
Cyber Security Activities at the National Institute of Standards & Technology (NIST)

Fran Nielsen, Deputy Chief
Computer Security Division (CSD)
Information Technology Lab/NIST
Presentation Outline
• The Need for Cyber Security
• About NIST and ITL
• CSD Mission and Responsibilities
• Key Themes
• Types of Deliverables and Products
• Major Areas of Work
• Example Activities
The Need
• More dependence on information
technology
• More complex systems and more reliance
on internetworking
• Increased frequency of computer security
incidents
• September 11

National Institute of Standards and Technology

NIST strengthens the U.S. economy and improves the quality of life by working with industry to develop and apply technology, measurements, and standards.

NIST Assets Include:
• National measurement standards: NIST Laboratories.
• 1,500 technical staff.
• 1,600 guest researchers.
• $430 million FY 2001 Laboratory budget.
• $83 million in measurement and research contracts to about 20 other agencies.
• Unique measurement facilities.
• Other programs: Advanced Technology Program, Manufacturing Extension Partnership, Baldrige National Quality Program.
ITL Organization and Program

ITL Organization (organization chart, rendered as a list)
• Director: William Mehuron
• Deputy Director: Susan Zevin
• Assistant Director for Boulder: Cathy Nicoletti (Acting)
• Computing Security Operations: Rob Glenn
• Laboratory Staff: Kamie Roberts
• Senior Management Advisor: Kendra Cole
• CIO Office: Bruce Rosen
• Divisions:
  – Math: Ron Boisvert
  – Networking: David Su (Acting)
  – Computer Security: Ed Roback
  – Information Access: Marty Herman
  – Convergent Information Systems: Victor McCrary
  – Information Services: Ray Hoffmann
  – Software Testing: Mark Skall
  – Statistics: Nell Sedransk
Computer Security Division
NIST Mandate for IT Security

• Develop standards and guidelines for the Federal government for sensitive (unclassified) systems
• Contribute to improving the security of commercial IT products and strengthening the security of users’ systems and infrastructures

Key Statutory Responsibilities
• Develop technical, management, physical and administrative cost-effective standards and guidelines for federal computer systems;
• Develop validation procedures for, and evaluate the effectiveness of, standards and guidelines;
• Perform research and conduct studies to determine the nature and extent of the vulnerabilities of sensitive systems;
• Devise techniques for the cost-effective security and privacy of sensitive information systems;
• Provide the staff services necessary to assist the Computer System Security and Privacy Board in carrying out its functions; and
• Assist the private sector, upon request, in using and applying the results of programs and activities.

Computer Security Act of 1987 and IT Management Reform Act of 1996, reinforced in OMB Circular A-130, App. III

Computer Security Division
Mission
To improve information systems security by:
• raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;
• researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
• developing standards, metrics, tests and validation programs:
  – to promote, measure, and validate security in systems and services;
  – to educate consumers; and
  – to establish minimum security requirements for Federal systems; and
• developing guidance to increase secure IT planning, implementation, management and operation.
Key Themes
• Security is important to the sound and efficient functioning of the economy and government;
• Agencies / OMB / Congress have high expectations of NIST regarding our Federal role;
  – Reflected in bills such as HR 1259, H.R. 3394 and HR 3316;
• Security of commercial products in the marketplace is inadequate
  – Standards help: NIST’s role in helping to develop specifications (to drive the market) helps our customers, both Federal and industry users, know what to specify; Federal ones are used as procurement specs.
  – Testing helps: NIST’s role in testing helps users know they are getting what they think they are buying, and adds legitimacy to vendors’ claims.
• Product evaluation (e.g., of operating systems) is difficult and time consuming at best; it needs rigor and standardizable testing, a long-term challenge
• Longer-term challenge: security and composability

Types of Deliverables
• Standards and Specifications
  – FIPS (e.g., AES)
  – Voluntary Industry Consensus Standards
  – Ad hoc specifications
• Guidelines
  – ITL Bulletins
  – Special Publications
  – NIST Recommendations
• Testing programs/services
  – CMVP
  – NIAP
  – IPSec
  – PKI
• Security Outreach / Awareness / Leadership
  – Forum
  – CSSPAB
  – ICCC
  – CIO Security Committee
  – CC MRA
  – CSRC
  – Press articles
  – ITL Bulletins
  – FPKI TWG
• Research
  – Mobile Agents
  – Intrusion detection
  – Security administration
  – Testing methods
Customers/Constituents – Categories / Examples

