Title: Federal Information Technology Security Resources
1 Federal Information Technology Security Resources
- Marianne Swanson
- Computer Security Division
- Information Technology Laboratory
- National Institute of Standards and Technology
2 Resource Topics
- U.S. Government web sites
- U.S. Government security organizations
3 Federal CIO Council Best Security Practices (BSP) Initiative and Web Site
- Security Practices Subcommittee (SPS)
- Pilot program
- BSPs are components of security programs
- Demonstrate BSPs on a web repository
- Demonstrate potential cost savings and results
4 Major Components of BSPs
- Description of the BSP being used, including processes
- BSP originator contact information
- Security requirements satisfied by the BSP
- Lessons learned by other users
- Links to related BSPs
- Implementation resource estimates
5 Major Components of BSPs (concluded)
- Methods for measuring results
- Suggested tools and training
- Procurement information
- Artifacts
6 BSPs Work Together
- Collaborative effort is essential
- Cost-benefit and the price to reinvent the wheel
- Get the word out: http://bsp.cio.gov
7 NIST Computer Security Resource Center Web Site
- http://csrc.nist.gov/
- News/announcements
- Hot topic areas
- Advanced Encryption Standard (AES)
- ICAT
- Virus Information
8 NIST Computer Security Resource Center Web Site (continued)
- Services
- Research/testing
- Standards
- Vulnerabilities
- Training and education
- Projects
- Cryptographic Module Validation Program (CMVP)
- Common Criteria
9 NIST Computer Security Resource Center Web Site (concluded)
10 What is ICAT?
ICAT is a fine-grained searchable index of over 2300 vulnerabilities that provides links to vulnerability and patch information.
[Diagram: the ICAT Search Engine produces Vulnerability Snapshots that link out to Vulnerability Archives 1, 2 and 3]
http://icat.nist.gov
11 Features of ICAT
- Based on the CVE vulnerability naming standard
- Links from each vulnerability snapshot to vulnerability and patch information
- Non-competitive with public vulnerability databases
- Commonly indexed sources: CERT, Security Focus, ISS X-Force, Bugtraq, and NT Bugtraq
http://icat.nist.gov
12 Uses of ICAT
- Securing a network or host
  - Tell ICAT what software is running and discover the known vulnerabilities and how to fix them
- Auditing
  - Ask organizations whether they have fixed the known vulnerabilities in their software
- Hacker Insurance
  - Public vulnerability database
- Forensics activities
  - Determine how a hacker has entered a computer or network
- Search engine for popular archives
- Vulnerability research
- Software evaluations
  - Test known vulnerabilities
- CVE Browser
- Software purchasing
  - Determine if software has a history of serious vulnerabilities
http://icat.nist.gov
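As an added example (not part of the original presentation and not the ICAT project's own code), the Python below sketches the kind of CVE-keyed, product-indexed lookup the uses above describe: a host inventory is matched against affected version ranges ("securing a host"), an audit lists the known vulnerabilities an organization has not yet fixed, and a purchasing query returns a product's history of serious entries. Every vendor, product, URL and identifier (the CVE-0000-nnnn names) is a constructed placeholder, and the severity scale and inclusive version-range model are assumptions of this example rather than ICAT's schema.

```python
"""Toy CVE-keyed vulnerability index modelled on the uses ICAT lists.

Added example; all vendors, products, identifiers (CVE-0000-nnnn),
URLs and severities are constructed placeholders, not real data.
"""
import re
from dataclasses import dataclass

# CVE naming standard: "CVE-" + four-digit year + sequence number.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Assumed ordinal severity scale used by the "serious history" query.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Entry:
    cve: str
    vendor: str
    product: str
    affected: tuple    # inclusive (first_affected, last_affected) versions
    severity: str
    patch_url: str     # link to the fix, as a vulnerability snapshot carries
    sources: tuple     # archives the entry was indexed from


def is_valid_cve_id(cve):
    return bool(CVE_ID.match(cve))


def _parse_version(v):
    """Split a dotted version into ints so 1.10 sorts after 1.9 (a string compare would not)."""
    return [int(p) for p in v.split(".")]


def version_affected(version, affected):
    """True if version lies in the inclusive [first, last] range; short versions are zero-padded."""
    lo, hi, v = (_parse_version(x) for x in (*affected, version))
    width = max(len(lo), len(hi), len(v))
    lo, hi, v = (x + [0] * (width - len(x)) for x in (lo, hi, v))
    return lo <= v <= hi


class VulnIndex:
    def __init__(self):
        self._by_cve = {}
        self._by_product = {}

    def add(self, entry):
        if not is_valid_cve_id(entry.cve):
            raise ValueError("not a CVE name: %r" % entry.cve)
        if entry.cve in self._by_cve:
            raise ValueError("duplicate CVE name: %s" % entry.cve)  # one record per name
        self._by_cve[entry.cve] = entry
        key = (entry.vendor.lower(), entry.product.lower())
        self._by_product.setdefault(key, []).append(entry)

    def snapshot(self, cve):
        """Snapshot view of one entry: the CVE name plus the links it points to."""
        e = self._by_cve[cve]
        return {"cve": e.cve, "severity": e.severity, "patch": e.patch_url, "sources": list(e.sources)}

    def for_host(self, inventory):
        """Securing a host: (vendor, product, version) inventory -> entries whose range covers it."""
        hits = []
        for vendor, product, version in inventory:
            for e in self._by_product.get((vendor.lower(), product.lower()), []):
                if version_affected(version, e.affected):
                    hits.append(e)
        return sorted(hits, key=lambda e: e.cve)

    def audit(self, inventory, fixed_cves):
        """Auditing: known vulnerabilities in the inventory not in the organization's claimed-fixed set."""
        return [e.cve for e in self.for_host(inventory) if e.cve not in fixed_cves]

    def serious_history(self, vendor, product, min_severity="high"):
        """Software purchasing: every entry for the product at or above min_severity."""
        floor = SEVERITY_RANK[min_severity]
        entries = self._by_product.get((vendor.lower(), product.lower()), [])
        return sorted(e.cve for e in entries if SEVERITY_RANK[e.severity] >= floor)


# Constructed sample entries (placeholder products, identifiers and URLs).
SAMPLE_ENTRIES = (
    Entry("CVE-0000-0001", "ExampleCorp", "ExampleHTTPd", ("1.0", "1.2"), "high",
          "https://example.invalid/httpd/advisories/0001", ("CERT", "Bugtraq")),
    Entry("CVE-0000-0002", "ExampleCorp", "ExampleHTTPd", ("1.0", "1.0.9"), "medium",
          "https://example.invalid/httpd/advisories/0002", ("Security Focus",)),
    Entry("CVE-0000-0003", "ExampleCorp", "ExampleMail", ("2.0", "2.4"), "high",
          "https://example.invalid/mail/advisories/0003", ("ISS X-Force",)),
)

# Constructed host inventory: one vulnerable HTTPd, one mail server past the affected range, one unknown product.
SAMPLE_INVENTORY = (
    ("ExampleCorp", "ExampleHTTPd", "1.1.0"),
    ("ExampleCorp", "ExampleMail", "2.5"),
    ("OtherVendor", "Widget", "9"),
)


def build_sample_index():
    idx = VulnIndex()
    for e in SAMPLE_ENTRIES:
        idx.add(e)
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    for e in idx.for_host(SAMPLE_INVENTORY):
        print("%s affects %s %s-%s; fix: %s" % (e.cve, e.product, *e.affected, e.patch_url))
    print("unfixed:", idx.audit(SAMPLE_INVENTORY, {"CVE-0000-0002"}))
```

The version comparison is the part worth getting right: a naive string comparison would call 1.10 older than 1.9, and a missing component (1.0 versus 1.0.9) has to be zero-padded before the range test, otherwise patched hosts are reported as vulnerable or vice versa.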
13 ICAT Contact Information
http://icat.nist.gov
E-mail icat@nist.gov for more information
Technical Lead: Peter Mell, peter.mell@nist.gov
14 Federal IT Security Organizations
- Federal Computer Security Program Managers Forum
- CIO Council Subcommittee on Security, Privacy,
and Critical Infrastructure Protection
15 Federal Computer Security Program Managers Forum
- Federal employees only
- Computer security program managers
- Meet bi-monthly
- E-mail list
- Annual two-day meeting
16 CIO Council Committee
- Security, Privacy, and Critical Infrastructure Protection Committee
- Three subcommittees
- Meet bi-monthly
- Web site: http://cio.gov
17 Major Initiatives - Security Subcommittee
- Joint government effort with ITAA
- Security practices for common electronic services
- Public web sites
- Financial transactions
- Procurement transactions
- Risk management guide for executives
- IT security assessment framework
18 Federal Information Technology Security Assessment Framework and the Draft NIST Special Publication, Self-Assessment Guide for Information Technology Systems
- Overview
- Description
- Benefits
19 Framework and NIST Guide Overview
- Determines the current performance of security programs relative to existing requirements
- Establishes a target for improvement, if necessary
- Assesses the performance of security controls of an asset or collection of assets
20 Framework and NIST Guide Overview (concluded)
- Produces a security performance picture
- Built on existing Federal guidelines and legislative mandates
- Framework provides groundwork for standardizing and measuring IT security
- Assessment guide builds on the Framework
21 Framework and NIST Guide Description
- Five levels of IT security program effectiveness
- Each level contains criteria to determine whether the level is adequately implemented
- NIST Guide contains detailed questions that can be measured using the same five levels
- Asset owner determines whether the measurement criteria are being met
22 Framework and NIST Guide Five Levels
- Level 1 - Documented policy
- Level 2 - Documented procedures
- Level 3 - Implemented procedures and controls
- Level 4 - Tested and reviewed procedures and controls
- Level 5 - Fully integrated procedures and controls
23 Framework and NIST Guide Benefits
- Standard way of performing self assessments
- Assessment flexibility based on the size and complexity of the asset
- Data collection is basis for developing an overall security rating
- Informed judgments and investments determine security status
- Resulting action plan addresses gaps
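As an added example (not from the Framework or the draft NIST guide), the Python below turns the five levels and the self-assessment steps described in slides 21 to 23 into code: the asset owner's answers for each control are scored to a level, the levels feed an overall rating, and the gaps below a chosen target become the action plan. Two choices are assumptions of this example rather than rules stated on the slides: levels are treated as cumulative (a control is not credited with level 3 while level 2 is unmet), and the asset's overall rating is taken as its weakest control. The control names and answers are constructed sample data.

```python
"""Self-assessment scoring on the Framework's five levels (added example).

Assumptions of this example, not rules stated in the Framework or guide:
levels are cumulative, and an asset's overall rating is that of its weakest
control. Control names and answers below are constructed sample data.
"""

LEVELS = {
    1: "Documented policy",
    2: "Documented procedures",
    3: "Implemented procedures and controls",
    4: "Tested and reviewed procedures and controls",
    5: "Fully integrated procedures and controls",
}


def control_level(answers):
    """Highest level whose criteria, and all lower levels' criteria, the asset owner marked met.

    answers maps level -> bool. Under cumulative scoring, level 3 marked True
    with level 2 False still yields 1: controls in place without documented
    procedures are not credited as level 3 (assumption of this example).
    """
    achieved = 0
    for level in sorted(LEVELS):
        if not answers.get(level, False):
            break
        achieved = level
    return achieved


def assess(asset, target):
    """Rate each control, take the weakest as the overall rating, list gaps below the target level."""
    if target not in LEVELS:
        raise ValueError("target must be one of %s" % sorted(LEVELS))
    per_control = {name: control_level(a) for name, a in asset.items()}
    overall = min(per_control.values()) if per_control else 0
    action_plan = [
        (name, level + 1, LEVELS[level + 1])   # the next level to work toward
        for name, level in sorted(per_control.items())
        if level < target
    ]
    return {"per_control": per_control, "overall": overall, "action_plan": action_plan}


# Constructed sample: three controls for one asset, answered by its owner.
SAMPLE_ASSET = {
    "Access control": {1: True, 2: True, 3: True, 4: False, 5: False},
    "Contingency planning": {1: True, 2: False, 3: True},  # implemented but undocumented
    "Audit trails": {1: True, 2: True, 3: True, 4: True, 5: True},
}


if __name__ == "__main__":
    result = assess(SAMPLE_ASSET, target=3)
    for name, level in sorted(result["per_control"].items()):
        print("%-22s level %d (%s)" % (name, level, LEVELS.get(level, "none")))
    print("overall rating: level", result["overall"])
    for name, next_level, description in result["action_plan"]:
        print("action: %s -> level %d, %s" % (name, next_level, description))
```

The cumulative rule is what makes the rating honest: a control whose procedures are in place but undocumented is the classic finding a self-assessment exists to surface, and scoring it as level 1 rather than level 3 keeps that gap on the action plan.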
24 Contact Information
- Marianne Swanson, marianne.swanson@nist.gov, 301-975-3293