Federal Information Technology Security Resources

1
Federal Information Technology Security Resources

• Marianne Swanson
• Computer Security Division
• Information Technology Laboratory
• National Institute of Standards and Technology

2
Resource Topics

• U.S. Government web sites
• U.S. Government security organizations

3
Federal CIO Council Best Security Practices (BSP)
Initiative and Web Site

• Security Practices Subcommittee (SPS)
• Pilot program
• BSPs are components of security programs
• Demonstrate BSPs on a web repository
• Demonstrate potential cost savings and results

4
Major Components of BSPs

• Description of the BSP being used, including
  processes
• BSP originator contact information
• Security requirements satisfied by the BSP
• Lessons learned by other users
• Links to related BSPs
• Implementation resource estimates

5
Major Components of BSPs - concluded

• Methods for measuring results
• Suggested tools and training
• Procurement information
• Artifacts

6
BSPs Work Together

• Collaborative effort is essential
• Cost-benefit and the price to reinvent the wheel
• Get the word out http//bsp.cio.gov

7
NIST Computer Security Resource Center Web Site

• http//csrc.nist.gov/
• News/announcements
• Hot topic areas
• Advanced Encryption Standard (AES)
• ICAT
• Virus Information

8
NIST Computer Security Resource Center Web Site
(continued)

• Services
• Research/testing
• Standards
• Vulnerabilities
• Training and education
• Projects
• Cryptographic Module Validation Program (CMVP)
• Common Criteria

9
NIST Computer Security Resource Center Web
Site(concluded)

• Library
• Events

10
What is ICAT?
ICAT is a fine-grained searchable index of over
2300 vulnerabilities that provides links to
vulnerability and patch information
Vulnerability Archive 1
Vulnerability Archive 2
ICAT Search Engine
Vulnerability Snapshots
Vulnerability Archive 3
http//icat.nist.gov
11
Features of ICAT

• Based on the CVE vulnerability naming standard
• Links from each vulnerability snapshot to
  vulnerability and patch information
• Non-competitive with public vulnerability
  databases
• Commonly indexed sources CERT, Security Focus,
  ISS X-Force, Bugtraq, and NT Bugtraq

http//icat.nist.gov
12
Uses of ICAT

• Securing a network or host
• tell ICAT what software is running and discover
  the known vulnerabilities and how to fix them
• Auditing
• Ask organizations if they have fixed the known
  vulnerabilities in their software
• Hacker Insurance
• Public Vulnerability database

• Forensics activities
• determine how a hacker have entered a computer or
  network
• Search engine for popular archives
• Vulnerability research
• Software evaluations
• test known vulnerabilities
• CVE Browser
• Software purchasing
• determine if software has a history of serious
  vulnerabilities

http//icat.nist.gov
13
ICAT Contact Information
http//icat.nist.gov
E-mail icat_at_nist.gov for more information
Technical Lead Peter Mell peter.mell_at_nist.gov
http//icat.nist.gov
14
Federal IT Security Organizations

• Federal Computer Security Program Mangers Forum
• CIO Council Subcommittee on Security, Privacy,
  and Critical Infrastructure Protection

15
Federal Computer Security Program Managers Forum

• Federal employees only
• Computer security program managers
• Meet bi-monthly
• E-mail list
• Annual two-day meeting

16
CIO Council Committee

• Security, Privacy, and Critical Infrastructure
  Protection Committee
• Three subcommittees
• Meet bi-monthly
• Web site http//cio.gov

17
Major Initiatives - Security Subcommittee

• Joint government effort with ITAA
• Security practices for common electronic services
  
• Public web sites
• Financial transactions
• Procurement transactions
• Risk management guide for executives
• IT security assessment framework

18
Federal Information Technology Security
Assessment Framework and the Draft NIST
Special Publication, Self-Assessment Guide for
Information Technology Systems

• Overview
• Description
• Benefits

19
Framework and NIST Guide Overview

• Determines the current performance of security
  programs relative to existing requirements
• Establishes a target for improvement, if
  necessary
• Assesses the performance of security controls of
  an asset or collection of assets

20
Framework and NIST Guide Overview - concluded

• Produces a security performance picture
• Built on existing Federal guidelines and
  legislative mandates
• Framework provides groundwork for standardizing
  and measuring IT security
• Assessment guide builds on the Framework

21
Framework and NIST Guide Description

• Five levels of IT security program effectiveness
• Each level contains criteria to determine whether
  the level is adequately implemented
• NIST Guide contains detailed questions that can
  be measured using the same five levels
• Asset owner determines whether the measurement
  criteria are being met

22
Framework and NIST Guide Five Levels

• Level 1 - Documented policy
• Level 2 - Documented procedures
• Level 3 - Implemented procedures and controls
• Level 4 - Tested and reviewed procedures and
  controls
• Level 5 - Fully integrated procedures and controls

23
Framework and NIST Guide Benefits

• Standard way of performing self assessments
• Assessment flexibility based on the size and
  complexity of the asset
• Data collection is basis for developing an
  overall security rating
• Informed judgments and investments determine
  security status
• Resulting action plan addresses gaps

24
Contact Information

• Marianne Swansonmarianne.swanson_at_nist.gov301-975
  -3293