• Federal Community
  – OMB
  – Treasury
  – Federal PKI Steering Committee
  – FDIC
  – NSA
  – Federal Computer Security Program Managers’ Forum
  – GSA
  – CIO Council & CIO Security Committee
  – HHS
• IT Industry Users / Consortia
  – Banking (ANSI X9)
  – Smart Card Consortia
  – Healthcare Open Systems and Trials (HOST)
  – Telecom Security Forum
  – Boeing
• IT Industry Producers / Consortia
  – Intel
  – IETF
  – PKI Forum
  – Microsoft
  – RSA
  – Counterpane Systems
  – IBM
  – Motorola
  – Entrust
  – Certicom

Many, many organizations ask for our participation / assistance…
Examples:
Wide Community Engagement
• ANSI
• IETF
• Federal PKI Steering Committee
• ISO
• CIS
• USG-OECD
• Network Security Information Exchange
• Critical Infrastructure Groups
• IEEE
• Univ. of Tulsa
• Federal Computer Security Program Managers’ Forum
• CIO Council Security Committee
• Federal Information Systems Security Educators Association
• CC Mutual Recognition Committee
• Committee for National Security Systems
• Executive Branch Information Systems Security
• CMVP Conference
• International Common Criteria Conference
• RSA Conference 2001/2002
• Key Management Workshop
• Information Assurance Technical Framework Forum
• Telecommunications Security Conference
• Federal Information Assurance Conference
• Regional Security Awareness Management Seminars
• Other Homeland Defense & CIP Committees

Wide engagement keeps us in touch with our customers and their needs.
Key Focus Areas of NIST’s Computer Security Program
• Cryptographic Standards and Applications
• Exploring New Security Technologies
• Management and Assistance
• Security Testing
• Outreach

Cryptographic Standards and Applications
• Work with industry and government to develop cryptographic-based standards
  – Cryptographic Standards Toolkit
    • AES setting new baseline
    • Need for lightweight standards
  – Public Key Infrastructure
1/02

1. Cryptographic Standards and Applications

Goals
Establish secure cryptographic standards for storage and communications & enable cryptographic security services in applications through the development of: PKI, key management protocols and secure application standards

Technical Areas
• Secure encryption, authentication, non-repudiation, key establishment, & random number generation algorithms.
• PKI standards for protocols, standards and formats
• PKI interoperability, assurance & scalability

Impacts
• Strong cryptography used in COTS IT products
• Standardized PKI & cryptography improves interoperability
• Availability of secure applications through crypto & PKI

Projects
• Cryptographic Standards
• Cryptographic Standards Toolkit
• Advanced Encryption Standard (AES)
• Public Key Infrastructure & Applications
• Industry and Federal Security Standards
• PKI and Client Security Assurance
• Promoting PKI Deployment

Collaborators
Industry: ANSI X9, IETF PKIX, AES submitters, Baltimore Technologies, CertCo, Certicom, Cylink, Digital Signature Trust, RSA Labs, Entrust Technologies, E-Lock Technologies, Getronics, IBM, ID Certify, Mastercard, Microsoft, Motorola, Netscape, Spyrus, Network Associates, VeriSign, Verizon, Visa, World Talk
Federal: Department of Treasury, Agencies participating in Federal PKI Steering Committee and Bridge CA Project, FDIC, NSA
Cryptographic Standards

Security Requirements for Cryptographic Modules: FIPS 140-2

Symmetric Alg.
* DES (FIPS 46-3)
* 3DES (FIPS 46-3, ANSI X9.52)
* AES (FIPS 197)
• Modes of operation
  - DES (FIPS 81)
  - Recommendation for Block Cipher Modes of Operation (Encryption) - Methods and Techniques (800-38A)
• Message Authentication Code for Block Ciphers (800-38B)

Asymmetric Algs.
* Dig. Sig. Std. (FIPS 186-2)
  - DSA (ANSI X9.30)
  - RSA (ANSI X9.31)
  - ECDSA (ANSI X9.62)
* Key Management
  - Diffie-Hellman - ANSI X9.42
  - RSA - ANSI X9.44
  - Elliptic Curves - ANSI X9.63
  - Key wrapping

Secure Hash
* SHA-1 (FIPS 180-1)
* Expand to include: SHA-256, SHA-384, SHA-512
Advanced Encryption Standard (AES)

Goals
• Develop a new, royalty-free encryption standard that can be used by government and business to protect information for 30-50 years.

Technical Areas
• Clear specification of the AES algorithm and NIST’s requirements for its implementation.
• Cryptographic test suite development for testing and validation of the conformance of AES implementations with the standard.

