Cyber Security Activities at The
[Organization chart; labels as recovered: CIO Office; Bruce Rosen; Convergent Software; Computer Security; Information Access; Information Services; Statistics; Math; Networking; Information Systems; Testing]
• Develop validation procedures for, and evaluate the effectiveness of, standards and guidelines;
• Perform research and conduct studies to determine the nature and extent of the vulnerabilities of sensitive systems;
• Devise techniques for the cost-effective security and privacy of sensitive information systems;
• Provide the staff services necessary to assist the Computer System Security and Privacy Board in carrying out its functions; and
• Assist the private sector, upon request, in using and applying the results of programs and activities.
Computer Security Act of 1987 and IT Management Reform Act of 1996, reinforced in OMB Circular A-130, App. III
Computer Security Division
Mission
To improve information systems security by:
• raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;
• researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
• developing standards, metrics, tests and validation programs:
  – to promote, measure, and validate security in systems and services;
  – to educate consumers; and
  – to establish minimum security requirements for Federal systems; and
• developing guidance to increase secure IT planning, implementation, management and operation.
Key Themes
• Security is important to sound and efficient functioning of the economy and government;
• Agency / OMB / Congress have high expectations of NIST re our Federal role;
  – Reflected in bills such as HR 1259; H.R. 3394; HR 3316;
• Security of commercial products in the marketplace is inadequate
  – Standards help -- NIST’s role in helping to develop specifications (to drive the market) helps our customers – both Federal and industry users know what to specify; Federal ones used as procurement specs.
  – Testing helps -- NIST’s role in testing helps users know they are getting what they think they are buying; also adds legitimacy to vendors’ claims.
• Product evaluation (e.g., OpSys) is difficult / time consuming at best – needs rigor and standardizable testing – a long term challenge
• Longer term challenge: security and composability
Types of Deliverables
• Standards and Specifications
  – FIPS (e.g., AES)
  – Voluntary Industry Consensus Standards
  – Ad hoc specifications
• Guidelines
  – ITL Bulletins
  – Special Publications
  – NIST Recommendations
• Security Outreach / Awareness / Leadership
  – Forum
  – CSSPAB
  – ICCC
  – CIO Security Committee
  – CC MRA
  – CSRC
  – Press articles
  – ITL Bulletins
  – FPKI TWG
Goals
Establish secure cryptographic standards for storage and communications & enable cryptographic security services in applications through the development of: PKI, key management protocols and secure application standards
Technical Areas
• Secure encryption, authentication, non-repudiation, key establishment, & random number generation algorithms.
• PKI standards for protocols, standards and formats
• PKI interoperability, assurance & scalability
Impacts
• Strong cryptography used in COTS IT products
• Standardized PKI & cryptography improves interoperability
• Availability of secure applications through crypto & PKI
Projects
Impacts
• Secure e-commerce and data protection through highly secure encryption that keeps pace with rapid advances in technology.
• Validation that COTS products comply with the AES standard.
• Banking and international standards communities are looking to adopt the AES, which will promote its use outside of government
Collaborators
Federal: National Security Agency (NSA)
Industry: Protonworld International (Belgium), IBM, RSA Security & Counterpane Systems participated in AES finalists; many companies provided extensive comments and papers on the AES selection & spec.
Academia: Katholieke Univ. (Belgium), MIT, Technicon, Cambridge Univ., & Univ. of Bergen faculty participated in finalist submissions; many others helped in analysis
Global: ISO JTC1/SC27
Milestones
FY 2001
• Selected the Rijndael algorithm as the AES
• Developed draft AES FIPS & completed public comment.
• Developed Draft AES Basic Modes of Operation
• Hold Modes Workshop (4Q)
• Issue NIST Recommendation on Basic Modes of Operation (4Q)
FY 2002
• Announced Secretary’s approval of AES
• Complete AES validation tests and software
• Publish AES Validation Guideline; begin testing AES products.
• Develop “Phase 2” AES Modes of Operation
Cryptographic Standards Toolkit
Goals
• Improve information security and facilitate electronic commerce by developing and standardizing strong cryptographic algorithms
• Provide guidance for the use of cryptography
Technical Areas
• Secure cryptographic algorithms for encryption, authentication, non-repudiation, key establishment, and random number generation.
