A Policy Review: NSTISSP11 to DoDD 8500 - PowerPoint PPT Presentation


1
A Policy Review: NSTISSP-11 to DoDD 8500
  • Vivian Cocca
  • OASD (C3I) IA
  • July 15, 2002

2
Discussion Topics
  • Factors Driving NSTISSP 11
  • NSTISSP 11 Requirements
  • NSTISSP 11 Pros and Cons
  • DoDD 8500.aa/DoDI 8500.bb Requirements

National Security Telecommunications and Information Systems Security Publication
3
Factors Driving NSTISSP 11
  • GOTS To GOTS and COTS Philosophy Shift
  • IA is broader than COMSEC
  • Explosion in Number of COTS IA Products
  • NSA resource constraints require a NIAP approach
  • No standardized evaluation language or
    methodology
  • Create demand for evaluated products

The Problem: Does the product provide the security it claims?
4
Provisions of NSTISSP 11
  • Effective 1 Jan 2001: Preference given to
    acquisition of evaluated Information Assurance
    (IA) products
  • Effective 1 Jul 2002:
      • Acquisition of COTS IA products limited to those
        on NIAP Validated Products List or NIST Crypto
        Module Validation List
      • Acquisition of GOTS IA products limited to NSA
        approved
  • Waivers reviewed by NSA and granted on case-by-case
    basis by CNSS

National IA Partnership
National Institute of Technology Standards
Committee on National Security Systems
5
IA Product
  • An IA product is an IT product or technology
    whose primary purpose is to provide security
    services (e.g., confidentiality, authentication,
    integrity, access control and non-repudiation of
    data); correct known vulnerabilities; and/or
    provide layered defense against various
    categories of non-authorized or malicious
    penetrations of information systems or networks.
    Examples include data/network encryptors,
    firewalls and intrusion detection devices.

6
IA Enabled Product
  • An IA-enabled product is a product or
    technology whose primary role is not security,
    but which provides security services as an
    associated feature of its intended operating
    capabilities. Examples include such products as
    security-enabled web browsers, screening routers,
    trusted operating systems, and security-enabled
    messaging systems.

7
Pros and Cons of NSTISSP 11
  • Pros
      • Hard to argue against the fact that before users
        acquire an IA product they ought to know that it
        really does what the vendor claims
      • Lets user and vendor decide what is the right
        evaluation level
  • Cons
      • No goodness levels established
      • Onus is on the customer to determine if any
        product is good enough for his application

8
DODD 8500.aa
  • Requires compliance with NSTISSP 11
  • Defines generic robustness levels of basic,
    medium, high and assigns baseline levels for IA
    services of integrity, availability and
    confidentiality dependent upon value of
    information protected and environment
  • Requires NSA to:
      • Serve as DOD focal point for NIAP
      • Approve cryptographic devices used to protect
        classified information
      • Generate Protection Profiles (PP) for GIG core
        technologies

9
Security Robustness
  • Security Robustness is the strength of a security
    function, mechanism, service or solution, and the
    assurance (or confidence) that it is implemented
    and functioning correctly.
  • DoD has three levels of robustness: High, Medium,
    and Basic.

10
Generating Protection Profiles
  • NSA-NIST Working Group established to coordinate
    PP activities government-wide and internationally
  • Profiles being designed against technology areas
    at basic, medium and high robustness
  • Top Ten PP technology list developed:
      • Operating Systems, Firewalls, VPNs, Wireless,
        PKI, IDS, Databases, Token, Web, Biometrics
  • Process established to draft and publicly vet
    PPs
  • Details at http://niap.nist.gov

11
Protection Profiles Published
  • Basic Robustness Firewall
  • Medium Robustness Firewall
  • Basic Robustness Operating System
  • Medium Robustness Operating System
  • Certificate Issuing and Management Components
  • Peripheral Sharing Switch (PSS) for Human
    Interface Devices

12
The NIAP Process: Product Evaluation
  • Manufacturer identifies market for IT product
    with a security capability (may or may not be
    represented by a PP)
  • Builds product, following PP-specified
    requirements and the developer assurance
    requirements in the EAL
  • Once product is built, manufacturer prepares ST
    addressing compliance with a PP, which covers
    the functional and assurance requirements for
    the product
  • Submits ST, the product, and the documents to an
    accredited independent testing lab for evaluation
  • Lab evaluates the ST; if it passes, lab then
    submits to evaluation authority for validation
    by NIST of the evaluation results
13
Protection Profiles and Security Targets
  • Protection Profile (PP) - Technical statement of
    security requirements produced by the user.
  • Security Target (ST) - Technical statement of the
    security functionality of a product produced by
    the vendor/developer.

