Defining IT Security Requirements for Federal Systems and Networks

Similar documents
Building an Assurance Foundation for 21 st Century Information Systems and Networks

NIST Security Certification and Accreditation Project

Building More Secure Information Systems

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

Guide for Assessing the Security Controls in Federal Information Systems

Progress Report National Information Assurance Partnership

National Information Assurance Partnership (NIAP) 2017 Report. PPs Completed in CY2017

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. for

Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. for

Risk-Based Cyber Security for the 21 st Century

Cybersecurity: Trust, Visibility, Resilience. Tom Albert Senior Advisor, Cybersecurity NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

Tenable SCAP Standards Declarations. June 4, 2015 (Revision 11)

NIST SP , Revision 1 CNSS Instruction 1253

Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria

AnyConnect Secure Mobility Client for Windows 10

Common Criteria Certification (ISO15408) Update

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance Partnership

TEL2813/IS2820 Security Management

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

Security Management Models And Practices Feb 5, 2008

Appendix 12 Risk Assessment Plan

The NIST Cybersecurity Framework

TEL2813/IS2621 Security Management

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

New Guidance on Privacy Controls for the Federal Government

Digital Health Cyber Security Centre

An introduction to the National Voluntary Laboratory Accreditation Program

Appendix 12 Risk Assessment Plan

UGANDA NATIONAL BUREAU OF STANDARDS LIST OF DRAFT UGANDA STANDARDS ON PUBLIC REVIEW

UNICOS/mp Common Criteria Evaluation

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme

National Information Assurance Partnership

Common Criteria (CC) Introduction

Cybersecurity & Privacy Enhancements

National Information Assurance Partnership. Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

The Role of the American National Standards Institute (ANSI) Irwin Silverstein, Ph.D. IPEA

Erik Puskar Standards Coordination Office 30 May, 2013 World Trade Center Moscow

National Information Assurance Partnership

D4 Secure VPN Client for the HTC A9 Secured by Cog Systems

Cisco IoT Industrial Ethernet and Connected Grid Switches running IOS

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Rethinking Cybersecurity from the Inside Out

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

Brocade MLXe Family Devices with Multi- Service IronWare R

National Information Assurance Partnership

NW NATURAL CYBER SECURITY 2016.JUNE.16

Information Systems and Tech (IST)

National Information Assurance Partnership

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme

Protecting the Nation s Critical Assets in the 21st Century

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

Aruba Virtual Intranet Access (VIA) Client Version 3.0

CCISO Blueprint v1. EC-Council

Threat and Vulnerability Assessment Tool

National Information Assurance Partnership

National Cybersecurity Challenges and NIST. Matthew Scholl Chief Computer Security Division

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. Tripp Lite Secure KVM Switch Series

Toward Credible IT Testing and Certification

Common Criteria Certificate

DoDD DoDI

Security Standards for Electric Market Participants

BUILD YOUR CYBERSECURITY SKILLS WITH TRASYS INTERNATIONAL

Synergies of the Common Criteria with Other Standards

The Office of Infrastructure Protection

3.0 NETWORX ARCHITECTURE FOR IP-BASED SERVICES (L ) (M.2.1) (a), M.2.1.1(a))

INFORMATION ASSURANCE DIRECTORATE

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

Membership Categories and Benefits

ISA Security Compliance Institute

Samsung Electronics Co., Ltd. Samsung Galaxy Note 5 & Galaxy Tab S2 VPN Client

Solutions Technology, Inc. (STI) Corporate Capability Brief

Common Criteria Evaluation and Validation Scheme for. Information Technology Laboratory DRAFT

ISAO SO Product Outline

CCM 4350 Week 22. Security Architecture and Engineering. Dr A. Lasebae School of Science and Technology CCM4350 1

Certification Report

Evolving Cybersecurity Strategies

Implementing Executive Order and Presidential Policy Directive 21

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme

NERC Staff Organization Chart Budget 2019

Cybersecurity Overview

MarkLogic Server Enterprise Edition Version 4.0

PARTNERING WITH THE REGULATORS: The Role for 3rd Party Accreditation in Food Safety

