NIST’s Role in Computer Security

Ed Roback
Computer Security Division
NIST Information Technology Laboratory

November 9, 1999

• Who we are
• Computer security program
• NIST partnerships
• Summary
NIST Information Technology Laboratory (ITL)

Mission: Promote the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure for information technology.

ITL divisions:
• Advanced Network Technologies
• Computer Security
• Distributed Computing and Information Services
• High Performance Systems and Services
• Information Access and User Interfaces
• Mathematical and Computational Sciences
• Software Diagnostics and Conformance Testing
• Statistical Engineering
NIST Mandate for Computer Security
• Develop standards and guidelines for the Federal
• Improve the competitiveness of the American IT
Computer Security Division Mission
To improve the state-of-the-art in information security through:
• Guidance - to increase effective security planning and implementation of cost-effective security in Federal systems
• Standards, Metrics, Tests - to promote, measure, and validate security improvements and enable confidence for marketplace transactions and minimum standards for Federal
• Awareness - of IT vulnerabilities and protection requirements

Security Program Strategy
• Collaboration with industry and government
  – Work to develop IT specifications and conformance tests to promote secure, interoperable products and
  – Develop standards in cooperation with industry and voluntary consensus standards bodies to promote and protect USG and IT industry interests
• Acting as “honest broker”
Security Program Strategy (continued)
• Focus on improving the security of products and
  – Develop standards for secure, interoperable products
  – Validate conformance of commercial products to selected Federal Information Processing Standards (FIPS)
  – Perform research and conduct studies to identify vulnerabilities and devise solutions
  – Develop new test methods and procedures that will make testing of security requirements/specifications more efficient and cost effective
Key Components of NIST’s Computer Security Program
• Security standards development
• Security testing
• Exploring new security technologies
• Assistance and guidance
Security Standards Development
• Work with industry and government to develop standards for computer security
  – Cryptography
  – Policies, management, and operational controls
  – Best practices
  – Common Criteria
  – Public Key Infrastructure (PKI)
Key Efforts -- Standards
• AES                 Advanced Encryption Standard
• FIPS 46-3           Data Encryption Standard (DES), adding Triple DES (TDEA)
• DSS upgrade         Digital Signature Standard, extended to include RSA and Elliptic Curve signatures
• SHA-2               Upgrade of SHA-1
• FIPS 140-2          Upgrade of FIPS 140-1 (security requirements for cryptographic modules)
• X9.82               Random Number Generation
• Key Exchange        Key Exchange/Agreement Standard(s)
• ISO 15408           Common Criteria v2
• IETF                PKIX, IPsec, DNSSEC, etc.
• ISO 15292/15446     Protection Profile Registration and Development Guidance
• FIPA                Foundation for Intelligent Physical Agents
• PKI                 Security Requirements for Certificate Issuing and Management Components (CIMCs)
Security Testing
• Develop the tests, tools, profiles, methods, and implementations for timely, cost-effective evaluation and testing
• Validation
  – Cryptographic Module Validation Program (CMVP)
  – National Information Assurance Partnership (NIAP)
• Conformance and interoperability testing
  – MISPC
  – IPv6 test resource
Key Efforts -- Testing
• Crypto Module Validation Program
• Algorithm Testing
• Random Number Generator Testing
• MISPC Testing
• Certificate Authority Testing
• Firewall Security & Evaluation Tests
• Telecommunications Switch Security
• Protection Profile Testing
• Automated Test Development/Generation
• Common Criteria Evaluation and Validation
• Laboratory Accreditation
Exploring New Security Technologies
• Identify and use emerging technologies, especially infrastructure niches
• Develop prototypes, reference implementations, and demonstrations
• Transition new technology and tools to public & private sectors
• Advise Federal agencies
Key Efforts -- New Technologies
• Role-Based Access Control
• Policy Management
• Intrusion Detection
• Mobile Agents
• Automated Security Test Generation
• IPsec/web interface testing
• Security Service Interfaces
Assistance and Guidance
• Assist U.S. Government agencies and other users with technical security and management issues
• Assist in development of security infrastructures
• Develop or point to cost-effective security guidance
• Actively transfer security technology and guidance from NIST to agencies/industry
• Support agencies on specific security projects on a cost-reimbursable basis
Key Efforts -- Assistance and Guidance
• NIST Special Publications:
  – SP 800-18, “Guide for Developing Security Plans for Information Technology Systems”
  – SP 800-16, “Information Technology Security Training Requirements”
  – “Guideline for Implementing Cryptography in the Federal Government”
  – “Security Incident Handling -- A Cooperative Approach”
• ITL Bulletins (1999):
  – November: Intrusion Detection
  – September: Securing Web Servers
  – August: The Advanced Encryption Standard: A Status
  – May: Computer Attacks: What They Are and How to Defend Against Them

