Tag Archives: nist

Do We Have 18,000 Forensic Sciences?

Mike Bowers (CSIDDS) shared a Substack article by Max Houck regarding the uneven nature of forensic science in the United States. Houck’s thesis:

…how the fragmented, decentralized nature of American law enforcement and forensic practice creates a landscape where what counts as science (and possibly what counts as justice) can vary wildly depending on where you happen to be.

There are about 18,000 police agencies in the United States at all levels of government, and 400 separate forensic laboratories.

But we have standards, right?

Do Even when national scientific bodies like ASTM or NIST’s OSAC develop well-reasoned, consensus-based forensic standards, adoption is purely voluntary. Some laboratories fully integrate these standards, using them to validate methods, structure protocols, and train staff. Most others ignore them, modify them, or apply them selectively based on local preference or operational convenience. There is no enforcement mechanism, no unified system of oversight. The science exists, but whether it is followed depends on where you are.

Houck’s article details many other issues that plague forensic science, but the main issues arise because there are 18,000 different authorities on the matter. Because this is a structural issue, deeply rooted in how Americans think of governing ourselves, Houck doesn’t see an easy solution.

Reforming this system will not be easy. It runs up against the powerful American instincts toward local control, political independence, and legal precedent. Federal mandates for forensic accreditation, national licensing of analysts, or the establishment of an independent forensic science* oversight body (all ideas floated over the years) face stiff political and logistical resistance. I don’t give these ideas much of a chance.

Even Houck’s minimal suggestions for reform are questionable. In fact, if you read the list of his solutions at the bottom of his article, you’ll see that he’s already crossed one of them out.

Federal funding could be tied to meaningful accreditation and quality assurance requirements.

(Imagen 3)

Frame, Assess, Respond, and Monitor (FARM) in Third-Party Risk Management

I just listened to a third-party risk management (TPRM) Mitratech webinar about NIST cybersecurity frameworks, hosted by OCEG, which talked about a farm.

No, they’re not planting corn at NIST’s Gaithersburg headquarters.

(At least I don’t think so. I haven’t been there since early 2009, back when Motorola and Safran people couldn’t talk about the possible acquisition. We did anyway. But I digress.)

Back to TPRM. In Mitratech’s case, FARM stands for “frame, assess, respond, and monitor.”

Here’s how Mitratech introduced the topic in a 2022 post:

NIST SP 800-53 is considered the foundation upon which all other cybersecurity controls are built. With SP 800-161 Rev. 1, NIST outlines a complementary framework to frame, assess, respond to, and monitor cybersecurity supply chain risks. Together, SP 800-53 and supplemental SP 800-161 control guidance present a comprehensive framework for assessing and mitigating supplier risks.

If you visit the latest (as of 2024) update to SP 800-161, you can find NIST’s explanation of the FARM in Appendix G. The three referenced levels in the quote below are the enterprise, mission, and operations levels.

The first approach is known as FARM and consists of four steps: Frame, Assess, Respond, and Monitor. FARM is primarily used at Level 1 and Level 2 to establish the enterprise’s risk context and inherent exposure to risk. Then, the risk context from Level 1 and Level 2 iteratively informs the activities performed as part of the second approach described in The Risk Management Framework (RMF). The RMF predominantly operates at Level 3 [SP80037], – the operational level – and consists of seven process steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.

Briefly:

  • Frame establishes the context.
  • Assess is the risk assessment itself.
  • Respond is where the assessors communicate the results of the assessment and propose mitigations and controls.
  • Monitor is compliance verification and continuous monitoring.

Section G.2 of the document includes much, much more detailed definitions of the FARM elements, should you be interested. I’d provide those details myself, but then I fear I’d have to say to you, “Sorry if I’ve stayed too long.”

Why Do CPAs (the real ones) Manage SOC 2 Audits?

I’ve been around a ton of compliance frameworks during and after the years I worked at Motorola. 

  • The Capability Maturity Model (CMM), from the days before CMMI came into being.
  • The entire ISO 9000 family.
  • The General Data Protection Regulation (GDPR).
  • The California Consumer Privacy Act (CCPA) and the related California Privacy Rights Act (CPRA).
  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The NIST Cybersecurity Framework (CSF).
  • I’d personally throw the FBI CJIS Security Requirements onto this list.