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

PRIOR LEARNING ASSESSMENT AND RECOGNITION (PLAR)

COTS, Subversions, and the Foreign Supply Chain issues for DoD Systems. Dr. Ben A. Calloni, P.E. Lockheed Martin Fellow, Software Security

Security and Privacy Governance Program Guidelines

Forcepoint NGFW 6.3.1

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme

National Cybersecurity Center of Excellence (NCCoE) Mobile Application Single Sign

Requirements for Building Effective Government WLANs

Transcription:

Defining IT Security Requirements for Federal Systems and Networks Employing Common Criteria Profiles in Key Technology Areas Dr. Ron Ross 1

The Fundamentals Building more secure systems depends on the use of--- Well defined IT security requirements and security specifications --- describing what types of security features we want and what the developer must do in the design and development of these features Quality security metrics and appropriate testing, evaluation, and assessment procedures --- providing assurance we received what we asked for 2

Strategic Goals Increase the level of assurance in Federal systems and networks in the near term by acquiring information technology (IT) products from the commercial marketplace with necessary security features and capabilities Promote the development of more advanced IT security products by industry in the mid-to-long term to further strengthen Federal systems and networks and create a more secure information infrastructure within the United States 3

Objectives Develop well defined sets of IT security requirements, or protection profiles, in key technology areas for Federal systems and networks using the international standard Common Criteria (ISO/IEC 15408) Create cost-effective IT security metrics and associated methods and procedures using standardized sets of Common Criteriabased assurance requirements Manage inventory of protection profiles in a life cycle process to evolve with technological advancements and to protect industry investments in product development/testing Promote the standardization of protection profiles, wherever possible, both nationally and internationally 4

Defining Requirements ISO/IEC Standard 15408 Profiles Access Control Identification Authentication Audit Cryptography! Operating Systems! Database Systems! Firewalls! Smart Cards! Applications! Biometrics! Routers! VPNs A flexible, robust catalogue of standardized IT security requirements (features and assurances) Consumer-driven security requirements in specific information technology areas 5

Principles of Development-I Security requirements will be expressed, whenever possible, using international standard ISO/IEC 15408 (Common Criteria) and be delivered in the form of protection profiles. profiles will be targeted at high impact areas within the critical infrastructure with broad constituency support to ensure adequate participation by industry. profiles will be developed in key technology areas, (e.g., operating systems, database systems, firewalls, smart cards, biometrics devices, public key infrastructure components, virtual private networks) and will employ a variety of security features and assurances according to projected environments of use. 6

Principles of Development-II Security requirements within the same technology area, (e.g., operating systems) will be characterized, whenever possible, by a family of protection profiles, hierarchically-related to promote comparability for consumers and cost-effective testing and evaluation for industry. profiles will be developed and vetted, whenever possible, in an open, public process in full partnership with industry, consortia, and standards groups to ensure maximum acceptance and usability. 7

Principles of Development-III profiles recommended for U.S. Government use will be evaluated by independent, private sector, Common Criteria Testing Laboratories and validated by the National Information Assurance Partnership (NIAP) or equivalent organizations under the international Common Criteria Recognition Arrangement. profiles will be managed in a life cycle process with adequate transition time between versions, (i.e., new releases), to balance advances in technology against a desire for stability of requirements and to protect previous investments in product and system security evaluations. 8

Principles of Development-IV Federal agencies will be encouraged to use protection profiles recommended by NIST and NSA for their respective constituencies (based upon respective authorities) according to the security and assurance needs of the organization or specific policies currently in effect. profiles recommended by NIST and NSA will be promoted to the national and international standards communities to facilitate consensus building on security requirements for critical infrastructure protection-related applications. 9

Principles of Development-V profiles recommended by NIST and NSA prior to the joint development project will be grandfathered into the list of recommended protection profiles for a reasonable period of time to facilitate a seamless transition and to protect previous investments in product or system security evaluations. 10

Profile Matrix Operating System Database System Firewall Smart Card Biometrics VPN PKI Intrusion Detection System Web Browser Operating System Database System Firewall Smart Card Biometrics VPN PKI Intrusion Detection System Web Browser Operating System Basic Database System Basic Firewall Basic Smart Card Basic Biometrics Basic VPN Basic PKI Basic Intrusion Detection System Basic Web Browser Basic Basic Key Technology Areas 11

