Ed Roback Chief, Computer Security Division April 4, 2005



  1. Securing U.S. Federal Information Systems and Beyond: NIST Activities and Other Government Initiatives Ed Roback Chief, Computer Security Division April 4, 2005

  2. Agenda Topics • NIST Statutory Responsibilities & Other Key Assignments • Overview of Current Projects • High Visibility Projects • New Projects

  3. NIST Statutory Security Mandates • Federal Information Security Management Act of 2002 - Federal security standards and guidelines - Minimum requirements; categorization standards, incident handling, NSS identification, … - Advisory Board support • Cyber Security Research and Development Act of 2002 - Extramural research support - Fellowships - Intramural research - Checklists - NRC study support • Scope: non-national security systems

  4. Other Key Security Assignments • HAVA – Security of Voting Systems • Homeland Security Presidential Directive #12

  5. Federal Security Roles • Unclassified Systems - NIST – standards, guidelines, security research (in-house and academic-industry partnerships), under the Federal Information Security Management Act of 2002 and the Cyber Security Research and Development Act of 2002 - DHS – day-to-day security alerts, operations, etc. (National Cyber Security Division in IAIP) - NSF – academic research support, under the Cyber Security Research and Development Act of 2002 - Congress/OMB – government-wide policy/oversight role • Classified Systems - A. National Security Systems – “Committee on National Security Systems” - B. Intelligence Systems – Director of Central Intelligence

  6. No Standard Terminology • Standards • Performance vs. interoperability • Market Dominant product “standards” • Voluntary Industry Consensus Standards (“formal”) • What’s a FIPS? (“Federal”) Applicability… • Guidelines … Applicability of NIST Guidelines… • “Best” Practices • Procedures • Policies

  7. Key Standards Organizations • International: ICAO; IETF (Internet Area, Security Area, Routing Area, Operations & Management Area, Transport Area); ITU; IEEE; ISO (TC 68); IEC; ISO/IEC JTC1 (SC 2, SC 6, SC 17, SC 27, SC 37) • Regional: ETSI; eEurope; NESSIE; Eurosmart; EESSI • National: ANSI-accredited X9, Inc. (X9F) and INCITS (B10, M1, T3, T4); BSI; JIS; Japan’s Cryptographic Technology Evaluation Committee

  8. NIST-CSD Research Projects • Cryptography / E-Auth: Cryptographic Standards and Applications; Cryptographic Standards Toolkit; E-Authentication • Security Testing: Cryptographic Module Validation Program; 800-53A Validation Guideline • Security Management and Guidance: Industry and Federal Security Standards; Security Management Guidelines; Agency Program Reviews • Emerging Technologies: Checklists; Technical Security Guidelines; Government Smart Card Program; Mobile Device Security; Forensics; Access Control and Authorization Management; ICAT

  9. Recent Federal Security Standards • FIPS 201, Personal Identity Verification for Federal Employees and Contractors • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems • FIPS 198, Keyed-Hash Message Authentication Code • FIPS 197, Advanced Encryption Standard Coming Soon… • FIPS 200, Minimum Requirements for All Federal Systems* * Exact title TBD

  10. Recently Completed NIST Security Guidelines • Draft 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification • Draft 800-77, Guide to IPsec VPNs • Draft 800-76, Biometric Data Specification for Personal Identity Verification • Draft 800-73, Integrated Circuit Card for Personal Identity Verification • 800-72, Guidelines on PDA Forensics, November 2004 • Draft 800-70, The NIST Security Configuration Checklists Program • Draft 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist • 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, May 2004 • 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, March 2005 Available at http://csrc.nist.gov/publications/nistpubs/index.html

  11. Recently Completed NIST Security Guidelines • 800-65, Integrating Security into the Capital Planning and Investment Control Process, January 2005 • 800-64, Security Considerations in the Information System Development Life Cycle, October 2003 (revision 1 released June 2004) • 800-63, Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology, June 2004 (version 1.0.1 released September 2004) • 800-61, Computer Security Incident Handling Guide, January 2004 • 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, June 2004 • 800-59, Guideline for Identifying an Information System as a National Security System, August 2003 • 800-58, Security Considerations for Voice Over IP Systems, January 2005 • DRAFT 800-57, Recommendation on Key Management • 800-55, Security Metrics Guide for Information Technology Systems, July 2003 • 800-53, Recommended Security Controls for Federal Information Systems, February 2005 • DRAFT 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations Available at http://csrc.nist.gov/publications/nistpubs/index.html

  12. Future Guidelines* • Checklists and Configuration/Hardening Guides (DHS) • Media Destruction/Sanitization (DHS) • Risk Management (DHS) • Incident Exercises (DHS) • Malware (DHS) • VOIP • Forensics Handbook • Sensor Deployment • Penetration Testing & Vulnerability Management • Technical Security Metrics • Web Services • IP/Telephony Convergence • Trust frameworks • RFID • Embedded Systems • Governance *funding permitting, except as noted

  13. Please consider submitting any practices you may have for inclusion in our site!

  14. Tested Products / Modules

  15. 3 High Visibility Projects • FISMA Trilogy - #3 - Minimum Standards for all Federal Systems • CSRDA - Checklists • HSPD #12 - Personal Identity Verification

  16. Key NIST Tasks to Implement FISMA

  17. Categorization Standards: FISMA Requirement • Develop standards to be used by federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels • Publication status: • Federal Information Processing Standards (FIPS) Publication 199, “Standards for Security Categorization of Federal Information and Information Systems” • Final Publication: December 2003* *FIPS Publication 199 was signed by the Secretary of Commerce in February 2004.

  18. FIPS Publication 199 • FIPS 199 is critically important to enterprises because the standard— • Requires prioritization of information systems according to potential impact on mission or business operations • Promotes effective allocation of limited information security resources according to greatest need • Facilitates effective application of security controls to achieve adequate information security • Establishes appropriate expectations for information system protection

  19. FIPS 199 Applications • FIPS 199 should guide the rigor, intensity, and scope of all information security-related activities within the enterprise including— • The application and allocation of security controls within information systems • The assessment of security controls to determine control effectiveness • Information system authorizations or accreditations • Oversight, reporting requirements, and performance metrics for security effectiveness and compliance

  20. SP 800-60 Security Categorization Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories

  21. SP 800-60 Security Categorization Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories Minimum Security Controls for High Impact Systems

  22. Mapping Guidelines: FISMA Requirement • Develop guidelines recommending the types of information and information systems to be included in each category • Publication status: • NIST Special Publication 800-60, “Guide for Mapping Types of Information and Information Systems to Security Categories” • Final Publication: June 2004

  23. Minimum Security Requirements: FISMA Requirement • Develop minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category • Publication status: • Federal Information Processing Standards (FIPS) Publication 200, “Minimum Security Controls for Federal Information Systems”* • NIST Deadline: December 2005 *NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems,” February 2005, will provide interim guidance until completion of the standard.
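Slides 17 through 23 describe the FISMA sequence of categorizing information (FIPS 199), mapping information types to categories (SP 800-60) and picking minimum controls for the resulting category (SP 800-53, later FIPS 200). The following is an added example, not code from NIST or from the talk, showing how the system-level category is derived: FIPS 199 rates each of confidentiality, integrity and availability as Low, Moderate or High per information type, allows "not applicable" for confidentiality of public information only, and sets the system's category to the highest rating per objective across all of its information types (the high-water mark). The three sample information types and their ratings are constructed for illustration and are not taken from SP 800-60.

```python
"""FIPS 199 security categorization with the system-level high-water mark.

Added example, not NIST code. The impact levels, the three security
objectives, the confidentiality-only "NA" option and the high-water-mark
rule follow FIPS 199; the per-type ratings below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable

# Ordering used by the high-water mark. "NA" (public information) is
# permitted only for confidentiality and ranks below LOW.
RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for obj in OBJECTIVES:
            level = getattr(self, obj)
            if level not in RANK:
                raise ValueError(f"{obj}: {level!r} is not a FIPS 199 impact level")
            if level == "NA" and obj != "confidentiality":
                raise ValueError(f"{obj} cannot be NA; only confidentiality may be")

    def __str__(self) -> str:
        # FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}
        return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
                % (self.confidentiality, self.integrity, self.availability))


def high_water_mark(categories: Iterable[SecurityCategory]) -> SecurityCategory:
    """System-level category: the highest impact per objective across every
    information type the system stores, processes or transmits."""
    cats = list(categories)
    if not cats:
        raise ValueError("a system carries at least one information type")
    return SecurityCategory(*(
        max((getattr(c, obj) for c in cats), key=RANK.__getitem__)
        for obj in OBJECTIVES))


def overall_impact(sc: SecurityCategory) -> str:
    """Single impact level for the system: the highest of the three objectives.
    This is the level the SP 800-53 low/moderate/high baselines key off."""
    return max((sc.confidentiality, sc.integrity, sc.availability),
               key=RANK.__getitem__)


# Constructed sample: three information types on one hypothetical system.
SAMPLE_TYPES = {
    "public web content":    SecurityCategory("NA", "MODERATE", "LOW"),
    "benefit claim records": SecurityCategory("MODERATE", "MODERATE", "LOW"),
    "emergency dispatch":    SecurityCategory("LOW", "HIGH", "HIGH"),
}


def categorize_system(info_types=SAMPLE_TYPES):
    """Return (system category, overall impact level) for a set of information types."""
    sc = high_water_mark(info_types.values())
    return sc, overall_impact(sc)


if __name__ == "__main__":
    for name, cat in SAMPLE_TYPES.items():
        print(f"{name:22s} {cat}")
    sc, level = categorize_system()
    print(f"{'system':22s} {sc}  -> overall {level}")
```

The point the slides make about resource allocation follows directly: one high-impact information type (here, the availability and integrity of dispatch data) drags the whole system to the high baseline, which is why SP 800-60 mapping is done per information type before the controls are chosen, and why splitting a system can be the cheaper engineering answer.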

  24. Security Control Assessment: FISMA Requirement • Conduct periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices (including management, operational, and technical security controls) • Publication status: • NIST Special Publication 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems” • Initial Public Draft: 2005

  25. Certification and Accreditation: Supporting FISMA Requirement • Conduct periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices (including management, operational, and technical security controls) • Publication status: • NIST Special Publication 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems” • Final Publication: May 2004

  26. Personal Identity Verification For Federal Employees and Contractors Meeting the Requirements of HSPD #12…

  27. General Objectives Common reliable identification verification for Government employees and contractors • Reliable Identification Verification • Government-wide - Interoperability - Basis for reciprocity

  28. Personal Identity Verification Requirements HSPD-12: Policy for a Common Identification Standard • Secure and reliable forms of personal identification: • Based on sound criteria to verify an individual employee’s identity • Is strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation • Personal identity can be rapidly verified electronically • Identity tokens issued only by providers whose reliability has been established by an official accreditation process

  29. Personal Identity Verification Requirements • Applicable to all government organizations and contractors • To be used to grant access to Federally-controlled facilities and logical access to Federally-controlled information systems, to the maximum extent practicable • Graduated criteria from least secure to most secure to ensure flexibility in selecting the appropriate security level for each application • Not applicable to identification associated with national security systems • To be implemented in a manner that protects citizens’ privacy

  30. Personal Identity Verification Requirements HSPD: Policy for a Common Identification Standard • Departments and agencies shall have a program in place to ensure conformance within 4 months after issuance of FIPS • Departments and agencies to identify applications important to security that would benefit from conformance to the standard within 6 months after issuance • Compliance with the Standard is required in applicable Federal applications within 8 months following issuance

  31. Phased-Implementation Approach Two Parts to PIV Standard • Part I – Common Identification and Security Requirements - HSPD #12 Control Objectives. Examples: identification shall be issued based on strong government-wide criteria for verifying an individual employee’s identity; the identification shall be capable of being rapidly authenticated electronically - Government-wide Identity Proofing Requirements (revised from October draft) - Effective October 2005 • Part II – Common Interoperability Requirements - Specifications - No set deadline for implementation in PIV standard • Migration Timeframe (i.e., Part I to Part II) - In accordance with HSPD #12, implementation plans to OMB before July 2005 - OMB approves agency plans and/or develops schedule directive - OMB developing implementation guidance for public review and comment

  32. [Figure: sample PIV card front layout, showing printed zones with placement dimensions in millimetres.] Printed elements in the example: Zone 9 – Header, “United States Government”; color photograph; Affiliation “Civilian”; Agency/Department “Department of Homeland Security”; Issued 01/01/05; Expires 01/01/08; Zone 2 – Name (Arial 10pt Bold), “Doe John, G.”; Pay O15; contact chip; “Federal Emergency Response Official”. Layout notes: an area for additional optional data, where agency-specific data may be printed (see other examples for required placement of additional optional data elements; in this example Zones 9, 11 and 13 are optional but shall be placed as depicted and therefore are not in the blue shaded area); an area likely to be needed by the card manufacturer, where optional data may be printed but may be subject to restrictions imposed by card and/or printer manufacturers; and a reserved area where no printing is permitted unless verified as printable by card and/or printer manufacturers.

  33. The NIST Security Configuration Checklists Program for IT Products

  34. What is a Checklist? • Often called lockdown guides, configuration guides, security guides, benchmark, hardening guides, STIGs, other terms • A document or list of procedures to secure a system or application • Implementation guides used to provide security controls to the information system • Could include scripts, add-on templates, or executables

  35. Why Checklists • Most products are insecure out of the box • Most users need assistance in configuring security controls due to complexity of the technology • Demand for easy-to-understand checklists for improving security • Demand for checklists tailored to different environments, such as home, small office, enterprise, or higher security • Checklists can have a large impact on security with relatively small upfront investment

  36. Tasking to NIST • Cyber Security Research and Development Act of 2002 directs NIST to: • Develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become widely used within the Federal Government. • NIST would set priorities for development

  37. FISMA Legislation • FISMA (section 3534(b)(2)(D)(iii)) requires each agency to determine minimally acceptable system configuration requirements and ensure compliance with them • NIST is expected to assist agencies in guidance for developing configuration checklists and for sharing them

  38. NIST’s Response: • Write guideline for developers and users • Build the repository; populate with current checklists from NIST, NSA, DISA, CIS • Get participation agreements from major developers • Assist agencies in using the repository to share and acquire configuration checklists • Work with vendors to begin including checklists with their products

  39. How Does the Program Work? • Developers follow NIST guidance in creating checklists, e.g., targeted operational environments • After submission to NIST and initial screening, checklists are publicly reviewed • Issues are addressed, checklist is listed in repository and maintained by developer • Developers can use our logo on their products • Users can provide feedback to NIST and developers

  40. Operational Environments

  41. Security Checklists for Commercial IT Products (repository web page) • About Checklists: Under the Cyber Security Research and Development Act, NIST is charged with developing security checklists. These checklists describe security settings for commercial IT products. • Operational Environment: Each security checklist describes the operational environment for which it is intended to be used. These generally specify levels consistent with the government-wide security categorizations for information systems. • Partners: The checklists provided on this website are provided by a wide variety of vendors, government agencies, consortia, non-profit organizations, and user organizations. NIST gratefully acknowledges their contributions and assistance in providing this security service. • Disclaimer: The contents of each checklist are the responsibility of the submitting organization. We encourage users to send comments on specific checklists to the appropriate author. • Search the Security Checklist Database (example): by specific product name – Microsoft Windows 2000; by security environment – Enterprise; by product type – Operating System. Results: NIST Windows 2000 Special Publication; NSA Windows 2000 Security Guide; DISA Windows 2000 Security Configuration Guide; CIS Windows 2000 Guide – Level 2
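Slides 34, 35 and 41 describe a checklist as a list of settings (possibly shipped with scripts) that is tailored to an operational environment such as home, small office, enterprise or higher security. The following is an added example, not code from NIST or from any checklist in the repository, showing what such a tailored checklist looks like when made machine-checkable: each rule carries a required value per environment, rules absent for an environment simply do not apply there, and a host's exported settings are evaluated to a pass/fail/missing report. The setting names, the threshold values and the sample export are constructed for illustration; none of the thresholds is quoted from SP 800-68 or any other published checklist.

```python
"""Evaluate a host's exported settings against an environment-tailored
security configuration checklist.

Added example, not NIST code. Rules, thresholds and the sample export are
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Operational environments named on the slides, least to most demanding.
ENVIRONMENTS = ("home", "small office", "enterprise", "higher security")


@dataclass(frozen=True)
class Rule:
    setting: str                          # key as it appears in the export
    required: Dict[str, int]              # environment -> required value; absent = not applied there
    check: Callable[[int, int], bool]     # check(actual, required) -> compliant?
    rationale: str


# Constructed checklist: stricter environments tighten thresholds or add rules.
CHECKLIST: List[Rule] = [
    Rule("MinimumPasswordLength",
         {"home": 8, "small office": 8, "enterprise": 12, "higher security": 14},
         lambda actual, req: actual >= req, "longer passwords resist guessing"),
    Rule("PasswordComplexity",
         {e: 1 for e in ENVIRONMENTS},
         lambda actual, req: actual == req, "complexity filter enabled"),
    Rule("LockoutBadCount",
         {"small office": 10, "enterprise": 10, "higher security": 5},
         lambda actual, req: 1 <= actual <= req,   # 0 means the account never locks
         "bounded online guessing"),
    Rule("EnableGuestAccount",
         {e: 0 for e in ENVIRONMENTS},
         lambda actual, req: actual == req, "anonymous local logon disabled"),
    Rule("RequireSecuritySignature",
         {"enterprise": 1, "higher security": 1},
         lambda actual, req: actual == req, "SMB signing required"),
]

# Constructed sample export in a key = value style with [section] headers.
SAMPLE_EXPORT = """\
; constructed sample, not a real system's export
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
EnableGuestAccount = 0
[Event Audit]
AuditLogonEvents = 3
"""


def parse_export(text: str) -> Dict[str, object]:
    """Parse key = value lines; skip comments, blanks, section headers and
    malformed lines. Numeric values become ints, anything else stays a str."""
    settings: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # malformed line: skip rather than guess
        value = value.strip()
        settings[key.strip()] = int(value) if value.lstrip("-").isdigit() else value
    return settings


@dataclass(frozen=True)
class Finding:
    setting: str
    status: str                           # PASS, FAIL or MISSING
    required: int
    actual: object
    rationale: str


def evaluate(settings: Dict[str, object], environment: str,
             checklist: List[Rule] = CHECKLIST) -> List[Finding]:
    """Apply every rule that exists for the chosen environment."""
    if environment not in ENVIRONMENTS:
        raise ValueError(f"unknown operational environment: {environment!r}")
    findings = []
    for rule in checklist:
        if environment not in rule.required:
            continue                      # rule not applied in this environment
        required = rule.required[environment]
        actual = settings.get(rule.setting)
        if actual is None:
            status = "MISSING"            # setting absent from the export
        elif isinstance(actual, int) and rule.check(actual, required):
            status = "PASS"
        else:
            status = "FAIL"               # wrong value, or non-numeric where a number is expected
        findings.append(Finding(rule.setting, status, required, actual, rule.rationale))
    return findings


def noncompliant(settings: Dict[str, object], environment: str) -> List[str]:
    """Settings that fail or are missing for the environment, in checklist order."""
    return [f.setting for f in evaluate(settings, environment) if f.status != "PASS"]


if __name__ == "__main__":
    settings = parse_export(SAMPLE_EXPORT)
    for env in ENVIRONMENTS:
        print(f"== {env}: {len(noncompliant(settings, env))} item(s) not compliant")
        for f in evaluate(settings, env):
            print(f"  {f.status:7s} {f.setting:26s} required {f.required!r}, "
                  f"actual {f.actual!r}  ({f.rationale})")
```

The same export passes clean for the home environment and fails three items for enterprise, which is the point of the slides' environment tiers: a checklist that is correct for one environment is not a checklist for another, and a "MISSING" result is reported separately from "FAIL" because an absent setting usually means the product's default is in force, which is exactly the out-of-the-box state slide 35 warns about.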

  42. Developer Steps Overview Please consider submitting any checklists you may have for inclusion in our repository!