Impacts
• Worldwide government and industry use of strong cryptography
• Guidance and education available in the use of cryptography.
• Secure interoperability achieved through standard algorithms
• Secure electronic commerce enabled through cryptography
Collaborators
Industry: ANSI X9, RSA Security, Certco, Certicom, Chase Manhattan Bank, Cybersafe, Cygnacom, Deloitte & Touche Security Services, IBM, Entrust, BBN, Booz-Allen, Ernst & Young, First Data Corp., First Union Corp., IDA, KPMG, Motorola, Gemplus, Jones Futurex, Mastercard, Merrill Lynch, GTE Cyber Trust, Pitney Bowes, PNC Bank, Price Waterhouse Coopers, TecSec, Spyrus, Verifone, VeriSign, Visa, Xcert, AES submitters and commenters
Federal: NSA, BXA, Federal Reserve, CSE, Treasury
Milestones
FY 2001
• Prepared draft AES and HMAC FIPS and completed public reviews
• AES and HMAC FIPS approval by SoC (4Q)
• Public Review of revised SHA with new algorithms (FIPS 180-2)
• Revision and public review of DSS (FIPS 186-3)
• Draft NIST basic AES Modes of Operation Recommendation (4Q)
• Modes Workshop (4Q)
• First Draft of Key Mgmt. Schemes & Guidance documents (4Q)
FY 2002
• FIPS 180-2 and FIPS 186-3 approval by SoC
• Validation tests for: AES modes, DSA, SHA, HMAC, ANSI X9.42
• Key Management Workshop
• Complete Key Establishment Scheme & Guidance Documents
• Develop phase 2 Modes of Operation recommendation
• Develop a Random Number Generation standard (ANSI X9.82)
First impact: Near-Term (Immediate to 2 years)
1/02
Collaborators
Federal: Federal PKI Policy Authority, Federal PKI Steering Committee, General Services Administration, General Accounting Office, National Security Agency, FDIC, Treasury FMS, Army Corps of Engineers, Office of Management and Budget
Academia: EduCause (1,800 universities, colleges, and educational institutions)
State: Illinois, Washington
Milestones
FY 2002
• Federal PKI Technical Working Group
  – Federal Bridge CA cross certifications
  – FBCA Certificate, CRL, and Directory Profiles
• PKI Policy Development Tools
  – Generic Certificate Policies
  – Certification Practice Statement templates
• Federal PKI Guidance Document (1Q)
• PKI directory guidance document
• High-Level PKI Services API Draft
• Federal Deposit Insurance Corporation PKI Deployment (OG)
• Army Corps of Engineers PKI consultation
• Treasury FMS PKI application development
Exploring New Security Technologies
• Identify and use emerging technologies, especially infrastructure niches
• Develop models, reference implementations, and demonstrations
• Transition new technology and tools to public & private sectors
• Advise Federal agencies to facilitate planning for secure use
Collaborators
Industry: IBM, Microsoft, SUN, Boeing, Intel, GTE, VDG, SCC, Sybase, SAIC, SUN, Lincoln Labs, Lucent, Trident, ISS, Symantec, MIT, 3Com, Interlink, Ford, BBN, CISCO, Lucent, Checkpoint, MCI, Oracle, Mitre, Mitretek, Intel, SAIC
Academic: University of Maryland, Ohio State, University of Tulsa, George Mason, Rutgers University, Univ of Pittsburgh, Purdue University, Univ of Washington
Federal: NSA, DoD, NRL, DARPA
Projects
• Access Control & Authorization Management
• ICAT Vulnerability/Patch Search Tool
• National Smart Card Infrastructure
• Intrusion Detection
• Mobile Agents
• Wireless/Device Security
• IPSec/web interface testing
• Quantum Computing Support
• CIP Grants
• Automated Testing
Proposed Collaborators
Industry: MIS Training Institute, Booz Allen Hamilton, Microsoft, I4
Federal: NIST, NSA, OMB, GSA
Academic: University of Maryland, Purdue University
Milestones
FY 2001
• Intrusion Detection
• Active Content & Mobile Code
• Firewall Policy
• Network Security Testing & Incident Handling
• Telecommuting/Broadband Security
• PKI
• IT Security Engineering Principles & IT Security Models
FY 2002
• Public Web Server & E-Mail Server
• Wireless & Device Security
• Microsoft Windows 2000 Security Guidance
• Smart Card guidance and Security Patches
• Interconnecting Systems and Contingency Planning
• Procurement of products/services
ICAT
ICAT Metabase Goals
Provide the IT community a fine grained searchable index of all known computer vulnerabilities using a standard naming scheme linking users to publicly available vulnerability databases.