Profile Family Operating System Database System Firewall Smart Card Biometrics VPN PKI Intrusion Detection System Web Browser Operating System Database System Firewall Smart Card Biometrics VPN PKI Intrusion Detection System Web Browser Operating System Basic Database System Basic Firewall Basic Smart Card Basic Biometrics Basic VPN Basic PKI Basic Intrusion Detection System Basic Web Browser Basic Basic Key Technology Areas 12

Potential Key Technology Areas Operating Systems Database Systems Firewalls Biometrics Smart Cards Intrusion Detection Systems Public Key Infrastructure Virtual Private Networks Routers and Gateways Web Browsers Telecommunications Switching Devices Applications 13

Profile Matrix (Characteristics) profiles organized into families by key technology areas profiles within families and across technology areas policy and organization neutral Three protection profiles per technology family offering basic, extended and advanced levels of protection profiles hierarchically related within technology family 14

Use of Profiles Generalized, Consumer Driven Security Requirements Technology Area Profiles Technology Area Profiles Technology Area Profiles Technology Area Profiles Operating Systems Database Systems Firewalls Applications Operating System DBMS Firewall Application IT System Security Requirements Enterprise Information Systems 15

Industry Response Generalized, Consumer Driven Security Requirements Technology Area Profiles Technology Area Profiles Technology Area Profiles Technology Area Profiles Operating Systems Database Systems Firewalls Applications Enterprise Information Systems Operating System DBMS Firewall Application Security Architectures IT System Security Requirements IT Product IT Product IT Product IT Product Variety of Vendor Driven IT Products 16

Assurance Requirements Profile Assurance Packages Key Technology Area Security Assurances!!! Basic Consumer statement of IT security requirements to industry in a specific information technology area Selection of one of three core assurance packages, augmented by exception when needed 17

Derived Evaluation Methodology Profile Family Generalized Evaluation Requirements Technology-Specific Evaluation Methods Biometrics Assurance Package Biometrics Assurance Package Biometrics Basic Assurance Package! Common Evaluation Methodology! Common Evaluation Methodology! Basic Common Evaluation Methodology Derived Evaluation Methods Derived Evaluation Methods Derived Evaluation Methods 18

Benefits of Derived Evaluation Methodology-I Greater specificity in IT security testing and evaluation processes; traceable to Common Criteria requirements in protection profiles More objective, consistent, and repeatable IT security testing and evaluation More cost-effective and timely security evaluation results for consumers and producers of commercial off-the-shelf (COTS) products 19

Benefits of Derived Evaluation Methodology-II Potential for incorporation into laboratory accreditation process to ensure competency in specialized technology testing Reduced need for interpretations of functional and assurance requirements and for technical oversight by validation authority Potential for exportability of technology-based test methods for use by Common Criteria partners and participating certification bodies leading to greater comparability of evaluations internationally 20

A Comprehensive Approach Linking Critical Assessment Activities Products Laboratory Environment Product s Validated Products Operational Environment Accreditation Authority Real World Threats and Vulnerabilities Accredited Testing Labs NIAP CCEVS CC Evaluations Products Generic Systems e System-level Profile Specific IT System Products Generic Systems Technical Security Systems Generic Systems (Configuration of Products) Evidence Security Target Evaluation Report Validation Report Evaluation Work Packages! Risk Management! Security Policies Standards Guidelines! Personnel Security! Procedural Security Certification Accreditation 21

Director Contact Information Dr. Ron S. Ross 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Deputy Director Terry Losonsky NIST-ITL NSA-V1 (301) 975-5390 (301) 975-4060 rross@nist.gov tmloson@missi.ncsc.mil Senior Advisor Chief Scientist Dr. Stuart Katzke R. Kris Britton NIST-ITL NSA-V1 (301) 975-4768 (410) 854-4384 skatzke@nist.gov rkbritt@missi.ncsc.mil Email: niap-info@nist.gov World Wide Web: http://niap.nist.gov 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback