Tag Archives: nist

What is a Fingerprint Bifurcation?

(Image from NIST)

(Part of the biometric product marketing expert series)

If you hear a fingerprint person discussing a “bifurcation,” the definition is pretty simple.

“The point at which one friction ridge divides into two friction ridges.”

And if you think of fingerprint ridges as black lines on a white background, then a bifurcation is the exact opposite of a ridge ending.

The fingerprint image is from an appendix to the National Institute of Standards and Technology’s 2003 Fingerprint Vendor Technology Evaluation (FpVTE).

Yeah, THAT FpVTE. I remember it well from my days at Motorola…not a “top 3” vendor.

Imagen 4.

Worries About the Certified Communist Products List

(Imagen 4)

(Part of the biometric product marketing expert series)

How many of you have heard of the Certified Products List (CPL)?

The CPL’s vendor coverage

This list, part of the FBI’s Biometric Specifications website (FBI Biospecs), contains fingerprint card printers, fingerprint card scan systems, identification flats systems, live scan systems, mobile ID devices, and other products. Presence on the CPL indicates that the product complies with a relevant image quality specification such as Appendix F of the Electronic Biometric Transmission Specification.

The Certified Products List has existed since the 1990s and includes a number of products with which I am familiar. These products come from companies past and present, including 3M Cogent, Aware, Biometrics4All, Cross Match, DataWorks Plus, IDEMIA Identity & Security France, Identicator, Mentalix, Morpho, Motorola, NEC Technologies, Printrak, Sagem Defense Securite, Thales, and many others.

As of June 26, 2025, it also references companies such as Shenzhen Interface Cognition Technology Co., Ltd. and Shenzhen Zhi Ang Science and Technology Co., Ltd.

A strongly worded letter

Those and other listings caused heartburn for the bipartisan Members of the U.S. House of Representatives Select Committee on the Chinese Communist Party.

So they sent a strongly worded letter.

“We write to respectfully urge the FBI to put an end to its ongoing certification of products from Chinese military-linked and surveillance companies—including companies blacklisted or red-flagged by the U.S. government—that could be used to spy on Americans, strengthen the repressive surveillance state of the People’s Republic of China (PRC), and otherwise threaten U.S. national security.”

Interestingly enough, they make a big deal of Hikvision products on the list, but I searched the CPL multiple times and found no Hikvision products.

The CPL’s purpose

And it’s important to note the FBI’s own caveat about the CPL:

The Certified Product List (CPL) provides users with a list of products that have been tested and are in compliance with Next Generation Identification image quality specifications (IQS) regarding the capture of friction ridge images. Specifications and standards other than image quality may still need to be met. Appearance on the CPL is not, and should not be construed as, an FBI endorsement, nor should it be relied upon for any requirement beyond IQS. Users should contact their State CJIS Systems Officer (CSO) or Information Security Officer (ISO) to ensure compliance with the necessary policies and/or guidelines.

In other words, the ONLY purpose of the CPL is to indicate whether the products in question meet technology standards. It has nothing to do with export controls or any other criteria that any law enforcement agency needs to follow when buying a product.

What about the U.S. Department of Commerce?

But the FBI isn’t the only agency “promoting” Chinese biometrics.

Wait until the Select Committee discovers the Department of Commerce’s NIST FRTE lists, including the FRTE 1:1 and FRTE 1:N lists. The tops of these lists (previously known as FRVT) include many Chinese companies.

And actually, the FRTE testing includes facial recognition products that inspired U.S. export bans. Fingerprint devices are harder to use to repress people.

What next?

What happens if the concern extends beyond China, to products produced in France and products produced in Canada?

Regarding the strongly worded letter, Biometric Update added one detail:

“As of this writing, the FBI has not issued a public response. Whether the bureau will move to decertify the flagged companies or push back on the committee’s recommendations remains to be seen. But with multiple national security statutes already in place, and Congress signaling a willingness to legislate further, the days of quiet certification for foreign adversary-linked tech firms may be numbered.”

Making Case Studies (and Other Content) Specific So Prospects Act

(Imagen 4)

Tech CMOs want to move their prospects to act and buy world-changing offerings (products or services) from their firms…and I want to move my tech CMO prospects to act and buy marketing and writing services from Bredemarket. So tech CMOs, I definitely feel your pain. But how can you move your prospects…and how can I move you?