Impacts
• Secure e-commerce and data protection through highly secure encryption that keeps pace with rapid advances in technology.
• Validation that COTS products comply with the AES standard.
• Banking and international standards communities are looking to adopt the AES, which will promote its use outside of government

Collaborators
Federal: National Security Agency (NSA)
Industry: Protonworld International (Belgium), IBM, RSA Security & Counterpane Systems participated in AES finalists; many companies provided extensive comments and papers on the AES selection & spec.
Academia: Katholieke Univ. (Belgium), MIT, Technicon, Cambridge Univ., & Univ. of Bergen faculty participated in finalist submissions; many others helped in analysis
Global: ISO JTC1/SC27

FY 2001
• Selected the Rijndael algorithm as the AES
• Developed draft AES FIPS & completed public comment.
• Developed Draft AES Basic Modes of Operation
• Hold Modes Workshop (4Q)
• Issue NIST Recommendation on Basic Modes of Operation (4Q)

FY 2002
• Announced Secretary’s approval of AES
• Complete AES validation tests and software
• Publish AES Validation Guideline; begin testing AES products.
• Develop “Phase 2” AES Modes of Operation
Cryptographic Standards Toolkit

Goals
• Improve information security and facilitate electronic commerce by developing and standardizing strong cryptographic algorithms
• Provide guidance for the use of cryptography

Technical Areas
• Secure cryptographic algorithms for encryption, authentication, non-repudiation, key establishment, and random number generation.

Impacts
• Worldwide government and industry use of strong cryptography
• Guidance and education available in the use of cryptography.
• Secure interoperability achieved through standard algorithms
• Secure electronic commerce enabled through cryptography

Collaborators
Industry: ANSI X9, RSA Security, Certco, Certicom, Chase Manhattan Bank, Cybersafe, Cygnacom, Deloitte & Touche Security Services, IBM, Entrust, BBN, Booz-Allen, Ernst & Young, First Data Corp., First Union Corp., IDA, KPMG, Motorola, Gemplus, Jones Futurex, Mastercard, Merrill Lynch, GTE Cyber Trust, Pitney Bowes, PNC Bank, Price Waterhouse Coopers, TecSec, Spyrus, Verifone, VeriSign, Visa, Xcert, AES submitters and commenters
Federal: NSA, BXA, Federal Reserve, CSE, Treasury

FY 2001
• Prepared draft AES and HMAC FIPS and completed public reviews
• AES and HMAC FIPS approval by SoC (4Q)
• Public Review of revised SHA with new algorithms (FIPS 180-2)
• Revision and public review of DSS (FIPS 186-3)
• Draft NIST basic AES Modes of Operation Recommendation (4Q)
• Modes Workshop (4Q)
• First Draft of Key Mgmt. Schemes & Guidance documents (4Q)

FY 2002
• FIPS 180-2 and FIPS 186-3 approval by SoC
• Validation tests for: AES modes, DSA, SHA, HMAC, ANSI X9.42
• Key Management Workshop
• Complete Key Establishment Scheme & Guidance Documents
• Develop phase 2 Modes of Operation recommendation
• Develop a Random Number Generation standard (ANSI X9.82)

First impact: Near-Term (Immediate to 2 years)

Promoting PKI Deployment

Goals
• Promote development of an interoperable PKI to support security services for Internet systems and applications. Establish baseline PKI security policies and procedures. Assist federal agencies in the deployment of PKI infrastructure and applications through guidance and consultation.

Technical Areas
• Bridge certification authorities
• Certificate Policies (CP) and Certification Practice Statements (CPS)
• Certification and accreditation of CAs
• X.500 and LDAP directory servers

Impacts
• Federal Bridge CA links agency PKIs to form a federal PKI and promotes development of private sector bridge CAs
• Accelerate federal agency PKI deployment
• Chained X.500 directories

Collaborators
Federal: Federal PKI Policy Authority, Federal PKI Steering Committee, General Services Administration, General Accounting Office, National Security Agency, FDIC, Treasury FMS, Army Corps of Engineers, Office of Management and Budget
Academia: EduCause (1,800 universities, colleges, and educational institutions)
State: Illinois, Washington

