National Institute of Standards and Technology: Difference between revisions

Jessica (talk | contribs)
Christiane (talk | contribs)
m Christiane moved page NIST to National Institute of Standards and Technology: Standardize
 
(22 intermediate revisions by one other user not shown)
Line 25: Line 25:
The Computer Security Resource Center (CSRC) has two subdivisions, the CSD and the ACD.<ref>[https://csrc.nist.gov/about About CSRC, NIST]</ref>
The Computer Security Resource Center (CSRC) has two subdivisions, the CSD and the ACD.<ref>[https://csrc.nist.gov/about About CSRC, NIST]</ref>
===Computer Security Division===
===Computer Security Division===
The CSD is focused on information systems and specializes in Cryptographic Technology; Secure Systems and Applications; Security Components and Mechanisms; Security Engineering and Risk Management; and Security Testing, Validation, and Measurement.
The CSD is focused on information systems and specializes in [[Cryptography#Cryptographic Technologies|cryptographic technologies]]; secure systems and applications; security components and mechanisms; security engineering and risk management; and security testing, validation, and measurement.
==Applied Cybersecurity Division==  
 
The ACD specializes in Cybersecurity and Privacy Applications, hosts the [[National Cybersecurity Center of Excellence]] (NCCoE), and runs the National Initiative for Cybersecurity Education (NICE).
===Applied Cybersecurity Division===  
The ACD specializes in [[Cybersecurity]] and [[Data Privacy]] applications, hosts the National Cybersecurity Center of Excellence ([[NCCoE]]), and runs the [[National Initiative for Cybersecurity Education]] (NICE).
 
====NCCoE====
''The NCCoE's mission'': to expand the use of a secure cyber infrastructure that inspires technological innovation and fosters economic growth.<ref>[https://www.nccoe.nist.gov/about-the-center/strategy NCCOE Strategy]</ref><br/>
 
''The NCCoE's strategy'': to accelerate the business sector's adoption of standards-based security technology by consulting with IT practitioners to identify the most pressing issues, generating technical descriptions of those problems, matching solutions with NIST standards and best practices, making the problem descriptions as broadly applicable as possible, and inviting technology vendors to collaborate on product modules of end-to-end example solutions.<ref>[https://www.nccoe.nist.gov/about-the-center/strategy NCCOE Strategy]</ref><br/>
 
''NCCoE Collaboratorations'':<ref>[https://www.nccoe.nist.gov/about-the-center/stakeholders Stakeholders, NCCoE]</ref><br/>
# IT users report problems.
# Integrators implement NCCoE reference designs and provide feedback to the NCCoE to help make the references easier to deploy.
# Vendors in the NCCoE labs with researchers, contributing expertise, hardware, and software to the development of the reference design for a specific problem.
# Reference design users deploy example solutions and provide feedback to validate/improve them.
# Other government agencies work with NCCoE through the National Cybersecurity Federally Funded Research and Development Center (NCF).<ref>[https://www.nccoe.nist.gov/sites/default/files/library/fact-sheets/work-for-others-fact-sheet.pdf NCF Fact Sheet, NCCoE]</ref>
# Core partners provide hardware, software, knowledge, and personnel. The current group of partners includes:<ref>[https://www.nccoe.nist.gov/partners Partners, NCCoE]</ref>
::* [[Amazon|Amazon Web Services]]
::* [[CableLabs]]
::* [[Cisco]]
::* [[Docker]]
::* [[f5]]
::* [[ForeScout]]
::* [[Global Cyber Alliance]]
::* [[Hewlett Packard]]
::* [[HyTrust]]
::* [[IBM]]
::* [[Juniper Networks]]
::* [[McAfee]]
::* [[Micro Focus]]
::* [[Microsoft]]
::* [[Motorola Solutions]]
::* [[NextLabs]]
::* [[VMware]]
::* [[ZIMPERIUM]]
<br/>
''NCCoE Projects'':<ref>[https://www.nccoe.nist.gov/projects/building-blocks Building Blocks, NCCoE]</ref><br/>
{| class="wikitable; "border="0"
| * [[5G Security]] || * [[Patching the Enterprise]]
|-
| * [[Adversarial Machine Learning]] || * [[Cryptography#Post-Quantum Cryptography|Post-Quantum Cryptography]]
|-
| * [[Data Security]] || * [[Supply Chain Assurance]]
|-
| * [[Derived PIV Credentials]] || * [[TLS]] Server Certificate Management
|-
| * Internet of Things ([[IoT]]) || * [[Trust]]ed Geolocation in the Cloud
|-
| * [[Mobile Device Security]] || * [[Zero Trust Architecture]]
|}
 
====NICE====


==SP 800 Series==
==SP 800 Series==
NIST’s Special Publication (SP) 800 series shares computer security information. Created in 1990, the series reports on the Information Technology Laboratory’s research, guidelines, and collaborations with industry, government, and academic organizations.<ref>[https://www.nist.gov/itl/publications-0/nist-special-publication-800-series-general-information SP 800, NIST]</ref>
NIST’s Special Publication (SP) 800 series shares computer security information. Created in 1990, the series reports on the Information Technology Laboratory’s research, guidelines, and collaborations with industry, government, and academic organizations.<ref>[https://www.nist.gov/itl/publications-0/nist-special-publication-800-series-general-information SP 800, NIST]</ref>