Failure of a vague problem, solution, and results

In my recent post about converting an end customer interview into a case study, I discussed a “problem, solution, results” simple case study outline.

Justin Welsh just discussed the same thing, but with better words.

“I copy/pasted a spreadsheet of over 100 posts I’ve written that created real impact for my readers into ChatGPT, and I found a pattern:

“Specific struggle + specific transformation = lasting change

“Not some vague tension. Not a generic transformation. Specific moments where everything shifted.”

My specific solution

Of course the dozen case studies I ghostwrote for my client were implicitly specific. But it’s helpful to make that word “specific” explicit.

Imagen 4.
  • Because my client had a specific problem. The client needed its prospects to understand how its offering could solve nagging prospect problems. Riots. Car thefts. Robberies.
  • And my client had a specific solution. I can’t reveal the solution without giving the client away, but let’s just say the the solution simultaneously addressed the end customers’ dual needs of speed and accuracy, as well as other end customer concerns.
  • As for specific results, I confess I don’t know. In this case my client never got back to me and said, “John, case study 3 attracted a prospect that ended up buying an annual contract.” And my primary contact at the client subsequently moved to another firm. But the fact that the client stuck with me for a dozen case studies and some subsequent NIST FRTE analysis work indicates that I did something right.

You see what I did there. Well, as much as I could while preserving my ghostwriter status and my client’s anonymity.

What is your specific problem?

This section of the blog post is specifically addressed to tech CMOs and other marketers. The rest of you can skip this part and watch this entertaining video instead.

Imagen 4.

Now I know I’ve loaded this post with links to previous Bredemarket content that addresses the…um…specific topics in much more detail. Maybe you clicked on the links, or maybe you didn’t. I will find out.

But if you are ready to move forward, this is the one link you need to click. (“Now you tell me, John!”) It lets you set up a meeting with Bredemarket to discuss your specific needs.

Wanna Know a “Why” Secret About Bredemarket’s TPRM Content?

(The picture is only from Imagen 3. I’ve been using it since January, as you will see.)

Here’s a “why” question: why does Bredemarket write the things it writes about?

Several reasons:

  • To promote Bredemarket’s services so that you meet with me and buy them.
  • To educate about Bredemarket’s target industries of identity/biometrics, technology, and Inland Empire business.
  • To dive into specific topics that interest me, such as deepfakes, HiveLLM, identity assurance levels, IMEI uniqueness, and Leonardo Garcia Venegas (the guy with the REAL ID that was real).
  • Because I feel like it.

And then there are really specific reasons such as this one.

In late January I first wrote about third-party risk management (TPRM) and have continued to do so since.

Why?

TPRM firm 1

Because at that time, a TPRM firm had a need for content marketing and product marketing services, and Bredemarket started consulting for the firm.

I was very busy for 2 1/2 months, and the firm was happy with my work. And I got to dive into TPRM issues in great detail:

  • The incredibly large number of third parties that a vendor deals with…possibly numbering into the hundreds. If hundreds of third parties have YOUR data, and just ONE of those third parties is breached, bad things can happen.
  • The delicate balance between automated and manual work. News flash: if you look at my prior employers, you will see that I’ve dealt with this issue for over 30 years.
  • Organizational process maturity. News flash: I used to work for Motorola.
  • All the NIST standards related to TPRM, including NIST’s discussion of FARM (Frame, Assess, Respond, and Monitor). News flash: I’ve known NIST standards for many years.
  • Other relevant standards such as SOC 2. News flash: identity verification firms deal with SOC 2 also.
  • Fourth-party, fifth-party, and other risks. News flash: anyone that was around when AIDS emerged already knows about nth-party risk.

But for internal reasons that I can’t disclose (NDA, you know), the firm had to end my contract.

Never mind, I thought. I had amassed an incredible 75 days of TPRM experience—or about the same time that it takes for a BAD TPRM vendor to complete an assessment. 

But how could I use this?

TPRM firm 2

Why not put my vast experience to use with another TPRM firm? (Honoring the first firm’s NDA, of course.)

So I applied for a product marketing position with another TPRM firm, highlighting my TPRM consulting experience.

The company decided to move forward with other candidates.

The firm had another product marketing opening, so I applied again.