FY 2002
• Federal PKI Technical Working Group
  - Federal Bridge CA cross certifications
  - FBCA Certificate, CRL, and Directory Profiles
• PKI Policy Development Tools
  - Generic Certificate Policies
  - Certification Practice Statement templates
• Federal PKI Guidance Document (1Q)
• PKI directory guidance document
• High-Level PKI Services API Draft
• Federal Deposit Insurance Corporation PKI Deployment (OG)
• Army Corps of Engineers PKI consultation
• Treasury FMS PKI application development
Exploring New Security
Technologies
• Identify and use emerging technologies,
especially infrastructure niches
• Develop models, reference implementations,
and demonstrations
• Transition new technology and tools to public &
private sectors
• Advise Federal agencies to facilitate planning
for secure use

Emerging Technologies and Testing

Goals
• Identify & exploit emerging technologies, especially infrastructure niches
• Develop prototypes, reference implementations, and demonstrations
• Transition new technology and tools to public & private sectors
• Develop the tests, tools, profiles, methods, and implementations for timely, cost-effective evaluation and testing

Technical Areas
• Authorization Management, Access Control, System Management
• Vulnerability Analysis, Intrusion Detection, Attack Signatures
• Mobile Code, Agents, Aglets, Java, PDAs, Wireless, Telecomm/IP
• Models, Cost-models, Prototyping, Reference Implementations
• Automated Testing, Security Specification

Impacts
• Better, cheaper and more intuitive methods of authorization management
• Creating internal competence in emerging technologies (e.g., mobile code)
• Developed world-class vulnerability search engine
• IPSec/web interface testing widely used & referenced
• Significant support & funding, especially in RBAC and Wireless Device Security

Collaborators
Industry: IBM, Microsoft, SUN, Boeing, Intel, GTE, VDG, SCC, Sybase, SAIC, Lincoln Labs, Lucent, Trident, ISS, Symantec, MIT, 3Com, Interlink, Ford, BBN, CISCO, Checkpoint, MCI, Oracle, Mitre, Mitretek
Academic: University of Maryland, Ohio State, University of Tulsa, George Mason, Rutgers University, Univ of Pittsburgh, Purdue University, Univ of Washington
Federal: NSA, DoD, NRL, DARPA

Major Projects
• Access Control & Authorization Management
• ICAT Vulnerability/Patch Search Tool
• National Smart Card Infrastructure
• Intrusion Detection
• Mobile Agents
• Wireless/Device Security
• IPSec/web interface testing
• Quantum Computing Support
• CIP Grants
• Automated Testing

Technical Security Guidance
Technical Lead: Tim Grance

Goals
• Guide Federal Agencies in using new technology
• Assist industry and small business
• Present recent findings in security research

Technical Areas
• Firewalls and Network Security
• Intrusion Detection
• Incident Handling
• Security Testing
• Web and downloadable content security

Impacts
• ITL Security Bulletins extremely popular and widely read
• Agencies rely on technical guidance from NIST
• NIST publications frequently cited and reused in industry literature

Proposed Collaborators
Industry: MIS Training Institute, Booz Allen Hamilton, Microsoft, I4
Federal: NIST, NSA, OMB, GSA
Academic: University of Maryland, Purdue University

Milestones
FY 2001
• Intrusion Detection
• Active Content & Mobile Code
• Firewall Policy
• Network Security Testing & Incident Handling
• Telecommuting/Broadband Security
• PKI
• IT Security Engineering Principles & IT Security Models

FY 2002
• Public Web Server & E-Mail Server
• Wireless & Device Security
• Microsoft Windows 2000 Security Guidance
• Smart Card guidance and Security Patches
• Interconnecting Systems and Contingency Planning
• Procurement of products/services

ICAT Metabase
A standards based searchable index of virtually all known computer vulnerabilities
Technical Lead: Peter Mell
http://icat.nist.gov

Goals
Provide the IT community a fine grained searchable index of all known computer vulnerabilities using a standard naming scheme linking users to publicly available vulnerability databases.

Technical Areas
• Developing classification schemes for vulnerabilities
• Collecting and evaluating vulnerability information
• Measuring the characteristics of vulnerabilities

Impacts
• ICAT enables system administrators to identify flawed systems and to find the patches
• Provides the security community with a free standards based index of all vulnerabilities
• Complementary and non-competitive with industry
• ICAT has received praise in over 12 news articles
“Your dedication to making ICAT into one of the premier databases is admirable” (Internet Security Systems)

Collaborators
Educational: SANS Institute (sponsor)
Military: NSA, DISA
Academia: Purdue/CERIAS
Industry: TrustWave, SecuritySaint.com, CyberCopsEurope.com, IpNSA, Securityinfos.com, Hideaway.net, VISC Software and Security, SOC GmbH

