Overview of NIST Role in Cybersecurity Standards
Cybersecurity Blueprints for Cloud Computing. Donna F. Dodson, Division Chief, Computer Security Division; Acting Director, National Cybersecurity Center of Excellence.
Transcript and Presenter's Notes
1
Cybersecurity Blueprints for Cloud Computing
Donna F. Dodson
Division Chief, Computer Security Division
Acting Director, National Cybersecurity Center of Excellence
2
Background
  • The U.S. economy and U.S. citizens are heavily
    reliant on information technology (IT)
  • No sector today could function without IT
    • Energy, supply chain, finance, ecommerce,
      transportation, health care
  • Although considerable progress has been made in
    improving cybersecurity capabilities to protect
    IT, there is much yet to be done
    • Determine how to mitigate new threats and secure
      new technologies
  • Cybersecurity needs to become more
    standards-based to further improve quality and
    efficiency. Cybersecurity also needs to become
    easier for people to adopt and use
    • These changes would significantly reduce the cost
      of security implementation and management, as
      well as the economic impact of cybersecurity
      incidents

3
NIST Responsibilities for Cybersecurity
  • NIST is responsible for developing standards and
    guidelines, including minimum requirements, that
    provide adequate information security for all
    agency operations and assets in furtherance of
    its statutory responsibilities under the Federal
    Information Security Management Act (FISMA) of
    2002, Public Law 107-347, but such standards and
    guidelines shall not apply to national security
    systems.
  • Under FISMA NIST shall conduct research, as
    needed, to determine the nature and extent of
    information security vulnerabilities and
    techniques for providing cost-effective
    information security.
  • NIST develops guidelines consistent with the
    requirements of the Office of Management and
    Budget (OMB) Circular A-130, Section 8b(3),
    "Securing Agency Information Systems", as analyzed
    in A-130, Appendix IV, "Analysis of Key Sections".
    Supplemental information is provided in A-130,
    Appendix III.
  • In accordance with the Cyber Security Research
    and Development Act, the National Institute of
    Standards and Technology develops, and revises as
    necessary, checklists setting forth settings and
    option selections that minimize the security
    risks associated with each computer hardware or
    software system that is, or is likely to become,
    widely used within the Federal Government.
  • Homeland Security Presidential Directive 7: The
    Department of Commerce will work with private
    sector, research, academic, and government
    organizations to improve technology for cyber
    systems and promote other critical infrastructure
    efforts, including using its authority under the
    Defense Production Act to assure the timely
    availability of industrial products, materials,
    and services to meet homeland security
    requirements.
  • Homeland Security Presidential Directive 12: The
    Secretary of Commerce shall promulgate in
    accordance with applicable law a Federal standard
    for secure and reliable forms of identification
    (the "Standard")

4
Computer Security Division
  • Core Focus Area: Research, Development, and
    Specification
    • Security Mechanisms (e.g. protocols,
      cryptography, access control, auditing/logging)
    • Security Mechanism Applications: Confidentiality,
      Integrity, Availability, Authentication,
      Non-Repudiation
    • Secure System and Component configuration
    • Assessment and assurance of security properties
      of products and systems

5
Delivery Mechanisms
  • Standards: FIPS, Internal Consensus, National
    Consensus
  • Guidelines: NIST SPs and IRs
  • Journal and Conference Papers
  • Reference Materials
  • Workshops and Conferences
  • Consortia and Forums
  • Training
  • Reference Implementations and Demonstrations
  • Tests and Tools
  • Standards Development Organization Participation

6
Community Engagement
  • Industry
    • Accessing Expertise and Leveraging Resources
    • Coordinating Standards and Initiatives
  • Academia
    • Accessing Expertise and Leveraging Resources
    • Representative Institutions and Consortia
  • International
    • Formal Standards Groups
    • Accessing Expertise and Leveraging Resources
  • Federal, State, and Local Government
    • Interdepartmental
    • Department of Commerce
    • State and Local Governments

7
Delivery Mechanisms (repeat of slide 5)

8
NIST Work in Cyber Security
  • FISMA Phase II
    • Continue to support the Joint Task Force
      Transformation Initiative (DoD, IC, NIST, CNSS)
      and support a unified information security
      framework
    • Continue support for risk management and
      information security publications
    • Potential privacy and threat appendixes for SP
      800-53, Revision 3
    • Work toward system and security engineering and
      application security guidelines
  • US Government Configuration Baseline (USGCB)
    • Standardized security configurations for
      operating systems and automated tools to test the
      configurations, improving security and saving IT
      security management resources
  • Security Automation and Vulnerability Management
    • Continue to develop tools and specifications that
      address situational awareness, conformity,
      vulnerability management, compliance, etc.