A standards based searchable index of virtually all known computer vulnerabilities
Technical Lead: Peter Mell
http://icat.nist.gov
Technical Areas
• Developing classification schemes for vulnerabilities
• Collecting and evaluating vulnerability information
• Measuring the characteristics of vulnerabilities
Impacts
• ICAT enables system administrators to identify flawed systems and to find the patches
• Provides the security community with a free standards based index of all vulnerabilities
• Complementary and non-competitive with industry
• ICAT has received praise in over 12 news articles
“Your dedication to making ICAT into one of the premier databases is admirable” (Internet Security Systems)
Collaborators
Educational: SANS Institute (sponsor)
Military: NSA, DISA
Academia: Purdue/CERIAS
Industry: TrustWave, SecuritySaint.com, CyberCopsEurope.com, IpNSA, Securityinfos.com, Hideaway.net, VISC Software and Security, SOC GmbH
Awarded Commerce Department Bronze Medal
Averaging 50,000 hits per month
Over 100,000 hits in November 2001
Milestones
FY 2001
• ICAT web hits have increased by a factor of 17 in one year
• Analyzed over 2000 vulnerabilities for ICAT
• Started a vulnerability mailing list that now has 1600 subscribers
• Integrated ICAT into the SANS/FBI top 20 vulnerability list
• Helped mirror ICAT on the NSA network
• Enable organizations to integrate their products into ICAT
• Began offering an off-line version of ICAT
• Vulnerability notification system developed by Purdue
• Provided top ten vulnerability service
• Joined the CVE vulnerability standard’s editorial board
FY 2002
• Analyze over 1000 vulnerabilities
• Transition ICAT into being a more timely vulnerability service
IPSec Project
Technical Lead: Sheila Frankel
Goals
Work with world-wide industry leaders to promote the development of IP security standards, technology, and tests. This will ensure early, reliable and interoperable deployment of IPsec, the technology that is used to build VPNs and to protect the next generation Internet infrastructure and applications.
Technical Areas
• International standardization of Internet security protocols
• WWW-based Interoperability Testing
• Reference implementations of next generation network and security technology
Impacts
• Developed reference implementation of the IETF IPSec and IKE standards - used for education, experimentation, testing
• Web-based IPSec interoperability test facility: http://ipsec-wit.antd.nist.gov
• Over 250 organizations have used NIST’s interoperability tester
• Over 650 organizations have requested NIST’s IPSec reference implementation
Collaborators
Federal: NIST Internetworking Division, NSA
NIST IPSec Product Users
Industry: Bay Networks, BBN, Cabletron, Cisco, Compaq, CyberGuard, Digital, Frontiertech, Gartner Group, GTE Internetworking, Hewlett Packard, IBM, Intel, Interlink, Lucent Technologies, MCI, MIT, Microsoft, Routerware, SAIC, S-Cubed, Secure Computing, Spyrus, SUN, TIS, 3Com and many others
Government: GSA, NRL, Oak Ridge National Labs and others
Milestones
FY 2001
• Added dynamic certificate request and transmissions capability to PlutoPlus
• Updated AES Internet Draft to reflect AES selection
• Wrote Internet Drafts on the use of SHA-256 and AES-XCBC-MAC with IPsec and IKE
• Wrote NIST Security Bulletin on IPsec Status/Issues/Security
• Incorporated AES Algorithm (& other finalists) into PlutoPlus
• Published Book, “Demystifying the IPsec Puzzle”
• Presented invited talks and tutorial on IPsec
FY 2002
• Add PKI Interaction to IPsec-WIT
• Implement Version 2 of IKE
• Add IKE Version 2 to IPsec-WIT
• Publish guidance on the use of PKI within IPsec and IKE
GSC
Government Smart Card Program
Technical Lead: Jim Dray
Goals
Create a ubiquitous Smart Card Infrastructure to foster widespread use of smart card technology, improving the security of information systems within the U.S.