Awarded Commerce Department Bronze Medal
Averaging 50,000 hits per month
Over 100,000 hits in November 2001

Milestones
FY 2001
• ICAT web hits have increased by a factor of 17 in one year
• Analyzed over 2000 vulnerabilities for ICAT
• Started a vulnerability mailing list that now has 1600 subscribers
• Integrated ICAT into the SANS/FBI top 20 vulnerability list
• Helped mirror ICAT on the NSA network
• Enable organizations to integrate their products into ICAT
• Began offering an off-line version of ICAT
• Vulnerability notification system developed by Purdue
• Provided top ten vulnerability service
• Joined the CVE vulnerability standard’s editorial board

FY 2002
• Analyze over 1000 vulnerabilities
• Transition ICAT into being a more timely vulnerability service

Internet Protocol Security
IPSec Project
Technical Lead: Sheila Frankel

Goals
Work with world-wide industry leaders to promote the development of IP security standards, technology, and tests. This will ensure early, reliable and interoperable deployment of IPsec, the technology that is used to build VPNs and to protect the next generation Internet infrastructure and applications.

Technical Areas
• International standardization of Internet security protocols
• WWW-based Interoperability Testing
• Reference implementations of next generation network and security technology

Impacts
• Developed reference implementation of the IETF IPSec and IKE standards - used for education, experimentation, testing
• Web-based IPSec interoperability test facility: http://ipsec-wit.antd.nist.gov
• Over 250 organizations have used NIST’s interoperability tester
• Over 650 organizations have requested NIST’s IPSec reference implementation

Collaborators
Federal: NIST Internetworking Division, NSA
NIST IPSec Product Users:
Industry: Bay Networks, BBN, Cabletron, Cisco, Compaq, CyberGuard, Digital, Frontiertech, Gartner Group, GTE Internetworking, Hewlett Packard, IBM, Intel, Interlink, Lucent Technologies, MCI, MIT, Microsoft, Routerware, SAIC, S-Cubed, Secure Computing, Spyrus, SUN, TIS, 3Com and many others
Government: GSA, NRL, Oak Ridge National Labs and others

Milestones
FY 2001
• Added dynamic certificate request and transmissions capability to PlutoPlus
• Updated AES Internet Draft to reflect AES selection
• Wrote Internet Drafts on the use of SHA-256 and AES-XCBC-MAC with IPsec and IKE
• Wrote NIST Security Bulletin on IPsec Status/Issues/Security
• Incorporated AES Algorithm (& other finalists) into PlutoPlus
• Published Book, “Demystifying the IPsec Puzzle”
• Presented invited talks and tutorial on IPsec

FY 2002
• Add PKI Interaction to IPsec-WIT
• Implement Version 2 of IKE
• Add IKE Version 2 to IPsec-WIT
• Publish guidance on the use of PKI within IPsec and IKE

Government Smart Card Program (GSC)
Technical Lead: Jim Dray

Goal
Create a ubiquitous Smart Card Infrastructure to foster widespread use of smart card technology, improving the security of information systems within the U.S.

Technical Areas
• Develop technical guidance required by Federal contracting vehicles for procurement of standard smart card products
• In conjunction with the Government and vendor communities, develop interoperability specifications and standards
• Develop reference implementations, prototype conformance test suites, security testing criteria, and architectural models

Impacts
• Increased overall security of U.S. information systems
• Reduced cost of smart card system integration
• Simplification of user access control processes
• Enable development of consistent conformance test methodologies for smart card products and systems

Collaborators
Industry: EDS, Northrop Grumman, MAXIMUS, KPMG, eEurope, British Telecom, W3C, RSA Labs, Australian National Office of the Information Economy
Federal: NIST, GSA, DoD, State Dept, USPS, SSA, VA, IRS, DoJ, DoT

Milestones
FY 2001
• NIST designated lead agency for GSC conformance test development
• Establish GSC testbed at NIST
• Develop GSC Interoperability Conformance Test Program
• Develop GSC automated test suite

FY 2002
• NIST publications on smart card technology and GSC interoperability framework
• Java smart card collaboration (prototype implementation)
• Establish a Smart Card security test program; coalesce with Common Criteria methodology
• International standards coordination
• GSC developer workshops and implementation guidance
• Identify and execute relevant R&D projects to promote smart card interoperability and standards
Assistance and Guidance / Outreach
• Assist U.S. Government agencies and other users with
technical security and management issues
• Assist in development of security infrastructures
• Develop or point to cost-effective security guidance
• Assist agencies in using security technology guidance
• Support agencies on specific security projects on a cost-
reimbursable basis
• Expanding use of recently-developed “NIST
Recommendations” series to complement existing
publication methods
• Raise awareness of our programs, value of evaluated
products, and need for security

