NIST Cyber Security Activities



Similar documents
Compliance Risk Management IT Governance Assurance

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015

Human Factors in Information Security

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Information Systems Security: A General Comparison of FISMA, HIPAA, ISO and PCI-DSS Standards

How To Get The Nist Report And Other Products For Free

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

FISMA Implementation Project

Corporate Overview. MindPoint Group, LLC 8078 Edinburgh Drive, Springfield, VA Office: Fax:

SECTION A: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT

SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT Article C.1 Introduction This contract is intended to provide IT solutions and services as

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

POSTAL REGULATORY COMMISSION

FITSP-Auditor Candidate Exam Guide

Get Confidence in Mission Security with IV&V Information Assurance

HHSN W 1 QSSI - Quality Software Services, Inc

Altius IT Policy Collection Compliance and Standards Matrix

Appendix B: Existing Guidance to Support HIE Implementation Opportunities

REMOTE ACCESS POLICY OCIO TABLE OF CONTENTS

Bellevue University Cybersecurity Programs & Courses

Information Security Guide For Government Executives. Pauline Bowen Elizabeth Chew Joan Hash

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

POLICY ON WIRELESS SYSTEMS

Critical Controls for Cyber Security.

ORDER National Policy. Effective Date 09/21/09. Voice Over Internet Protocol (VoIP) Security Policy SUBJ:

Task Area 1: IT Services for Biomedical Research, Health Sciences, and Healthcare

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

DIVISION OF INFORMATION SECURITY (DIS)

Office of Inspector General

UNITED STATES PATENT AND TRADEMARK OFFICE. AGENCY ADMINISTRATIVE ORDER Agency Administrative Order Series. Secure Baseline Attachment

Security Controls What Works. Southside Virginia Community College: Security Awareness

Information Security for Managers

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

NISTIR 7359 Information Security Guide For Government Executives

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

ITL BULLETIN FOR AUGUST 2012

Identity and Access Management Initiatives in the United States Government

Seeing Though the Clouds

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

2012 FISMA Executive Summary Report

WIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION

John Essner, CISO Office of Information Technology State of New Jersey

DEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 CLOUD COMPUTING SERVICES

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

FISMA / NIST REVISION 3 COMPLIANCE

Wireless and Mobile Technologies for Healthcare: Ensuring Privacy, Security, and Availability

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Dr. Ron Ross National Institute of Standards and Technology

FREQUENTLY ASKED QUESTIONS

I. U.S. Government Privacy Laws

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

How To Improve Nasa'S Security

Compliance and Industry Regulations

SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY Report No. 4A-CI

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

ADDENDUM TO STATE OF MARYLAND PURCHASES ISSUED UNDER STATE CONTRACT NO. 060B

Federal Body of Knowledge Guide

Big Data, Big Risk, Big Rewards. Hussein Syed

VA Office of Inspector General

Cybersecurity Enhancement Account. FY 2017 President s Budget

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Cisco Advanced Services for Network Security

Guide for the Security Certification and Accreditation of Federal Information Systems

System Security Certification and Accreditation (C&A) Framework

BMC s Security Strategy for ITSM in the SaaS Environment

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

CYBER SECURITY GUIDANCE

Patch and Vulnerability Management Program

Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense

Perspectives on Cloud Computing and Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory

NASA Information Technology Requirement

Cyber Security Risk Management: A New and Holistic Approach

External Supplier Control Requirements

Evaluation Report. Office of Inspector General

Transcription:

NIST Cyber Security Activities Dr. Alicia Clay Deputy Chief, Computer Security Division NIST Information Technology Laboratory U.S. Department of Commerce September 29, 2004 1

Computer Security Division Mission Mission: To improve information systems security by: Raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies; Researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems; Developing standards, metrics, tests and validation programs: to promote, measure, and validate security in systems and services to educate consumers and to establish minimum security requirements for Federal systems Developing guidance to increase secure IT planning, implementation, management and operation. 3

Cyber Security Statutory Mandates Federal Information Security Management Act of 2002 Federal security standards and guidelines Minimum requirements; categorization standards, incident handling, NSS identification, Support of ISPAB Cyber Security Research and Development Act of 2002 Extramural research support Fellowships Intramural research Checklists NRC study support 4