SOC it to me

There is one compliance framework that is a little different from CMM, ISO, GDPR, and all the others: the System and Organization Controls (SOC) suite of Services

The most widely known member of the suite is SOC 2® – SOC for Service Organizations: Trust Services Criteria. But you also have SOC 1, SOC 3, SOC for Cybersecurity, SOC for Supply Chain, SOC for Steak…whoops, I made that one up because I’m hungry as I write this. But the others are real.

Who runs the SOC suite

But the difference about the SOC suite is that it’s not governed by engineers or scientists or academics.

It’s governed by CPAs.

And for once I’m not talking about content-proposal-analysis experts.

I’m talking about the AICPA, or the Association of International Certified Professional Accountants.

Which begs the question: why are a bunch of bean counters defining compliance frameworks for cybersecurity?

Why CPAs run the SOC suite

Ask Schneider Downs. As an accounting firm, they may have an obvious bias regarding this question. But their answers are convincing.

  • “CPAs are subject matter experts in risk management.” You see, my reference above to “bean counters” was derogatory and simplistic. Accounts need to understand financial data and the underlying risks, including vulnerabilities in cash flow, debt, and revenue. For example, if you’ve ever talked to a CxO, you know that revenue is never guaranteed.
  • “It was a natural progression to go from auditing against financial risk to auditing against cybersecurity risk.” Now this may seem odd on the surface, because you wouldn’t think mad Excel skills will help you detect deepfakes. But ignore the tools for a moment and look at a higher levels. Because of their risk management expertise, they can apply that knowledge to other types of risk, including non-financial ones. As Schneider Downs goes on to say…
  • “CPAs understand internal control concepts and the appropriate evidence required to support the operating effectiveness of controls.” You need financial controls at your company. You aren’t going to let the summer intern sign multi-million dollar checks. In the same way you need to identify and evaluate the internal controls related to the Trust Services Criteria (TSC) associated with SOC 2: security, availability, processing integrity, confidentiality, and privacy.

So that’s why the accountants are running your SOC 2 audit.

And don’t try to cheat when you pay them for the audit.

And one more thing

A few of you may have detected that the phrase “SOC it to me” is derived from a popular catchphrase from the old TV show Rowan & Martin’s Laugh-In.

A phrase that EVERYBODY said.

(Wildebeest accountants from Imagen 3)

Baby Steps Toward Order of Magnitude Increases in Fingerprint Resolution

(Part of the biometric product marketing expert series)

For many years, the baseline for high-quality capture of fingerprint and palm print images has been to use a resolution of 500 pixels per inch. Or maybe 512 pixels per inch. Whatever.

The crime scene (latent) folks weren’t always satisfied with this, so they pushed to capture latent fingerprint and latent palm print images at 1000 pixels per inch. Pardon me, 1024.

But beyond this, the resolution of captured prints hasn’t really changed in decades. I’m sure some people have been capturing prints at 2000 (2048) pixels per inch, but there aren’t massive automated biometric identification systems that fully support this resolution from end to end.

But that may be changing.

One important truth about infant fingerprints

For about as long as latent examiners have pursued 1000 ppi print capture, people outside of the criminal justice arena have been looking at fingerprints for a very different purpose.

Our normal civil fingerprint processes require us to identify people via fingerprints beginning at the age of 18, or perhaps at the age of 12.

But gow do we identify people in those first 12 years?

More specifically, can we identify someone via their fingerprints at birth, and then authenticate them as an adult by comparing to those original prints?

It’s a dream, but many have pursued this dream. Dr. Anil Jain at Michigan State University has pursued this for years, and co-authored a 2014 paper on the topic.

Given that children, as well as the adults, in low income countries typically do not have any form of identification documents which can be used for this purpose [vaccination], we address the following question: can fingerprints be effectively used to recognize children from birth to 4 years? We have collected 1,600 fingerprint images (500 ppi) of 20 infants and toddlers captured over a 30-day period in East Lansing, Michigan and 420 fingerprints of 70 infants and toddlers at two different health clinics in Benin, West Africa.

At the time, it probably made sense to use 500 pixel per inch scanners to capture the prints, since developing countries don’t have a lot of money to throw around on expensive 1000 ppi scanners. But the use of regular scanners runs counter to a very important truth about infants and their fingerprints. Are you sitting down?

Because infants are smaller than adults, infant fingerprints are smaller than adult fingerprints.

