sign a
indirectly, in whole or in part, from a Cooperative Research and Development
DEPARTMENT OF COMMERCE Agreement (CRADA) with NIST. A
Participant’s participation in the RAMP
Challenge or receipt or use or misuse of National Institute of Standards and CRADA template can be found at:
an Award. If for any reason an Entry is Technology https://nccoe.nist.gov/library/nccoe-
confirmed to have been deleted consortium-crada-example.
[Docket No.: 161116999–6999–01] FOR FURTHER INFORMATION CONTACT:
erroneously, lost, or otherwise
destroyed or corrupted, the Participant’s William Newhouse via email to
National Cybersecurity Center of
sole remedy is to submit another Entry william.newhouse@nist.gov; by
Excellence (NCCoE) Multifactor
in the RAMP Challenge. telephone 301–975–0232; or by mail to
Authentication for e-Commerce Project
National Institute of Standards and
Termination and Disqualification for the Retail Sector
Technology, NCCoE; 9700 Great Seneca
NIST reserves the authority to cancel, AGENCY: National Institute of Standards Highway, Rockville, MD 20850.
suspend, and/or modify the RAMP Additional details about the Multifactor
sradovich on DSK3GMQ082PROD with NOTICES
and Technology, Department of
Challenge, or any part of it, if any fraud, Commerce. Authentication for e-Commerce Project
technical failures, or any other factor ACTION: Notice. are available at https://nccoe.nist.gov/
beyond NIST’s reasonable control projects/use_cases/multifactor-
impairs the integrity or proper SUMMARY: The National Institute of authentication-ecommerce.
functioning of the RAMP Challenge, as Standards and Technology (NIST) SUPPLEMENTARY INFORMATION:
determined by NIST in its sole invites organizations to provide Background: The NCCoE, part of
discretion. products and technical expertise to NIST, is a public-private collaboration
VerDate Sep<11>2014 20:55 Dec 16, 2016 Jkt 241001 PO 00000 Frm 00018 Fmt 4703 Sfmt 4703 E:\FR\FM\19DEN1.SGM 19DEN1](https://thefederalregister.org/doc/81_FR_92160/page/1.svg)
![Federal Register / Vol. 81, No. 243 / Monday, December 19, 2016 / Notices 91919
demonstration plans and scripts SUMMARY: The Pacific Fishery representatives and the contents of
necessary to demonstrate the desired Management Council’s (Council) Ad future reports.
capabilities. Each participant will train Hoc Ecosystem Workgroup (EWG) will At its March 2017 meeting, the
NIST personnel, as necessary, to operate hold a webinar, which is open to the Council will also consider taking up a
its product in capability demonstrations public. new ecosystem-based fishery
to the retail community. Following management initiative. Appendix A to
DATES: The webinar will be held on
successful demonstrations, NIST will the FEP contains a list of these
January 10, 2017, from 1:30 to 4:30 p.m.,
publish a description of the security initiatives, which are intended to
or when business for the day is address ecosystem gaps in ecosystem
platform and its performance completed.
characteristics sufficient to permit other knowledge and FMP policies,
organizations to develop and deploy ADDRESSES: To join the webinar visit particularly with respect to the
security platforms that meet the security this link: http://www.gotomeeting.com/ cumulative effects of fisheries
objectives of the Multifactor online/webinar/join-webinar. Enter the management on marine ecosystems and
Authentication for e-Commerce Project Webinar ID: 917–479–603. Enter your fishing communities. The FEP
for the retail sector use case. These name and email address (required). establishes a schedule by which each
descriptions will be public information. Once you have joined the webinar, March the Council reviews progress to
Under the terms of the consortium choose either your computer’s audio or date on any ecosystem initiatives the
CRADA, NIST will support select ‘‘Use Telephone.’’ If you do not Council already has underway and
development of interfaces among select ‘‘Use Telephone’’ you will be determines whether to take up a new
participants’ products by providing IT connected to audio using your initiative. In odd-numbered years the
infrastructure, laboratory facilities, computer’s microphone and speakers Council may also consider identifying
office facilities, collaboration facilities, (VolP). To use your telephone for the new initiatives that are not already in
and staff support to component audio portion of the meeting dial this Appendix A. The EWG will discuss
composition, security platform TOLL number +1 (914) 614–3221 (not a current and potential new initiatives in
documentation, and demonstration toll-free number); then enter the preparation for the March 2017 Council
activities. Attendee phone audio access code 462– meeting.