3. Security Management and Guidance

Goals
• Provide computer security guidance to ensure sensitive government information technology systems and networks are sufficiently secure to meet the needs of government agencies and the general public
• Serve as focal point for Division outreach activities
• Facilitate exchange of security information among Federal government agencies

Technical Areas
• Computer security policy/management guidance
• Computer Security Expert Assist Team (CSEAT) security support to Federal agencies
• Outreach to government, industry, academia, citizens

Impacts
• Agencies use standard, interoperable solutions
• Increased federal agency computer security programs
• Reduced costs to agencies from reduction of duplication of efforts
• Use of “Best Security Practices” among federal agencies

Collaborators
Federal: All Federal Agencies, Federal Computer Security Program Managers’ Forum, OMB, GSA, NSA, CIOs
Industry: Security Product Vendors
Academia: Major Universities with Computer Security curricula

Major Projects
• Computer security expert assist team (CSEAT)
• Federal computer security program managers forum
• Computer system security and privacy advisory board (CSSPAB)
• Computer security resource center (CSRC)
• Computer security conferences
• Risk management guidance
• Federal IT Security Self-Assessment Tool
• NIST Security Program Manager’s Handbook
• Contingency Planning Guidance
• Small and Medium Businesses Outreach

CSRC Redesigned 7/00

Computer Security Expert Assist Team

Goals
• Increase Federal agency IT security
• Help protect against economic loss or injury due to disruption of critical Federal systems/services
• Improve Federal agency Critical Infrastructure Protection (CIP) planning and implementation efforts

Technical Areas
• Security assistance for federal agencies’ computer security well-being
• Security assistance to high-risk federal computer security programs
• Development of computer security lessons learned
• Computer security risks and vulnerabilities

Impacts
• Lessons learned available to the federal IT security community
• Agencies understand how to maintain computer system security
• Agencies plan and budget appropriately for computer security
• New guidance development efforts directed at identified need areas
• Improved Federal IT security

Collaborators
Federal: All Federal Agencies, OMB

FY 2001
• CSEAT methodology established
• Received multiple requests from agencies
• Review of FEMA completed (Q4)

FY 2002
• First high-risk program review of Indian Trust Management initiated
• Methodology provided on web site
• Initiate cost-reimbursable model if funding for administrative costs received
• Develop sanitized case studies
• Initiate development of CSEAT review methodology guideline

Small and Medium Sized Business Regional Security Meetings

Goals
• Inform small businesses (< 500 employees) of useful security mechanisms
• Provide computer security training that is practical and cost-effective
• Help small businesses become more educated consumers
• Form NIST-SBA-InfraGard Resource Group, connecting small business owners to local IS resources.

Technical Areas
• Small business viable computer security solutions
• Low-cost computer security methodologies
• Computer security training for the novice
• Business-relevant computer security tools

Impacts
• Improved small and medium sized business security
• Small and medium sized businesses become more aware of information security

Collaborators
Federal: Small Business Administration; National Infrastructure Protection Center – InfraGard Program; Manufacturing Extension Partnership
Industry: Security Product Vendors; Regional business consortia; Selected business partners

FY 2001
• Plan for conducting regional meetings completed (Q4)
• Meeting educational material developed (Q4)

FY 2002
• First 2 regional meetings conducted
• Third regional meeting scheduled for February
• Build community of small business owners, IT professionals, and researchers
• Generate a plan to provide web based IT security information in areas of specific importance to small businesses

FY 2003
• Continue conducting regional meetings
• Train local trainers, members of local chapters of industrial associations, or other small business resources
Security Testing
• Develop the tests, tools, profiles, methods, and implementations for timely, cost-effective evaluation and testing
• Raising user confidence
• Lead conformance and evaluation programs
• Supporting security testing industry

4. Security Testing and Metrics
(Diagram labels: User Security Needs; Standards; Product Validation; IT Security Metrics; Testing and Evaluation)

Goals
• Improve the security and quality of IT products
• Foster development of test methods, tools, techniques, assurance metrics, and security requirements
• Promote the development and use of tested and validated IT products
• Champion the development and use of national/international IT security standards

Technical Areas
• Provide Federal agencies, industry, and the public with a proven set of IT security testing methodologies and test metrics
• Promote joint work between NIST, the American National Standards Institute (ANSI) and the international standards community