Think about it. The standard FBI fingerprint card assumes that a rolled fingerprint occupies 1.6 inches x 1.5 inches of space. If you were to roll an infant fingerprint, it would occupy much less than that. Heck, I don’t even know if an infant’s entire FINGER is 1.6 inches long.

So the capture device is obtaining these teeny tiny ridges, and these teeny tiny ridge endings, and these teeny tiny bifurcations. Or trying to. And if those second-level details can’t be captured, then you’re not going to get the minutiae, and your fingerprint matching is going to fail.

So a decade later, researchers today are adopting a newer approach, according to a Biometric Update summary of an ID4Africa webinar. (This particular portion is at the very end of the webinar, at around the 2 hour 40 minute mark.)

A video presentation from Judge Lidia Maejima of the Court of Justice of Parana, Brazil introduced the emerging legal framework for biometric identification of infants. Her representative Felipe Hay explained how researchers in Brazil developed 5,000 dpi scanners, he says, which accurately record the minutiae of infants’ fingerprints.

Did you capture that? We’re moving from five hundred pixels per inch to FIVE THOUSAND pixels per inch. (Or maybe 5120.) Whether even that resolution is capable of capturing infant fingerprint detail remains to be seen.

And as Dr. Joseph Atick noted, all this research is still in its…um…infancy. We won’t know for years whether the algorithms can truly match infant fingerprints to child or adult fingerprints.

By the way, when talking about digital images, Adobe notes that the correct term is pixels per inch, not dots per inch. DPI specifically refers to printer resolution, which is appropriate when you’re printing a fingerprint card but not when you’re displaying an image on a screen.

(Image from From https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-290e3.pdf )

Amazon One and Palm/Vein Identity Scanning in Healthcare: Does It Work?

If you create your own test data, you’re more likely to pass the test. So what data was used for Amazon One palm/vein identity scanning accuracy testing?

(Part of the biometric product marketing expert series)

(Image from Imagen 3)

I’ve previously discussed Amazon’s biometric palm/vein identity scanning efforts. But according to Dr. Sai Balasubramanian, M.D., J.D. in Forbes, Amazon is entering a new market, healthcare.

“Amazon announced that it is partnering with NYU Langone to launch Amazon One, a contactless palm screening technology, throughout the health system.”

Which makes sense, as long as the medical professional isn’t wearing gloves. I don’t know if Amazon One can read veins through medical gloves.

As I reflected upon this further, I realized something:

  • NIST has tested fingerprint verification and identification.
  • NIST has tested facial recognition. (Not that Amazon participated.)
  • NIST has tested iris recognition.

But NIST has never conducted regular testing of palm identification in general, or palm/vein identity scanning in particular. Not for Amazon. Not for Fujitsu. Not for Imprivata. Not for Ingenico. Not for Pearson. Not for anybody.

So how do we know that Amazon One works?

Because Amazon said so.

“Amazon One is 100 times more accurate than scanning two irises. It raises the bar for biometric identification by combining palm and vein imagery, and after millions of interactions among hundreds of thousands of enrolled identities, we have not had a single false positive.”

Claims may dazzle some people, but (as of 2023) Jim Nash was not among them:

“The company claims it is 99.999 percent accurate but does not offer information supporting that statistic.”

And so far I haven’t found any either.

Since the company trains its algorithm on synthetically generated palms, I would like to make sure the company performs its palm/vein identity scanning accuracy testing on REAL palms. If you actually CREATE the data for any test, including an accuracy test, there’s a higher likelihood that you will pass.

I think many people would like to see public substantiated Amazon One accuracy data. ZERO false positives is a…BOLD claim to make.

On Marketing Personas

(Imagen 3)

Marketing personas are like NIST biometric tests.

They’re not real.

Use them with caution.

Marketing personas.

This part isn’t in the video:

Yes, I know that marketing personas are representations of your hungry people (target audience) that wonderfully focus the mind on the people interested in your product or service. But if we’re being honest with ourselves, a software purchase is not greatly influenced by a non-person entity’s go-to coffee shop order.

Or whether the purchasing manager is 28 or 68.

So don’t go overboard in persona development.

That is all.

Except for the Bredemarket content-proposal-analysis promo.

https://bredemarket.com/cpa/

CPA

P.S. Dorothy Bullard’s article can be found here.