The dates of the demonstration of the 275–391, then enter your audio phone Although nonemergency issues not
Multifactor Authentication for e- pin (shown after joining the webinar). contained in the meeting agenda may be
Commerce Project for the retail sector Participants are encouraged to use their discussed, those issues may not be the
capability will be announced on the telephone, as this is the best practice to subject of formal action during this
NCCoE Web site at least two weeks in avoid technical issues and excessive meeting. Action will be restricted to
advance at http://nccoe.nist.gov/. The feedback. You may send an email to Mr. those issues specifically listed in this
expected outcome of the demonstration Kris Kleinschmidt (kris.kleinschmidt@ document and any issues arising after
is added security and reduced fraud noaa.gov) or contact him at (503) 820– publication of this document that
stemming from an increased use of 2425 for technical assistance. A public require emergency action under section
multifactor authentication for e- listening station will also be provided at 305(c) of the Magnuson-Stevens Fishery
commerce transactions across an entire the Pacific Council office. Conservation and Management Act,
retail sector enterprise. Participating Council address: Pacific Council, provided the public has been notified of
organizations will gain from the 7700 NE Ambassador Place, Suite 101, the intent to take final action to address
knowledge that their products are Portland, OR 97220–1384. the emergency.
interoperable with other participants’ FOR FURTHER INFORMATION CONTACT: Dr. Special Accommodations
offerings. Kit Dahl, Pacific Council Staff Officer; This meeting is physically accessible
For additional information on the phone: (503) 820–2422; email: kit.dahl@ to people with disabilities. Requests for
NCCoE governance, business processes, noaa.gov. sign language interpretation or other
and NCCoE operational structure, visit SUPPLEMENTARY INFORMATION: The auxiliary aids should be directed to Mr.
the NCCoE Web site http:// purpose of the webinar is for the EWG Kris Kleinschmidt at (503) 820–2425 at
nccoe.nist.gov/. to discuss (1) preparation of the Annual least 10 business days prior to the
Kevin Kimball, State of the California Current meeting date.
NIST Chief of Staff.
Ecosystem Report and (2) future Dated: December 14, 2016.
ecosystem initiatives under the
[FR Doc. 2016–30435 Filed 12–16–16; 8:45 am] Tracey L. Thompson,
Council’s Fishery Ecosystem Plan (FEP).
BILLING CODE 3510–13–P Acting Deputy Director, Office of Sustainable
Each March, the National Marine
Fisheries, National Marine Fisheries Service.
Fisheries Service’s Northwest and
[FR Doc. 2016–30416 Filed 12–16–16; 8:45 am]
DEPARTMENT OF COMMERCE Southwest Fisheries Science Centers
BILLING CODE 3510–22–P
deliver a State of the California Current
National Oceanic and Atmospheric Ecosystem Report to the Council. The
Administration Report assesses current status through a
DEPARTMENT OF COMMERCE
series of indicators covering physical,
RIN 0648–XF040 biological, and socioeconomic National Oceanic and Atmospheric
components of the ecosystem. The Administration
Pacific Fishery Management Council; Council has provided advice to the
sradovich on DSK3GMQ082PROD with NOTICES
Public Meeting Science Centers on how to make the RIN 0648–XF082
AGENCY: National Marine Fisheries report more relevant to Council
Marine Mammals; File No. 20527
Service (NMFS), National Oceanic and decision-making including comments
Atmospheric Administration (NOAA), on the suite of indicators it uses. The AGENCY: National Marine Fisheries
Commerce. webinar will provide an opportunity for Service (NMFS), National Oceanic and
the EWG to discuss preparation of the Atmospheric Administration (NOAA),
ACTION: Notice; public meeting.
current Report with Science Center Commerce.
VerDate Sep<11>2014 20:55 Dec 16, 2016 Jkt 241001 PO 00000 Frm 00020 Fmt 4703 Sfmt 4703 E:\FR\FM\19DEN1.SGM 19DEN1](https://thefederalregister.org/doc/81_FR_92160/page/3.svg)
Document Created: 2016-12-17 03:15:18
Document Modified: 2016-12-17 03:15:18
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Notices | |
| Action | Notice. | |
| Dates | Interested parties must contact NIST to request a letter of interest template to be completed and submitted to NIST. Letters of interest will be accepted on a first come, first served basis. Collaborative activities will commence as soon as enough completed and | |
| Contact | William Newhouse via email to [email protected]; by telephone 301-975-0232; or by mail to National Institute of Standards and Technology, NCCoE; 9700 Great Seneca Highway, Rockville, MD 20850. Additional details about the Multifactor Authentication for e-Commerce Project are available at https://nccoe.nist.gov/projects/use_cases/multifactor-authentication- ecommerce. | |
| FR Citation | 81 FR 91917 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR