NIST’s Role in Computer Security

Ed Roback
Computer Security Division
NIST Information Technology Laboratory

Agenda
  • Who we are
  • Computer security program
  • NIST partnerships
  • Summary
NIST Information Technology Laboratory
Promote the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure for information technology
  • Advanced Network Technologies
  • Computer Security
  • Distributed Computing and Information Services
  • High Performance Systems and Services
  • Information Access and User Interfaces
  • Mathematical and Computational Sciences
  • Software Diagnostics and Conformance Testing
  • Statistical Engineering

NIST Mandate for Computer Security
  • Develop standards and guidelines for the Federal government
  • Improve the competitiveness of the American IT industry
Computer Security Division Mission
To improve the state-of-the-art in information security through:
  • Guidance - to increase effective security planning and implementation of cost-effective security in Federal systems
  • Standards, Metrics, Tests - to promote, measure, and validate security improvements and enable confidence for marketplace transactions and minimum standards for Federal systems
  • Awareness - of IT vulnerabilities and protection requirements
Security Program Strategy
  • Collaboration with industry and government
    • Work to develop IT specifications and conformance tests to promote secure, interoperable products and systems
    • Develop standards in cooperation with industry and voluntary consensus standards bodies to promote and protect USG and IT industry interests
  • Acting as “honest broker”
Security Program Strategy (Concluded)
  • Focus on Improving the security of products and systems
    • Develop standards for secure, interoperable products
    • Validate conformance of commercial products to selected Federal Information Processing Standards (FIPS)
    • Perform research and conduct studies to identify vulnerabilities and devise solutions
    • Develop new test methods and procedures that will make testing of security requirements/ specifications more efficient and cost effective
Key Components of NIST’s Computer Security Program
  • Security standards development
  • Security testing
  • Exploring new security technologies
  • Assistance and guidance
Security Standards Development
  • Work with industry and government to develop standards for computer security
    • Cryptography
    • Policies, management, and operational controls
    • Best practices
    • Common Criteria
    • Public Key Infrastructure (PKI)
Key Efforts -- Standards
  • AES - Advanced Encryption Standard
  • FIPS 46-3 - Triple Data Encryption Standard (DES)
  • DSS - upgrade to include RSA, Elliptic Curve
  • SHA-2 - upgrade of SHA-1
  • FIPS 140-2 - upgrade of 140-1
  • X9.82 - Random Number Generator
  • Key Exchange - Key Exchange/Agreement Standard(s)
  • ISO 15408 - Common Criteria v.2
  • IETF - PKIX, IPSec, DNSSec, etc.
  • ISO 15292/15446 - Protection Profile Registration and Development Guidance
  • FIPA - Foundation for Intelligent Physical Agents
  • PKI - Security Requirements for Certificate Issuing and Management Components (CIMCs)
Security Testing
  • Develop the tests, tools, profiles, methods, and implementations for timely, cost effective evaluation and testing
  • Validation
    • Cryptographic Module Validation Program (CMVP)
    • National Information Assurance Partnership (NIAP)
  • Conformance and interoperability testing
    • MISPC
    • IPv6 test resource
Key Efforts -- Testing
  • Crypto Module Validation Program
  • Algorithm Testing
  • Random Number Generator Testing
  • MISPC Testing
  • Certificate Authority Testing
  • Firewall Security & Evaluation Tests
  • Telecommunications Switch Security
  • Protection Profile Testing
  • Automated Test Development/Generation
  • Common Criteria Evaluation and Validation Scheme
  • Laboratory Accreditation
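The "Algorithm Testing" item above is, in practice, known-answer testing: an implementation is run against vectors published with the standard and every digest must match bit for bit. The harness below is an added example and not NIST's or the CAVP's own tooling. It parses a file laid out like a CAVP SHA "ShortMsg" response file (an `[L = n]` digest-length header followed by `Len` / `Msg` / `MD` triples), runs each vector through an implementation under test, and reports the failures. The sample file is constructed inline; its expected digests are the FIPS 180 SHA-256 examples for the empty message, "abc", and the 448-bit two-block message. The two defective implementations at the end are constructed to show what the harness catches.

```python
"""Known-answer-test (KAT) harness in the style of CAVP algorithm testing.

Added example, not NIST code.  Parses a CAVP-style SHA ShortMsg .rsp layout,
runs each vector through an implementation under test, and lists failures.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample response file; a real CAVP file holds hundreds of vectors.
# Expected digests are the FIPS 180 SHA-256 examples.
SAMPLE_RSP = """\
#  "SHA-256 ShortMsg" -- constructed sample, not an actual CAVP file
[L = 32]

Len = 0
Msg = 00
MD = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Len = 24
Msg = 616263
MD = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

Len = 448
Msg = 6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071
MD = 248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1
"""


@dataclass(frozen=True)
class Vector:
    bitlen: int
    msg: bytes
    md: bytes


@dataclass
class KatResult:
    total: int
    failures: list  # (vector index, expected hex, observed hex)

    @property
    def passed(self) -> bool:
        return not self.failures


def parse_rsp(text: str):
    """Return (digest length in bytes, [Vector, ...]) from .rsp-style text."""
    digest_len, current, vectors = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[L\s*=\s*(\d+)\]", line)
        if header:
            digest_len = int(header.group(1))
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        if key == "Len":
            if int(value) % 8:
                raise ValueError("harness handles byte-aligned lengths only")
            current = {"Len": int(value)}
        elif key == "Msg":
            current["Msg"] = value
        elif key == "MD":
            # The file writes "Msg = 00" for Len = 0, so Len decides the length.
            msg = bytes.fromhex(current["Msg"])[: current["Len"] // 8]
            vectors.append(Vector(current["Len"], msg, bytes.fromhex(value)))
            current = {}
        else:
            raise ValueError(f"unknown field {key!r}")
    if digest_len is None:
        raise ValueError("missing [L = n] header")
    return digest_len, vectors


def run_kats(rsp_text: str, impl: Callable[[bytes], bytes]) -> KatResult:
    """Run every vector through impl; a digest of the wrong length also fails."""
    digest_len, vectors = parse_rsp(rsp_text)
    failures = []
    for i, v in enumerate(vectors):
        observed = impl(v.msg)
        if len(observed) != digest_len or observed != v.md:
            failures.append((i, v.md.hex(), observed.hex()))
    return KatResult(len(vectors), failures)


# Implementations under test: one correct, two constructed defects.
def sha256_under_test(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()


def truncating_sha256(msg: bytes) -> bytes:
    """Defective: drops the last input byte, so only the Len = 0 vector passes."""
    return hashlib.sha256(msg[:-1]).digest()


def wrong_algorithm(msg: bytes) -> bytes:
    """Defective: SHA-224 shipped under a SHA-256 label; the length check catches it."""
    return hashlib.sha224(msg).digest()


if __name__ == "__main__":
    for name, impl in [("sha256", sha256_under_test),
                       ("truncating", truncating_sha256),
                       ("wrong algorithm", wrong_algorithm)]:
        r = run_kats(SAMPLE_RSP, impl)
        print(f"{name}: {r.total - len(r.failures)}/{r.total} vectors passed")
        for idx, exp, got in r.failures:
            print(f"  vector {idx}: expected {exp[:16]}..., got {got[:16]}...")
```

The length check matters as much as the digest comparison: an implementation that answers with the wrong algorithm fails every vector, while one with a boundary bug passes the empty message and fails the rest, which is why validation suites carry vectors of many lengths rather than a single "abc".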
Exploring New Security Technologies
  • Identify and use emerging technologies, especially infrastructure niches
  • Develop prototypes, reference implementations, and demonstrations
  • Transition new technology and tools to public & private sectors
  • Advise Federal agencies
Key Efforts -- New Technologies
  • Role-Based Access Control
  • Policy Management
  • Intrusion Detection
  • Mobile Agents
  • Automated Security Test Generation
  • IPSec/web interface testing
  • Security Service Interfaces
Assistance and Guidance
  • Assist U.S. Government agencies and other users with technical security and management issues
  • Assist in development of security infrastructures
  • Develop or point to cost-effective security guidance
  • Actively transfer security technology and guidance from NIST to agencies/industry
  • Support agencies on specific security projects on a cost-reimbursable basis
Key Efforts -- Assistance and Guidance
  • NIST Special Publications:
    • 800-18, “Guide for Developing Security Plans for Information Technology Systems”
    • 800-16, “Information Technology Security Training Requirements”
    • “Guideline for Implementing Cryptography in the Federal Government” (Forthcoming)
    • “Security Incident Handling -- A Cooperative Approach”
  • ITL Bulletins (1999):
    • November - Intrusion Detection
    • September - Securing Web Servers
    • August - The Advanced Encryption Standard: A Status Report
    • May - Computer Attacks: What They Are and How to Defend Against Them
NIST Outreach

Federal Agencies:
  • ACM Workshops on Access Control
  • Agency Assistance
  • Federal Computer Security Training Resource Center
  • Best Practice Task Force
  • CIO Council Security Privacy-Critical Infrastructure
  • Computer System Security & Privacy Advisory Board (CSSPAB)
  • Critical Infrastructure Protection
  • Department of Justice Executive Advisory Team
  • Director Forum of CIO Council
  • DoC/CIO Contingency Planning Affinity Group
  • FedCIRC Partners
  • Federal Computer Security Program Managers' Forum
  • Federal Information Systems Security Educators' Association (FISSEA)
  • Federal Public Key Infrastructure Steering Committee & Subgroups
  • Forum for Privacy & Security in Healthcare
  • High Performance Computing and Communications
  • Information Industry Group
  • INFOSEC Research Council
  • National Colloquium for Information Systems Security Education (NCISSE)
  • National Science Foundation Career Proposal Review Panel
  • National Security Telecommunications & Information Systems Security Committee (NSTISSC)
  • Network Security Information Exchange
  • NIST-NSA Technical Working Group
  • Open Source Security Working Group
  • Smart Card Security Users Group

IT Industry:
  • American Bar Association Information Security Ctte
  • Common Criteria Mutual Recognition Arrangement Management Ctte
  • Critical Infrastructure Coordination Group
  • Education & Awareness Ctte
  • Federal Public Key Infrastructure Technical Working Group
  • Forum for Privacy & Security in Healthcare
  • Information Industry Group
  • National Colloquium for Information Systems Security Education (NCISSE)
  • National Science Foundation Career Proposal Review Panel
  • Nat'l Ctte for Information Technology Standards, T3-Open Distributed Processing
  • Network Security Information Exchange
  • Smart Card Security Users Group
  • Steering Ctte Member of ACM Workshop on Access Control

Testing Labs:
  • CEAL: a Cygnacom Solutions Laboratory
  • DOMUS IT Security Laboratory, A Division of LGS Group, Inc.
  • InfoGard Laboratories, Inc.

Standards Community:
  • ANSI Accredited Standards Committee X9F3
  • ANSI X9.82 Random Number Generation Standard
  • ANSI X9F, X9F1, X9F3
  • ANSI-NCITS T4 Computer Security
  • Nat'l Committee for Information Technology Standards, Technical Committee T3-Open Distributed Processing
  • NIST-NSA Technical Working Group
  • IETF S/MIME V3 Working Group
  • IETF Public Key Infrastructure Working Group (PKIX)
  • IETF Internet Protocol Security (IPSEC)
  • Internet Protocol Secure Policy (IPSP)
  • Internet Protocol Secure Remote Access (IPSRA)
  • ISO/Internat'l Electrotechnical Commission Joint Technical Committee 1
  • ISO JTC1 SC27 Computer Security
  • Smart Card Security Users Group

Academia:
  • Critical Infrastructure Coordination Group
  • Education & Awareness Ctte
  • National Colloquium for Information Systems Security Education (NCISSE)

Key Theme: Improving Security Products
How we improve security through standards and testing

The cycle:
  • Identify needs for security standards - industry and government
  • Develop security standards
  • Test products against security standards
  • Vendors improve products
  • Users get more secure products

Therefore… Security is Improved!

Summary & Conclusions

NIST is improving security by:

  • Raising awareness of the need for cost-effective security
  • Engaging in key U.S. voluntary standards activities
  • Developing standards and guidelines to secure Federal systems (often adopted voluntarily by private sector)
    • Cryptographic algorithms
    • Policy, management, operations, and best practices guidance
    • PKI
  • Providing National leadership role for security testing and evaluation
    • Cryptographic Module Validation Program
    • National Information Assurance Partnership
President’s 9/99 Proposal for Increasing NIST CIP Activities
  • Establish an Expert Review Team at NIST
    • Assist agencies Government-wide in adhering to Federal computer security requirements
    • Director to consult with OMB and NSC on plans to protect and enhance computer security for Federal agencies
  • Fund a permanent 15-member team responsible for helping agencies
    • Identify vulnerabilities
    • Plan secure systems
    • Implement CIP plans
President’s 9/99 Proposal for Increasing NIST CIP Activities (Concluded)
  • Establish an operational fund at NIST for computer security projects among Federal agencies
    • Independent vulnerability assessments
    • Computer intrusion drills
    • Emergency funds to cover security fixes for systems identified to have unacceptable security risks