National Initiative For Cybersecurity Education (NICE)

Nov 12, 2013

"Though no-one knows for sure, corporate America is believed to lose anything from $100 billion to $1 trillion a year from online theft of proprietary information: trade secrets, research findings, internal costs, marketing plans, personal information, credit-card numbers, bank-account details and much more."

Babbage (blog), The Economist, May 11, 2012



NIST's Focus

- Computer Security Division (CSD)
- National Initiative For Cybersecurity Education (NICE)
- National Strategy for Trusted Identities in Cyberspace (NSTIC)
- National Cybersecurity Center of Excellence (NCCoE)
- Executive Order -- Improving Critical Infrastructure Cybersecurity



NIST's Cybersecurity Program Core Focus Areas

- Research, Development, and Specification
  o Security Mechanisms (e.g. protocols, cryptographic, access control, auditing/logging)
  o Security Mechanism Applications: Confidentiality, Integrity, Availability, Authentication, Non-Repudiation
  o Secure System and Component configuration
  o Assessment and assurance of security properties of products and systems


- Risk Management
  o Continue to support the Joint Task Force Transformation Initiative (DoD, IC, NIST, CNSS) and support a unified information security framework
  o Continue support for risk management and information security publications
  o Privacy and threat appendixes for SP 800-53, Revision 4
  o Work toward system and security engineering and application security guidelines

- Configuration Baselines
  o Standardized security configurations for operating systems and automated tools to test the configurations, improving security and saving IT security management resources

- Security Automation and Vulnerability Management
  o Continue to develop tools and specifications that address situational awareness, conformity and vulnerability management compliance, etc.

- Virtualization and Cloud
  o Support for cloud special publication and standards activities to support security, portability and interoperability

- Key Management
  o Foster the requirements of large-scale key management frameworks and designing key management systems
  o Support transitioning of cryptographic algorithms and key sizes

- Next Generation Cryptography
  o Open competition for new Hash algorithm
  o Developing new, light weight, quantum resistant encryption for use in current and new technologies
  o New modes of operation





- Secure Mobility
  o Focuses on research and development in the area of mobile security including mobile application testing and mobile
  o Guidelines for Testing and Vetting Mobile Applications
  o Mobile App Software Assurance Requirements

- Supply Chain
  o Work with industry, academic, and government stakeholders to develop foundational definitions, baseline requirements, general implementation methodologies, and a set of ICT SCRM best practices encompassing the system development lifecycle.





- Trusted Roots of Hardware
  o Collaborate with industry to develop guidelines that identify security properties for hardware trust roots

- Network Security
  o Foster requirements for secure networking technology such as DNSSEC, IPv6 and BGP technologies

- Security for Cyber Physical Systems
  o Collaboration with industry in developing, integrating, and utilizing cybersecurity standards and mechanisms capable of providing appropriate protection for CPSs





- Usability of Security
  o Performing groundwork research to define factors that enable usability in the area of multifactor authentication and developing a framework for determining metrics that are critical to the success of usability

- Identity Management Systems
  o Standards development work in biometrics, smart cards, identity management, and privacy framework.
  o R&D: Personal Identity Verification, Match-On-Card, ontology for identity credentials, development of a workbench
  o ID Credential Interoperability

- Infrastructure support
  o Continued support for Health IT, Smart Grid and Voting


- Standards Development Organizations
  o IETF
  o ANSI
  o IEEE
  o ISO



National Initiative For Cybersecurity Education (NICE)

- Raise national awareness about risks in cyberspace.
- Broaden the pool of individuals prepared to enter the cybersecurity workforce.
- Cultivate a globally competitive cybersecurity workforce.

NICE will "enhance the overall cybersecurity posture of the United States by accelerating the availability of educational and training resources designed to improve the cyber behavior, skills, and knowledge of every segment of the population." NIST, as the interagency lead for NICE, will promote the coordination of existing and future activities in cybersecurity education, training, and awareness to enhance and multiply their effectiveness.

National Initiative For Cybersecurity Education (NICE)

Raise national awareness about risks in cyberspace
- Improve knowledge of risks and vulnerabilities in cyberspace.
- Promote the use of cybersecurity resources and tools.



National Initiative For Cybersecurity Education (NICE)

Cultivate a globally competitive cybersecurity workforce
- Encourage the development and adoption of the National Cybersecurity Workforce Framework.
- Develop cybersecurity workforce forecasting tools.
- Establish standards and guidelines for cybersecurity training and professional development.
- Analyze and identify best practices to help organizations recruit and retain cybersecurity professionals.
- Evaluate the professionalization of the cybersecurity workforce.


National Strategy for Trusted Identities in Cyberspace (NSTIC)

President's Cyberspace Policy Review (May 2009): "a cybersecurity-focused identity management vision and strategy…that addresses privacy and civil-liberties interests, leveraging privacy-enhancing technologies for the nation."

Guiding Principles
- Privacy-Enhancing and Voluntary
- Secure and Resilient
- Interoperable
- Cost-Effective and Easy To Use

NSTIC calls for an Identity Ecosystem, an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.

National Strategy for Trusted Identities in Cyberspace Pilots

2012 NSTIC Pilots:

- American Association for Motor Vehicle Administrators
  o AAMVA leads a consortium of private industry and government partners to implement and pilot the Cross Sector Digital Identity Initiative (CSDII)

- Criterion Systems
  o Allows consumers to selectively share shopping and other preferences and information to both reduce fraud and enhance the user experience

- Daon
  o Demonstrates how senior citizens and all consumers can benefit from a digitally connected, consumer friendly ecosystem with multiple parties online

- Resilient Network Systems
  o Demonstrates that sensitive health and education transactions on the Internet can earn patient and parent trust

- University Corporation for Advanced Internet Development
  o Internet 2 is building a consistent and robust privacy infrastructure through common attributes

National Cybersecurity Center of Excellence (NCCoE)

- Accelerated adoption of practical, affordable, and usable cybersecurity solutions
- Integrated cybersecurity solutions, built on commercial technologies, designed to address a sector's specific business needs
- Increased opportunities for innovation through the identification of technology gaps
- Trusted environment for interaction among businesses and solution providers
- Further the understanding of current cybersecurity technology capabilities and the cost of their implementation
- Broader awareness of cyber security technologies and standards

National Cybersecurity Center of Excellence (NCCoE)

- Describe the Business Problem and Use Case

- Partner with the Communities
  o Partners from industry, government, academia and the IT community

- Implement and Test
  o Practical, usable, repeatable and secure cybersecurity platform that addresses the business problem

- Transfer and Learn
  o Set of all material necessary to implement and easily adopt the platform

Executive Order 13636 Improving Critical Infrastructure Cybersecurity

- Framework will consist of standards, methodologies, procedures and processes that align policy, business and technical approaches to allow organizations to achieve a sufficient level of cybersecurity performance and system resiliency.
- Incorporate voluntary consensus standards and industry best practices
- Technology neutral
- RFI - http://www.nist.gov/itl/csd/framework-022613.cfm
- First workshop April 3

THANK YOU

Donna Dodson
Division Chief, Computer Security Division
Cyber Security Advisor
Acting Director, National Cybersecurity Center of Excellence
Donna.Dodson@nist.gov

Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology

Computer Security Resource Center: http://csrc.nist.gov