Impacts
• Timely, cost-effective IT security testing
• Increased security in IT systems through availability of tested products
• Creates business opportunities for vendors of security products, testing laboratories, and security consultants

Collaborators
Federal: NVLAP, State Dept., DoC, DoD, GSA, NASA, NIST, NSA, DoE, OMB
Industry: American National Standards Institute (ANSI), InfoGard Laboratories Inc., CygnaCom Solutions, DOMUS IT Security Laboratory, COACT, Inc. CAFÉ Lab, Atlan Laboratories, EWA, CORSEC Security Inc., Oracle, CISCO, Hewlett-Packard, Lucent, SAIC, Microsoft, Computer Sciences Corp., IBM, EDS, VISA, MasterCard, Amex, Checkpoint, Computer Assoc., RSA, Sun Microsystems, Network Assoc., Booz-Allen, Seculab Inc., Entrust, Silicon Graphics, Arca
Global: United Kingdom, France, Germany, Japan, Korea, Canada, Netherlands, Australia, Italy, Spain, New Zealand, Finland, Sweden, Norway, Greece, Israel, ECMA, JCB, Europay, Mondex

Major Projects
• Cryptographic Security Testing
• Cryptographic Module Validation Program
• National Information Assurance Partnership
• Common Criteria Evaluation and Validation Program
• International Recognition Arrangements
• Laboratory Accreditation
• Automated Security Testing and Test Suite Development
• Assessment program for system certifications
• Protection profile development effort with government/industry
• Industry Forums
• Testing, Education, Outreach Programs, Conferences and Workshops

Cryptographic Module Validation Program

Goals
• Improve the security and quality of cryptographic products
• Provide U.S. and Canadian Federal agencies with a security metric to use in procuring cryptographic equipment
• Promote the use of tested and validated cryptographic algorithms, modules, and products

Technical Areas
• Development of Implementation Guidance, metrics and test methods
• Validation of test results
• Accreditation of testing laboratories
• Joint work between NIST, ANSI and international standards bodies

Impacts
• Provide Federal agencies with confidence that a validated cryptographic product meets a claimed level of security
• Supply a documented methodology for conformance testing
• Create business opportunities for vendors of cryptographic products, testing laboratories, and security consultants

Collaborators
Federal: National Voluntary Laboratory Accreditation Program
Industry: American National Standards Institute (ANSI); InfoGard Laboratories Inc.; CygnaCom Solutions; DOMUS IT Security Laboratory, a Division of LGS; COACT, Inc. CAFÉ Lab; Atlan Laboratories; EWA-Canada LTD, IT Security Evaluation Facility; CORSEC Security Inc.
Global: Communication Security Establishment (CSE) of the Government of Canada

FY 2001
• Finalized FIPS 140-2: Security Requirements for Cryptographic Modules
• Implemented Cost Recovery Plan as of February 15, 2001
• Developed FIPS 140-2 Derived Test Requirements and Automated Tool (Q4)
• Validated 45 crypto modules and 46 crypto algorithm implementations
• Coordinated ANSI X9.42-2001: Key Agreements Using Diffie-Hellman and MQV
• Finalized SD-012 Guideline for Validating Implementations Conforming to ANSI Standards
• Completed Cryptographic Module Reference Implementation (Q4)

FY 2002
• Revise Cryptographic Module Testing (CMT) laboratory accreditation process, NVLAP Handbook 150-17
• Accredit 2-3 additional CMT Laboratories, including international
• Expand the agreement with CSE to include additional countries
• Conduct second Cryptographic Module Validation Program Workshop/Conference
• Develop Validation Test Suites for new algorithms/protocols

National Information Assurance Partnership

Goals
§ Promote the development and use of evaluated and validated IT products
§ Champion the development and use of national/international IT security standards
§ Develop state-of-the-art test methods, tools, techniques and assurance metrics
§ Support a framework for international recognition of testing results
§ Foster development of IT security requirements in key technology areas

Technical Areas
§ Development of implementation guidance, requirements, metrics and test methods
§ Validation of test results and accreditation of testing laboratories
§ Joint work among NIST, NSA and international partners

Impacts
§ More timely, cost-effective IT security evaluations with greater consistency
§ Less duplication of security testing globally
§ New test methods for specific information technologies
§ Increased security in IT systems and networks through greater availability of evaluated and validated products
§ Greater availability of common security requirements and specifications for key technologies and sectors

Building More Secure Systems for the New Millennium (sm)