In carrying out NIST’s programs, we don’t work alone...
NIST Partnerships

Partner categories on the slide: Federal Agencies, IT Industry, Testing Labs, Standards, Community, Academia, Outreach.

Partners named:
• ACM Workshops on Access Control (steering committee member)
• Agency Assistance
• American Bar Association Information Security Committee
• ANSI Accredited Standards Committee X9F3
• ANSI X9.82 Random Number Generation Standard
• ANSI X9F, X9F1, X9F3
• ANSI-NCITS T4
• Best Practice Task Force
• CEAL: a Cygnacom Solutions Laboratory
• CIO Council Security, Privacy and Critical Infrastructure Committee
• Common Criteria Mutual Recognition Arrangement Management Committee
• Computer System Security & Privacy Advisory Board (CSSPAB)
• Critical Infrastructure Coordination Group
• Critical Infrastructure Protection
• Department of Justice Executive Advisory
• DoC/CIO Contingency Planning Affinity Group
• DOMUS IT Security Laboratory, a Division of LGS Group, Inc.
• FedCIRC Partners
• Federal Computer Security Program Managers’ Forum
• Federal Computer Security Training Resource Center
• Federal Information Systems Security Educators’ Association (FISSEA)
• Federal Public Key Infrastructure Steering Committee & Subgroups
• Federal Public Key Infrastructure Technical Working Group
• Forum for Privacy & Security in Healthcare
• High Performance Computing and
• IETF Internet Protocol Security (IPSEC) Working Group
• IETF Internet Protocol Secure Remote Access (IPSRA) Working Group
• IETF IP Security Policy (IPSP) Working Group
• IETF Public Key Infrastructure Working Group
• IETF S/MIME V3 Working Group
• InfoGard Laboratories, Inc.
• Information Industry Group
• INFOSEC Research Council
• ISO/International Electrotechnical Commission Joint Technical Committee 1, SC27
• National Colloquium for Information Systems Security Education (NCISSE)
• National Committee for Information Technology Standards, Technical Committee T3 - Open Distributed Processing
• National Science Foundation Career Proposal Review Panel
• National Security Telecommunications & Information Systems Security Committee (NSTISSC)
• Network Security Information Exchange
• NIST-NSA Technical Working Group
• Open Source Security Working Group
• Smart Card Security Users Group
Key Theme: Improving Security Products

How we improve security through standards and testing (a cycle):
1. Identify needs for security standards (industry and government)
2. Develop security standards
3. Test products against security standards
4. Vendors improve products
5. Users get more secure products

Summary & Conclusions
NIST is improving security by:
• Raising awareness of the need for cost-effective security
• Engaging in key U.S. voluntary standards activities
• Developing standards and guidelines to secure Federal systems (often adopted voluntarily by the private sector)
  – Cryptographic algorithms
  – Policy, management, operations, and best practices guidance
  – PKI
• Providing a national leadership role for security testing and
  – Cryptographic Module Validation Program
  – National Information Assurance Partnership

...there is more we could do...
President’s 9/99 Proposal for Increasing NIST CIP Activities
• Establish an Expert Review Team at NIST
  – Assist Government-wide agencies in adhering to Federal computer security requirements
  – Director to consult with OMB and NSC on plans to protect and enhance computer security for Federal
• Fund a permanent 15-member team responsible for
  – Helping agencies identify vulnerabilities
  – Plan secure systems, and implement CIP plans
President’s 9/99 Proposal for Increasing NIST CIP Activities (Concluded)
• Establish an operational fund at NIST for computer security projects among Federal
  – Independent vulnerability assessments
  – Computer intrusion drills
  – Emergency funds to cover security fixes for systems identified to have unacceptable security risks