Clean Fast Contactless Biometrics

(Image from DW)

The COVID-19 pandemic may be a fading memory, but contactless biometrics remains popular.

Back in the 1980s, you had to touch something to get the then-new “livescan” machines to capture your fingerprints. While you no longer had messy ink-stained fingers, you still had to put your fingers on a surface that a bunch of other people had touched. What if they had the flu? Or AIDS (the health scare of that decade)?

As we began to see facial recognition in the 1990s and early 2000s, one advantage of that biometric modality was that it was CONTACTLESS. Unlike fingerprints, you didn’t have to press your face against a surface.

From https://www.youtube.com/watch?v=4XhWFHKWCSE.

But then fingerprints also became contactless after someone asked an unusual question in 2004.

“Actually this effort launched before that, as there were efforts in 2004 and following years to capture a complete set of fingerprints within 15 seconds…”

This WAS an unusual question, considering that it took a minute or more to capture inked prints or livescan prints. And the government expected this to happen in 15 seconds?

A decade later several companies were pursuing this in conjunction with NIST. There were two solutions: dedicated kiosks such as MorphoWave from my then-employer MorphoTrak, and solutions that used a standard smartphone camera such as SlapShot from Sciometrics and Integrated Biometrics.

Slide 10 from the NIST presentation posted at https://www.nist.gov/system/files/documents/2016/12/14/iai_2016-nist_contactless_fingerprints-distro-20160811.pdf.

The, um, upshot is that now contactless fingerprint and face capture are both a thing. Contactless capture provides speed, and even the impossible 15 second capture target was blown away. 

Fingers and faces can be captured “on the move” in airports, border crossings, stadiums, and university lunchrooms and other educational facilities.

Perhaps Iris and voice can be considered contactless and fast. 

But even “rapid” DNA isn’t that rapid.

TPRM

(Imagen 3)

A little (just a little) behind the scenes of why I write what I write.

What does TPRM mean?

I was prompted to write my WYSASOA post when I encountered a bunch of pages on a website that referred to TPRM, with no explanation.

Now if I had gone to the home page of that website, I would have seen text that said “Third Party Risk Management (TPRM).”

But I didn’t go to the home page. I entered the website via another page and therefore never saw the home page explanation of what the company meant by the acronym.

They meant Third Party Risk Management.

Unless you absolutely know that everybody in the world agrees on your acronym definition, always spell out the first instance of an acronym on a piece of content. So if you mention that acronym on 10 web pages, spell it out on all 10 of them.

That’s all I wanted to say…

How is NIST related to TPRM?

…I lied.

Because now I assume you want to know what Third Party Risk Management (TPRM) actually is.

Let’s go to my esteemed friends at the National Institute of Standards & Technology, or NIST.

What is TPRM?

But TPRM is implied in a NIST document entitled (PDF) Best Practices in Cyber Supply Chain Risk Management. Because there are a lot of “third parties” in the supply chain.

When companies began extensively outsourcing and globalizing the supply chain in the 1980’s and 1990’s, they did so without understanding the risks suppliers posed. Lack of supplier attention to quality management could compromise the brand. Lack of physical or cybersecurity at supplier sites could result in a breach of corporate data systems or product corruption. Over time, companies have begun implementing vendor management systems – ranging from basic, paper-based approaches to highly sophisticated software solutions and physical audits – to assess and mitigate vendor risks to the supply chain.

Because if MegaCorp is sharing data with WidgetCorp, and WidgetCorp is breached, MegaCorp is screwed. So MegaCorp has to reduce the risk that it’s dealing with breachable firms.

The TPRM problem

And it’s not just my fictional MegaCorp. Cybersecurity risks are obviously a problem. I only had to go back to January 26 to find a recent example.

Bank of America has confirmed a data breach involving a third-party software provider that led to the exposure of sensitive customer data.

What Happened: According to a filing earlier this month, an unidentified third-party software provider discovered unauthorized access to its systems in October. The breach did not directly impact Bank of America’s systems, but the data of at least 414 customers is now at risk.

The breach pertains to mortgage loans and the compromised data includes customers’ names, social security numbers, addresses, phone numbers, passport numbers, and loan numbers.

Note that the problem didn’t occur at Bank of America’s systems, but at the systems of some other company.

Manage your TPRM…now that you know what I mean by the acronym.

