
1 Cybersecurity Blueprints for Cloud Computing
Donna F. Dodson, Division Chief, Computer Security Division; Acting Director, National Cybersecurity Center of Excellence

2 Background
- The U.S. economy and U.S. citizens are heavily reliant on information technology (IT)
- No sector today could function without IT: energy, supply chain, finance, ecommerce, transportation, health care
- Although considerable progress has been made in improving cybersecurity capabilities to protect IT, there is much yet to be done: determine how to mitigate new threats and secure new technologies
- Cybersecurity needs to become more standards-based to further improve quality and efficiency
- Cybersecurity also needs to become easier for people to adopt and use
- These changes would significantly reduce the cost of security implementation and management, as well as the economic impact of cybersecurity incidents

3 NIST Responsibilities for Cybersecurity
- NIST is responsible for developing standards and guidelines, including minimum requirements, that provide adequate information security for all agency operations and assets in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law , but such standards and guidelines shall not apply to national security systems.
- Under FISMA, NIST shall "conduct research, as needed, to determine the nature and extent of information security vulnerabilities and techniques for providing cost-effective information security."
- NIST develops guidelines consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.
- In accordance with the Cyber Security Research and Development Act, the National Institute of Standards and Technology develops, and revises as necessary, checklists setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal Government.
- Homeland Security Presidential Directive 7: "The Department of Commerce will work with private sector, research, academic, and government organizations to improve technology for cyber systems and promote other critical infrastructure efforts, including using its authority under the Defense Production Act to assure the timely availability of industrial products, materials, and services to meet homeland security requirements."
- Homeland Security Presidential Directive 12: "The Secretary of Commerce shall promulgate in accordance with applicable law a Federal standard for secure and reliable forms of identification (the "Standard")"

4 Computer Security Division
Core Focus Area: Research, Development, and Specification
- Security Mechanisms (e.g. protocols, cryptography, access control, auditing/logging)
- Security Mechanism Applications: Confidentiality, Integrity, Availability, Authentication, Non-Repudiation
- Secure System and Component Configuration
- Assessment and assurance of security properties of products and systems

5 Delivery Mechanisms
- Standards – FIPS, Internal Consensus, National Consensus
- Guidelines – NIST SPs and IRs
- Journal and Conference Papers
- Reference Materials
- Workshops and Conferences
- Consortia and Forums
- Training
- Reference Implementations and Demonstrations
- Tests and Tools
- Standards Development Organization Participation

6 Community Engagement
- Industry: Accessing Expertise and Leveraging Resources; Coordinating Standards and Initiatives
- Academia: Representative Institutions and Consortia
- International: Formal Standards Groups
- Federal, State, and Local Government: Interdepartmental; Department of Commerce; State and Local Governments

8 NIST Work in Cyber Security
- FISMA Phase II: Continue to support the Joint Task Force Transformation Initiative (DoD, IC, NIST, CNSS) and support a unified information security framework; continue support for risk management and information security publications; potential privacy and threat appendixes for SP , Revision 3; work toward system and security engineering and application security guidelines
- US Government Configuration Baseline (USGCB): Standardized security configurations for operating systems and automated tools to test the configurations, improving security and saving IT security management resources
- Security Automation and Vulnerability Management: Continue to develop tools and specifications that address situational awareness, conformity and vulnerability management, compliance, etc.

9 NIST Work in Cyber Security
- Virtualization: Support for cloud special publication and standards activities to support security, portability and interoperability
- Key Management: Foster the requirements of large-scale key management frameworks and designing key management systems; support transitioning of cryptographic algorithms and key sizes
- Next Generation Cryptography: Open competition for new hash algorithm; developing new, lightweight, quantum-resistant encryption for use in current and new technologies; new modes of operation

10 NIST Work in Cyber Security
- Usability of Security: Performing groundwork research to define factors that enable usability in the area of multifactor authentication and developing a framework for determining metrics that are critical to the success of usability
- Identity Management Systems: Standards development work in biometrics, smart cards, identity management, and privacy framework. R&D: Personal Identity Verification, Match-On-Card, ontology for identity credentials, development of a workbench ID Credential Interoperability
- Infrastructure support: Continued support for Health IT, Smart Grid and Voting
- Standards Development Organizations: IETF, ANSI, IEEE, ISO

11 Federal Cloud Computing Strategy
Federal IT programs have a wide range of security requirements, among them:
- The Federal Information Security Management Act (FISMA) requirements, which include but are not limited to compliance with Federal Information Processing Standards
- Agency-specific policies
- Authorization to Operate requirements
- Vulnerability and security event monitoring, logging and reporting
It is essential that the decision to apply a specific cloud computing model to support mission capability considers the above requirements.

