• No results found

NIST Cyber Security Activities

N/A
N/A
Info
Download
Protected

Academic year: 2022

Share "NIST Cyber Security Activities"

Copied!
13
0
0

Loading.... (view fulltext now)

Download now ( 13 Page )

Full text

(1)

1

NIST Cyber Security Activities

Dr. Alicia Clay

Deputy Chief, Computer Security Division NIST Information Technology Laboratory

U.S. Department of Commerce

September 29, 2004

(2)
(3)

3

Computer Security Division Mission

Mission: To improve information systems security by:

Raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;

Researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;

Developing standards, metrics, tests and validation programs:

to promote, measure, and validate security in systems and services to educate consumers and

to establish minimum security requirements for Federal systems

Developing guidance to increase secure IT planning, implementation, management and operation.

(4)

Cyber Security Statutory Mandates

Federal Information Security Management Act of 2002 Federal security standards and guidelines

Minimum requirements;

categorization standards, incident handling,

NSS identification, … Support of ISPAB

Cyber Security Research and Development Act of 2002 Extramural research support

Fellowships

Intramural research Checklists

NRC study support

(5)

5

Current NIST Computer Security Activities

Cryptographic Standards and E-Authentication

Establish secure cryptographic standards for storage and communications &

enable cryptographic security services in e-Government applications through electronic authentication and key management protocols

Emerging Technologies

Identify & exploit emerging technologies especially infrastructure niches

Develop prototypes, reference implementations, and demonstrations

Transition new technology and tools to public & private sectors

Develop the tests, tools, profiles, methods, and implementations for timely, cost effective evaluation and testing

Management and Assistance

Provide computer security guidance to ensure sensitive government information technology systems and networks are sufficiently secure to meet the needs of government agencies and the general public

Serve as focal point for Division outreach activities

Facilitate exchange of security information among Federal government agencies

Security Testing

Improve the security and quality of IT products

Foster development of test methods, tools, techniques, assurance metrics, and security requirements

Promote the development and use of tested and validated IT products

Champion the development and use of national/international IT security standards

(6)

Recently Completed NIST Security Guidelines

800-30, Risk Management Guide for Information Technology Systems

800-31, Intrusion Detection Systems

800-34, Contingency Planning Guide for Information Technology System

800-37, Security Certification and Accreditation

800-40, Procedures for Handling Security Patches

800-41, Guidelines on Firewalls and Firewall Policy

800-42, Guideline on Network Security Testing

800-44, Guidelines on Securing Public Web Servers

800-45, Guidelines on Electronic Mail Security

800-46, Security for Telecommuting and Broadband Communications

800-47, Security Guide for Interconnecting Information Technology Systems

800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices

800-63, Electronic Authentication Guideline

800-67, Recommendation for the Triple Data Encryption Algorithm Block Cipher

(7)

7

Select Guidelines Under Development

800-53, Security Controls for Federal Information Systems (DRAFT)

800-56, Recommendation on Key Establishment Schemes (DRAFT)

800-57, Recommendation on Key Management (DRAFT)

800-58, Security Considerations for Voice Over IP (DRAFT)

800-61, Computer Security Incident Handling Guide (DRAFT)

800-65, Integrating Security into the Capital Planning and Investment Control Process (DRAFT)

800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (DRAFT)

800-68, Securing Microsoft Windows XP Systems for IT Professionals (DRAFT)

800-70, The NIST Security Configuration Checklists Program (DRAFT)

800-72, Guidelines on PDA Forensics (DRAFT)

•Media Destruction/Sanitization

•Penetration Testing & Vulnerability Management

•Trust frameworks

(8)

3 High Visibility Projects

• Minimum Standards for all Federal Systems

• Cyber Security Checklists

• Personal Identity Verification

(9)

9

Risk Management Framework

In system security plan, provides a an overview of the security requirements for the

information system and documents the security controls planned or in place

SP 800-18

Security Control Documentation

Defines category of information system according to potential

impact of loss FIPS 199 / SP 800-60

Security Categorization

Selects minimum security controls (i.e., safeguards and countermeasures) planned or

in place to protect the information system SP 800-53 / FIPS 200

Security Control Selection

Determines extent to which the security controls are implemented correctly, operating

as intended, and producing desired outcome with respect to meeting security requirements

