Page 1: Cyber Security Activities at The

Cyber Security Activities at the National Institute of Standards &

Technology (NIST)

Fran Nielsen, Deputy Chief

Computer Security Division (CSD)

Information Technology Lab/NIST

Page 2: Cyber Security Activities at The

Presentation Outline

• The Need for Cyber Security
• About NIST and ITL
• CSD Mission and Responsibilities
• Key Themes
• Types of Deliverables and Products
• Major Areas of Work
• Example Activities

Page 3: Cyber Security Activities at The

The Need

• More dependence on information technology

• More complex systems and more reliance on internetworking

• Increased frequency of computer security incidents

• September 11

Page 5: Cyber Security Activities at The

National Institute of Standards and Technology

NIST strengthens the U.S. economy and improves the quality of life by working with industry to develop and apply technology, measurements, and standards.

NIST Assets Include:

National measurement standards: NIST Laboratories.

1,500 technical staff.

1,600 guest researchers.

$430 million FY 2001 Laboratory budget.

$83 million in measurement and research contracts to about 20 other agencies.

Unique measurement facilities.

Other programs: Advanced Technology Program, Manufacturing Extension Partnership, Baldrige National Quality Program.

Page 7: Cyber Security Activities at The

ITL Organization and Program

Page 8: Cyber Security Activities at The

ITL Organization

Director: William Mehuron
Deputy Director: Susan Zevin
Assistant Director for Boulder: Cathy Nicoletti (Acting)

Laboratory Staff: Kamie Roberts
Senior Management Advisor: Kendra Cole
CIO Office: Bruce Rosen
Computing Security Operations: Rob Glenn

Divisions
• Math: Ron Boisvert
• Networking: David Su (Acting)
• Computer Security: Ed Roback
• Information Access: Marty Herman
• Convergent Information Systems: Victor McCrary
• Information Services: Ray Hoffmann
• Software Testing: Mark Skall
• Statistics: Nell Sedransk

Page 10: Cyber Security Activities at The

Computer Security Division

Page 11: Cyber Security Activities at The

NIST Mandate for IT Security

• Develop standards and guidelines for the Federal government for sensitive (unclassified) systems

• Contribute to improving the security of commercial IT products and strengthening the security of users’ systems and infrastructures

Page 12: Cyber Security Activities at The

Key Statutory Responsibilities

• Develop technical, management, physical and administrative cost-effective standards and guidelines for federal computer systems;
• Develop validation procedures for, and evaluate the effectiveness of, standards and guidelines;
• Perform research and conduct studies to determine the nature and extent of the vulnerabilities of sensitive systems;
• Devise techniques for the cost-effective security and privacy of sensitive information systems;
• Provide technical assistance to Federal agencies;
• Provide the staff services necessary to assist the Computer System Security and Privacy Advisory Board in carrying out its functions; and
• Assist the private sector, upon request, in using and applying the results of programs and activities.

Computer Security Act of 1987 and IT Management Reform Act of 1996, reinforced in OMB Circular A-130, App. III

Page 13: Cyber Security Activities at The

Computer Security Division Mission

To improve information systems security by:

• raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;
• researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
• developing standards, metrics, tests and validation programs to promote, measure, and validate security in systems and services; to educate consumers; and to establish minimum security requirements for Federal systems; and
• developing guidance to increase secure IT planning, implementation, management and operation.

Page 14: Cyber Security Activities at The

Key Themes

• Security is important to the sound and efficient functioning of the economy and government;
• Agencies, OMB and Congress have high expectations of NIST regarding our Federal role;
  – Reflected in bills such as H.R. 1259, H.R. 3394 and H.R. 3316;
• Security of commercial products in the marketplace is inadequate
  – Standards help: NIST's role in helping to develop specifications (to drive the market) helps our customers, both Federal and industry users, know what to specify; Federal ones are used as procurement specs.
  – Testing helps: NIST's role in testing helps users know they are getting what they think they are buying; it also adds legitimacy to vendors' claims.
• Product evaluation (e.g., of operating systems) is difficult and time-consuming at best; it needs rigor and standardizable testing, a long-term challenge
• Longer-term challenge: security and composability

Page 15: Cyber Security Activities at The

Types of Deliverables

• Standards and Specifications
  – FIPS (e.g., AES)
  – Voluntary Industry Consensus Standards
  – Ad hoc specifications
• Guidelines
  – ITL Bulletins
  – Special Publications
  – NIST Recommendations
• Testing programs/services
  – CMVP
  – NIAP
  – IPsec
  – PKI
• Security Outreach / Awareness / Leadership
  – Forum
  – CSSPAB
  – ICCC
  – CIO Security Committee
  – CC MRA
  – CSRC
  – Press articles
  – ITL Bulletins
  – FPKI TWG
• Research
  – Mobile Agents
  – Intrusion detection
  – Security administration
  – Testing methods

Page 16: Cyber Security Activities at The

Customers/Constituents: Categories / Examples

• Federal Community
  – OMB
  – Treasury
  – Federal PKI Steering Committee
  – FDIC
  – NSA
  – Federal Computer Security Program Managers' Forum
  – GSA
  – CIO Council & CIO Security Committee
  – HHS
• IT Industry Users / Consortia
  – Banking (ANSI X9)
  – Smart Card Consortia
  – Healthcare Open Systems and Trials (HOST)
  – Telecom Security Forum
  – Boeing
• IT Industry Producers / Consortia
  – Intel
  – IETF
  – PKI Forum
  – Microsoft
  – RSA
  – Counterpane Systems
  – IBM
  – Motorola
  – Entrust
  – Certicom

Many, many organizations ask for our participation / assistance…

Page 17: Cyber Security Activities at The

Wide Community Engagement

• ANSI
• IETF
• Federal PKI Steering Committee
• ISO
• CIS
• USG-OECD
• Network Security Information Exchange
• Critical Infrastructure Groups
• IEEE
• Federal Computer Security Program Managers' Forum
• CIO Council Security Committee
• Federal Information Systems Security Educators Association
• CC Mutual Recognition Management Committee
• Committee for National Security Systems
• Executive Branch Information Systems Security
• CMVP Conference
• International Common Criteria Conference
• RSA Conference 2001/2002
• Key Management Workshop
• Information Assurance Technical Framework Forum
• Univ. of Tulsa Telecommunications Security Conference
• Federal Information Assurance Conference
• Regional Security Awareness Seminars
• Other Homeland Defense & CIP Committees

Wide engagement keeps us in touch with our customers and their needs.

Examples:

Page 18: Cyber Security Activities at The

Key Focus Areas of NIST’s Computer Security Program

• Cryptographic Standards and Applications
• Exploring New Security Technologies
• Management and Assistance
• Security Testing
• Outreach

Page 19: Cyber Security Activities at The

Cryptographic Standards and Applications

Work with industry and government to develop cryptographic-based standards

– Cryptographic Standards Toolkit
  • AES setting new baseline
  • Need for lightweight standards
– Public Key Infrastructure

Page 20: Cyber Security Activities at The

1. Cryptographic Standards and Applications

Projects
• Cryptographic Standards
  – Cryptographic Standards Toolkit
  – Advanced Encryption Standard (AES)
• Public Key Infrastructure & Applications
  – Industry and Federal Security Standards
  – PKI and Client Security Assurance
  – Promoting PKI Deployment

Goals
Establish secure cryptographic standards for storage and communications, and enable cryptographic security services in applications through the development of PKI, key management protocols and secure application standards.

Technical Areas
• Secure encryption, authentication, non-repudiation, key establishment, and random number generation algorithms
• PKI standards for protocols and formats
• PKI interoperability, assurance & scalability

Impacts
• Strong cryptography used in COTS IT products
• Standardized PKI & cryptography improves interoperability
• Availability of secure applications through crypto & PKI

Collaborators

Industry: ANSI X9, IETF PKIX, AES submitters, Baltimore Technologies, CertCo, Certicom, Cylink, Digital Signature Trust, RSA Labs, Entrust Technologies, E-Lock Technologies, Getronics, IBM, ID Certify, Mastercard, Microsoft, Motorola, Netscape, Spyrus, Network Associates, VeriSign, Verizon, Visa, World Talk

Federal: Department of Treasury, agencies participating in the Federal PKI Steering Committee and Bridge CA Project, FDIC, NSA

1/02

Page 21: Cyber Security Activities at The

Cryptographic Standards

Security Requirements for Cryptographic Modules: FIPS 140-2

Symmetric Algorithms
* DES (FIPS 46-3)
* 3DES (FIPS 46-3, ANSI X9.52)
* AES (FIPS 197)
• Modes of operation
  - DES (FIPS 81)
  - Recommendation for Block Cipher Modes of Operation (Encryption): Methods and Techniques (SP 800-38A)
• Message Authentication Code for Block Ciphers (SP 800-38B)

Asymmetric Algorithms
* Digital Signature Standard (FIPS 186-2): DSA (ANSI X9.30), RSA (ANSI X9.31), ECDSA (ANSI X9.62)
* Key Management
  - Diffie-Hellman (ANSI X9.42)
  - RSA (ANSI X9.44)
  - Elliptic Curves (ANSI X9.63)
  - Key wrapping

Secure Hash
* SHA-1 (FIPS 180-1)
* Expand to include SHA-256, SHA-384, SHA-512

Page 22: Cyber Security Activities at The

Advanced Encryption Standard (AES)

FY 2001
• Selected the Rijndael algorithm as the AES
• Developed draft AES FIPS & completed public comment
• Developed Draft AES Basic Modes of Operation
• Hold Modes Workshop (4Q)
• Issue NIST Recommendation on Basic Modes of Operation (4Q)

FY 2002
• Announced Secretary's approval of AES
• Complete AES validation tests and software
• Publish AES Validation Guideline; begin testing AES products
• Develop "Phase 2" AES Modes of Operation

Collaborators

Federal: National Security Agency (NSA)
Industry: Proton World International (Belgium), IBM, RSA Security & Counterpane Systems participated in AES finalists; many companies provided extensive comments and papers on the AES selection & spec.
Academia: Katholieke Univ. (Belgium), MIT, Technion, Cambridge Univ., & Univ. of Bergen faculty participated in finalist submissions; many others helped in analysis
Global: ISO JTC1/SC27

Goals
• Develop a new, royalty-free encryption standard that can be used by government and business to protect information for 30-50 years.

Technical Areas
• Clear specification of the AES algorithm and NIST's requirements for its implementation.
• Cryptographic test suite development for testing and validation of the conformance of AES implementations with the standard.

Impacts
• Secure e-commerce and data protection through highly secure encryption that keeps pace with rapid advances in technology.
• Validation that COTS products comply with the AES standard.
• Banking and international standards communities are looking to adopt the AES, which will promote its use outside of government.

Page 23: Cyber Security Activities at The

Cryptographic Standards Toolkit

FY 2001
• Prepared draft AES and HMAC FIPS and completed public reviews
• AES and HMAC FIPS approval by SoC (4Q)
• Public review of revised SHA with new algorithms (FIPS 180-2)
• Revision and public review of DSS (FIPS 186-3)
• Draft NIST basic AES Modes of Operation Recommendation (4Q)
• Modes Workshop (4Q)
• First draft of Key Management Schemes & Guidance documents (4Q)

FY 2002
• FIPS 180-2 and FIPS 186-3 approval by SoC
• Validation tests for: AES modes, DSA, SHA, HMAC, ANSI X9.42
• Key Management Workshop
• Complete Key Establishment Scheme & Guidance documents
• Develop phase 2 Modes of Operation recommendation
• Develop a Random Number Generation standard (ANSI X9.82)

Goals
• Improve information security and facilitate electronic commerce by developing and standardizing strong cryptographic algorithms
• Provide guidance for the use of cryptography

Technical Areas
• Secure cryptographic algorithms for encryption, authentication, non-repudiation, key establishment, and random number generation.

Impacts
• Worldwide government and industry use of strong cryptography
• Guidance and education available in the use of cryptography
• Secure interoperability achieved through standard algorithms
• Secure electronic commerce enabled through cryptography

Collaborators

Industry: ANSI X9, RSA Security, CertCo, Certicom, Chase Manhattan Bank, CyberSafe, CygnaCom, Deloitte & Touche Security Services, IBM, Entrust, BBN, Booz-Allen, Ernst & Young, First Data Corp., First Union Corp., IDA, KPMG, Motorola, Gemplus, Jones Futurex, Mastercard, Merrill Lynch, GTE CyberTrust, Pitney Bowes, PNC Bank, PricewaterhouseCoopers, TecSec, Spyrus, Verifone, VeriSign, Visa, Xcert, AES submitters and commenters

Federal: NSA, BXA, Federal Reserve, CSE, Treasury

First impact: Near-Term (Immediate to 2 years)
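The HMAC FIPS and the SHA-256/384/512 expansion on the two preceding slides are easy to get subtly wrong in one place: the key has to be brought to exactly one hash input block (hashed first if longer, then zero-padded) before the inner and outer pads are applied. The following is an added example, not NIST's code and not part of the original presentation. It implements the HMAC construction directly on top of Python's hashlib, checks it against the one published vector quoted in the comment (RFC 4231 test case 1) and against the standard library for the other SHA-2 sizes, in the style of the known-answer validation tests the toolkit slide mentions. All vectors other than the RFC one are constructed here.

```python
import hashlib
import hmac  # stdlib reference, used only to cross-check the hand-rolled construction


def hmac_fips198(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC as specified in FIPS 198 / RFC 2104:
         HMAC(K, text) = H((K0 xor opad) || H((K0 xor ipad) || text))
    where K0 is the key brought to exactly one hash input block of B bytes:
    keys longer than B are hashed first, then every key is zero-padded to B."""
    block_size = hashlib.new(hash_name).block_size  # B = 64 for SHA-256, 128 for SHA-384/512
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    k0 = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in k0)
    opad = bytes(b ^ 0x5C for b in k0)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Constant-time comparison: a plain == on the tag leaks, through timing,
    how many leading bytes of a forged tag were right."""
    return hmac.compare_digest(hmac_fips198(key, message, hash_name), tag)


# Published vector: RFC 4231 test case 1 (key = 20 bytes of 0x0b, text "Hi There").
RFC4231_CASE1 = (b"\x0b" * 20, b"Hi There",
                 "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")


def known_answer_tests() -> dict:
    """Run a small CAVP-style known-answer suite; returns {vector name: passed}.
    A validation run would require every entry to be True."""
    key, text, expected = RFC4231_CASE1
    results = {"rfc4231-sha256-case1": hmac_fips198(key, text).hex() == expected}
    # Constructed vectors (not published ones) exercising both key rules, short
    # and longer-than-block, across the SHA-2 sizes the toolkit was expanding to.
    for hash_name in ("sha256", "sha384", "sha512"):
        for label, k in (("short-key", b"k" * 16), ("long-key", b"\xaa" * 200)):
            ours = hmac_fips198(k, b"The quick brown fox", hash_name)
            ref = hmac.new(k, b"The quick brown fox", hash_name).digest()
            results[f"{label}-{hash_name}"] = ours == ref
    return results


if __name__ == "__main__":
    for name, ok in known_answer_tests().items():
        print(f"{name:24s} {'PASS' if ok else 'FAIL'}")
    print("verify:", verify_tag(b"\x0b" * 20, b"Hi There", bytes.fromhex(RFC4231_CASE1[2])))
```

Note that the 200-byte key vector is the one that catches the common bug of padding a long key instead of hashing it: such an implementation still agrees with the standard library on every short-key vector.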

Page 24: Cyber Security Activities at The

Promoting PKI Deployment

FY 2002
• Federal PKI Technical Working Group
  - Federal Bridge CA cross certifications
  - FBCA Certificate, CRL, and Directory Profiles
• PKI Policy Development Tools
  - Generic Certificate Policies
  - Certification Practice Statement templates
• Federal PKI Guidance Document (1Q)
• PKI directory guidance document
• High-Level PKI Services API Draft
• Federal Deposit Insurance Corporation PKI Deployment (OG)
• Army Corps of Engineers PKI consultation
• Treasury FMS PKI application development

Collaborators

Federal: Federal PKI Policy Authority, Federal PKI Steering Committee, General Services Administration, General Accounting Office, National Security Agency, FDIC, Treasury FMS, Army Corps of Engineers, Office of Management and Budget
Academia: EduCause (1,800 universities, colleges, and educational institutions)
State: Illinois, Washington

Goals
• Promote development of an interoperable PKI to support security services for Internet systems and applications.
• Establish baseline PKI security policies and procedures.
• Assist federal agencies in the deployment of PKI infrastructure and applications through guidance and consultation.

Technical Areas
• Bridge certification authorities
• Certificate Policies (CP) and Certification Practice Statements (CPS)
• Certification and accreditation of CAs
• X.500 and LDAP directory servers

Impacts
• Federal Bridge CA links agency PKIs to form a federal PKI and promotes development of private sector bridge CAs
• Accelerate federal agency PKI deployment
• Chained US Federal X.500 directories
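What the Federal Bridge CA buys a relying party is a certification path from its own agency's trust anchor, through the bridge's cross-certificates, to another agency's end entities, with policy mappings translating each domain's assurance levels along the way. The following is an added illustration, not code from NIST or the FBCA project: a toy path builder and a deliberately simplified version of RFC 3280 certificate-policy processing over a constructed set of cross-certificates. Agency names, policy identifiers and the graph itself are made up for the example; real path validation also checks signatures, validity periods, name constraints and revocation, none of which is modelled here.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """The parts of an X.509 certificate that matter for bridge path building:
    who issued it, whom it names, the certificatePolicies it asserts (in the
    issuer's policy domain) and any policyMappings it carries, each a pair
    (issuerDomainPolicy, subjectDomainPolicy)."""
    issuer: str
    subject: str
    policies: frozenset
    mappings: Tuple[Tuple[str, str], ...] = ()


def build_path(certs: List[Cert], trust_anchor: str, target: str) -> Optional[List[Cert]]:
    """Breadth-first search from the relying party's trust anchor to the target
    name, following issuer -> subject edges.  Returns the shortest path or None.
    The visited set is what keeps the A <-> FBCA cross-certificate pair from looping."""
    by_issuer: Dict[str, List[Cert]] = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)
    queue = deque([(trust_anchor, [])])
    visited = {trust_anchor}
    while queue:
        name, path = queue.popleft()
        for c in by_issuer.get(name, []):
            if c.subject == target:
                return path + [c]
            if c.subject not in visited:
                visited.add(c.subject)
                queue.append((c.subject, path + [c]))
    return None


def policies_at_end(path: List[Cert], required: str) -> Set[str]:
    """Simplified policy processing: carry the relying party's required policy
    down the path, keeping only what each certificate asserts and translating it
    through that certificate's policyMappings.  An empty result means the path
    chains correctly but does not reach the required assurance level."""
    valid = {required}
    for c in path:
        asserted = valid & set(c.policies)
        if not asserted:
            return set()
        mapping = dict(c.mappings)
        valid = {mapping.get(p, p) for p in asserted}
    return valid


def validate(certs: List[Cert], trust_anchor: str, target: str, required: str):
    """Returns (path length, policies valid at the end entity); (None, set()) if no path."""
    path = build_path(certs, trust_anchor, target)
    if path is None:
        return None, set()
    return len(path), policies_at_end(path, required)


# Constructed graph (illustrative names and policy identifiers, not real FBCA OIDs).
CONSTRUCTED_CERTS = [
    # Agency A (the relying party's domain) cross-certifies the bridge at medium assurance...
    Cert("Agency A Root", "FBCA", frozenset({"A-medium"}), (("A-medium", "FBCA-medium"),)),
    # ...and the bridge cross-certifies A back (the reverse half of the pair).
    Cert("FBCA", "Agency A Root", frozenset({"FBCA-medium"}), (("FBCA-medium", "A-medium"),)),
    # Bridge to Agency B at medium assurance, then B's internal hierarchy.
    Cert("FBCA", "Agency B Root", frozenset({"FBCA-medium"}), (("FBCA-medium", "B-medium"),)),
    Cert("Agency B Root", "Agency B Issuing CA", frozenset({"B-medium"})),
    Cert("Agency B Issuing CA", "alice@agency-b.example", frozenset({"B-medium"})),
    # Bridge to Agency C only at basic assurance.
    Cert("FBCA", "Agency C Root", frozenset({"FBCA-basic"}), (("FBCA-basic", "C-basic"),)),
    Cert("Agency C Root", "carol@agency-c.example", frozenset({"C-basic"})),
]

if __name__ == "__main__":
    for who in ("alice@agency-b.example", "carol@agency-c.example"):
        print(who, validate(CONSTRUCTED_CERTS, "Agency A Root", who, "A-medium"))
```

Carol's path is found (three certificates through the bridge) but ends with no valid policy, because Agency C was only cross-certified at basic assurance; a relying party in A that requires medium assurance must reject it even though every signature would verify. That distinction, chaining versus policy, is the reason the slide lists Certificate Policies and CPSs as a technical area alongside the bridge itself.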

Page 25: Cyber Security Activities at The

Exploring New Security Technologies

• Identify and use emerging technologies, especially infrastructure niches

• Develop models, reference implementations, and demonstrations

• Transition new technology and tools to public & private sectors

• Advise Federal agencies to facilitate planning for secure use

Page 26: Cyber Security Activities at The

Emerging Technologies and Testing

Major Projects
• Access Control & Authorization Management
• ICAT Vulnerability/Patch Search Tool
• National Smart Card Infrastructure
• Intrusion Detection
• Mobile Agents
• Wireless/Device Security
• IPsec/web interface testing
• Quantum Computing Support
• CIP Grants
• Automated Testing

Goals
• Identify & exploit emerging technologies, especially infrastructure niches
• Develop prototypes, reference implementations, and demonstrations
• Transition new technology and tools to public & private sectors
• Develop the tests, tools, profiles, methods, and implementations for timely, cost-effective evaluation and testing

Technical Areas
• Authorization Management, Access Control, System Management
• Vulnerability Analysis, Intrusion Detection, Attack Signatures
• Mobile Code, Agents, Aglets, Java, PDAs, Wireless, Telecomm/IP
• Models, Cost-models, Prototyping, Reference Implementations
• Automated Testing, Security Specification

Impacts
• Better, cheaper and more intuitive methods of authorization management
• Creating internal competence in emerging technologies (e.g., mobile code)
• Developed world-class vulnerability search engine
• IPsec/web interface testing widely used & referenced
• Significant support & funding, especially in RBAC and Wireless Device Security

Collaborators

Industry: IBM, Microsoft, SUN, Boeing, Intel, GTE, VDG, SCC, Sybase, SAIC, Lincoln Labs, Lucent, Trident, ISS, Symantec, MIT, 3Com, Interlink, Ford, BBN, CISCO, Checkpoint, MCI, Oracle, Mitre, Mitretek

Academic: University of Maryland, Ohio State, University of Tulsa, George Mason, Rutgers University, Univ of Pittsburgh, Purdue University, Univ of Washington

Federal: NSA, DoD, NRL, DARPA

Page 27: Cyber Security Activities at The

Technical Security Guidance

Technical Lead: Tim Grance

Goals
• Guide Federal agencies in using new technology
• Assist industry and small business
• Present recent findings in security research

Technical Areas
• Firewalls and Network Security
• Intrusion Detection
• Incident Handling
• Security Testing
• Web and downloadable content security

Impacts
• ITL Security Bulletins extremely popular and widely read
• Agencies rely on technical guidance from NIST
• NIST publications frequently cited and reused in industry literature

Proposed Collaborators

Industry: MIS Training Institute, Booz Allen Hamilton, Microsoft, I4
Federal: NIST, NSA, OMB, GSA
Academic: University of Maryland, Purdue University

Milestones

FY 2001
• Intrusion Detection
• Active Content & Mobile Code
• Firewall Policy
• Network Security Testing & Incident Handling
• Telecommuting/Broadband Security
• PKI
• IT Security Engineering Principles & IT Security Models

FY 2002
• Public Web Server & E-Mail Server
• Wireless & Device Security
• Microsoft Windows 2000 Security Guidance
• Smart Card guidance and Security Patches
• Interconnecting Systems and Contingency Planning
• Procurement of products/services

Page 28: Cyber Security Activities at The

ICAT Metabase

A standards-based searchable index of virtually all known computer vulnerabilities

Technical Lead: Peter Mell
http://icat.nist.gov

Goals
Provide the IT community a fine-grained searchable index of all known computer vulnerabilities using a standard naming scheme, linking users to publicly available vulnerability databases.

Technical Areas
• Developing classification schemes for vulnerabilities
• Collecting and evaluating vulnerability information
• Measuring the characteristics of vulnerabilities

Impacts
• ICAT enables system administrators to identify flawed systems and to find the patches
• Provides the security community with a free standards-based index of all vulnerabilities
• Complementary and non-competitive with industry
• ICAT has received praise in over 12 news articles

Collaborators

Educational: SANS Institute (sponsor)
Military: NSA, DISA
Academia: Purdue/CERIAS
Industry: TrustWave, SecuritySaint.com, CyberCopsEurope.com, IpNSA, Securityinfos.com, Hideaway.net, VISC Software and Security, SOC GmbH

Milestones

FY 2001
• ICAT web hits have increased by a factor of 17 in one year
• Analyzed over 2000 vulnerabilities for ICAT
• Started a vulnerability mailing list that now has 1600 subscribers
• Integrated ICAT into the SANS/FBI top 20 vulnerability list
• Helped mirror ICAT on the NSA network
• Enable organizations to integrate their products into ICAT
• Began offering an off-line version of ICAT
• Vulnerability notification system developed by Purdue
• Provided top ten vulnerability service
• Joined the CVE vulnerability standard's editorial board

FY 2002
• Analyze over 1000 vulnerabilities
• Transition ICAT into being a more timely vulnerability service

Awarded Commerce Department Bronze Medal
Averaging 50,000 hits per month
Over 100,000 hits in November 2001

"Your dedication to making ICAT into one of the premier databases is admirable" (Internet Security Systems)

Page 29: Cyber Security Activities at The

IPsec Project
Technical Lead: Sheila Frankel

Collaborators

Federal: NIST Internetworking Division, NSA

NIST IPsec product users, Industry: Bay Networks, BBN, Cabletron, Cisco, Compaq, CyberGuard, Digital, Frontiertech, Gartner Group, GTE Internetworking, Hewlett Packard, IBM, Intel, Interlink, Lucent Technologies, MCI, MIT, Microsoft, Routerware, SAIC, S-Cubed, Secure Computing, Spyrus, SUN, TIS, 3Com and many others

Government: GSA, NRL, Oak Ridge National Labs and others

Goals
Work with world-wide industry leaders to promote the development of IP security standards, technology, and tests. This will ensure early, reliable and interoperable deployment of IPsec, the technology that is used to build VPNs and to protect the next generation Internet infrastructure and applications.

Technical Areas
• International standardization of Internet security protocols
• WWW-based interoperability testing
• Reference implementations of next generation network and security technology

Impacts
• Developed reference implementation of the IETF IPsec and IKE standards, used for education, experimentation and testing
• Web-based IPsec interoperability test facility: http://ipsec-wit.antd.nist.gov
• Over 250 organizations have used NIST's interoperability tester
• Over 650 organizations have requested NIST's IPsec reference implementation

Milestones

FY 2001
• Added dynamic certificate request and transmission capability to PlutoPlus
• Updated AES Internet Draft to reflect AES selection
• Wrote Internet Drafts on the use of SHA-256 and AES-XCBC-MAC with IPsec and IKE
• Wrote NIST Security Bulletin on IPsec status, issues and security
• Incorporated AES algorithm (& other finalists) into PlutoPlus
• Published book, "Demystifying the IPsec Puzzle"
• Presented invited talks and tutorial on IPsec

FY 2002
• Add PKI interaction to IPsec-WIT
• Implement version 2 of IKE
• Add IKE version 2 to IPsec-WIT
• Publish guidance on the use of PKI within IPsec and IKE

[Figure: Applications of IPsec Technology. Threats addressed: easy denial-of-service attacks, unauthorized access to private data, malicious sniffers. Protection topologies across the Internet: router-to-router, host-to-host, router-to-host. IPsec services: confidentiality, data integrity, authentication, replay protection.]
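Replay protection, one of the IPsec services in the figure above, is implemented by the receiver as a sliding window over ESP/AH sequence numbers (RFC 2401 Appendix C, carried into RFC 4303). The example below is added here and is not NIST's PlutoPlus or IPsec-WIT code: it implements the window and then shows the processing order that matters in practice, namely that a packet whose integrity check fails must not move the window, otherwise anyone on the path can push legitimate traffic out of it by spraying forged packets with high sequence numbers. The packet layout (4-byte sequence number, payload, 96-bit truncated HMAC-SHA-256) and the sample packets are constructed for the example and are not the ESP wire format.

```python
import hashlib
import hmac
import struct


class AntiReplayWindow:
    """Receiver-side sliding window for one inbound ESP/AH security association
    (RFC 2401 Appendix C; RFC 4303 section 3.4.3).

    self.last is the highest sequence number authenticated so far.  Bit k of
    self.bitmap records whether sequence number (self.last - k) has been seen,
    so bit 0 is self.last itself and the window covers (self.last - size, self.last].
    """

    def __init__(self, size: int = 64):
        self.size = size                 # RFC 4303: at least 32, 64 recommended
        self.mask = (1 << size) - 1
        self.last = 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Read-only test: True if seq is to the right of the window, or inside
        it and not yet seen.  Sequence number 0 is never valid; the first packet
        on an SA carries 1."""
        if seq == 0:
            return False
        if seq > self.last:
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False                 # left of the window: too old
        return not (self.bitmap >> diff) & 1

    def update(self, seq: int) -> None:
        """Record seq as received.  Only call after the ICV has verified."""
        if seq > self.last:
            shift = seq - self.last
            # Slide the window right; a jump past the whole window drops all history.
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask if shift < self.size else 1
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)

    def check_and_update(self, seq: int) -> bool:
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok


ICV_LEN = 12  # 96-bit truncated MAC, as in the HMAC-*-96 integrity transforms


def build_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Constructed packet layout for this example: seq (4 bytes) || payload || ICV."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def receive(window: AntiReplayWindow, key: bytes, packet: bytes) -> str:
    """Inbound order from RFC 4303: replay check, then ICV, then window update."""
    if len(packet) < 4 + ICV_LEN:
        return "malformed"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    seq = struct.unpack(">I", body[:4])[0]
    if not window.check(seq):            # cheap reject before any crypto
        return "replay"
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "bad-icv"                 # window deliberately left untouched
    window.update(seq)
    return "ok"


def demo() -> list:
    """Constructed stream: in order, reordered, a replay, a forged packet with a
    bad ICV under an attacker's key, then a legitimate packet that must still pass."""
    key = b"\x11" * 32
    w = AntiReplayWindow()
    stream = [build_packet(key, 1, b"a"), build_packet(key, 3, b"c"),
              build_packet(key, 2, b"b"), build_packet(key, 2, b"b"),
              build_packet(b"attacker", 1000, b"forged"), build_packet(key, 4, b"d")]
    return [receive(w, key, p) for p in stream]


if __name__ == "__main__":
    print(demo())  # ['ok', 'ok', 'ok', 'replay', 'bad-icv', 'ok']
```

Had `receive` updated the window before verifying the ICV, the forged packet with sequence number 1000 would have slid the window past 4, and the genuine packet that follows would have been dropped as "too old" even though it was never seen.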

Page 30: Cyber Security Activities at The

Government Smart Card Program

Technical Lead: Jim Dray

Goal
Create a ubiquitous smart card infrastructure to foster widespread use of smart card technology, improving the security of information systems within the U.S.

Technical Areas
• Develop technical guidance required by Federal contracting vehicles for procurement of standard smart card products
• In conjunction with the Government and vendor communities, develop interoperability specifications and standards
• Develop reference implementations, prototype conformance test suites, security testing criteria, and architectural models

Impacts
• Increased overall security of U.S. information systems
• Reduced cost of smart card system integration
• Simplification of user access control processes
• Enable development of consistent conformance test methodologies for smart card products and systems

Milestones

FY 2001
• NIST designated lead agency for GSC conformance test development
• Establish GSC testbed at NIST
• Develop GSC Interoperability Conformance Test Program
• Develop GSC automated test suite

FY 2002
• NIST publications on smart card technology and GSC interoperability framework
• Java smart card collaboration (prototype implementation)
• Establish a smart card security test program; coalesce with Common Criteria methodology
• International standards coordination
• GSC developer workshops and implementation guidance
• Identify and execute relevant R&D projects to promote smart card interoperability and standards

Collaborators

Industry: EDS, Northrop Grumman, MAXIMUS, KPMG, eEurope, British Telecom, W3C, RSA Labs, Australian National Office of the Information Economy
Federal: NIST, GSA, DoD, State Dept, USPS, SSA, VA, IRS, DoJ, DoT

Page 31: Cyber Security Activities at The

Assistance and Guidance / Outreach

• Assist U.S. Government agencies and other users with technical security and management issues
• Assist in development of security infrastructures
• Develop or point to cost-effective security guidance
• Assist agencies in using security technology guidance
• Support agencies on specific security projects on a cost-reimbursable basis
• Expanding use of recently-developed "NIST Recommendations" series to complement existing publication methods
• Raise awareness of our programs, value of evaluated products, and need for security

Page 32: Cyber Security Activities at The

3. Security Management and Guidance

Goals
• Provide computer security guidance to ensure sensitive government information technology systems and networks are sufficiently secure to meet the needs of government agencies and the general public
• Serve as focal point for Division outreach activities
• Facilitate exchange of security information among Federal government agencies

Technical Areas
• Computer security policy/management guidance
• Computer Security Expert Assist Team (CSEAT) security support to Federal agencies
• Outreach to government, industry, academia, citizens

Impacts
• Agencies use standard, interoperable solutions
• Increased federal agency computer security programs
• Reduced costs to agencies from reduction of duplication of efforts
• Use of "Best Security Practices" among federal agencies

Collaborators

Federal: All Federal Agencies, Federal Computer Security Program Managers' Forum, OMB, GSA, NSA, CIOs
Industry: Security Product Vendors
Academia: Major universities with computer security curricula

Major Projects
• Computer Security Expert Assist Team (CSEAT)
• Federal Computer Security Program Managers' Forum
• Computer System Security and Privacy Advisory Board (CSSPAB)
• Computer Security Resource Center (CSRC)
• Computer security conferences
• Risk management guidance
• Federal IT Security Self-Assessment Tool
• NIST Security Program Manager's Handbook
• Contingency Planning Guidance
• Small and Medium Businesses Outreach

Page 33: Cyber Security Activities at The

CSRC Redesigned 7/00

Page 34: Cyber Security Activities at The

Computer Security Expert Assist Team

FY 2001
• CSEAT methodology established
• Received multiple requests from agencies
• Review of FEMA completed (Q4)

FY 2002
• First high-risk program review of Indian Trust Management initiated
• Methodology provided on web site
• Initiate cost-reimbursable model if funding for administrative costs received
• Develop sanitized case studies
• Initiate development of CSEAT review methodology guideline

Collaborators

Federal: All Federal Agencies, OMB

Goals
• Increase Federal agency IT security
• Help protect against economic loss or injury due to disruption of critical Federal systems/services
• Improve Federal agency Critical Infrastructure Protection (CIP) planning and implementation efforts

Technical Areas
• Security assistance for the computer security well-being of federal agencies
• Security assistance to high-risk federal computer security programs
• Development of computer security lessons learned
• Computer security risks and vulnerabilities

Impacts
• Lessons learned available to the federal IT security community
• Agencies understand how to maintain computer system security
• Agencies plan and budget appropriately for computer security
• New guidance development efforts directed at identified need areas
• Improved Federal IT security

Page 35: Cyber Security Activities at The

Small and Medium Sized Business Regional Security Meetings

FY 2001
• Plan for conducting regional meetings completed (Q4)
• Meeting educational material developed (Q4)

FY 2002
• First 2 regional meetings conducted
• Third regional meeting scheduled for February
• Build community of small business owners, IT professionals, and researchers
• Generate a plan to provide web-based IT security information in areas of specific importance to small businesses

FY 2003
• Continue conducting regional meetings
• Train local trainers, members of local chapters of industrial associations, or other small business resources

Collaborators

Federal: Small Business Administration; National Infrastructure Protection Center (InfraGard Program); Manufacturing Extension Partnership
Industry: Security product vendors; regional business consortia; selected business partners

Goals
• Inform small businesses (< 500 employees) of useful security mechanisms
• Provide computer security training that is practical and cost-effective
• Help small businesses become more educated consumers
• Form NIST-SBA-InfraGard Resource Group, connecting small business owners to local IS resources

Technical Areas
• Small business viable computer security solutions
• Low-cost computer security methodologies
• Computer security training for the novice
• Business-relevant computer security tools

Impacts
• Improved small and medium sized business security
• Small and medium sized businesses become more aware of information security

Page 36: Cyber Security Activities at The

Security Testing

• Develop the tests, tools, profiles, methods, and implementations for timely, cost effective evaluation and testing

• Raising user confidence
• Lead conformance and evaluation programs
• Supporting security testing industry

Page 37: Cyber Security Activities at The

4. Security Testing and Metrics

Major Projects
• Cryptographic Security Testing
• Cryptographic Module Validation Program
• National Information Assurance Partnership
• Common Criteria Evaluation and Validation Program
• International Recognition Arrangements
• Laboratory Accreditation
• Automated Security Testing and Test Suite Development
• Assessment program for system certifications
• Protection profile development effort with government/industry
• Industry Forums
• Testing, Education, Outreach Programs, Conferences and Workshops

Collaborators

Federal: NVLAP, State Dept., DoC, DoD, GSA, NASA, NIST, NSA, DoE, OMB

Industry: American National Standards Institute (ANSI), InfoGard Laboratories Inc., CygnaCom Solutions, DOMUS IT Security Laboratory, COACT, Inc. CAFÉ Lab, Atlan Laboratories, EWA, CORSEC Security Inc., Oracle, CISCO, Hewlett-Packard, Lucent, SAIC, Microsoft, Computer Sciences Corp., IBM, EDS, VISA, MasterCard, Amex, Checkpoint, Computer Assoc., RSA, Sun Microsystems, Network Assoc., Booz-Allen, Seculab Inc., Entrust, Silicon Graphics, Arca

Global: United Kingdom, France, Germany, Japan, Korea, Canada, Netherlands, Australia, Italy, Spain, New Zealand, Finland, Sweden, Norway, Greece, Israel, ECMA, JCB, Europay, Mondex

Goals
• Improve the security and quality of IT products
• Foster development of test methods, tools, techniques, assurance metrics, and security requirements
• Promote the development and use of tested and validated IT products
• Champion the development and use of national/international IT security standards

Technical Areas
• Provide Federal agencies, industry, and the public with a proven set of IT security testing methodologies and test metrics
• Promote joint work between NIST, the American National Standards Institute (ANSI) and the international standards community

Impacts
• Timely, cost-effective IT security testing
• Increased security in IT systems through availability of tested products
• Creates business opportunities for vendors of security products, testing laboratories, and security consultants

[Figure: the IT security testing cycle, from user security needs to standards and metrics, testing and evaluation, and product validation.]

Page 38

Cryptographic Module Validation Program

Collaborators

Federal: National Voluntary Laboratory Accreditation Program

Industry: American National Standards Institute (ANSI); InfoGard Laboratories Inc.; CygnaCom Solutions; DOMUS IT Security Laboratory, a Division of LGS; COACT, Inc. CAFÉ Lab; Atlan Laboratories; EWA-Canada LTD, IT Security Evaluation Facility; CORSEC Security Inc.

Global: Communication Security Establishment (CSE) of the Government of Canada

Goals

• Improve the security and quality of cryptographic products
• Provide U.S. and Canadian Federal agencies with a security metric to use in procuring cryptographic equipment
• Promote the use of tested and validated cryptographic algorithms, modules, and products

Technical Areas

• Development of Implementation Guidance, metrics and test methods
• Validation of test results
• Accreditation of testing laboratories
• Joint work between NIST, ANSI and international standards bodies

Impacts

• Provide Federal agencies with confidence that a validated cryptographic product meets a claimed level of security
• Supply a documented methodology for conformance testing
• Create business opportunities for vendors of cryptographic products, testing laboratories, and security consultants

FY 2001

• Finalized FIPS 140-2: Security Requirements for Cryptographic Modules
• Implemented Cost Recovery Plan as of February 15, 2001
• Developed FIPS 140-2 Derived Test Requirements and Automated Tool (Q4)
• Validated 45 crypto modules and 46 crypto algorithm implementations
• Coordinated ANSI X9.42-2001: Key Agreements Using Diffie-Hellman and MQV
• Finalized SD-012 Guideline for Validating Implementations Conforming to ANSI Standards
• Completed Cryptographic Module Reference Implementation (Q4)

FY 2002

• Revise Cryptographic Module Testing (CMT) laboratory accreditation process, NVLAP Handbook 150-17
• Accredit 2-3 additional CMT Laboratories, including international
• Expand the agreement with CSE to include additional countries
• Conduct second Cryptographic Module Validation Program Workshop/Conference
• Develop Validation Test Suites for new algorithms/protocols

1/02

Page 39

National Information Assurance Partnership

Building More Secure Systems for the New Millennium (sm)

Goals

• Promote the development and use of evaluated and validated IT products
• Champion the development and use of national/international IT security standards
• Develop state-of-the-art test methods, tools, techniques and assurance metrics
• Support a framework for international recognition of testing results
• Foster development of IT security requirements in key technology areas

Technical Areas

• Development of implementation guidance, requirements, metrics and test methods
• Validation of test results and accreditation of testing laboratories
• Joint work among NIST, NSA and international partners

Impacts

• More timely, cost-effective IT security evaluations with greater consistency
• Less duplication of security testing globally
• New test methods for specific information technologies
• Increased security in IT systems and networks through greater availability of evaluated and validated products
• Greater availability of common security requirements and specifications for key technologies and sectors

Collaborators

Federal: State Dept., DoC, DoD, GSA, NIST, NSA, DoE, OMB

Industry: Oracle, CISCO, Hewlett-Packard, Lucent, SAIC, Microsoft, Computer Sciences Corp., Cygnacom, Arca, IBM, EDS, VISA, MasterCard, Amex, Checkpoint, Computer Assoc., RSA, Sun Microsystems, Network Assoc., Booz-Allen, Seculab, Entrust, Silicon Graphics, COACT

Global: United Kingdom, France, Germany, Japan, Korea, Canada, The Netherlands, Australia, Italy, Spain, New Zealand, Finland, Sweden, Norway, Greece, Israel, Russia, ECMA, JCB, Europay, Mondex

Forums: Healthcare, Information Assurance, Process Control, Smart Card, Insurance

FY 2001

• Accredited 5 Common Criteria (CC) Testing Laboratories
• Expanded CC Recognition Arrangement to 14 nations, adding Israel
• Hosted national-level Government-Industry IT Security Forum
• Conducted international IT security outreach training for Japan and Israel
• Developed comprehensive operations manual for CC Recognition Arrangement
• Completed smart card protection profile and corresponding evaluation
• Initiated new security requirements forum for process control systems
• Validated 4 security products and 4 protection profiles

FY 2002

• Accredit 1-2 additional CC Testing Laboratories
• Expand CC Recognition Arrangement by 1-2 nations
• Develop technology-based lab accreditation program with smart card prototype
• Initiate cooperative protection profile development effort with government/industry
• Develop guidance, procedures and assessment program for system certifications
• Enhance outreach program and activities

1/02

Page 40

Common Criteria

What the standard is –

• Common structure and language for expressing product/system IT security and assurance requirements

How the standard is used –

• Develop protection profiles and security targets
• Evaluate products and systems against known and understood IT security requirements

Page 41

Defining IT Security Requirements for Federal Systems and Networks

International Standards-Based Common Criteria Protection Profiles

[Figure: matrix of Protection Profile families (PP-1, PP-2, PP-3, one per threat level) across the key technology areas: Operating Systems, Database Systems, PKI, Smart Cards, Biometrics Devices, Firewalls, Wireless, Web Apps & Browsers, Intrusion Detection Systems, Virtual Private Networks]

Page 42

Beyond IT product testing…

• Homeland Security/Cybersecurity needs demand attention beyond just security evaluation of IT products

• Complementing the current NIAP focus on product evaluation, NIST plans to use its unique position to focus on Federal system certifications by:

– Developing unified Federal procedures and guidelines for system certification (NIST Special Publication 800-37)

– Developing test methods traceable to 800-37 to ensure competent and consistent application of the certification procedures

– Developing a certification program with a network of NVLAP-accredited assessment organizations capable of conducting system and network certifications for Federal agencies (and also available for use by State/Local governments and the private sector).

Page 43

Organization

Computer Security Division: Ed Roback, Chief; Fran Nielsen, Deputy

• Security Technology Group: Bill Burr, Mgr.

• Systems and Network Security Group: Tim Grance, Mgr.

• Security Management and Guidance Group: Joan Hash, Mgr.

• Security Testing and Metrics Group: Ray Snouffer, Act. Mgr.

Page 44

Division Budget Trends

[Chart: division budget in $K on a 0 to 25,000 scale; series: CIP Grants, Other, STRS - base]

As of 12-01

FY-02 Other figure is as of 12/01.

Page 45

http://csrc.nist.gov

• http://csrc.nist.gov/cryptval - CMVP
• http://niap.nist.gov - NIAP
• http://csrc.nist.gov/pki - PKI
• http://icat.nist.gov - ICAT
• http://fasp.nist.gov - agency practices

Page 46

Summary & Conclusions

Impacts from NIST work:

• Improved security, availability, integrity, operation, and effectiveness of IT
• Enhanced IT security through wider availability of products that meet security standards
• Increased global market for U.S. IT products
• Achieved cost savings and security via public-private collaboration and information sharing

Multiple opportunities exist for collaboration:

• Cryptographic standards development
• Public Key Infrastructure
• Product security validation/evaluation
• Review of guidance
• Visiting “guest researchships” at NIST
• Cooperative research

Page 47

Further Information

• NIST Computer Security Resource Center

– http://csrc.nist.gov

• Points of Contact

– General and Guest Researchships: Ed Roback, [email protected]

– Cryptographic standards & PKI: Bill Burr, [email protected]

– Security Testing: Ray Snouffer, [email protected]

– Cryptographic Module Validation Program: Anabelle Lee, [email protected]

– National Information Assurance Partnership: Ron Ross, [email protected]

– Security Research: Tim Grance, [email protected]

– Security Management: Joan Hash, [email protected]

Page 48

Questions?

Page 49

Contact Information

[email protected]

301/975-3669