12 NIST Cloud Computing Program
- Accelerate the Federal government's adoption of cloud computing
- Build a USG Cloud Computing Technology Roadmap which focuses on the highest priority USG cloud computing security, interoperability and portability requirements
- Lead efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders

13 NIST Cloud Computing Special Publications
- SP Guidelines on Security and Privacy
- SP Definition of Cloud Computing
- SP CC Synopsis & Recommendations
- SP CC Standards Roadmap
- SP CC Reference Architecture
- SP USG CC Technology Roadmap (Draft)

14 The NIST Cloud Definition Framework
- Essential Characteristics: On Demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service
- Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
- Deployment Models: Public Cloud, Private Cloud, Community Cloud, Hybrid Clouds
- Common Characteristics: Massive Scale, Homogeneity, Virtualization, Low Cost Software, Resilient Computing, Geographic Distribution, Service Orientation, Advanced Security
Cloud diagram idea inspired by Maria Spinola. Based upon original chart created by Alex Dowbor -

15 Draft NIST CC Reference Architecture
- Cloud Consumer
- Cloud Provider: Cloud Orchestration (Service Layer: SaaS, PaaS, IaaS; Resource Abstraction and Control Layer; Physical Resource Layer: Hardware, Facility); Cloud Service Management (Business Support; Provisioning/Configuration; Portability/Interoperability)
- Cloud Auditor: Security Audit; Privacy Impact Audit; Performance Audit
- Service Intermediation; Service Aggregation; Service Arbitrage
- Cloud Carrier
- Cross Cutting Concerns: Security, Privacy, etc.

16 Cloud Security Standards
- ISO/IEC JTC 1 Subcommittee 27 (Cybersecurity): Responsible for cloud computing security standards; early development stages
- ISO/IEC – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC
- US InterNational Committee for Information Technology Standards, Technical Committee Cyber Security 1 (CS 1): U.S. Technical Advisory Group to SC 27, chaired by NIST

17 FedRAMP
- Maintains Security Baseline including Controls & Continuous Monitoring Requirements
- Maintains Assessment Criteria
- Maintains Active Inventory of Approved Systems
- Ongoing A&A (Continuous Monitoring)
- Provisional Authorization: Joint Authorization Board reviews assessment packages and grants provisional authorizations; agencies issue ATOs using a risk-based framework
- Independent Assessment: CSP must retain an independent assessor from the FedRAMP accredited list of 3PAOs
- DHS – CyberScope Data Feeds
- DHS – US-CERT Incident Response and Threat Notifications
- FedRAMP PMO – POA&Ms
- Consistency and Quality; Trustworthy & Re-useable; Near Real-Time Assurance

18 National Cybersecurity Center of Excellence (NCCoE)
- Foster the rapid adoption and broad deployment of integrated cybersecurity tools and techniques that enhance consumer confidence in U.S. information systems
- Disseminate new principles and mechanics underlying security standards, metrics, and best practices for secure and privacy-preserving information technologies
- Develop and test methods for composing, monitoring, and measuring the security posture of computer and enterprise systems
- Achieve broad adoption of practical, affordable, and useful cybersecurity capabilities across the full range of commercial and government sectors

19 NCCoE Use Case: Secure Cloud Policy Enforcement
- Planning Phase: Business Engagement & Problem Statement; Use Case
- Implementation Phase: IT Industry Components Selection; Implement in Operational Environment

20 For Additional Information
- Computer Security Resource Center
- NIST Cloud Computing Program
- National Cybersecurity Center of Excellence
