DRIVING DOD POLICY FOR COMMON CRITERIA TESTING OF IT PRODUCTS Wanda Nuckolls, Product Security Project Manager Canon U.S.A., Inc. Government Marketing.

Presentation transcript:

Policy & Guidance
- National Security Policy - NSTISSP #11 (Jan 2000)
- National Security Policy - NSTISSP #11 (Revised Jul 2003)
- DoD
- DoD
- NIST Special Publication
- NIST Special Publication

National Security Telecommunications and Information Systems Security Committee
NSTISSP No. 11, January 2000: National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products
- Effective 1 Jan 2001: Preference shall be given to acquisition of evaluated IA products
- Effective 1 Jul 2002 (Revised Fact Sheet): Acquisitions must specify evaluated products
UNCLASSIFIED

- Acquisition of COTS IA products limited to those on the NIAP Validated Products List or the NIST Crypto Module Validation List
- Acquisition of GOTS IA products limited to NSA approved
- Waivers (Deferred Compliance Authorization (DCA)) reviewed by NSA and granted on a case-by-case basis; not available for encrypted products

FACTORS DRIVING NSTISSP 11
- IA is broader than COMSEC
- Philosophy shift from GOTS to GOTS and COTS
- Explosion in the number of COTS IA products
- NSA resource constraints require a NIAP approach
- No standardized evaluation language or methodology
- Create demand for evaluated products
- The problem: Does the product provide the security it claims?

DoD and DoD
- Requires compliance with NSTISSP 11
- Defines generic "robustness" levels of basic, medium, and high, and assigns "baseline levels" for the IA services of integrity, availability, and confidentiality dependent upon the value of the information protected and the environment
- Requires NSA to:
  - Serve as DOD focal point for NIAP
  - Approve cryptographic devices used to protect classified information
  - Generate Protection Profiles for GIG core technologies

Guidelines for Federal Organizations Re: Information Security
- NIST Special Publication: Guide for the Security Certification and Accreditation of Federal Information Systems
- NIST Special Publication: Guide for Security Assurance and Acquisition/Use of Tested/Evaluated Products

Other policy influencing security concerns for IT equipment:
- Gramm Leach Bliley Act (GLBA) - Financial Modernization Act of 1999
- Healthcare Information Portability and Accountability Act of 1996 (HIPAA) - National Standards to Protect the Privacy of Personal Health Information
- Family Education Rights Privacy Act (FERPA) - security for student privacy

Example of Policy Driving Canadian IT Security Initiatives:
- The Personal Information Protection and Electronic Documents Act (PIPEDA) became an official requirement on January 1, 2004
- PIPEDA is Federal Privacy Legislation that regulates privacy compliance in the collection of citizens' personal data by organizations during commercial activity.

THANK YOU.