Security Technology Group - The Team for Research in

An Overview of NIST’s Cyber Security Program
Donna F. Dodson, Deputy Chief Cyber Advisor
October 2009

NIST’s Mission
• To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology … in ways that enhance economic security and improve our quality of life.

NIST At A Glance
• 2,800 employees (Gaithersburg, Maryland; Boulder, Colorado; Charleston, South Carolina)
• 1,800 guest researchers
• Hollings Manufacturing Extension Partnership Program
• Baldrige National Quality Program
• Advanced Technology Program
• NIST Laboratories

The NIST Laboratories
NIST’s work enables:
• Science
• Technology innovation
• Trade
• Public benefit
NIST works with:
• Industry
• Academia
• Government agencies
• Measurement laboratories
• Standards organizations

Information Technology Laboratory (organization chart)
• ITL Director
• Deputy ITL Director
• Cyber Security Advisor
• Divisions:
  – Computer Security Division: Cryptographic Technology Group; Security Research & Emerging Tech Group; Security Management and Assurance Group
  – Information Access Division
  – Advanced Networks Division
  – Mathematics Division
  – Software and Systems Division
• ITL Programs (Director):
  – Enabling Scientific Discovery
  – Pervasive Computing
  – Complex Systems
  – Identity Management
  – Cyber and Network Security
  – Trustworthy Computing
  – Virtual Measurement
  – Information Discovery, Use, & Sharing

Responsibilities for Cyber Security
• NIST is responsible for developing standards and guidelines, including minimum requirements, that provide adequate information security for all agency operations and assets in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347, but such standards and guidelines shall not apply to national security systems.
• Under FISMA NIST shall “conduct research, as needed, to determine the nature and extent of information security vulnerabilities and techniques for providing cost-effective information security.”
• NIST develops guidelines consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.
• In accordance with the Cyber Security Research and Development Act, the National Institute of Standards and Technology develops, and revises as necessary, checklists setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal Government.
• Homeland Security Presidential Directive 7: “The Department of Commerce will work with private sector, research, academic, and government organizations to improve technology for cyber systems and promote other critical infrastructure efforts, including using its authority under the Defense Production Act to assure the timely availability of industrial products, materials, and services to meet homeland security requirements.”
• Homeland Security Presidential Directive 12: “The Secretary of Commerce shall promulgate in accordance with applicable law a Federal standard for secure and reliable forms of identification (the "Standard")”

Development Model
• Research
  – Internal
  – Collaborations
• Development
  – Prototypes
  – Test beds
• Standards and Guidelines
• Metrics
• Testing and Validations
• Education and Outreach

Core Focus Areas
• Research, Development, and Specification
  – Security Mechanisms (e.g. protocols, cryptographic, access control, auditing/logging)
  – Security Mechanism Applications
    • Confidentiality
    • Integrity
    • Availability
    • Authentication
    • Non-Repudiation
• Secure System and Component configuration
• Assessment and assurance of security properties of products and systems
• Risk Management Framework and FISMA
  – Federal Information Processing Standard (FIPS) 199 and FIPS 200 are standards that specify minimum security requirements for Federal information and information systems
  – Ongoing research and outreach efforts to keep SP 800-53, which contains the detailed requirements, up-to-date
• Security Automation Tools
  – Support for Vulnerability Management through automation specifications and automated checklists in support of continuous system monitoring
  – Includes work related to the National Vulnerability Database and Secure Content Automation Protocol
• Internet Protocol Version 6 (IPv6)
  – Providing test and measurement tools for hardening existing Internet protocols: standards, deployment, and testing of Internet Protocol version 6 (IPv6)
  – Published the U.S. Government IPv6 Profile, and developed strategies for conformance and interoperability testing
• Seamless and Secure Mobility
  – Standards and tools to provide users with ubiquitous connectivity and the ability to roam seamlessly and securely across networks of different types
  – Collaborating on IEEE 802.21 Media Independent Handover standards, IETF mobility optimization specification
• Cryptography and Cryptographic Mechanisms
  – Provides cryptographic algorithms and protocols to support confidentiality, integrity, authentication and digital signatures
  – Develop specifications for tools and establish testing methodology
  – Currently running an international competition for a new Cryptographic Hash Algorithm
• Key Management
  – Developing a key management framework to include scalable, usable and secure key management technologies
  – Foster better use of established technologies; explore emerging techniques
  – SP 800-56 Key Management Guidelines
• Usability of Biometric Systems
  – Standardize and improve usability of user interfaces of biometric systems to enhance performance and user satisfaction
  – Developing a methodology and guidelines for capturing user requirements and transforming them into a design appropriate for small platforms
• Identity Management Systems
  – Standards development work in biometrics, smart cards, identity management, and privacy framework
  – R&D: Personal Identity Verification, Match-On-Card, ontology for identity credentials, development of a workbench
  – ID Credential Interoperability
• Usability of Security
  – Performing groundwork research to define factors that enable usability in the area of multifactor authentication and developing a framework for determining metrics that are critical to the success of usability
• Security for emerging virtualization technologies
  – Research for viable security isolation techniques including platform virtualization, process sandboxes, virtual networks and encrypted storage
• Voting security
  – Foster the development of voluntary consensus guidelines on implementing election-related technologies
  – Establish accreditation program for voting system testing
• Smart grid security
  – Coordinate development of cybersecurity elements of a framework of protocols and model standards; continuously coordinated with networking standards and guidance
  – Selecting use cases from existing sources, e.g., IntelliGrid, Electric Power Research Institute (EPRI), and Southern California Edison (SCE)
  – Use cases provide a common framework for performing the risk assessment, developing the security architecture, and selecting and tailoring the security requirements
• Healthcare information technology
  – NIST provides security specifications for enabling communicating parties to transmit health information securely and to ensure privacy and confidentiality
  – Developing guidelines for HIPAA Security Rule and Security Architecture Design Process for Health Information Exchanges
  – Leveraging prior cybersecurity efforts
• Quantum Communications
  – Demonstrate and test secure, commercial-grade communication components, systems and protocols for the quantum era
• Foundations of Measurement Science for Information Systems
  – Large-scale systems (e.g., the Internet, power grid) are deployed without a fundamental understanding of their range of behaviors or their security; information systems lack the same foundations as the physical sciences
  – Basic research program: mathematical foundations underlying development of a measurement science for information systems; initial focus: abstract models of information systems structure and dynamics
  [Figure: ISP connection topology. Source: caida.org]

Future and Ongoing Challenges
• Long Term Research
  – Advanced Cryptography (e.g., hash, public key, quantum, light footprint)
  – Inherently Secure, High Assurance, and Provably Secure Systems and Architectures
  – Composable and Scalable Secure Systems
  – Autonomic Systems
  – Ad-hoc Networks and Wireless Security
  – Network Measurement and Visualization Tools
  – Secure Distributed Systems
  – Infrastructure for Information Security R&D

For Additional Information
• NIST
  – http://www.nist.gov/
• NIST’s Information Technology Lab
  – http://www.itl.nist.gov/
• Computer Security Resource Center
  – http://[email protected]
• National Vulnerability Database
  – http://nvd.nist.gov
• Biometrics Resource Center
  – http://www.itl.nist.gov/div893/biometrics
• Biometrics Research
  – Finger: http://fingerprint.nist.gov
  – Face: http://face.nist.gov
  – Iris: http://iris.nist.gov