
NIST’s Role in Computer Security


Presentation Transcript


  1. NIST’s Role in Computer Security Ed Roback Computer Security Division NIST Information Technology Laboratory

  2. Agenda • Who we are • Computer security program • NIST partnerships • Summary

  3. Mission: Promote the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure for information technology.
  Divisions:
  • Advanced Network Technologies
  • Computer Security
  • Distributed Computing and Information Services
  • High Performance Systems and Services
  • Information Access and User Interfaces
  • Mathematical and Computational Sciences
  • Software Diagnostics and Conformance Testing
  • Statistical Engineering

  4. NIST Mandate for Computer Security • Develop standards and guidelines for the Federal government • Improve the competitiveness of the American IT industry

  5. Computer Security Division Mission
  To improve the state-of-the-art in information security through:
  • Guidance - to increase effective security planning and implementation of cost-effective security in Federal systems
  • Standards, Metrics, Tests - to promote, measure, and validate security improvements and enable confidence for marketplace transactions and minimum standards for Federal systems
  • Awareness - of IT vulnerabilities and protection requirements

  6. Agenda • Who we are • Computer security program • NIST partnerships • Summary

  7. Security Program Strategy • Collaboration with industry and government • Work to develop IT specifications and conformance tests to promote secure, interoperable products and systems • Develop standards in cooperation with industry and voluntary consensus standards bodies to promote and protect USG and IT industry interests • Acting as “honest broker”

  8. Security Program Strategy (Concluded) • Focus on Improving the security of products and systems • Develop standards for secure, interoperable products • Validate conformance of commercial products to selected Federal Information Processing Standards (FIPS) • Perform research and conduct studies to identify vulnerabilities and devise solutions • Develop new test methods and procedures that will make testing of security requirements/ specifications more efficient and cost effective

  9. Key Components of NIST’s Computer Security Program • Security standards development • Security testing • Exploring new security technologies • Assistance and guidance

  10. Security Standards Development
  • Work with industry and government to develop standards for computer security
    • Cryptography
    • Policies, management, and operational controls
    • Best practices
    • Common Criteria
    • Public Key Infrastructure (PKI)

  11. Key Efforts -- Standards
  • AES: Advanced Encryption Standard
  • FIPS 46-3: Triple Data Encryption Standard (DES)
  • DSS: Upgrade to include RSA, Elliptic Curve
  • SHA-2: Upgrade of SHA-1
  • FIPS 140-2: Upgrade of 140-1
  • X9.82: Random Number Generator
  • Key Exchange: Key Exchange/Agreement Standard(s)
  • ISO 15408: Common Criteria v.2
  • IETF: PKIX, IPSec, DNSSec, etc.
  • ISO 15292/15446: Protection Profile Registration and Development Guidance
  • FIPA: Foundation for Intelligent Physical Agents
  • PKI: Security Requirements for Certificate Issuing and Management Components (CIMCs)

  12. Security Testing
  • Develop the tests, tools, profiles, methods, and implementations for timely, cost-effective evaluation and testing
  • Validation
    • Cryptographic Module Validation Program (CMVP)
    • National Information Assurance Partnership (NIAP)
  • Conformance and interoperability testing
    • MISPC
    • IPv6 test resource

  13. Key Efforts -- Testing
  • Crypto Module Validation Program
  • Algorithm Testing
  • Random Number Generator Testing
  • MISPC Testing
  • Certificate Authority Testing
  • Firewall Security & Evaluation Tests
  • Telecommunications Switch Security
  • Protection Profile Testing
  • Automated Test Development/Generation
  • Common Criteria Evaluation and Validation Scheme
  • Laboratory Accreditation

  14. Exploring New Security Technologies • Identify and use emerging technologies, especially infrastructure niches • Develop prototypes, reference implementations, and demonstrations • Transition new technology and tools to public & private sectors • Advise Federal agencies

  15. Key Efforts -- New Technologies • Role-Based Access Control • Policy Management • Intrusion Detection • Mobile Agents • Automated Security Test Generation • IPSec/web interface testing • Security Service Interfaces

  16. Assistance and Guidance • Assist U.S. Government agencies and other users with technical security and management issues • Assist in development of security infrastructures • Develop or point to cost-effective security guidance • Actively transfer security technology and guidance from NIST to agencies/industry • Support agencies on specific security projects on a cost-reimbursable basis