14
Products on NIAP MR List
  • Lucent Managed Firewall
  • Cisco PIX Firewall
  • CheckPoint Firewall 1
  • ITT Dragonfly Guard
  • Borderware Firewall
  • Cyberguard Firewall
  • Entrust/Authority
  • Entrust/RA
  • Entrust TrueDelete
  • Oracle 8
  • Sun SunScreen
  • Signal 9 Private Desktop Firewall
  • KyberPass Secure Session VPN
  • VeriSign Processing Center
  • Finjan SurfinGate
  • Fujitsu Safegate Firewall
  • IBM Crypto Security Chip
  • Sharp DataSecurity Kit
  • Voltaire 2in1 PC
  • Watchguard Live Security System
  • Philips SmartCard Controller
  • MIS SENTRY 2020
  • Bull B1/EST-X
  • MilkyWay Blackhole Firewall
  • SecureLogix TeleWall System
  • WinMagic Secure Doc
  • EESI SuperNet 2000
  • CTAM Cyphercell ATM Encryptor
  • Baltimore Technologies Timestamp
  • Market Central Secure Switch

15
Products In Evaluation
  • Microsoft Windows 2000
  • Network Associates Gauntlet
  • Finjan SurfinShield
  • Cryptek DiamondTEK
  • Argus Pitbull
  • BMC Software Patrol
  • Data Security Sentinel
  • Geotronics Access Control Library
  • Infoassure Secure Mobile office
  • Intrusion.com SecureNetPro IDS
  • LCI Smart Pen
  • Owl Data Diode
  • SCC Sidewinder
  • Silicon Graphics IRIX
  • Cisco IPSEC Crypto
  • Tumbleweed MMS
  • Authentic8 Secure Remote Access
  • Baltimore Tech. Secret Access
  • SecureNet TrustedNet
  • Rainbow Tech. iKey
  • ERACOM PC Vault

16
DODI 8500.bb
  • E3.5.3.1. For all new acquisitions, if an
    approved U.S. Government protection profile
    exists for a particular product type and there
    are validated products available for use, then
    acquisition is restricted to those products or to
    new products that vendors, as a condition of
    purchase, submit for evaluation and validation to
    the approved protection profile.
  • E3.5.3.2. If an approved U.S. Government
    protection profile exists for a particular
    product type and no validated products exist,
    acquisition documentation must require, as a
    condition of purchase, that the vendor submit its
    product for evaluation and validation to the
    approved protection profile
  • E3.5.3.3. If no U.S. Government protection
    profile exists for a particular product type,
    then acquisition documentation must require, as a
    condition of purchase, that vendors provide a
    security target that describes the security
    attributes of their products, and that vendors
    submit their products for evaluation by a NIAP
    certified laboratory at a minimum of EAL 2 (Basic
    Robustness).

17
Back-Up
18
Evaluated Assurance Levels
Predefined packages of assurance components that
make up the Common Criteria scale for rating
confidence in the security of IT products and
systems
  • EAL1 - functionally tested
  • EAL2 - structurally tested
  • EAL3 - methodically tested and checked
  • EAL4 - methodically designed, tested and reviewed
  • EAL5 - semi-formally designed and tested
  • EAL6 - semi-formally verified design and tested
  • EAL7 - formally verified design and tested
19
Common Criteria
Standards that specify and evaluate the security
features of computer products and systems.
Specifies tests and level of testing to be
performed or evidence to be provided to aid in
verifying the robustness of the specified
security functions (assurance)
20
Evolution of Security Criteria
  • 1980s - NSA developed TCSEC or Orange Book
    (Trusted Computer System Evaluation Criteria)
  • 1991 - European Commission published ITSEC
    (Information Technology Security Evaluation
    Criteria)
  • 1993 - Canada CTCPEC as ITSEC + TCSEC (Canadian
    Trusted Computer Product Evaluation Criteria)
  • 1993 - NIST/NSA Federal Criteria for ITSEC
  • 1996 - v.1 of Common Criteria: one
    international set of standards
21
CC and FIPS
  • CC specifications and evaluations apply to any
    IT product - very broad and flexible,
    international
  • FIPS 140-1,2: US/CAN cryptographic module
    validation standard - narrow application to
    crypto-modules
  • CC cryptographic requirements tailoring typically
    refers to cryptographic standard
  • Products with both IT security functionality and
    embedded cryptography need both validations, e.g.
      • Firewalls or IDS system with remote management
        protected by encryption
      • Web servers, browsers (SSL encryption)