
NIST’s Role in Computer Security

Ed Roback

Computer Security Division

NIST Information Technology Laboratory


Agenda

  • Who we are

  • Computer security program

  • NIST partnerships

  • Summary


NIST Information Technology Laboratory

Mission: Promote the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure for information technology

ITL divisions:

  • Advanced Network Technologies

  • Computer Security

  • Distributed Computing and Information Services

  • High Performance Systems and Services

  • Information Access and User Interfaces

  • Mathematical and Computational Sciences

  • Software Diagnostics and Conformance Testing

  • Statistical Engineering


NIST Mandate for Computer Security

  • Develop standards and guidelines for the Federal government

  • Improve the competitiveness of the American IT industry


Computer Security Division Mission

To improve the state-of-the-art in information security through:

  • Guidance - to increase effective security planning and implementation of cost-effective security in Federal systems

  • Standards, Metrics, Tests - to promote, measure, and validate security improvements and enable confidence for marketplace transactions and minimum standards for Federal systems

  • Awareness - of IT vulnerabilities and protection requirements


Agenda

  • Who we are

  • Computer security program

  • NIST partnerships

  • Summary


Security Program Strategy

  • Collaboration with industry and government

    • Work to develop IT specifications and conformance tests to promote secure, interoperable products and systems

    • Develop standards in cooperation with industry and voluntary consensus standards bodies to promote and protect USG and IT industry interests

  • Acting as “honest broker”


Security Program Strategy (Concluded)

  • Focus on Improving the security of products and systems

    • Develop standards for secure, interoperable products

    • Validate conformance of commercial products to selected Federal Information Processing Standards (FIPS)

    • Perform research and conduct studies to identify vulnerabilities and devise solutions

    • Develop new test methods and procedures that make testing of security requirements/specifications more efficient and cost-effective


Key Components of NIST's Computer Security Program

  • Security standards development

  • Security testing

  • Exploring new security technologies

  • Assistance and guidance


Security Standards Development

  • Work with industry and government to develop standards for computer security

    • Cryptography

    • Policies, management, and operational controls

    • Best practices

    • Common Criteria

    • Public Key Infrastructure (PKI)


Key Efforts -- Standards

  • AES: Advanced Encryption Standard

  • FIPS 46-3: Data Encryption Standard (DES), revised to include Triple DES

  • DSS Upgrade: to include RSA, Elliptic Curve

  • SHA-2: Upgrade of SHA-1

  • FIPS 140-2: Upgrade of 140-1

  • X9.82: Random Number Generator

  • Key Exchange: Key Exchange/Agreement Standard(s)

  • ISO 15408: Common Criteria v.2

  • IETF: PKIX, IPSec, DNSSec, etc.

  • ISO 15292/15446: Protection Profile Registration and Development Guidance

  • FIPA: Foundation for Intelligent Physical Agents

  • PKI: Security Requirements for Certificate Issuing and Management Components (CIMCs)


Security Testing

  • Develop the tests, tools, profiles, methods, and implementations for timely, cost effective evaluation and testing

  • Validation

    • Cryptographic Module Validation Program (CMVP)

    • National Information Assurance Partnership (NIAP)

  • Conformance and interoperability testing

    • MISPC (Minimum Interoperability Specification for PKI Components)

    • IPv6 test resource


Key Efforts -- Testing

  • Crypto Module Validation Program

  • Algorithm Testing

  • Random Number Generator Testing

  • MISPC Testing

  • Certificate Authority Testing

  • Firewall Security & Evaluation Tests

  • Telecommunications Switch Security

  • Protection Profile Testing

  • Automated Test Development/Generation

  • Common Criteria Evaluation and Validation Scheme

  • Laboratory Accreditation
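What the "Algorithm Testing" and "Random Number Generator Testing" items above amount to in practice, as an added illustration that is not part of the presentation: a known-answer test (KAT) runs an implementation against the example vectors NIST publishes alongside the FIPS 180 hash standards and flags any mismatch, and a statistical test such as the frequency (monobit) test from the later NIST SP 800-22 judges whether a bit stream is plausibly random by computing a p-value. Here Python's hashlib stands in for the implementation under test, the SHA-1/SHA-256 vectors are the published FIPS 180 examples, the 10-bit sequence is the worked example from SP 800-22, and the all-zeros stream is a constructed failure case.

```python
import hashlib
import math
import os

# Published FIPS 180 example vectors: (message, expected hex digest).
SHA_KATS = {
    "sha1": [
        (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ],
    "sha256": [
        (b"abc",
         "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
        (b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
         "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1"),
    ],
}


def sha_known_answer_tests(kats=SHA_KATS):
    """Run every known-answer vector through the implementation under test
    (hashlib here) and report, per algorithm, whether all vectors matched.
    A validation lab would reject the module on any single mismatch."""
    results = {}
    for algo, vectors in kats.items():
        ok = True
        for msg, expected in vectors:
            got = hashlib.new(algo, msg).hexdigest()
            ok = ok and (got == expected)
        results[algo] = ok
    return results


def monobit_frequency_test(bits):
    """Frequency (monobit) test, SP 800-22 section 2.1.
    bits: a string of '0'/'1' characters.
    Each 1 counts +1 and each 0 counts -1; the normalised partial sum is
    compared with the half-normal distribution. Returns the p-value; the
    sequence is judged non-random when p < 0.01. The spec recommends
    n >= 100 bits for a meaningful result."""
    n = len(bits)
    if n == 0:
        raise ValueError("empty bit sequence")
    s_n = sum(1 if b == "1" else -1 for b in bits)
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def bytes_to_bits(data):
    """Expand a byte string into its '0'/'1' bit string, MSB first."""
    return "".join(format(byte, "08b") for byte in data)


if __name__ == "__main__":
    print("KAT results:", sha_known_answer_tests())
    # Worked example from SP 800-22: epsilon = 1011010101 gives p = 0.527089
    print("p (spec example):", round(monobit_frequency_test("1011010101"), 6))
    # Constructed inputs: a stuck-at-zero generator fails, OS randomness should pass
    print("p (all zeros):", monobit_frequency_test("0" * 1000))
    print("p (os.urandom):", monobit_frequency_test(bytes_to_bits(os.urandom(2500))))
```

Run as a script it prints the KAT verdicts and three p-values; a genuine RNG is expected to fall below the 0.01 threshold about one run in a hundred, which is why SP 800-22 evaluates many sequences rather than one.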


Exploring New Security Technologies

  • Identify and use emerging technologies, especially infrastructure niches

  • Develop prototypes, reference implementations, and demonstrations

  • Transition new technology and tools to public & private sectors

  • Advise Federal agencies


Key Efforts -- New Technologies

  • Role-Based Access Control

  • Policy Management

  • Intrusion Detection

  • Mobile Agents

  • Automated Security Test Generation

  • IPSec/web interface testing

  • Security Service Interfaces


Assistance and Guidance

  • Assist U.S. Government agencies and other users with technical security and management issues

  • Assist in development of security infrastructures

  • Develop or point to cost-effective security guidance

  • Actively transfer security technology and guidance from NIST to agencies/industry

  • Support agencies on specific security projects on a cost-reimbursable basis


Key Efforts -- Assistance and Guidance

  • NIST Special Publications:

    • 800-18, “Guide for Developing Security Plans for Information Technology Systems”

    • 800-16, “Information Technology Security Training Requirements”

    • “Guideline for Implementing Cryptography in the Federal Government” (Forthcoming)

    • “Security Incident Handling -- A Cooperative Approach”

  • ITL Bulletins (1999):

    • November: Intrusion Detection

    • September: Securing Web Servers

    • August: The Advanced Encryption Standard: A Status Report

    • May: Computer Attacks: What They Are and How to Defend Against Them


Agenda

  • Who we are

  • Computer security program

  • NIST partnerships

  • Summary


In carrying out NIST's programs, we don't work alone...


In carrying out its programs NIST works with partners across Federal agencies, the IT industry, testing labs, the standards community and academia:

  • ACM Workshops on Access Control

  • Agency Assistance, Federal Computer Security Training Resource Center

  • Best Practice Task Force

  • CIO Council Security, Privacy, Critical Infrastructure

  • Computer System Security & Privacy Advisory Board (CSSPAB)

  • Critical Infrastructure Protection

  • Department of Justice Executive Advisory Team

  • Director Forum of CIO Council

  • DoC/CIO Contingency Planning Affinity Group

  • FedCIRC Partners

  • Federal Computer Security Program Managers' Forum

  • Federal Information Systems Security Educators' Association (FISSEA)

  • Federal Public Key Infrastructure Steering Committee & Subgroups

  • Forum for Privacy & Security in Healthcare

  • High Performance Computing and Communications

  • Information Industry Group

  • INFOSEC Research Council

  • National Colloquium for Information Systems Security Education (NCISSE)

  • National Science Foundation Career Proposal Review Panel

  • National Security Telecommunications & Information Systems Security Committee (NSTISSC)

  • Network Security Information Exchange

  • NIST-NSA Technical Working Group

  • Open Source Security Working Group

  • Smart Card Security Users Group

  • American Bar Association Information Security Ctte

  • Common Criteria Mutual Recognition Arrangement Management Ctte

  • Critical Infrastructure Coordination Group

  • Education & Awareness Ctte

  • Federal Public Key Infrastructure Technical Working Group

  • Forum for Privacy & Security in Healthcare

  • Information Industry Group

  • National Colloquium for Information Systems Security Education (NCISSE)

  • National Science Foundation Career Proposal Review Panel

  • Nat'l Ctte for Information Technology Standards, T3-Open Distributed Processing

  • Network Security Information Exchange

  • Smart Card Security Users Group

  • Steering Ctte Member of ACM Workshop on Access Control

  • CEAL: a Cygnacom Solutions Laboratory

  • DOMUS IT Security Laboratory, A Division of LGS Group, Inc.

  • InfoGard Laboratories, Inc.

  • ANSI Accredited Standards Committee X9F3

  • ANSI X9.82 Random Number Generation Standard

  • ANSI X9F, X9F1, X9F3

  • ANSI-NCITS T4 Computer Security

  • Nat'l Committee for Information Technology Standards, Technical Committee T3-Open Distributed Processing

  • NIST-NSA Technical Working Group

  • IETF S/MIME V3 Working Group

  • IETF Public Key Infrastructure Working Group (PKIX)

  • IETF Internet Protocol Security (IPSEC)

  • Internet Protocol Secure Policy (IPSP)

  • Internet Protocol Secure Remote Access (IPSRA)

  • ISO/Internat'l Electrotechnical Commission Joint Technical Committee 1

  • ISO JTC1 SC27 Computer Security

  • Smart Card Security Users Group

  • Critical Infrastructure Coordination Group

  • Education & Awareness Ctte

  • National Colloquium for Information Systems Security Education (NCISSE)

[Diagram: NIST at the hub, with spokes to Outreach, Federal Agencies, IT Industry, Testing Labs, Standards Community, Academia]


Key Theme: Improving Security Products

How we improve security through standards and testing: a cycle in which

  • needs for security standards are identified, by industry and government;

  • security standards are developed;

  • products are tested against those security standards;

  • vendors improve their products;

  • users get more secure products.

Therefore... Security is Improved!


Agenda

  • Who we are

  • Computer security program

  • NIST partnerships

  • Summary


Summary & Conclusions

NIST is improving security by:

  • Raising awareness of the need for cost-effective security

  • Engaging in key U.S. voluntary standards activities

  • Developing standards and guidelines to secure Federal systems (often adopted voluntarily by private sector)

    • Cryptographic algorithms

    • Policy, management, operations, and best practices guidance

    • PKI

  • Providing National leadership role for security testing and evaluation

    • Cryptographic Module Validation Program

    • National Information Assurance Partnership


Yet, there is more we could do...


President's 9/99 Proposal for Increasing NIST CIP Activities

  • Establish an Expert Review Team at NIST

    • Assist agencies Government-wide in adhering to Federal computer security requirements

    • Director to consult with OMB and NSC on plans to protect and enhance computer security for Federal agencies

  • Fund a permanent 15-member team responsible for

    • Helping agencies identify vulnerabilities

    • Helping agencies plan secure systems and implement CIP plans


President's 9/99 Proposal for Increasing NIST CIP Activities (Concluded)

  • Establish an operational fund at NIST for computer security projects among Federal agencies

    • Independent vulnerability assessments

    • Computer intrusion drills

    • Emergency funds to cover security fixes for systems identified to have unacceptable security risks


Questions?