==SP 800-37==
===SP 800-37===
The “Guide for Applying the Risk Management Framework to Federal Information Systems” promotes near real-time risk management, encourages the use of automation, integrates information security, emphasizes the selection, implementation, assessment, and overall monitoring of information security controls, links risk management at the information systems level to risks at the organizational level, and establishes responsibility and accountability for security controls.<ref>[https://flank.org/faqs/what-is-nist-sp-800-37 About SP 800-37, Flank]</ref>  
The “Guide for Applying the Risk Management Framework to Federal Information Systems” promotes near real-time risk management, encourages the use of automation, integrates information security, emphasizes the selection, implementation, assessment, and overall monitoring of information security controls, links risk management at the information systems level to risks at the organizational level, and establishes responsibility and accountability for security controls.<ref>[https://flank.org/faqs/what-is-nist-sp-800-37 About SP 800-37, Flank]</ref>  


Line 44: Line 93:
* reduces the complexity of the IT infrastructure; and
* reduces the complexity of the IT infrastructure; and
* provides methods to identify, prioritize and focus resources based on risk/value analysis.<ref>[https://csrc.nist.gov/CSRC/media/Publications/Shared/documents/itl-bulletin/itlbul2019-02.pdf RMF 2.0 Bulletin pg. 4]</ref>
* provides methods to identify, prioritize and focus resources based on risk/value analysis.<ref>[https://csrc.nist.gov/CSRC/media/Publications/Shared/documents/itl-bulletin/itlbul2019-02.pdf RMF 2.0 Bulletin pg. 4]</ref>
===SP 800-171===


==Cybersecurity Framework==
==Cybersecurity Framework==
===Version 1.0===
===Version 1.0===
====History====
====History====
In February 2013, recognizing the national and economic security of the United States depends on the reliable function of critical infrastructure, President [[Barak Obama]] issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," ordering NIST to work with stakeholders to develop a voluntary framework based on existing standards, guidelines, and practices for reducing cyber-risks to [[Critical Infrastructure]]. On December 18, 2014, the Cybersecurity Enhancement Act of 2014 (CEA) authorized the Department of Commerce, through NIST, to develop voluntary standards to reduce cyber-risks to critical infrastructure.<ref>[https://itlaw.wikia.org/wiki/Cybersecurity_Enhancement_Act_of_2014 CEA, IT Law Wiki]</ref> The law also ordered the Office of Science and Technology Policy to develop a federal cybersecurity research and development plan. Section 502 required the Director of NIST to ensure interagency coordination toward the development of international technical standards for IT security and transmit to Congress a plan.  
In February 2013, recognizing the national and economic security of the United States depends on the reliable function of critical infrastructure, President [[Barak Obama]] issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," ordering NIST to work with stakeholders to develop a voluntary framework based on existing standards, guidelines, and practices for reducing cyber-risks to [[CISA#Critical Infrastructure|Critical Infrastructure]]. On December 18, 2014, the Cybersecurity Enhancement Act of 2014 (CEA) authorized the Department of Commerce, through NIST, to develop voluntary standards to reduce cyber-risks to critical infrastructure.<ref>[https://itlaw.wikia.org/wiki/Cybersecurity_Enhancement_Act_of_2014 CEA, IT Law Wiki]</ref> The law also ordered the Office of Science and Technology Policy to develop a federal cybersecurity research and development plan. Section 502 required the Director of NIST to ensure interagency coordination toward the development of international technical standards for IT security and transmit to Congress a plan.  
=====Framework Development=====
=====Framework Development=====
February 26, 2013: RFI to Develop a Framework to Improve Critical Infrastructure Cybersecurity - February 12, 2014: Framework 1.0 Publication.  
February 26, 2013: RFI to Develop a Framework to Improve Critical Infrastructure Cybersecurity - February 12, 2014: Framework 1.0 Publication.  
Line 65: Line 116:
The Department of Homeland Security's Critical Infrastructure Cyber Community (C3) Voluntary Program helps owners and operators align their organizations with the framework and manage their cyber risks.
The Department of Homeland Security's Critical Infrastructure Cyber Community (C3) Voluntary Program helps owners and operators align their organizations with the framework and manage their cyber risks.


===Version 2.0===
===Version 1.1===
On April 16, 2018, NIST released the updates to version 1.0, which:<ref>[https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf Description of CF Version 1.1]</ref>
# Clarified that compliance terminology,
# Added Section on Self-Assessing Cybersecurity Risk,
# Expanded Section 3.3 on Communicating how to use Cyber Supply Chain Risk Management (SCRM),
# Added the Section 3.4 Buying Decisions, which highlights understanding the risk associated with commercial off-the-shelf products and services,
# Added Cyber SCRM criteria to the Tiers,
# Added Supply Chain Risk Management Category to the Framework Core,
# Refined the language of the Access Control Category to better account for authentication, authorization, and identity proofing, 
# Explained the relationship between Tiers and Profiles,
# Integrated Framework considerations within organizational risk management programs, and
# Included a subcategory for coordinated vulnerability disclosure lifecycle.


==References==
==References==


[[Category:Government Agencies]]
[[Category:Government Agencies]]