Cyber Security Activities at the National Institute of Standards &
Technology (NIST)
Fran Nielsen, Deputy Chief
Computer Security Division (CSD)
Information Technology Lab/NIST
Presentation Outline
• The Need for Cyber Security
• About NIST and ITL
• CSD Mission and Responsibilities
• Key Themes
• Types of Deliverables and Products
• Major Areas of Work
• Example Activities
The Need
• More dependence on information technology
• More complex systems and more reliance on internetworking
• Increased frequency of computer security incidents
• September 11
National Institute of Standards and Technology
NIST strengthens the U.S. economy and improves the quality of life by working with industry to develop and apply technology, measurements, and standards.
NIST Assets Include:
National measurement standards: NIST Laboratories.
1,500 technical staff.
1,600 guest researchers.
$430 million FY 2001 Laboratory budget.
$83 million in measurement and research contracts to about 20 other agencies.
Unique measurement facilities.
Other programs: Advanced Technology Program, Manufacturing Extension Partnership, Baldrige National Quality Program.
ITL Organization and Program
Divisions and division chiefs:
• Math: Ron Boisvert
• Networking: David Su (Acting)
• Computer Security: Ed Roback
• Information Access: Marty Herman
• Convergent Information Systems: Victor McCrary
• Information Services: Ray Hoffmann
• Software Testing: Mark Skall
• Statistics: Nell Sedransk
ITL Organization
• Director: William Mehuron
• Deputy Director: Susan Zevin
• Assistant Director for Boulder: Cathy Nicoletti, Acting
• Computing Security Operations: Rob Glenn
• Laboratory Staff: Kamie Roberts
• Senior Management Advisor: Kendra Cole
• CIO Office: Bruce Rosen
Computer Security Division
NIST Mandate for IT Security
• Develop standards and guidelines for the Federal government for sensitive (unclassified) systems
• Contribute to improving the security of commercial IT products and strengthening the security of users’ systems and infrastructures
Key Statutory Responsibilities
• Develop technical, management, physical and administrative cost-effective standards and guidelines for federal computer systems;
• Develop validation procedures for, and evaluate the effectiveness of, standards and guidelines;
• Perform research and conduct studies to determine the nature and extent of the vulnerabilities of sensitive systems;
• Devise techniques for the cost-effective security and privacy of sensitive information systems;
• Provide the staff services necessary to assist the Computer System Security and Privacy Advisory Board in carrying out its functions;
• Provide technical assistance to Federal agencies; and
• Assist the private sector, upon request, in using and applying the results of programs and activities.
Sources: Computer Security Act of 1987 and IT Management Reform Act of 1996, reinforced in OMB Circular A-130, App. III
Computer Security Division Mission
To improve information systems security by:
• raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;
• researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
• developing standards, metrics, tests and validation programs:
– to promote, measure, and validate security in systems and services;
– to educate consumers; and
– to establish minimum security requirements for Federal systems; and
• developing guidance to increase secure IT planning, implementation, management and operation.
Key Themes
• Security is important to the sound and efficient functioning of the economy and government;
• Agencies / OMB / Congress have high expectations of NIST regarding our Federal role;
– Reflected in bills such as HR 1259, HR 3394 and HR 3316;
• Security of commercial products in the marketplace is inadequate
– Standards help: NIST's role in helping to develop specifications (to drive the market) helps our customers; both Federal and industry users know what to specify, and Federal users apply the specifications in procurement.
– Testing helps: NIST's role in testing helps users know they are getting what they think they are buying; it also adds legitimacy to vendors' claims.
• Product evaluation (e.g., of operating systems) is difficult and time consuming at best; it needs rigor and standardizable testing, a long-term challenge
• Longer-term challenge: security and composability
Types of Deliverables
• Standards and Specifications
– FIPS (e.g., AES)
– Voluntary Industry Consensus Standards
– Ad hoc specifications
• Guidelines
– ITL Bulletins
– Special Publications
– NIST Recommendations
• Testing programs/services
– CMVP
– NIAP
– IPSec
– PKI
• Security Outreach / Awareness / Leadership
– Forum
– CSSPAB
– ICCC
– CIO Security Committee
– CC MRA
– CSRC
– Press articles
– ITL Bulletins
– FPKI TWG
• Research
– Mobile Agents
– Intrusion detection
– Security administration
– Testing methods
Customers/Constituents: Categories / Examples
• Federal Community
– OMB
– Treasury
– Federal PKI Steering Committee
– FDIC
– NSA
– Federal Computer Security Program Managers' Forum
– GSA
– CIO Council & CIO Security Committee
– HHS
• IT Industry Users / Consortia
– Banking (ANSI X9)
– Smart Card Consortia
– Healthcare Open Systems and Trials (HOST)
– Telecom Security Forum
– Boeing
• IT Industry Producers / Consortia
– Intel
– IETF
– PKI Forum
– Microsoft
– RSA
– Counterpane Systems
– IBM
– Motorola
– Entrust
– Certicom
Many, many organizations ask for our participation / assistance…
Wide Community Engagement
• ANSI
• IETF
• Federal PKI Steering Committee
• ISO
• CIS
• USG-OECD
• Network Security Information Exchange
• Critical Infrastructure Groups
• IEEE
• Federal Computer Security Program Managers' Forum
• CIO Council Security Committee
• Federal Information Systems Security Educators Association
• CC Mutual Recognition Management Committee
• Committee for National Security Systems
• Executive Branch Information Systems Security
• CMVP Conference
• International Common Criteria Conference
• RSA Conference 2001/2002
• Key Management Workshop
• Information Assurance Technical Framework Forum
• Univ. of Tulsa Telecommunications Security Conference
• Federal Information Assurance Conference
• Regional Security Awareness Seminars
• Other Homeland Defense & CIP Committees
Wide engagement keeps us in touch with our customers and their needs.
Examples: Key Focus Areas of NIST's Computer Security Program
• Cryptographic Standards and Applications
• Exploring New Security Technologies
• Management and Assistance
• Security Testing
• Outreach
Cryptographic Standards and Applications
• Work with industry and government to develop cryptographic-based standards
– Cryptographic Standards Toolkit: AES setting a new baseline; need for lightweight standards
– Public Key Infrastructure
1. Cryptographic Standards and Applications
Projects
• Cryptographic Standards
– Cryptographic Standards Toolkit
– Advanced Encryption Standard (AES)
• Public Key Infrastructure & Applications
– Industry and Federal Security Standards
– PKI and Client Security Assurance
– Promoting PKI Deployment
Goals
• Establish secure cryptographic standards for storage and communications, and enable cryptographic security services in applications, through the development of PKI, key management protocols and secure application standards
Technical Areas
• Secure encryption, authentication, non-repudiation, key establishment, and random number generation algorithms
• PKI standards for protocols and formats
• PKI interoperability, assurance and scalability
Impacts
• Strong cryptography used in COTS IT products
• Standardized PKI and cryptography improve interoperability
• Availability of secure applications through crypto and PKI
Collaborators
Industry: ANSI X9, IETF PKIX, AES submitters, Baltimore Technologies, CertCo, Certicom, Cylink, Digital Signature Trust, RSA Labs, Entrust Technologies, E-Lock Technologies, Getronics, IBM, ID Certify, Mastercard, Microsoft, Motorola, Netscape, Spyrus, Network Associates, VeriSign, Verizon, Visa, World Talk
Federal: Department of Treasury, agencies participating in the Federal PKI Steering Committee and Bridge CA Project, FDIC, NSA
1/02
Cryptographic Standards
• Security Requirements for Cryptographic Modules: FIPS 140-2
• Symmetric algorithms
– DES (FIPS 46-3)
– 3DES (FIPS 46-3, ANSI X9.52)
– AES (FIPS 197)
• Modes of operation
– DES modes (FIPS 81)
– Recommendation for Block Cipher Modes of Operation (Encryption): Methods and Techniques (SP 800-38A)
– Message Authentication Code for Block Ciphers (SP 800-38B)
• Asymmetric algorithms
– Digital Signature Standard (FIPS 186-2): DSA (ANSI X9.30), RSA (ANSI X9.31), ECDSA (ANSI X9.62)
– Key management: Diffie-Hellman (ANSI X9.42), RSA (ANSI X9.44), Elliptic Curves (ANSI X9.63), key wrapping
• Secure hash
– SHA-1 (FIPS 180-1)
– Expand to include SHA-256, SHA-384 and SHA-512
Advanced Encryption Standard (AES)
FY 2001
• Selected the Rijndael algorithm as the AES
• Developed draft AES FIPS and completed public comment
• Developed draft AES Basic Modes of Operation
• Hold Modes Workshop (4Q)
• Issue NIST Recommendation on Basic Modes of Operation (4Q)
FY 2002
• Announced Secretary's approval of AES
• Complete AES validation tests and software
• Publish AES Validation Guideline; begin testing AES products
• Develop "Phase 2" AES Modes of Operation
Collaborators
Federal: National Security Agency (NSA)
Industry: Proton World International (Belgium), IBM, RSA Security and Counterpane Systems participated as AES finalists; many companies provided extensive comments and papers on the AES selection and specification
Academia: Katholieke Univ. (Belgium), MIT, Technion, Cambridge Univ., and Univ. of Bergen faculty participated in finalist submissions; many others helped in analysis
Global: ISO JTC1/SC27
Goals
• Develop a new, royalty-free encryption standard that can be used by government and business to protect information for 30-50 years.
Technical Areas
• Clear specification of the AES algorithm and NIST's requirements for its implementation.
• Cryptographic test suite development for testing and validation of the conformance of AES implementations with the standard.
Impacts
• Secure e-commerce and data protection through highly secure encryption that keeps pace with rapid advances in technology.
• Validation that COTS products comply with the AES standard.
• Banking and international standards communities are looking to adopt the AES, which will promote its use outside of government.
Cryptographic Standards Toolkit
FY 2001
• Prepared draft AES and HMAC FIPS and completed public reviews
• AES and HMAC FIPS approval by SoC (4Q)
• Public review of revised SHA with new algorithms (FIPS 180-2)
• Revision and public review of DSS (FIPS 186-3)
• Draft NIST basic AES Modes of Operation Recommendation (4Q)
• Modes Workshop (4Q)
• First draft of Key Mgmt. Schemes & Guidance documents (4Q)
FY 2002
• FIPS 180-2 and FIPS 186-3 approval by SoC
• Validation tests for: AES modes, DSA, SHA, HMAC, ANSI X9.42
• Key Management Workshop
• Complete Key Establishment Scheme & Guidance documents
• Develop phase 2 Modes of Operation recommendation
• Develop a Random Number Generation standard (ANSI X9.82)
Goals
• Improve information security and facilitate electronic commerce by developing and standardizing strong cryptographic algorithms
• Provide guidance for the use of cryptography
Technical Areas
• Secure cryptographic algorithms for encryption, authentication, non-repudiation, key establishment, and random number generation.
Impacts
• Worldwide government and industry use of strong cryptography
• Guidance and education available in the use of cryptography
• Secure interoperability achieved through standard algorithms
• Secure electronic commerce enabled through cryptography
Collaborators
Industry: ANSI X9, RSA Security, Certco, Certicom, Chase Manhattan Bank, Cybersafe, Cygnacom, Deloitte & Touche Security Services, IBM, Entrust, BBN, Booz-Allen, Ernst & Young, First Data Corp., First Union Corp., IDA, KPMG, Motorola, Gemplus, Jones Futurex, Mastercard, Merrill Lynch, GTE Cyber Trust, Pitney Bowes, PNC Bank, Price Waterhouse Coopers, TecSec, Spyrus, Verifone, VeriSign, Visa, Xcert, AES submitters and commenters
Federal: NSA, BXA, Federal Reserve, CSE, Treasury
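The AES slide's "cryptographic test suite development for testing and validation of the conformance of AES implementations" and the toolkit's FY 2002 "validation tests for AES modes, SHA, HMAC" both come down to one mechanism: known-answer tests (KATs), in which an implementation is driven with published inputs and must reproduce the published outputs bit for bit. The Go program below is an added example, not NIST's validation software, that runs a small KAT harness over the Go standard library using vectors published in FIPS 197 (Appendix C.1), SP 800-38A (F.2.1), FIPS 180-2 ("abc") and RFC 4231 (HMAC-SHA-256 test case 1). Of the algorithms listed on the slide, DES (FIPS 46-3) has since been withdrawn and SHA-1 is no longer approved for generating signatures, so the example exercises only AES, SHA-2 and HMAC. The `KAT` type, `Vectors` and `CheckAll` names are this example's own; to validate a different implementation, replace the bodies of the `Run` closures.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// mustHex decodes a fixed hex test vector. A typo in a vector is a programming
// error in the harness itself, so panicking is the right response.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic("bad test vector: " + s)
	}
	return b
}

// KAT is one known-answer test: Run drives the implementation under test and
// its output must equal Want byte for byte.
type KAT struct {
	Name string
	Run  func() []byte
	Want []byte
}

// AES128Block encrypts a single 16-byte block with AES-128 (FIPS 197).
func AES128Block(key, pt []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, pt)
	return out
}

// AES128CBCEncrypt encrypts whole blocks in CBC mode (SP 800-38A); no padding,
// so len(pt) must be a multiple of 16.
func AES128CBCEncrypt(key, iv, pt []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(pt))
	cipher.NewCBCEncrypter(c, iv).CryptBlocks(out, pt)
	return out
}

// HMACSHA256 computes HMAC over SHA-256 (FIPS 198 construction, FIPS 180-2 hash).
func HMACSHA256(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// Vectors returns the published known-answer tests used by this example.
func Vectors() []KAT {
	return []KAT{
		{
			Name: "AES-128 single block (FIPS 197, Appendix C.1)",
			Run: func() []byte {
				return AES128Block(
					mustHex("000102030405060708090a0b0c0d0e0f"),
					mustHex("00112233445566778899aabbccddeeff"))
			},
			Want: mustHex("69c4e0d86a7b0430d8cdb78070b4c55a"),
		},
		{
			Name: "AES-128 CBC, two blocks (SP 800-38A, F.2.1)",
			Run: func() []byte {
				return AES128CBCEncrypt(
					mustHex("2b7e151628aed2a6abf7158809cf4f3c"),
					mustHex("000102030405060708090a0b0c0d0e0f"),
					mustHex("6bc1bee22e409f96e93d7e117393172a"+
						"ae2d8a571e03ac9c9eb76fac45af8e51"))
			},
			Want: mustHex("7649abac8119b246cee98e9b12e9197d" +
				"5086cb9b507219ee95db113a917678b2"),
		},
		{
			Name: "SHA-256 of \"abc\" (FIPS 180-2)",
			Run:  func() []byte { s := sha256.Sum256([]byte("abc")); return s[:] },
			Want: mustHex("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
		},
		{
			Name: "SHA-512 of \"abc\" (FIPS 180-2)",
			Run:  func() []byte { s := sha512.Sum512([]byte("abc")); return s[:] },
			Want: mustHex("ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a" +
				"2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
		},
		{
			Name: "HMAC-SHA-256, 20-byte key of 0x0b, \"Hi There\" (RFC 4231 case 1)",
			Run: func() []byte {
				return HMACSHA256(bytes.Repeat([]byte{0x0b}, 20), []byte("Hi There"))
			},
			Want: mustHex("b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
		},
	}
}

// CheckAll runs every KAT and returns the names of those that failed. An empty
// result means the implementation agrees with the standard on these inputs,
// which is necessary but not sufficient for conformance.
func CheckAll(kats []KAT) []string {
	var failed []string
	for _, k := range kats {
		if !bytes.Equal(k.Run(), k.Want) {
			failed = append(failed, k.Name)
		}
	}
	return failed
}

func main() {
	failed := CheckAll(Vectors())
	fmt.Printf("%d vectors, %d failed %v\n", len(Vectors()), len(failed), failed)
}
```

A KAT harness like this is the cheapest conformance check a vendor can run before submitting a module: a passing run shows the algorithm is wired correctly (key schedule, byte order, IV handling), while a single failing vector pinpoints which primitive or mode is miswired. It says nothing about key management, side channels or the module boundary, which is why FIPS 140-2 validation adds the derived test requirements on top of algorithm testing.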
First impact: Near-Term (Immediate to 2 years)
Promoting PKI Deployment
FY 2002
• Federal PKI Technical Working Group
– Federal Bridge CA cross certifications
– FBCA Certificate, CRL, and Directory Profiles
• PKI Policy Development Tools
– Generic Certificate Policies
– Certification Practice Statement templates
• Federal PKI Guidance Document (1Q)
• PKI directory guidance document
• High-Level PKI Services API Draft
• Federal Deposit Insurance Corporation PKI Deployment (OG)
• Army Corps of Engineers PKI consultation
• Treasury FMS PKI application development
Collaborators
Federal: Federal PKI Policy Authority, Federal PKI Steering Committee, General Services Administration, General Accounting Office, National Security Agency, FDIC, Treasury FMS, Army Corps of Engineers, Office of Management and Budget
Academia: EduCause (1,800 universities, colleges, and educational institutions)
State: Illinois, Washington
Goals
• Promote development of an interoperable PKI to support security services for Internet systems and applications.
• Establish baseline PKI security policies and procedures.
• Assist federal agencies in the deployment of PKI infrastructure and applications through guidance and consultation.
Technical Areas
• Bridge certification authorities
• Certificate Policies (CP) and Certification Practice Statements (CPS)
• Certification and accreditation of CAs
• X.500 and LDAP directory servers
Impacts
• Federal Bridge CA links agency PKIs to form a federal PKI and promotes development of private sector bridge CAs
• Accelerate federal agency PKI deployment
• Chained X.500 directories (US Federal)
Exploring New Security Technologies
• Identify and use emerging technologies, especially infrastructure niches
• Develop models, reference implementations, and demonstrations
• Transition new technology and tools to public & private sectors
• Advise Federal agencies to facilitate planning for secure use
Emerging Technologies and Testing
Major Projects
• Access Control & Authorization Management
• ICAT Vulnerability/Patch Search Tool
• National Smart Card Infrastructure
• Intrusion Detection
• Mobile Agents
• Wireless/Device Security
• IPSec/web interface testing
• Quantum Computing Support
• CIP Grants
• Automated Testing
Goals
• Identify and exploit emerging technologies, especially infrastructure niches
• Develop prototypes, reference implementations, and demonstrations
• Transition new technology and tools to public and private sectors
• Develop the tests, tools, profiles, methods, and implementations for timely, cost-effective evaluation and testing
Technical Areas
• Authorization Management, Access Control, System Management
• Vulnerability Analysis, Intrusion Detection, Attack Signatures
• Mobile Code, Agents, Aglets, Java, PDAs, Wireless, Telecomm/IP
• Models, Cost Models, Prototyping, Reference Implementations
• Automated Testing, Security Specification
Impacts
• Better, cheaper and more intuitive methods of authorization management
• Creating internal competence in emerging technologies (e.g., mobile code)
• Developed a world-class vulnerability search engine
• IPSec/web interface testing widely used and referenced
• Significant support and funding, especially in RBAC and Wireless Device Security
Collaborators
Industry: IBM, Microsoft, SUN, Boeing, Intel, GTE, VDG, SCC, Sybase, SAIC, Lincoln Labs, Lucent, Trident, ISS, Symantec, MIT, 3Com, Interlink, Ford, BBN, CISCO, Checkpoint, MCI, Oracle, Mitre, Mitretek
Academic: University of Maryland, Ohio State, University of Tulsa, George Mason, Rutgers University, Univ of Pittsburgh, Purdue University, Univ of Washington
Federal: NSA, DoD, NRL, DARPA
Technical Security Guidance
Technical Lead: Tim Grance
Goals
• Guide Federal agencies in using new technology
• Assist industry and small business
• Present recent findings in security research
Technical Areas
• Firewalls and Network Security
• Intrusion Detection
• Incident Handling
• Security Testing
• Web and downloadable content security
Impacts
• ITL Security Bulletins extremely popular and widely read
• Agencies rely on technical guidance from NIST
• NIST publications frequently cited and reused in industry literature
Proposed Collaborators
Industry: MIS Training Institute, Booz Allen Hamilton, Microsoft, I4
Federal: NIST, NSA, OMB, GSA
Academic: University of Maryland, Purdue University
Milestones
FY 2001
• Intrusion Detection
• Active Content & Mobile Code
• Firewall Policy
• Network Security Testing & Incident Handling
• Telecommuting/Broadband Security
• PKI
• IT Security Engineering Principles & IT Security Models
FY 2002
• Public Web Server & E-Mail Server
• Wireless & Device Security
• Microsoft Windows 2000 Security Guidance
• Smart Card Guidance and Security Patches
• Interconnecting Systems and Contingency Planning
• Procurement of products/services
ICAT
ICAT Metabase
A standards-based searchable index of virtually all known computer vulnerabilities
Technical Lead: Peter Mell
http://icat.nist.gov
Goals
• Provide the IT community a fine-grained searchable index of all known computer vulnerabilities, using a standard naming scheme, linking users to publicly available vulnerability databases.
Technical Areas
• Developing classification schemes for vulnerabilities
• Collecting and evaluating vulnerability information
• Measuring the characteristics of vulnerabilities
Impacts
• ICAT enables system administrators to identify flawed systems and to find the patches
• Provides the security community with a free standards-based index of all vulnerabilities
• Complementary and non-competitive with industry
• ICAT has received praise in over 12 news articles
Collaborators
Educational: SANS Institute (sponsor)
Military: NSA, DISA
Academia: Purdue/CERIAS
Industry: TrustWave, SecuritySaint.com, CyberCopsEurope.com, IpNSA, Securityinfos.com, Hideaway.net, VISC Software and Security, SOC GmbH
Milestones
FY 2001
• ICAT web hits have increased by a factor of 17 in one year
• Analyzed over 2000 vulnerabilities for ICAT
• Started a vulnerability mailing list that now has 1600 subscribers
• Integrated ICAT into the SANS/FBI Top 20 vulnerability list
• Helped mirror ICAT on the NSA network
• Enabled organizations to integrate their products into ICAT
• Began offering an off-line version of ICAT
• Vulnerability notification system developed by Purdue
• Provided top ten vulnerability service
• Joined the CVE vulnerability standard's editorial board
FY 2002
• Analyze over 1000 vulnerabilities
• Transition ICAT into being a more timely vulnerability service
Awarded Commerce Department Bronze Medal
Averaging 50,000 hits per month
Over 100,000 hits in November 2001
"Your dedication to making ICAT into one of the premier databases is admirable" (Internet Security Systems)
IPsec Project
Technical Lead: Sheila Frankel
Collaborators
Federal: NIST Internetworking Division, NSA
Industry (NIST IPsec product users): Bay Networks, BBN, Cabletron, Cisco, Compaq, CyberGuard, Digital, Frontiertech, Gartner Group, GTE Internetworking, Hewlett Packard, IBM, Intel, Interlink, Lucent Technologies, MCI, MIT, Microsoft, Routerware, SAIC, S-Cubed, Secure Computing, Spyrus, SUN, TIS, 3Com and many others
Government: GSA, NRL, Oak Ridge National Labs and others
Goals
• Work with world-wide industry leaders to promote the development of IP security standards, technology, and tests. This will ensure early, reliable and interoperable deployment of IPsec, the technology that is used to build VPNs and to protect the next-generation Internet infrastructure and applications.
Technical Areas
• International standardization of Internet security protocols
• WWW-based interoperability testing
• Reference implementations of next-generation network and security technology
Impacts
• Developed reference implementation of the IETF IPsec and IKE standards, used for education, experimentation, and testing
• Web-based IPsec interoperability test facility: http://ipsec-wit.antd.nist.gov
• Over 250 organizations have used NIST's interoperability tester
• Over 650 organizations have requested NIST's IPsec reference implementation
Milestones
FY 2001
• Added dynamic certificate request and transmission capability to PlutoPlus
• Updated AES Internet Draft to reflect AES selection
• Wrote Internet Drafts on the use of SHA-256 and AES-XCBC-MAC with IPsec and IKE
• Wrote NIST Security Bulletin on IPsec status, issues, and security
• Incorporated AES algorithm (and other finalists) into PlutoPlus
• Published book, "Demystifying the IPsec Puzzle"
• Presented invited talks and tutorial on IPsec
FY 2002
• Add PKI interaction to IPsec-WIT
• Implement Version 2 of IKE
• Add IKE Version 2 to IPsec-WIT
• Publish guidance on the use of PKI within IPsec and IKE
Applications of IPsec Technology (figure)
• Threats addressed: easy denial of service attacks, unauthorized access to private data, malicious sniffers
• Protection scenarios across the Internet: router-to-router, host-to-host, router-to-host
• IPsec services: confidentiality, data integrity, authentication, replay protection
Internet Protocol Security
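Of the four IPsec services in the figure above, replay protection is the one whose receiver-side logic is short enough to show in full. The Go program below is an added example, not code from NIST's PlutoPlus or IPsec-WIT; it implements the sliding-window anti-replay check that RFC 2401 specifies for ESP and AH receivers. The window size of 64, the `ReplayWindow` type and the arrival order in `main` are this example's own choices, and the integrity check is modelled by a boolean rather than a real ICV computation.

```go
package main

import "fmt"

// WindowSize is the anti-replay window in sequence numbers. RFC 2401 requires
// receivers to support at least 32 and recommends 64; 64 fits one uint64 bitmap.
const WindowSize = 64

// ReplayWindow tracks, for one inbound security association, the highest
// sequence number authenticated so far and which of the preceding WindowSize-1
// numbers have already been seen. Bit i of bitmap stands for lastSeq-i.
type ReplayWindow struct {
	lastSeq uint32
	bitmap  uint64
}

// Check reports whether seq would be accepted. It does not change state: a
// packet must pass integrity verification before it may advance the window.
func (w *ReplayWindow) Check(seq uint32) bool {
	if seq == 0 {
		return false // ESP/AH sequence numbers start at 1; 0 is never valid
	}
	if seq > w.lastSeq {
		return true // to the right of the window: new
	}
	diff := w.lastSeq - seq
	if diff >= WindowSize {
		return false // to the left of the window: too old to track, drop
	}
	return w.bitmap&(uint64(1)<<diff) == 0 // inside the window: new unless marked
}

// Update records seq as received. Call only after Check returned true and the
// packet's ICV verified.
func (w *ReplayWindow) Update(seq uint32) {
	if seq > w.lastSeq {
		shift := seq - w.lastSeq
		if shift >= WindowSize {
			w.bitmap = 1 // jumped past the whole window; only seq is marked
		} else {
			w.bitmap = w.bitmap<<shift | 1
		}
		w.lastSeq = seq
		return
	}
	w.bitmap |= uint64(1) << (w.lastSeq - seq)
}

// Receive is the receiver-side decision for one packet: window check, then the
// integrity check (modelled by icvOK), then the window update. The order
// matters: updating before authentication would let a forger with a bogus high
// sequence number push legitimate traffic out of the window.
func (w *ReplayWindow) Receive(seq uint32, icvOK bool) bool {
	if !w.Check(seq) {
		return false
	}
	if !icvOK {
		return false
	}
	w.Update(seq)
	return true
}

// Trace feeds a constructed arrival order of authenticated packets to a fresh
// window and returns the accept/reject decision for each.
func Trace(seqs []uint32) []bool {
	w := &ReplayWindow{}
	out := make([]bool, len(seqs))
	for i, s := range seqs {
		out[i] = w.Receive(s, true)
	}
	return out
}

func main() {
	// Constructed arrival order: in order, reordered within the window, a
	// duplicate, a large jump, a late-but-in-window packet, one just outside
	// the window, and a replay of the current maximum.
	seqs := []uint32{1, 2, 3, 5, 4, 3, 100, 40, 36, 37, 100, 101}
	for i, ok := range Trace(seqs) {
		fmt.Printf("seq %3d -> accepted=%v\n", seqs[i], ok)
	}
}
```

The window only works because ESP and AH sequence numbers are covered by the ICV; an attacker can replay a captured packet but cannot mint a new one with a fresh number, so the only outcome of a replay is a silent drop. Two practical caveats follow from the code: the window must be reset whenever the SA is rekeyed (the sequence number restarts at 1), and a sender must never let the 32-bit counter wrap on an SA with anti-replay enabled, which is why it negotiates a new SA before reaching 2^32.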
Government Smart Card Program
Technical Lead: Jim Dray
Goal
• Create a ubiquitous smart card infrastructure to foster widespread use of smart card technology, improving the security of information systems within the U.S.
Technical Areas
• Develop technical guidance required by Federal contracting vehicles for procurement of standard smart card products
• In conjunction with the Government and vendor communities, develop interoperability specifications and standards
• Develop reference implementations, prototype conformance test suites, security testing criteria, and architectural models
Impacts
• Increased overall security of U.S. information systems
• Reduced cost of smart card system integration
• Simplification of user access control processes
• Enable development of consistent conformance test methodologies for smart card products and systems
Milestones
FY 2001
• NIST designated lead agency for GSC conformance test development
• Establish GSC testbed at NIST
• Develop GSC Interoperability Conformance Test Program
• Develop GSC automated test suite
FY 2002
• NIST publications on smart card technology and GSC interoperability framework
• Java smart card collaboration (prototype implementation)
• Establish a smart card security test program; coalesce with Common Criteria methodology
• International standards coordination
• GSC developer workshops and implementation guidance
• Identify and execute relevant R&D projects to promote smart card interoperability and standards
Collaborators
Industry: EDS, Northrop Grumman, MAXIMUS, KPMG, eEurope, British Telecom, W3C, RSA Labs, Australian National Office of the Information Economy
Federal: NIST, GSA, DoD, State Dept, USPS, SSA, VA, IRS, DoJ, DoT
Assistance and Guidance / Outreach
• Assist U.S. Government agencies and other users with technical security and management issues
• Assist in development of security infrastructures
• Develop or point to cost-effective security guidance
• Assist agencies in using security technology guidance
• Support agencies on specific security projects on a cost-reimbursable basis
• Expanding use of the recently developed "NIST Recommendations" series to complement existing publication methods
• Raise awareness of our programs, the value of evaluated products, and the need for security
3. Security Management and Guidance
Goals
• Provide computer security guidance to ensure sensitive government information technology systems and networks are sufficiently secure to meet the needs of government agencies and the general public
• Serve as focal point for Division outreach activities
• Facilitate exchange of security information among Federal government agencies
Technical Areas
• Computer security policy/management guidance
• Computer Security Expert Assist Team (CSEAT) security support to Federal agencies
• Outreach to government, industry, academia, citizens
Impacts
• Agencies use standard, interoperable solutions
• Strengthened federal agency computer security programs
• Reduced costs to agencies from reduction of duplication of efforts
• Use of "Best Security Practices" among federal agencies
Collaborators
Federal: All Federal Agencies, Federal Computer Security Program Managers' Forum, OMB, GSA, NSA, CIOs
Industry: Security Product Vendors
Academia: Major universities with computer security curricula
Major Projects
• Computer Security Expert Assist Team (CSEAT)
• Federal Computer Security Program Managers' Forum
• Computer System Security and Privacy Advisory Board (CSSPAB)
• Computer Security Resource Center (CSRC)
• Computer security conferences
• Risk management guidance
• Federal IT Security Self-Assessment Tool
• NIST Security Program Manager's Handbook
• Contingency Planning Guidance
• Small and Medium Businesses Outreach
CSRC Redesigned 7/00
Computer Security Expert Assist Team
FY 2001
• CSEAT methodology established
• Received multiple requests from agencies
• Review of FEMA completed (Q4)
FY 2002
• First high-risk program review (Indian Trust Management) initiated
• Methodology provided on web site
• Initiate cost-reimbursable model if funding for administrative costs is received
• Develop sanitized case studies
• Initiate development of CSEAT review methodology guideline
Collaborators
Federal: All Federal Agencies, OMB
Goals
• Increase Federal agency IT security
• Help protect against economic loss or injury due to disruption of critical Federal systems/services
• Improve Federal agency Critical Infrastructure Protection (CIP) planning and implementation efforts
Technical Areas
• Security assistance on the overall health of federal agency computer security programs
• Security assistance to high-risk federal computer security programs
• Development of computer security lessons learned
• Computer security risks and vulnerabilities
Impacts
• Lessons learned available to the federal IT security community
• Agencies understand how to maintain computer system security
• Agencies plan and budget appropriately for computer security
• New guidance development efforts directed at identified need areas
• Improved Federal IT security
Small and Medium Sized Business Regional Security Meetings
FY 2001
• Plan for conducting regional meetings completed (Q4)
• Meeting educational material developed (Q4)
FY 2002
• First 2 regional meetings conducted
• Third regional meeting scheduled for February
• Build community of small business owners, IT professionals, and researchers
• Generate a plan to provide web-based IT security information in areas of specific importance to small businesses
FY 2003
• Continue conducting regional meetings
• Train local trainers, members of local chapters of industrial associations, or other small business resources
Collaborators
Federal: Small Business Administration, National Infrastructure Protection Center (InfraGard Program), Manufacturing Extension Partnership
Industry: Security Product Vendors, regional business consortia, selected business partners
Goals
• Inform small businesses (< 500 employees) of useful security mechanisms
• Provide computer security training that is practical and cost-effective
• Help small businesses become more educated consumers
• Form NIST-SBA-InfraGard Resource Group, connecting small business owners to local IS resources
Technical Areas
• Computer security solutions viable for small businesses
• Low-cost computer security methodologies
• Computer security training for the novice
• Business-relevant computer security tools
Impacts
• Improved small and medium sized business security
• Small and medium sized businesses become more aware of information security
4. Security Testing and Metrics
Security Testing
• Develop the tests, tools, profiles, methods, and implementations for timely, cost-effective evaluation and testing
• Raising user confidence
• Lead conformance and evaluation programs
• Supporting the security testing industry
Major Projects
• Cryptographic Security Testing
• Cryptographic Module Validation Program
• National Information Assurance Partnership
• Common Criteria Evaluation and Validation Program
• International Recognition Arrangements
• Laboratory Accreditation
• Automated Security Testing and Test Suite Development
• Assessment program for system certifications
• Protection profile development effort with government/industry
• Industry Forums
• Testing, Education, Outreach Programs, Conferences and Workshops
Collaborators
Federal: NVLAP, State Dept., DoC, DoD, GSA, NASA, NIST, NSA, DoE, OMB
Industry: American National Standards Institute (ANSI), InfoGard Laboratories Inc., CygnaCom Solutions, DOMUS IT Security Laboratory, COACT, Inc. CAFÉ Lab, Atlan Laboratories, EWA, CORSEC Security Inc., Oracle, CISCO, Hewlett-Packard, Lucent, SAIC, Microsoft, Computer Sciences Corp., IBM, EDS, VISA, MasterCard, Amex, Checkpoint, Computer Assoc., RSA, Sun Microsystems, Network Assoc., Booz-Allen, Seculab Inc., Entrust, Silicon Graphics, Arca
Global: United Kingdom, France, Germany, Japan, Korea, Canada, Netherlands, Australia, Italy, Spain, New Zealand, Finland, Sweden, Norway, Greece, Israel, ECMA, JCB, Europay, Mondex
Goals
• Improve the security and quality of IT products
• Foster development of test methods, tools, techniques, assurance metrics, and security requirements
• Promote the development and use of tested and validated IT products
• Champion the development and use of national/international IT security standards
Technical Areas
• Provide Federal agencies, industry, and the public with a proven set of IT security testing methodologies and test metrics
• Promote joint work between NIST, the American National Standards Institute (ANSI) and the international standards community
Impacts
• Timely, cost-effective IT security testing
• Increased security in IT systems through availability of tested products
• Creates business opportunities for vendors of security products, testing laboratories, and security consultants
Figure: IT security cycle linking user security needs, standards and metrics, testing and evaluation, and product validation.
Cryptographic Module Validation Program
Collaborators
Federal: National Voluntary Laboratory Accreditation Program
Industry: American National Standards Institute (ANSI), InfoGard Laboratories Inc., CygnaCom Solutions, DOMUS IT Security Laboratory (a Division of LGS), COACT, Inc. CAFÉ Lab, Atlan Laboratories, EWA-Canada Ltd. IT Security Evaluation Facility, CORSEC Security Inc.
Global: Communications Security Establishment (CSE) of the Government of Canada
Goals
• Improve the security and quality of cryptographic products
• Provide U.S. and Canadian Federal agencies with a security metric to use in procuring cryptographic equipment
• Promote the use of tested and validated cryptographic algorithms, modules, and products
Technical Areas
• Development of Implementation Guidance, metrics and test methods
• Validation of test results
• Accreditation of testing laboratories
• Joint work between NIST, ANSI and international standards bodies
Impacts
• Provide Federal agencies with confidence that a validated cryptographic product meets a claimed level of security
• Supply a documented methodology for conformance testing
• Create business opportunities for vendors of cryptographic products, testing laboratories, and security consultants
FY 2001
• Finalized FIPS 140-2: Security Requirements for Cryptographic Modules
• Implemented Cost Recovery Plan as of February 15, 2001
• Developed FIPS 140-2 Derived Test Requirements and Automated Tool (Q4)
• Validated 45 crypto modules and 46 crypto algorithm implementations
• Coordinated ANSI X9.42-2001: Key Agreements Using Diffie-Hellman and MQV
• Finalized SD-012 Guideline for Validating Implementations Conforming to ANSI Standards
• Completed Cryptographic Module Reference Implementation (Q4)
FY 2002
• Revise Cryptographic Module Testing (CMT) laboratory accreditation process, NVLAP Handbook 150-17
• Accredit 2-3 additional CMT laboratories, including international
• Expand the agreement with CSE to include additional countries
• Conduct second Cryptographic Module Validation Program Workshop/Conference
• Develop validation test suites for new algorithms/protocols
1/02
National Information Assurance Partnership
Building More Secure Systems for the New Millennium (sm)
Goals
• Promote the development and use of evaluated and validated IT products
• Champion the development and use of national/international IT security standards
• Develop state-of-the-art test methods, tools, techniques and assurance metrics
• Support a framework for international recognition of testing results
• Foster development of IT security requirements in key technology areas
Technical Areas
• Development of implementation guidance, requirements, metrics and test methods
• Validation of test results and accreditation of testing laboratories
• Joint work among NIST, NSA and international partners
Impacts
• More timely, cost-effective IT security evaluations with greater consistency
• Less duplication of security testing globally
• New test methods for specific information technologies
• Increased security in IT systems and networks through greater availability of evaluated and validated products
• Greater availability of common security requirements and specifications for key technologies and sectors
Collaborators
Federal: State Dept., DoC, DoD, GSA, NIST, NSA, DoE, OMB
Industry: Oracle, CISCO, Hewlett-Packard, Lucent, SAIC, Microsoft, Computer Sciences Corp., Cygnacom, Arca, IBM, EDS, VISA, MasterCard, Amex, Checkpoint, Computer Assoc., RSA, Sun Microsystems, Network Assoc., Booz-Allen, Seculab, Entrust, Silicon Graphics, COACT
Global: United Kingdom, France, Germany, Japan, Korea, Canada, The Netherlands, Australia, Italy, Spain, New Zealand, Finland, Sweden, Norway, Greece, Israel, Russia, ECMA, JCB, Europay, Mondex
Forums: Healthcare, Information Assurance, Process Control, Smart Card, Insurance
FY 2001
• Accredited 5 Common Criteria (CC) Testing Laboratories
• Expanded CC Recognition Arrangement to 14 nations, adding Israel
• Hosted national-level Government-Industry IT Security Forum
• Conducted international IT security outreach training for Japan and Israel
• Developed comprehensive operations manual for CC Recognition Arrangement
• Completed smart card protection profile and corresponding evaluation
• Initiated new security requirements forum for process control systems
• Validated 4 security products and 4 protection profiles
FY 2002
• Accredit 1-2 additional CC Testing Laboratories
• Expand CC Recognition Arrangement by 1-2 nations
• Develop technology-based lab accreditation program with smart card prototype
• Initiate cooperative protection profile development effort with government/industry
• Develop guidance, procedures and assessment program for system certifications
• Enhance outreach program and activities
Common Criteria
What the standard is –
• Common structure and language for expressing product/system IT security and assurance requirements
How the standard is used –
• Develop protection profiles and security targets
• Evaluate products and systems against known and understood IT security requirements
Defining IT Security Requirements for Federal Systems and Networks
[Figure: International Standards-Based Common Criteria Protection Profiles. A grid of Families of Protection Profiles (PP-1, PP-2, PP-3) at increasing Threat Levels across Key Technology Areas: Operating Systems, Database Systems, PKI, Smart Cards, Biometrics Devices, Firewalls, Wireless, Web Apps & Browsers, Intrusion Detection Systems, Virtual Private Networks.]
Beyond IT product testing…
• Homeland Security/Cybersecurity needs demand attention beyond just security evaluation of IT products
• Complementing the current NIAP focus on product evaluation, NIST plans to use its unique position to focus on Federal system certifications by:
– Developing unified Federal procedures and guidelines for system certification (NIST Special Publication 800-37)
– Developing test methods traceable to 800-37 to ensure competent and consistent application of the certification procedures
– Developing a certification program with a network of NVLAP-accredited assessment organizations capable of conducting system and network certifications for Federal agencies (and also available for use by State/Local governments and the private sector)
Organization
• Computer Security Division: Ed Roback, Chief; Fran Nielsen, Deputy
– Security Technology Group: Bill Burr, Mgr.
– Systems and Network Security Group: Tim Grance, Mgr.
– Security Management and Guidance Group: Joan Hash, Mgr.
– Security Testing and Metrics Group: Ray Snouffer, Act. Mgr.
Division Budget Trends
[Chart: Division budget in $K (scale 0 to 25,000), broken down into CIP Grants, Other, and STRS - base. As of 12-01; the FY-02 Other figure is as of 12/01.]
http://csrc.nist.gov
• http://csrc.nist.gov/cryptval - CMVP
• http://niap.nist.gov - NIAP
• http://csrc.nist.gov/pki - PKI
• http://icat.nist.gov - ICAT
• http://fasp.nist.gov – agency practices
Summary & Conclusions
Impacts from NIST work:
• Improved security, availability, integrity, operation, and effectiveness of IT
• Enhanced IT security through wider availability of products that meet security standards
• Increased global market for U.S. IT products
• Achieved cost savings and security via public-private collaboration and information sharing
Multiple opportunities exist for collaboration:
• Cryptographic standards development
• Public Key Infrastructure
• Product security validation/evaluation
• Review of guidance
• Visiting “guest researchships” at NIST
• Cooperative research
Further Information
• NIST Computer Security Resource Center
– http://csrc.nist.gov
• Points of Contact
– General and Guest Researchships: Ed Roback [email protected]
– Cryptographic standards & PKI: Bill Burr [email protected]
– Security Testing: Ray Snouffer [email protected]
– Cryptographic Module Validation Program: Anabelle Lee [email protected]
– National Information Assurance Partnership: Ron Ross [email protected]
– Security Research: Tim Grance [email protected]
– Security Management: Joan Hash [email protected]
Questions?