  17. Key Efforts -- Assistance and Guidance
  • NIST Special Publications:
    • 800-18, “Guide for Developing Security Plans for Information Technology Systems”
    • 800-16, “Information Technology Security Training Requirements”
    • “Guideline for Implementing Cryptography in the Federal Government” (Forthcoming)
    • “Security Incident Handling -- A Cooperative Approach”
  • ITL Bulletins (1999):
    • November: Intrusion Detection
    • September: Securing Web Servers
    • August: The Advanced Encryption Standard: A Status Report
    • May: Computer Attacks: What They Are and How to Defend Against Them

  18. Agenda • Who we are • Computer security program • NIST partnerships • Summary

  19. In carrying out NIST’s programs, we don’t work alone...

  20. NIST Outreach
  Partner categories: Federal Agencies, IT Industry, Testing Labs, Standards Community, Academia. Partners and activities include:
  • ACM Workshops on Access Control
  • Agency Assistance
  • Federal Computer Security Training Resource Center
  • Best Practice Task Force
  • CIO Council Security Privacy-Critical Infrastructure
  • Computer System Security & Privacy Advisory Board (CSSPAB)
  • Critical Infrastructure Protection
  • Department of Justice Executive Advisory Team
  • Director Forum of CIO Council
  • DoC/CIO Contingency Planning Affinity Group
  • FedCIRC Partners
  • Federal Computer Security Program Managers' Forum
  • Federal Information Systems Security Educators' Association (FISSEA)
  • Federal Public Key Infrastructure Steering Committee & Subgroups
  • Federal Public Key Infrastructure Technical Working Group
  • Forum for Privacy & Security in Healthcare
  • High Performance Computing and Communications
  • Information Industry Group
  • INFOSEC Research Council
  • National Colloquium for Information Systems Security Education (NCISSE)
  • National Science Foundation Career Proposal Review Panel
  • National Security Telecommunications & Information Systems Security Committee (NSTISSC)
  • Network Security Information Exchange
  • NIST-NSA Technical Working Group
  • Open Source Security Working Group
  • Smart Card Security Users Group
  • American Bar Association Information Security Ctte
  • Common Criteria Mutual Recognition Arrangement Management Ctte
  • Critical Infrastructure Coordination Group
  • Education & Awareness Ctte
  • Nat'l Committee for Information Technology Standards, Technical Committee T3-Open Distributed Processing
  • Steering Ctte Member of ACM Workshop on Access Control
  • CEAL: a Cygnacom Solutions Laboratory
  • DOMUS IT Security Laboratory, A Division of LGS Group, Inc.
  • InfoGard Laboratories, Inc.
  • ANSI Accredited Standards Committee X9F3
  • ANSI X9.82 Random Number Generation Standard
  • ANSI X9F, X9F1, X9F3
  • ANSI-NCITS T4 Computer Security
  • IETF S/MIME V3 Working Group
  • IETF Public Key Infrastructure Working Group (PKIX)
  • IETF Internet Protocol Security (IPSEC)
  • Internet Protocol Secure Policy (IPSP)
  • Internet Protocol Secure Remote Access (IPSRA)
  • ISO/Internat'l Electrotechnical Commission Joint Technical Committee 1
  • ISO JTC1 SC27 Computer Security

  21. Key Theme: Improving Security Products How we improve security through standards and testing

  22. The cycle:
  • Identify needs for security standards - industry and government
  • Develop security standards
  • Test products against security standards
  • Vendors improve products
  • Users get more secure products
  • Therefore… Security is Improved!

  23. Agenda • Who we are • Computer security program • NIST partnerships • Summary

  24. Summary & Conclusions
  NIST is improving security by:
  • Raising awareness of the need for cost-effective security
  • Engaging in key U.S. voluntary standards activities
  • Developing standards and guidelines to secure Federal systems (often adopted voluntarily by private sector)
    • Cryptographic algorithms
    • Policy, management, operations, and best practices guidance
    • PKI
  • Providing National leadership role for security testing and evaluation
    • Cryptographic Module Validation Program
    • National Information Assurance Partnership

  25. Yet, there is more we could do...

  26. President’s 9/99 Proposal for Increasing NIST CIP Activities
  • Establish an Expert Review Team at NIST
    • Assist Government-wide agencies in adhering to Federal computer security requirements
    • Director to consult with OMB and NSC on plans to protect and enhance computer security for Federal agencies
    • Fund a permanent 15-member team responsible for
      • Helping agencies identify vulnerabilities
      • Plan secure systems, and implement CIP plans

  27. President’s 9/99 Proposal for Increasing NIST CIP Activities (Concluded)
  • Establish an operational fund at NIST for computer security projects among Federal agencies
    • Independent vulnerability assessments
    • Computer intrusion drills
    • Emergency funds to cover security fixes for systems identified to have unacceptable security risks

  28. Questions?