SP 800-53A / SP 800-37

Security Control Assessment

SP 800-53 / FIPS 200 / SP 800-30

Security Control Refinement

Uses risk assessment to adjust minimum control set based on local conditions, required threat

coverage, and specific agency requirements

SP 800-37

System Authorization

Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing

SP 800-37

Security Control Monitoring

Continuously tracks changes to the information system that may affect security controls and

assesses control effectiveness

Implements security controls in new or legacy information systems;

implements security configuration checklists

Security Control Implementation

SP 800-70

(10)

10

Cyber Security Checklists

• Task to NIST … Develop checklists:

setting forth settings and option selections that minimize the security risks associated with each computer

hardware or software system that is, or is likely to become, widely used within the Federal government.

• NIST developing web-based database

• DHS Support

• FISMA requirements for agencies

• 800-70 out for comment

• ~December 2004 – Target for Launch

• Outreach – NCSP, CISWG, ITAA, BSA, etc.

(11)

11

Personal Identity Verification

HSPD #12 – Six Month Deadline to create a secure and reliable automated system that may be used Government-wide to:

1) Establish the authentic true identity of an individual;

2) Issue an identity credential token to each authenticated individual containing an “electronic representation” of the identity and the person to whom it is

issued which can later be verified using appropriate technology when access to a secure Federal facility or information system is requested;

3) Provide graduated criteria that provide appropriate levels of assurance and security to the application;

4) Be strongly resistant to identity fraud, counterfeiting, and exploitation by individuals, terrorist organizations, or conspiracy groups;

5) Initiate development and use of interoperable automated systems meeting these requirements.

(12)

Deployment of Outcomes

What

• Guidelines and standards

How

• Buy-in through collaboration

• Bulletins and brochures

• Workshops (examples)

• Strong Web Presence http://csrc.nist.gov

• PRISM

• Direct agency support

• Voluntary standards participation

• Sharing information with other National Bodies

(13)

13

Objectives

NIST’s cyber security work provides:

• Increased protection against cyber security disruptions;

• Increased trust and confidence in the security of the IT infrastructure leading to increased usage for transactions, increased productivity, and enhanced flexibility of use;

• Improved cyber security for government information

systems enhancing the ability of agencies to deliver services electronically and ensuring continuity of operations; and

• Decreased life-cycle costs of government IT

References

Download now ( PDF - 13 Page - 300.04 KB )

Related documents

04 Nephrology

Hence once DMSA has ruled out renal scarring, we can begin treatment as for a lower urinary tract infection.. Treatment

Market and Business Analysis of Tissue Engineered Blood Vessels

infection, a lack of foreign scaffold materials, more favorable mechanical properties (more compliant, less stiff) and greater contractile responsiveness. However, there are

Extended sufficient semilocal convergence for the Secant method

Using our new concept of recurrent functions, and combining Lipschitz and center-Lipschitz conditions on the divided difference operator, we provided new sufficient

WLAN/Cellular Convergence. Michael F. Finneran President dbrn Associates, Inc.

IMS Reference Architecture Call Session Controller Applications & Services 2G Networks PSTN Gateway PSTN IP Network - WLAN - WiMax - xDSL - Cable Modem Gateway GPRS Support

Peruvian Mental Health Reform: a Framework for Scaling-Up Mental Health Services

The activities implemented are based on recommendations by the WHO, 3 and involve the task-shifting of detection and treatment of mild to moderate disorders from specialists

Healthy Food Enterprise Microlending Intermediaries Los Angeles County. Proposal Guidelines

The California FreshWorks Fund (FreshWorks) is announcing the availability of $2 million in loan capital, as well as companion grants and technical assistance resources, for

Beyond Kolpak: EU Law’s unforeseen contribution to the movement of African Cricketers

During the period of South Africa’s international isolation numerous individual cricketers played professionally in English County Cricket; thus the global movement of

Wake up call for collegiate athlete sleep: narrative review and consensus recommendations from the NCAA Interassociation Task Force on Sleep and Wellness

screening follow-up, including triggers for referral to (campus and/or off- campus) sleep medicine providers. Recommendation 9: Provide evidence- based sleep education to