Technical Areas
• Develop technical guidance required by Federal contracting vehicles for procurement of standard smart card products
• In conjunction with the Government and vendor communities, develop interoperability specifications and standards
• Develop reference implementations, prototype conformance test suites, security testing criteria, and architectural models
Impacts
• Increased overall security of U.S. information systems
• Reduced cost of smart card system integration
• Simplification of user access control processes
• Enable development of consistent conformance test methodologies for smart card products and systems
Collaborators
Industry: EDS, Northrop/Grumman, MAXIMUS, KPMG, eEurope, British Telecom, W3C, RSA Labs, Australian National Office of the Information Economy
Federal: NIST, GSA, DoD, State Dept, USPS, SSA, VA, IRS, DoJ, DoT
Milestones
FY 2001
• NIST designated lead agency for GSC conformance test development
• Establish GSC testbed at NIST
• Develop GSC Interoperability Conformance Test Program
• Develop GSC automated test suite
FY 2002
• NIST publications on smart card technology and GSC interoperability framework
• Java smart card collaboration (prototype implementation)
• Establish a Smart Card security test program; coalesce with Common Criteria methodology
• International standards coordination
• GSC developer workshops and implementation guidance
• Identify and execute relevant R&D projects to promote smart card interoperability and standards
Assistance and Guidance / Outreach
• Assist U.S. Government agencies and other users with technical security and management issues
• Assist in development of security infrastructures
• Develop or point to cost-effective security guidance
• Assist agencies in using security technology guidance
• Support agencies on specific security projects on a cost-reimbursable basis
• Expanding use of recently-developed “NIST Recommendations” series to complement existing publication methods
• Raise awareness of our programs, value of evaluated products, and need for security
Goals
• Provide computer security guidance to ensure sensitive government information technology systems and networks are sufficiently secure to meet the needs of government agencies and the general public
• Serve as focal point for Division outreach activities
• Facilitate exchange of security information among Federal government agencies
Technical Areas
• Computer security policy/management guidance
• Computer Security Expert Assist Team (CSEAT) security support to Federal agencies
• Outreach to government, industry, academia, citizens
Impacts
• Agencies use standard, interoperable solutions
• Increased federal agency computer security programs
• Reduced costs to agencies from reduction of duplication of efforts
• Use of “Best Security Practices” among federal agencies
Collaborators
Federal: All Federal Agencies, Federal Computer Security Program Managers’ Forum, OMB, GSA, NSA, CIOs
Industry: Security Product Vendors
Academia: Major Universities with Computer Security curricula
Major Projects
• Computer security expert assist team (CSEAT)
• Federal computer security program managers forum
• Computer system security and privacy advisory board (CSSPAB)
• Computer security resource center (CSRC)
• Computer security conferences
• Risk management guidance
• Federal IT Security Self-Assessment Tool
• NIST Security Program Manager’s Handbook
• Contingency Planning Guidance
• Small and Medium Businesses Outreach
CSRC Redesigned 7/00
Collaborators
Federal: All Federal Agencies, OMB
Milestones
FY 2001
• CSEAT methodology established
• Received multiple requests from agencies
• Review of FEMA completed (Q4)
FY 2002
• First high-risk program review of Indian Trust Management initiated
• Methodology provided on web site
• Initiate cost-reimbursable model if funding for administrative costs received
• Develop sanitized case studies
• Initiate development of CSEAT review methodology guideline
Collaborators
Federal: Small Business Administration; National Infrastructure Protection Center – InfraGard Program; Manufacturing Extension Partnership
Industry: Security Product Vendors; Regional business consortia; Selected business partners
Milestones
FY 2001
• Plan for conducting regional meetings completed (Q4)
• Meeting educational material developed (Q4)
FY 2002
• First 2 regional meetings conducted
• Third regional meeting scheduled for February
• Build community of small business owners, IT professionals, and researchers
• Generate a plan to provide web based IT security information in areas of specific importance to small businesses
FY 2003
• Continue conducting regional meetings
• Train local trainers, members of local chapters of industrial associations, or other small business resources
Security Testing
[Diagram: User Security Needs; Standards; Product Validation; IT Security Metrics; Testing and Evaluation]
Goals
• Improve the security and quality of IT products
• Foster development of test methods, tools, techniques, assurance metrics, and security requirements
• Promote the development and use of tested and validated IT products
• Champion the development and use of national/international IT security standards
Technical Areas
• Provide Federal agencies, industry, and the public with a proven set of IT security testing methodologies and test metrics
• Promote joint work between NIST, the American National Standards Institute (ANSI) and the international standards community
Impacts
• Timely, cost-effective IT security testing
• Increased security in IT systems through availability of tested products
• Creates business opportunities for vendors of security products, testing laboratories, and security consultants
Collaborators
Federal: National Voluntary Laboratory Accreditation Program
Industry: American National Standards Institute (ANSI); InfoGard Laboratories Inc.; CygnaCom Solutions; DOMUS IT Security Laboratory, a Division of LGS; COACT, Inc. CAFÉ Lab; Atlan Laboratories; EWA-Canada LTD, IT Security Evaluation Facility; CORSEC Security Inc.