Collaborators
Federal: State Dept., DoC, DoD, GSA, NIST, NSA, DoE, OMB
Industry: Oracle, CISCO, Hewlett-Packard, Lucent, SAIC, Microsoft, Computer Sciences Corp., Cygnacom, Arca, IBM, EDS, VISA, MasterCard, Amex, Checkpoint, Computer Assoc., RSA, Sun Microsystems, Network Assoc., Booz-Allen, Seculab, Entrust, Silicon Graphics, COACT
Global: United Kingdom, France, Germany, Japan, Korea, Canada, The Netherlands, Australia, Italy, Spain, New Zealand, Finland, Sweden, Norway, Greece, Israel, Russia, ECMA, JCB, Europay, Mondex
Forums: Healthcare, Information Assurance, Process Control, Smart Card, Insurance

FY 2001
§ Accredited 5 Common Criteria (CC) Testing Laboratories
§ Expanded CC Recognition Arrangement to 14 nations adding Israel
§ Hosted national-level Government-Industry IT Security Forum
§ Conducted international IT security outreach training for Japan and Israel
§ Developed comprehensive operations manual for CC Recognition Arrangement
§ Completed smart card protection profile and corresponding evaluation
§ Initiated new security requirements forum for process control systems
§ Validated 4 security products and 4 protection profiles

FY 2002
§ Accredit 1-2 additional CC Testing Laboratories
§ Expand CC Recognition Arrangement by 1-2 nations
§ Develop technology-based lab accreditation program with smart card prototype
§ Initiate cooperative protection profile development effort with government/industry
§ Develop guidance, procedures and assessment program for system certifications
§ Enhance outreach program and activities
Common Criteria

What the standard is –
• Common structure and language for expressing product/system IT security and assurance requirements

How the standard is used –
• Develop protection profiles and security targets
• Evaluate products and systems against known and understood IT security requirements
Defining IT Security Requirements for Federal Systems and Networks

[Figure: matrix of Key Technology Areas (Operating Systems, Database Systems, PKI, Smart Cards, Biometrics Devices, Firewalls, Wireless, Web Apps & Browsers, Intrusion Detection, Virtual Private Networks) against Threat Levels (PP-1, PP-2, PP-3), forming Families of Protection Profiles; caption: International Standards-Based Common Criteria Protection Profiles]


Beyond IT product testing…
• Homeland Security/Cybersecurity needs demand attention beyond just security evaluation of IT products
• Complementing the current NIAP focus on product evaluation, NIST plans to use its unique position to focus on Federal system certifications by:
– Developing unified Federal procedures and guidelines for system certification (NIST Special Publication 800-37)
– Developing test methods traceable to 800-37 to ensure competent and consistent application of the certification procedures
– Developing a certification program with a network of NVLAP-accredited assessment organizations capable of conducting system and network certifications for Federal agencies (and also available for use by State/Local governments and the private sector).
Organization
[Figure: Computer Security Division organization chart, as of 12-01]

Division Budget Trends
[Figure: division budget trend chart; the FY-02 "Other" figure is as of 12/01]


http://csrc.nist.gov
• http://csrc.nist.gov/cryptval - CMVP
• http://niap.nist.gov - NIAP
• http://csrc.nist.gov/pki - PKI
• http://icat.nist.gov - ICAT
• http://fasp.nist.gov - agency practices

Summary & Conclusions
Impacts from NIST work:
• Improved security, availability, integrity, operation, and effectiveness of IT
• Enhanced IT security through wider availability of products that meet security standards
• Increased global market for U.S. IT products
• Achieved cost savings and security via public-private collaboration and information sharing

Multiple opportunities exist for collaboration:
• Cryptographic standards development
• Public Key Infrastructure
• Product security validation/evaluation
• Review of guidance
• Visiting “guest researchships” at NIST
• Cooperative research
Further Information
• NIST Computer Security Resource Center
– http://csrc.nist.gov
• Points of Contact
– General and Guest Researchships
• Ed Roback edward.roback@nist.gov
– Cryptographic standards & PKI
• Bill Burr william.burr@nist.gov
– Security Testing
• Ray Snouffer ray.snouffer@nist.gov
– Cryptographic Module Validation Program
• Annabelle Lee annabelle.lee@nist.gov
– National Information Assurance Partnership
• Ron Ross ronald.ross@nist.gov
– Security Research
• Tim Grance timothy.grance@nist.gov
– Security Management
• Joan Hash joan.hash@nist.gov


Questions?
Contact Information

Fran.nielsen@nist.gov
301/975-3669