9
NIST Work in Cyber Security
  • Virtualization
    • Support for cloud special publication and
      standards activities to support security,
      portability and interoperability
  • Key Management
    • Foster requirements for large-scale key
      management frameworks and for the design of key
      management systems
    • Support transitioning of cryptographic algorithms
      and key sizes
  • Next Generation Cryptography
    • Open competition for a new hash algorithm
    • Developing new, lightweight, quantum-resistant
      encryption for use in current and new
      technologies
    • New modes of operation

10
NIST Work in Cyber Security
  • Usability of Security
    • Performing groundwork research to define factors
      that enable usability in the area of multifactor
      authentication and developing a framework for
      determining metrics that are critical to the
      success of usability
  • Identity Management Systems
    • Standards development work in biometrics, smart
      cards, identity management, and privacy
      framework
    • R&D: Personal Identity Verification,
      Match-On-Card, ontology for identity credentials,
      development of a workbench
    • ID Credential Interoperability
  • Infrastructure support
    • Continued support for Health IT, Smart Grid and
      Voting
  • Standards Development Organizations
    • IETF, ANSI, IEEE, ISO

11
Federal Cloud Computing Strategy
  • Federal IT programs have a wide range of security
    requirements, among them:
    • The Federal Information Security Management Act
      (FISMA) requirements, which include but are not
      limited to compliance with Federal Information
      Processing Standards and agency-specific
      policies
    • Authorization to Operate requirements
    • Vulnerability and security event monitoring,
      logging and reporting
  • It is essential that the decision to apply a
    specific cloud computing model to support a mission
    capability consider the above requirements

12
NIST Cloud Computing Program
  • Accelerate the Federal government's adoption of
    cloud computing
  • Build a USG Cloud Computing Technology Roadmap
    which focuses on the highest priority USG cloud
    computing security, interoperability and
    portability requirements
  • Lead efforts to develop standards and guidelines
    in close consultation and collaboration with
    standards bodies, the private sector, and other
    stakeholders

13
NIST Cloud Computing Special Publications
  • SP 800-144: Guidelines on Security and Privacy
  • SP 800-145: Definition of Cloud Computing
  • SP 800-145: CC Synopsis and Recommendations
  • SP 500-291: CC Standards Roadmap
  • SP 500-292: CC Reference Architecture
  • SP 500-293: USG CC Technology Roadmap (Draft)

14
The NIST Cloud Definition Framework
[Diagram: layered chart with the labels Deployment Models, Service Models, Essential Characteristics, and Common Characteristics (Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution)]
Based upon original chart created by Alex Dowbor - http://ornot.wordpress.com
15
Draft NIST CC Reference Architecture
[Diagram: actors Cloud Consumer, Cloud Provider, Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit) and Cloud Carrier. Within the Cloud Provider: Service Orchestration comprising the Service Layer (IaaS), the Resource Abstraction and Control Layer and the Physical Resource Layer (Hardware, Facility); Cloud Service Management comprising Business Support, Provisioning/Configuration and Portability/Interoperability; Service Intermediation, Service Aggregation and Service Arbitrage; Cross Cutting Concerns: Security, Privacy, etc.]
16
Cloud Security Standards
  • ISO/IEC JTC 1 Subcommittee 27 (Cybersecurity)
    • Responsible for cloud computing security
      standards
    • Early development stages
    • ISO/IEC 27017: Guidelines on information
      security controls for the use of cloud computing
      services based on ISO/IEC 27002
  • US InterNational Committee for Information
    Technology Standards, Technical Committee Cyber
    Security 1 (CS 1)
    • U.S. Technical Advisory Group to SC 27
    • Chaired by NIST

17
FEDRAMP

18
National Cybersecurity Center of Excellence
(NCCoE)
  • Foster the rapid adoption and broad deployment of
    integrated cybersecurity tools and techniques
    that enhance consumer confidence in U.S.
    information systems
  • Disseminate new principles and mechanics
    underlying security standards, metrics, and best
    practices for secure and privacy-preserving
    information technologies
  • Develop and test methods for composing,
    monitoring, and measuring the security posture of
    computer and enterprise systems
  • Achieve broad adoption of practical, affordable,
    and useful cybersecurity capabilities across the
    full range of commercial and government sectors

19
NCCoE Use Case: Secure Cloud Policy Enforcement
[Diagram: process flow with a Planning Phase (Business Engagement, Problem Statement, Use Case) followed by an Implementation Phase (IT Industry Components Selection, Implement in Operational Environment)]
20
For Additional Information
  • Computer Security Resource Center
    http://csrc.nist.gov
  • NIST Cloud Computing Program
    http://www.nist.gov/itl/cloud
  • National Cybersecurity Center of Excellence
    http://csrc.nist.gov/nccoe/