National Cybersecurity Challenges and NIST. Matthew Scholl, Chief, Computer Security Division


The Importance of Standards
- Article I, Section 8: "The Congress shall have the power to fix the standard of weights and measures"
- National Bureau of Standards established by Congress in 1901
  - Eight different authoritative values for the gallon
  - Electrical industry needed standards
  - American instruments sent abroad for calibration
  - Consumer products and construction materials uneven in quality and unreliable
- Estimated that 80% of global merchandise trade is influenced by testing and other measurement-related requirements of regulations and standards

NIST has two main campuses: Gaithersburg, MD and Boulder, CO.

NIST Products and Services
- Measurement Research: ~2,200 publications per year
- Standard Reference Data: ~100 different types; ~6,000 units sold per year; ~226 million data downloads per year
- Standard Reference Materials: ~1,300 products available; ~30,000 units sold per year
- Calibration Tests: ~18,000 tests per year
- Laboratory Accreditation: ~800 accreditations of testing and calibration labs

ITL Mission: Cultivating Trust in IT and Metrology.
CSD Mission: Inspire Trust and Confidence in IT.
Goals: Make effective, usable and impactful references to reduce risks to information and information systems.

NIST's Cybersecurity Core Program
- Research, development and specification of security mechanisms (e.g. protocols, cryptography, access control, auditing/logging)
- Security mechanism applications: confidentiality, integrity, availability, authentication, non-repudiation
- Secure system and component configuration
- Assessment and assurance of security properties of products and systems

Example Current Research Areas
- Risk Management: focus on a complete Risk Management Framework that supports lifecycle management of an organization's traditional information and information infrastructure as well as cyber-physical systems
- Configuration Baselines: standardized security configurations for operating systems, and automated tools to test those configurations
- Security Automation and Vulnerability Management: continue to develop tools and specifications that address situational awareness, conformity and vulnerability management compliance

- Virtualization and Cloud: support for cloud special publications and standards activities that support security, portability and interoperability
- Key Management: foster the requirements of large-scale key management frameworks and the design of key management systems; support the transitioning of cryptographic algorithms and key sizes
- Next Generation Cryptography: use and implementation of SHA-3; developing new lightweight and quantum-resistant encryption for use in current and new technologies; new modes of operation

- Secure Mobility: research and development in mobile security, including mobile application testing and mobile
  - Guidelines for Testing and Vetting Mobile Applications
  - Mobile App Software Assurance Requirements
  - Mobile Roots of Trust
- Supply Chain: work with industry, academic and government stakeholders to develop foundational definitions, baseline requirements, general implementation methodologies, and a set of supply chain risk management best practices encompassing the system development lifecycle

- Trust Roots: collaborate with industry to develop guidelines that identify security properties for hardware trust roots and other trust roots to leverage and use
- Network Security: foster requirements for secure networking technology such as DNSSEC, IPv6 and BGP technologies
- Software Assurance: identifying and reducing the software bugs that are relevant to security, resilience and reliability; understanding how the tools we use affect software; collaboration with industry, US agencies and international partners in developing, integrating and creating software assurance metrics, measurements and conformance activities

- Usability of Security: performing groundwork research to define the factors that enable usability in multifactor authentication, and developing a framework for determining the metrics that are critical to the success of usability
- Identity Management Systems: standards development work in biometrics, smart cards, identity management and privacy framework; R&D in Personal Identity Verification, Match-On-Card, an ontology for identity credentials, and development of a workbench for ID credential interoperability
- Infrastructure Support: cybersecurity for application infrastructure including Health Information Technology, Smart Grid and Voting

Testing and Conformance for the USG
- Cryptography: algorithms and modules. Undergoing change to how, when and who conducts testing and validation.
- ID Credential (PIV): USG identity in card form factor. Undergoing change to look at new modalities.
- SCAP Tools: automated tools using standards for security information. Looking to SDOs for the next set of needed information.

National Initiative For Cybersecurity Education (NICE)
NICE is "enhancing the overall cybersecurity posture of the United States by accelerating the availability of educational and training resources designed to improve the cyber behavior, skills, and knowledge of every segment of the population."
NIST, as the interagency lead for NICE, promotes the coordination of existing and future activities in cybersecurity education, training and awareness to enhance and multiply their effectiveness:
- Raise national awareness about risks in cyberspace.
- Broaden the pool of individuals prepared to enter the cybersecurity workforce.
- Cultivate a globally competitive cybersecurity workforce.

National Cybersecurity Center of Excellence (NCCoE)
- Accelerated adoption of practical, affordable and usable cybersecurity solutions
- Integrated cybersecurity solutions, built on commercial technologies, designed to address a sector's specific business needs
- Increased opportunities for innovation through the identification of technology gaps
- Trusted environment for interaction among businesses and solution providers
- Further the understanding of current cybersecurity technology capabilities and the cost of their implementation
- Broader awareness of cybersecurity technologies and standards

Tools, Data and References
- National Vulnerability Database
- Secure Configurations
- National Software Reference Library
- Combinatorial Software Testing Tools
- Randomness Beacon
- Security Control Catalogue

Develop Post-Quantum Cryptography Standards
- Call for proposals was released December 2016; submission deadline is November 30, 2017
- Main activities:
  - Research: NIST researchers have been very productive; 3 papers were presented at PQCrypto 2017 (a major conference in PQC), along with a NIST Q&A session
  - Outreach to the community for the standardization process, through presentations at, e.g., The National Academies of Science Forum on Cyber Resilience Workshop, the Asia PQC Forum, the International Cryptographic Module Conference and the Information Assurance Symposium
  - Interaction with the community to discuss questions on submission requirements

Explore proper approaches for lightweight cryptography
- Published NISTIR 8114, Report on Lightweight Cryptography
- Call for profiles to characterize lightweight
  - Profile characteristics: physical, performance, security
  - 20 questions for response
  - Profile template includes function, design goal and characteristics
- The profiles will determine the approach in selecting lightweight cryptography algorithms and their specifications

Update existing standards
- To be consistent with well-accepted industry practice, e.g. SDOs
- To respond to advances in crypto research
- The following standards are under revision:
  - FIPS 186-4, Digital Signature Algorithms
  - Special Publication A/B/C (key agreement)
- Outreach to the user community to discuss updates and solicit feedback

Respond to advances in cryptanalysis
- Triple DEA: attack on its usage in major protocols, e.g. HTTPS
  - Revise the data limit encrypted under one key set in SP 800-67
  - Deprecate Triple DEA for IKE (SP 800-196) and TLS (SP 800-52)
- FF3 format-preserving encryption (one of the modes in NIST SP 800-38G)
  - Announce NIST's plan to revise SP 800-38G and call for public comment
- Practical SHA-1 collision
  - Urge users who haven't complied with NIST recommendations to stop using SHA-1 in applications where collision resistance is needed
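The reason the Triple DEA data limit had to be revised is the birthday bound on a 64-bit block: in CBC mode, two equal ciphertext blocks reveal the XOR of the corresponding plaintext blocks, and a collision among n blocks becomes likely once n approaches 2^(b/2) for a b-bit block size (the 2016 attack on 64-bit ciphers in TLS, published as Sweet32, exploited exactly this). The following Python is an added example, not code from the NIST slides: it computes the collision probability for a given number of blocks, the block count at which it reaches a target probability, and whether a byte count under one key stays within a configurable limit. The slide itself gives no figure; the 2^20-block limit used as the default is the one SP 800-67 Rev. 2 adopted, and is marked as such in the code.

```python
# Added example (not part of the NIST presentation): birthday bound for a
# b-bit block cipher, and a per-key data-limit check in the style of SP 800-67.
import math

TDEA_BLOCK_BITS = 64
AES_BLOCK_BITS = 128
# Per-key-bundle limit adopted in SP 800-67 Rev. 2: 2^20 64-bit blocks (8 MiB).
# The slide only says the limit was revised; the number is supplied here.
TDEA_MAX_BLOCKS_PER_KEY = 2 ** 20


def collision_probability(blocks: int, block_bits: int) -> float:
    """Probability that at least two of `blocks` ciphertext blocks are equal,
    from the birthday bound 1 - exp(-n(n-1) / 2^(b+1))."""
    space = 2.0 ** block_bits
    return 1.0 - math.exp(-(blocks * (blocks - 1)) / (2.0 * space))


def blocks_for_probability(p: float, block_bits: int) -> int:
    """Smallest block count at which the birthday-bound collision probability
    reaches p (inverse of the bound above, with n(n-1) ~ n^2)."""
    space = 2.0 ** block_bits
    return math.ceil(math.sqrt(-2.0 * space * math.log1p(-p)))


def max_bytes_per_key(limit_blocks: int, block_bits: int) -> int:
    """Bytes that may be encrypted under one key before the block limit is hit."""
    return limit_blocks * block_bits // 8


def exceeds_key_limit(bytes_encrypted: int,
                      block_bits: int = TDEA_BLOCK_BITS,
                      limit_blocks: int = TDEA_MAX_BLOCKS_PER_KEY) -> bool:
    """True if encrypting `bytes_encrypted` bytes under one key would exceed
    `limit_blocks`. A partial final block counts as a full block (CBC pads)."""
    blocks = -(-bytes_encrypted * 8 // block_bits)  # ceiling division
    return blocks > limit_blocks


def compare_block_sizes(block_sizes=(TDEA_BLOCK_BITS, AES_BLOCK_BITS)):
    """For each block size: (bits, blocks to reach 50% collision, bytes)."""
    rows = []
    for b in block_sizes:
        n_half = blocks_for_probability(0.5, b)
        rows.append((b, n_half, n_half * b // 8))
    return rows


if __name__ == "__main__":
    for b, n, nbytes in compare_block_sizes():
        print(f"{b}-bit blocks: 50% collision chance after ~{n:.3e} blocks "
              f"(~{nbytes / 2 ** 30:.1f} GiB under one key)")
    limit_bytes = max_bytes_per_key(TDEA_MAX_BLOCKS_PER_KEY, TDEA_BLOCK_BITS)
    print(f"P(collision) at the 2^20-block limit: "
          f"{collision_probability(TDEA_MAX_BLOCKS_PER_KEY, TDEA_BLOCK_BITS):.2e}")
    print(f"{limit_bytes} bytes under one 3DES key exceeds limit: "
          f"{exceeds_key_limit(limit_bytes)}")
    print(f"{limit_bytes + 1} bytes under one 3DES key exceeds limit: "
          f"{exceeds_key_limit(limit_bytes + 1)}")
```

Run it and the contrast is the whole argument: with 64-bit blocks a 50% collision chance arrives after roughly 5 billion blocks (about 40 GB, a volume a single long-lived TLS or VPN session can reach), whereas with 128-bit blocks it takes on the order of 10^19 blocks. Capping a 3DES key at 2^20 blocks keeps the collision probability around 3e-8, which is why a rekey-or-refuse check like `exceeds_key_limit` belongs wherever Triple DEA cannot yet be retired.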

The 20 Year Question (or 5, 10, 15)
- Practical quantum compute?
- Divergence away from the mobile platform?
- Data generation everywhere?
- Compute on everything? (new forms of HPC?)
- Bandwidth to connect at scale?
- Abstraction of the user interface?
- Predictive/responsive AI?
- Resilient products and components?

For Additional Information
- http://csrc.nist.gov
- http://csrc.nist.gov/nice/
- http://www.nist.gov/nstic/
- http://nccoe.nist.gov
- http://www.nist.gov/cyberframework/