Global: Communication Security Establishment (CSE) of the Government of Canada
Milestones
FY 2001
• Finalized FIPS 140-2: Security Requirements for Cryptographic Modules
• Implemented Cost Recovery Plan as of February 15, 2001
• Developed FIPS 140-2 Derived Test Requirements and Automated Tool (Q4)
• Validated 45 crypto modules and 46 crypto algorithm implementations
• Coordinated ANSI X9.42-2001: Key Agreements Using Diffie-Hellman and MQV
• Finalized SD-012 Guideline for Validating Implementations Conforming to ANSI Standards
• Completed Cryptographic Module Reference Implementation (Q4)
FY 2002
• Revise Cryptographic Module Testing (CMT) laboratory accreditation process, NVLAP Handbook 150-17
• Accredit 2-3 additional CMT Laboratories, including international
• Expand the agreement with CSE to include additional countries
• Conduct second Cryptographic Module Validation Program Workshop/Conference
• Develop Validation Test Suites for new algorithms/protocols
Collaborators
Federal: State Dept., DoC, DoD, GSA, NIST, NSA, DoE, OMB
Industry: Oracle, CISCO, Hewlett-Packard, Lucent, SAIC, Microsoft, Computer Sciences Corp., Cygnacom, Arca, IBM, EDS, VISA, MasterCard, Amex, Checkpoint, Computer Assoc., RSA, Sun Microsystems, Network Assoc., Booz-Allen, Seculab, Entrust, Silicon Graphics, COACT
Global: United Kingdom, France, Germany, Japan, Korea, Canada, The Netherlands, Australia, Italy, Spain, New Zealand, Finland, Sweden, Norway, Greece, Israel, Russia, ECMA, JCB, Europay, Mondex
Forums: Healthcare, Information Assurance, Process Control, Smart Card, Insurance
Milestones
FY 2001
• Accredited 5 Common Criteria (CC) Testing Laboratories
• Expanded CC Recognition Arrangement to 14 nations adding Israel
• Hosted national-level Government-Industry IT Security Forum
• Conducted international IT security outreach training for Japan and Israel
• Developed comprehensive operations manual for CC Recognition Arrangement
• Completed smart card protection profile and corresponding evaluation
• Initiated new security requirements forum for process control systems
• Validated 4 security products and 4 protection profiles
FY 2002
• Accredit 1-2 additional CC Testing Laboratories
• Expand CC Recognition Arrangement by 1-2 nations
• Develop technology-based lab accreditation program with smart card prototype
• Initiate cooperative protection profile development effort with government/industry
• Develop guidance, procedures and assessment program for system certifications
• Enhance outreach program and activities
Common Criteria
[Figure: Families of Protection Profiles. Each column carries two protection profiles (PP-1, PP-2) for one product family: Operating Systems; Database Systems; PKI; Smart Cards; Biometrics Devices; Firewalls; Wireless; Web Apps & Browsers; Intrusion Detection; Virtual Private Networks. Axis labels: Protection Profiles (rows), Systems (columns)]
Fran.nielsen@nist.gov
301/975-3669