The company decided to move forward with other candidates.

Even if this company had a third position, I couldn’t apply for it because of its “maximum 2 applications in 60 days” rule.

TPRM firm 3

Luckily for me, another TPRM firm had a product marketing opening. TPRM is active; the identity/biometrics industry isn’t hiring this many product marketers.

  • So I applied on Monday, June 2 and received an email confirmation:
  • And received a detailed email on Tuesday, June 3 outlining the firm’s hiring process.
  • And received a third email on Wednesday, June 4:

“Thank you for your application for the Senior Product Marketing Manager position at REDACTED. We really appreciate your interest in joining our company and we want to thank you for the time and energy you invested in your application to us.

“We received a large number of applications, and after carefully reviewing all of them, unfortunately, we have to inform you that this time we won’t be able to invite you to the next round of our hiring process.

“Due to the high number of applications, we are unfortunately not able to provide individual feedback to your application at this early stage of the process.

“Again, we really appreciated your application and we would welcome you to apply to REDACTED in the future. Be sure to keep up to date with future roles at REDACTED by following us on LinkedIn and our other social channels. 

“We wish you all the best in your job search.”

Unfortunately, I apparently did not have “impressive credentials.” Oh well.

TPRM firm 4?

What now?

If nothing else, I will continue to write about TPRM and the issues I listed above.

Well, if any TPRM firm wants to contract with Bredemarket, schedule a meeting: https://bredemarket.com/cpa/

And if any TPRM firm wants to use my technology experience and hire me as a full-time product marketer, contact my personal LinkedIn account: https://www.linkedin.com/in/jbredehoft

I’m motivated to help your firm succeed, and make your competitors regret passing on me.

Sadly, despite my delusions of grandeur and expositor syndrome (to be addressed in a future Bredemarket blog post), I don’t think any TPRM CMOs are quaking in their boots and fearfully crying, “We missed out on Bredehoft, and now he’s going to work for the enemy and crush us!”

But I could be wrong.

Do We Have 18,000 Forensic Sciences?

Mike Bowers (CSIDDS) shared a Substack article by Max Houck regarding the uneven nature of forensic science in the United States. Houck’s thesis:

…how the fragmented, decentralized nature of American law enforcement and forensic practice creates a landscape where what counts as science (and possibly what counts as justice) can vary wildly depending on where you happen to be.

There are about 18,000 police agencies in the United States at all levels of government, and 400 separate forensic laboratories.

But we have standards, right?

Do Even when national scientific bodies like ASTM or NIST’s OSAC develop well-reasoned, consensus-based forensic standards, adoption is purely voluntary. Some laboratories fully integrate these standards, using them to validate methods, structure protocols, and train staff. Most others ignore them, modify them, or apply them selectively based on local preference or operational convenience. There is no enforcement mechanism, no unified system of oversight. The science exists, but whether it is followed depends on where you are.

Houck’s article details many other issues that plague forensic science, but the main issues arise because there are 18,000 different authorities on the matter. Because this is a structural issue, deeply rooted in how Americans think of governing ourselves, Houck doesn’t see an easy solution.

Reforming this system will not be easy. It runs up against the powerful American instincts toward local control, political independence, and legal precedent. Federal mandates for forensic accreditation, national licensing of analysts, or the establishment of an independent forensic science* oversight body (all ideas floated over the years) face stiff political and logistical resistance. I don’t give these ideas much of a chance.

Even Houck’s minimal suggestions for reform are questionable. In fact, if you read the list of his solutions at the bottom of his article, you’ll see that he’s already crossed one of them out.

Federal funding could be tied to meaningful accreditation and quality assurance requirements.

(Imagen 3)

Frame, Assess, Respond, and Monitor (FARM) in Third-Party Risk Management

I just listened to a third-party risk management (TPRM) Mitratech webinar about NIST cybersecurity frameworks, hosted by OCEG, which talked about a farm.

No, they’re not planting corn at NIST’s Gaithersburg headquarters.

(At least I don’t think so. I haven’t been there since early 2009, back when Motorola and Safran people couldn’t talk about the possible acquisition. We did anyway. But I digress.)

Back to TPRM. In Mitratech’s case, FARM stands for “frame, assess, respond, and monitor.”