How Bredemarket Adopts Your Point of View

The video embedded in my “Where is ByteDance From?” blog post included an interesting frame:

“So depending upon your needs, you can argue that”

This frame was followed by three differing answers to the “Where is ByteDance From?” question.

But isn’t there only one answer to the question? How can there be three?

It all depends upon your needs.

Who is the best age estimation vendor?

I shared an illustrative example of this last year. When the National Institute of Standards and Technology (NIST) tested its first six age estimation algorithms, it published the results for everyone to see.

“Because NIST conducts so many different tests, a vendor can turn to any single test in which it placed first and declare it is the best vendor.

“So depending upon the test, the best age estimation vendor (based upon accuracy and or resource usage) may be Dermalog, or Incode, or ROC (formerly Rank One Computing), or Unissey, or Yoti. Just look for that “(1)” superscript….

“Out of the 6 vendors, 5 are the best. And if you massage the data enough you can probably argue that Neurotechnology is the best also. 

“So if I were writing for one of these vendors, I’d argue that the vendor placed first in Subtest X, Subtest X is obviously the most important one in the entire test, and all the other ones are meaningless.”

Are you the best? Only if I’m writing for you

I will let you in on a little secret.

  • When I wrote things for IDEMIA, I always said that IDEMIA was the best.
  • When I wrote things for Incode, I always said that Incode was the best.
  • And when I write things for each of my Bredemarket clients, I always say that my client is the best.

I recently had to remind a prospect of this fact. This particular prospect has a very strong differentiator from its competitors. When the prospect asked for past writing samples, I included this caveat:

“I have never written about (TOPIC 1) or (TOPIC 2) from (PROSPECT’S) perspective, but here are some examples of my writing on both topics.”

I then shared four writing samples, including something I wrote for my former employer Incode about two years ago. I did this knowing that my prospect would disagree with my assertions that Incode’s product is so great…and greater than the prospect’s product. 

If this loses me the business, I can accept that. Anyone with any product marketing experience in the identity industry is guaranteed to have said SOMETHING offensive to most of the 80+ companies in the industry.

How do I write for YOU?

But let’s say that you’re an identity firm and you decide to contract with Bredemarket anyway, even though I’ve said nice things about your competitors in the past.

How do we work together to ensure that I say nice things about you?

That’s where my initial questions (seven, plus some more) come into play.

My first seven questions.

By the time we’re done, we have hopefully painted a hero picture of your company, describing why you are the preferred solution for your customers—better than IDEMIA, Incode, or anyone else.

(Unless of course IDEMIA or Incode contracts with Bredemarket, in which case I will edit the sentence above just a bit.)

So let’s talk

If you would like to work with Bredemarket for differentiated content, proposal, or analysis work, book a free meeting on my “CPA” page.

CPA

You Need FAT and SAT

On LinkedIn, I was just discussing the difference between a controlled study and a real-world test. Think of a NIST test vs. a benchmark.

Then I started talking about some of the post-contract signature tests in the automated biometric identification system world, including factory acceptance tests and site acceptance tests.

These tests are not unique to ABIS. Healthcare (the other biometric) conducts FAT and SAT also, as Powder Systems notes.

“When manufacturing complex machinery in industries such as pharmaceuticals or fine chemicals, extensive equipment testing must be carried out before commissioning.

“It requires thorough functional, performance, and safety tests of intricate systems. These may comprise many components and interdependencies. Challenging though it may be, these must be systematically assessed before they’re put into operation. This approach is broadly known as acceptance testing.

“There are many forms of acceptance testing. Two closely related approaches that often come in for confusion are Factory Acceptance Testing (FAT) and Site Acceptance Testing (SAT). Both are critical stages in the verification and validation of equipment and systems within industrial and manufacturing contexts. However, they differ significantly in terms of location, timing, purpose, scope, participants, outcomes, and testing environment.”

You should read the entire article to learn about the significant differences between the two test types. But let me highlight one point:

“Factory acceptance testing typically involves a more rigorous and comprehensive testing process. This testing procedure includes the detailed verification of system components to ensure they function correctly and meet design specifications.”

This is based on the fact that it’s less costly to fix problems early at the factory than to fix them later out in the field.

Whether you’re testing pharmaceutical machinery or ABIS, both factory and site acceptance tests are absolutely critical. Skipping one of the two tests does not save costs.