National Cybersecurity Challenges and NIST
TRANSCRIPT
The Importance of Standards
Article I, Section 8: The Congress shall have the power to… fix the standard of weights and measures
An estimated 80% of global merchandise trade is influenced by testing and other measurement-related requirements of regulations and standards
• National Bureau of Standards established by Congress in 1901
• Eight different “authoritative” values for the gallon
• Electrical industry needed standards
• American instruments sent abroad for calibration
• Consumer products and construction materials uneven in quality and unreliable
Photo: National Archives
NIST has two main campuses:
Boulder, CO
Gaithersburg, MD
Courtesy HDR Architecture, Inc./Steve Hall © Hedrich Blessing
© Geoffrey Wheeler
NIST Products and Services
Measurement Research
• ~ 2,200 publications per year
Standard Reference Data
• ~ 100 different types
• ~ 6,000 units sold per year
• ~ 226 million data downloads per year
Standard Reference Materials
• ~ 1,300 products available
• ~ 30,000 units sold per year
Calibration Tests
• ~ 18,000 tests per year
Laboratory Accreditation
• ~ 800 accreditations of testing and calibration labs
© Robert Rathe
ITL Mission
Cultivating Trust in IT and Metrology.
CSD Mission
Inspire Trust and Confidence in IT.
Goals – Make effective, usable and impactful references to reduce risks to information and information systems.
NIST’s Cybersecurity Core Program
Research, Development, and Specification
Security Mechanisms (e.g. protocols, cryptography, access control, auditing/logging)
Security Mechanism Applications
• Confidentiality
• Integrity
• Availability
• Authentication
• Non-Repudiation
Secure System and Component Configuration
Assessment and assurance of security properties of products and systems
Example Current Research Areas
Risk Management
Focus on a complete Risk Management Framework that supports the lifecycle management of an organization’s traditional information and information infrastructure as well as cyber-physical systems
Configuration Baselines
Standardized security configurations for operating systems and automated tools to test the configurations
Security Automation and Vulnerability Management
Continue to develop tools and specifications that address situational awareness, conformity and vulnerability management compliance…
Virtualization and Cloud
Support for cloud special publication and standards activities to support security, portability and interoperability
Key Management
Foster the requirements of large-scale key management frameworks and the design of key management systems
Support transitioning of cryptographic algorithms and key sizes
Next Generation Cryptography
Use and implementation of SHA-3
Developing new lightweight and quantum-resistant encryption for use in current and new technologies
New modes of operation
© Lisa F. Young/Dreamstime.com
Secure Mobility
Focuses on research and development in the area of mobile security including mobile application testing and mobile
• Guidelines for Testing and Vetting Mobile Applications
• Mobile App Software Assurance Requirements
• Mobile Roots of Trust
Supply Chain
Work with industry, academic, and government stakeholders to develop foundational definitions, baseline requirements, general implementation methodologies, and a set of supply chain risk management best practices encompassing the system development lifecycle
Trust Roots
Collaborate with industry to develop guidelines that identify security properties for hardware trust roots and other trust roots to leverage and use
Network Security
Foster requirements for secure networking technology such as DNSSEC, IPv6 and BGP technologies
Software Assurance
Identifying and reducing the software bugs that are relevant to security, resilience and reliability. Understanding how the tools we use affect software. Collaboration with industry, US agencies and international partners in developing, integrating, and creating software assurance metrics, measurements and conformance activities
Usability of Security
Performing groundwork research to define factors that enable usability in the area of multifactor authentication and developing a framework for determining metrics that are critical to the success of usability
Identity Management Systems
Standards development work in biometrics, smart cards, identity management, and privacy framework.
R&D: Personal Identity Verification, Match-On-Card, ontology for identity credentials, development of a workbench
ID Credential Interoperability
Infrastructure Support
Cybersecurity for application infrastructure including Health Information Technology, Smart Grid and Voting
© Peto Zvonar | Dreamstime.com
© Graeme Dawes | Dreamstime.com
Testing and Conformance for the USG
Cryptography – Algorithms and modules. Undergoing change to how, when and by whom testing and validation are conducted.
ID Credential (PIV) – USG identity in card form factor. Undergoing change to look at new modalities.
SCAP Tools – Automated tools using standards for security information. Looking to SDOs for the next set of needed information.
National Initiative For Cybersecurity Education (NICE)
• Raise national awareness about risks in cyberspace.
• Broaden the pool of individuals prepared to enter the cybersecurity workforce.
• Cultivate a globally competitive cybersecurity workforce.
NICE is "enhancing the overall cybersecurity posture of the United States by accelerating the availability of educational and training resources designed to improve the cyber behavior, skills, and knowledge of every segment of the population.”
NIST, as the interagency lead for NICE, promotes the coordination of existing and future activities in cybersecurity education, training, and awareness to enhance and multiply their effectiveness.
National Cybersecurity Center of Excellence (NCCoE)
• Accelerated adoption of practical, affordable, and usable cybersecurity solutions
• Integrated cybersecurity solutions, built on commercial technologies, designed to address a sector’s specific business needs
• Increased opportunities for innovation through the identification of technology gaps
• Trusted environment for interaction among businesses and solution providers
• Further the understanding of current cybersecurity technology capabilities and the cost of their implementation
• Broader awareness of cybersecurity technologies and standards
Tools – Data – References
• National Vulnerability Database
• Secure Configurations
• National Software Reference Library
• Combinatorial Software Testing Tools
• Randomness Beacon
• Security Control Catalogue
Develop Post-Quantum Cryptography Standards
Call for proposals was released December 2016
Submission deadline is Nov. 30 2017
Main activities
– Research – NIST researchers have been very productive
• 3 papers were presented at PQCrypto 2017 (a major conference in PQC), plus a NIST Q+A session
– Outreach to the community for the standardization process – presentations, e.g.
• The National Academies of Science – Forum on Cyber Resilience Workshop
• Asia PQC Forum
• International Cryptographic Module Conference
• Information Assurance Symposium
– Interaction with the community to discuss questions on submission requirements
Explore proper approaches for lightweight cryptography
Published NISTIR 8114, Report on Lightweight Cryptography
Call for Profiles – to characterize “lightweight”
– Profile characteristics – Physical, Performance, Security
– 20 questions for response
– Profile template includes function, design goal, and characteristics
The profile will determine the approach in selecting lightweight cryptography algorithms and their specifications
Update existing standards
To be consistent with well-accepted industry practice, e.g. SDOs
To respond to advances in crypto research
The following standards are under revision
– FIPS 186-4 Digital Signature Algorithms
– Special Publication A/B/C Key agreement
Outreach to the user community to discuss updates and solicit feedback
Respond to advances in cryptanalysis
Triple DEA – Attack on its usage in major protocols, e.g. https
– Revise the limit on data encrypted by one key set in SP 800-67
– Deprecate Triple DEA for IKE (SP 800-196) and TLS (SP 800-52)
FF3 – Format-preserving encryption (one of the modes in NIST SP 800-38G)
– Announce NIST plan to revise SP 800-38G and call for public comment
Practical SHA-1 collision
– Urge users who haven’t complied with NIST recommendations to stop using SHA-1 in applications where collision resistance is needed
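The per-key data limit for Triple DEA follows from the birthday bound on its 64-bit block: once enough blocks are encrypted under one key, two ciphertext blocks are likely to coincide, and in CBC mode a repeated ciphertext block reveals the XOR of the two corresponding plaintext blocks. The calculator below is an added example, not material from the slides; it compares the 64-bit block of Triple DEA with the 128-bit block of AES, and the 2^20-block figure in the test is the limit adopted in the revised SP 800-67 (Rev. 2).

```python
import math

BLOCK_BITS_TDEA = 64    # Triple DEA (3DES) block size in bits
BLOCK_BITS_AES = 128    # AES block size in bits, for comparison


def collision_probability(block_bits: int, n_blocks: int) -> float:
    """Birthday-bound probability that at least two of n_blocks ciphertext
    blocks coincide for a cipher with the given block size.
    p = 1 - exp(-n(n-1) / 2^(b+1)); expm1 keeps very small p accurate."""
    x = n_blocks * (n_blocks - 1) / (2 ** (block_bits + 1))
    return -math.expm1(-x)


def max_blocks_for_probability(block_bits: int, p: float) -> int:
    """Largest number of blocks one key may encrypt while keeping the
    block-collision probability at or below p (inverse of the bound)."""
    x = -math.log1p(-p)
    return int(math.sqrt(x * 2 ** (block_bits + 1)))


def blocks_to_mib(block_bits: int, n_blocks: int) -> float:
    """Plaintext volume in MiB represented by n_blocks blocks."""
    return n_blocks * block_bits / 8 / 2 ** 20


if __name__ == "__main__":
    # 2^32 blocks is 32 GiB under Triple DEA; a long-lived TLS or VPN
    # session can reach that, which is why the usage limit matters.
    n = 2 ** 32
    for bits in (BLOCK_BITS_TDEA, BLOCK_BITS_AES):
        gib = blocks_to_mib(bits, n) / 1024
        print(f"{bits}-bit block, {n} blocks ({gib:.0f} GiB): "
              f"p(collision) = {collision_probability(bits, n):.3g}")
    # The revised Triple DEA limit of 2^20 blocks (8 MiB) keeps p near 2^-25.
    print(f"64-bit block, 2^20 blocks: p = {collision_probability(64, 2 ** 20):.3g}")
    print(f"blocks allowed at p = 2^-25: {max_blocks_for_probability(64, 2 ** -25)}")
```

With a 64-bit block the collision probability is already about 39% at 2^32 blocks, while AES needs on the order of 2^64 blocks to reach the same risk; that gap is the reason for deprecating Triple DEA in TLS and IKE rather than only lowering the limit.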
The 20 Year Question (or 5, 10, 15)
• Practical Quantum Compute?
• Divergence away from the Mobile Platform?
• Data Generation Everywhere?
• Compute on Everything? (New form of HPC?)
• Bandwidth to Connect at Scale?
• Abstraction of User Interface?
• Predictive/Responsive AI?
• Resilient Products and Components?
For Additional Information
http://csrc.nist.gov
http://csrc.nist.gov/nice/
http://www.nist.gov/nstic/
http://nccoe.nist.gov
http://www.nist.gov/cyberframework/