Current NIST Computer Security Activities Cryptographic Standards and E-Authentication Establish secure cryptographic standards for storage and communications & enable cryptographic security services in e-government applications through electronic authentication and key management protocols Emerging Technologies Identify & exploit emerging technologies especially infrastructure niches Develop prototypes, reference implementations, and demonstrations Transition new technology and tools to public & private sectors Develop the tests, tools, profiles, methods, and implementations for timely, cost effective evaluation and testing Management and Assistance Provide computer security guidance to ensure sensitive government information technology systems and networks are sufficiently secure to meet the needs of government agencies and the general public Serve as focal point for Division outreach activities Facilitate exchange of security information among Federal government agencies Security Testing Improve the security and quality of IT products Foster development of test methods, tools, techniques, assurance metrics, and security requirements Promote the development and use of tested and validated IT 5 products Champion the development and use of national/international IT security standards

Recently Completed NIST Security Guidelines 800-30, Risk Management Guide for Information Technology Systems 800-31, Intrusion Detection Systems 800-34, Contingency Planning Guide for Information Technology System 800-37, Security Certification and Accreditation 800-40, Procedures for Handling Security Patches 800-41, Guidelines on Firewalls and Firewall Policy 800-42, Guideline on Network Security Testing 800-44, Guidelines on Securing Public Web Servers 800-45, Guidelines on Electronic Mail Security 800-46, Security for Telecommuting and Broadband Communications 800-47, Security Guide for Interconnecting Information Technology Systems 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices 800-63, Electronic Authentication Guideline 800-67, Recommendation for the Triple Data Encryption Algorithm Block Cipher 6

Select Guidelines Under Development 800-53, Security Controls for Federal Information Systems (DRAFT) 800-56, Recommendation on Key Establishment Schemes (DRAFT) 800-57, Recommendation on Key Management (DRAFT) 800-58, Security Considerations for Voice Over IP (DRAFT) 800-61, Computer Security Incident Handling Guide (DRAFT) 800-65, Integrating Security into the Capital Planning and Investment Control Process (DRAFT) 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (DRAFT) 800-68, Securing Microsoft Windows XP Systems for IT Professionals (DRAFT) 800-70, The NIST Security Configuration Checklists Program (DRAFT) 800-72, Guidelines on PDA Forensics (DRAFT) Media Destruction/Sanitization Penetration Testing & Vulnerability Management Trust frameworks 7

3 High Visibility Projects Minimum Standards for all Federal Systems Cyber Security Checklists Personal Identity Verification 8

Risk Management Framework SP 800-53 / FIPS 200 Security Control Selection Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system SP 800-53 / FIPS 200 / SP 800-30 Security Control Refinement Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements SP 800-18 Security Control Documentation In system security plan, provides a an overview of the security requirements for the information system and documents the security controls planned or in place FIPS 199 / SP 800-60 Security Categorization Defines category of information system according to potential impact of loss SP 800-70 Security Control Implementation Implements security controls in new or legacy information systems; implements security configuration checklists SP 800-37 Security Control Monitoring Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness SP 800-37 System Authorization Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing SP 800-53A / SP 800-37 Security Control Assessment Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements 9

Cyber Security Checklists Task to NIST Develop checklists: setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal government. NIST developing web-based database DHS Support FISMA requirements for agencies 800-70 out for comment ~December 2004 Target for Launch Outreach NCSP, CISWG, ITAA, BSA, etc. Draft 800-70 available at http://csrc.nist.gov/publications/nistpubs/index.html 10

Personal Identity Verification HSPD #12 Six Month Deadline to create a secure and reliable automated system that may be used Government-wide to: 1) Establish the authentic true identity of an individual; 2) Issue an identity credential token to each authenticated individual containing an electronic representation of the identity and the person to whom it is issued which can later be verified using appropriate technology when access to a secure Federal facility or information system is requested; 3) Provide graduated criteria that provide appropriate levels of assurance and security to the application; 4) Be strongly resistant to identity fraud, counterfeiting, and exploitation by individuals, terrorist organizations, or conspiracy groups; 5) Initiate development and use of interoperable automated systems meeting these requirements. 11

Deployment of Outcomes What Guidelines and standards How Buy-in through collaboration Bulletins and brochures Workshops (examples) Strong Web Presence http://csrc.nist.gov PRISM Direct agency support Voluntary standards participation Sharing information with other National Bodies 12

Objectives NIST s cyber security work provides: Increased protection against cyber security disruptions; Increased trust and confidence in the security of the IT infrastructure leading to increased usage for transactions, increased productivity, and enhanced flexibility of use; Improved cyber security for government information systems enhancing the ability of agencies to deliver services electronically and ensuring continuity of operations; and Decreased life-cycle costs of government IT 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information