Here’s how Mitratech introduced the topic in a 2022 post:

NIST SP 800-53 is considered the foundation upon which all other cybersecurity controls are built. With SP 800-161 Rev. 1, NIST outlines a complementary framework to frame, assess, respond to, and monitor cybersecurity supply chain risks. Together, SP 800-53 and supplemental SP 800-161 control guidance present a comprehensive framework for assessing and mitigating supplier risks.

If you visit the latest (as of 2024) update to SP 800-161, you can find NIST’s explanation of the FARM in Appendix G. The three referenced levels in the quote below are the enterprise, mission, and operations levels.

The first approach is known as FARM and consists of four steps: Frame, Assess, Respond, and Monitor. FARM is primarily used at Level 1 and Level 2 to establish the enterprise’s risk context and inherent exposure to risk. Then, the risk context from Level 1 and Level 2 iteratively informs the activities performed as part of the second approach described in The Risk Management Framework (RMF). The RMF predominantly operates at Level 3 [SP80037], – the operational level – and consists of seven process steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.

Briefly:

  • Frame establishes the context.
  • Assess is the risk assessment itself.
  • Respond is where the assessors communicate the results of the assessment and propose mitigations and controls.
  • Monitor is compliance verification and continuous monitoring.

Section G.2 of the document includes much, much more detailed definitions of the FARM elements, should you be interested. I’d provide those details myself, but then I fear I’d have to say to you, “Sorry if I’ve stayed too long.”

Why Do CPAs (the real ones) Manage SOC 2 Audits?

I’ve been around a ton of compliance frameworks during and after the years I worked at Motorola. 

  • The Capability Maturity Model (CMM), from the days before CMMI came into being.
  • The entire ISO 9000 family.
  • The General Data Protection Regulation (GDPR).
  • The California Consumer Privacy Act (CCPA) and the related California Privacy Rights Act (CPRA).
  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The NIST Cybersecurity Framework (CSF).
  • I’d personally throw the FBI CJIS Security Requirements onto this list.

SOC it to me

There is one compliance framework that is a little different from CMM, ISO, GDPR, and all the others: the System and Organization Controls (SOC) suite of Services

The most widely known member of the suite is SOC 2® – SOC for Service Organizations: Trust Services Criteria. But you also have SOC 1, SOC 3, SOC for Cybersecurity, SOC for Supply Chain, SOC for Steak…whoops, I made that one up because I’m hungry as I write this. But the others are real.

Who runs the SOC suite

But the difference about the SOC suite is that it’s not governed by engineers or scientists or academics.

It’s governed by CPAs.

And for once I’m not talking about content-proposal-analysis experts.

I’m talking about the AICPA, or the Association of International Certified Professional Accountants.

Which begs the question: why are a bunch of bean counters defining compliance frameworks for cybersecurity?

Why CPAs run the SOC suite

Ask Schneider Downs. As an accounting firm, they may have an obvious bias regarding this question. But their answers are convincing.

  • “CPAs are subject matter experts in risk management.” You see, my reference above to “bean counters” was derogatory and simplistic. Accounts need to understand financial data and the underlying risks, including vulnerabilities in cash flow, debt, and revenue. For example, if you’ve ever talked to a CxO, you know that revenue is never guaranteed.
  • “It was a natural progression to go from auditing against financial risk to auditing against cybersecurity risk.” Now this may seem odd on the surface, because you wouldn’t think mad Excel skills will help you detect deepfakes. But ignore the tools for a moment and look at a higher levels. Because of their risk management expertise, they can apply that knowledge to other types of risk, including non-financial ones. As Schneider Downs goes on to say…
  • “CPAs understand internal control concepts and the appropriate evidence required to support the operating effectiveness of controls.” You need financial controls at your company. You aren’t going to let the summer intern sign multi-million dollar checks. In the same way you need to identify and evaluate the internal controls related to the Trust Services Criteria (TSC) associated with SOC 2: security, availability, processing integrity, confidentiality, and privacy.

So that’s why the accountants are running your SOC 2 audit.

And don’t try to cheat when you pay them for the audit.

And one more thing

A few of you may have detected that the phrase “SOC it to me” is derived from a popular catchphrase from the old TV show Rowan & Martin’s Laugh-In.

A phrase that EVERYBODY said.

(Wildebeest accountants from Imagen 3)