
Testimony of

Charles H. Romine

Director

Information Technology Laboratory

National Institute of Standards and Technology

United States Department of Commerce

United States House of Representatives

Committee on Science, Space and Technology

Subcommittee on Research and Technology

“The Expanding Cyber Threat”

January 27, 2015


Introduction

Chairwoman Comstock, Ranking Member and Members of the Subcommittee, I am Dr. Charles Romine, the Director of the Information Technology Laboratory (ITL) at the Department of Commerce’s National Institute of Standards and Technology (NIST). Thank you for the opportunity to appear before you today to discuss our role in cybersecurity.

The Role of NIST in Cybersecurity

With programs focused on national priorities from the Smart Grid and electronic health records to forensics, atomic clocks, advanced nanomaterials, and computer chips and more, NIST’s overall mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

In the area of cybersecurity, NIST has worked with Federal agencies, industry, and academia since 1972, starting with the development of the Data Encryption Standard, when the potential commercial benefit of this technology became clear. Our role, to research, develop and deploy information security standards and technology to protect the Federal government’s information systems against threats to the confidentiality, integrity and availability of information and services, was strengthened through the Computer Security Act of 1987 (Public Law 100-235), broadened through the Federal Information Security Management Act of 2002 (FISMA; 44 U.S.C. § 3541) and recently reaffirmed in the Federal Information Security Modernization Act of 2014 (Public Law 113-283). In addition, the Cybersecurity Enhancement Act of 2014 (Public Law 113-274) authorizes NIST to facilitate and support the development of voluntary, industry-led cybersecurity standards and best practices for critical infrastructure.

NIST accomplishes its mission in cybersecurity through collaborative partnerships with our customers and stakeholders in industry, government, academia, standards bodies, consortia and international partners.

We employ collaborative partnerships with our customers and stakeholders to take advantage of their technical and operational insights and to leverage the resources of a global community. These collaborative efforts, and our private sector collaborations in particular, are constantly being expanded by new initiatives, including in recent years through the National Strategy for Trusted Identities in Cyberspace (NSTIC), the National Cybersecurity Center of Excellence (NCCoE), in implementation of Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” and the National Initiative for Cybersecurity Education (NICE).

1 FISMA was enacted as Title III of the E-Government Act of 2002 (Public Law 107-347;

The NIST Special Publications and Interagency Reports provide management, operational, and technical security guidelines for Federal agency information systems, and cover a broad range of topics such as Basic Input/Output System (BIOS) management and measurement, key management and derivation, media sanitization, electronic authentication, security automation, Bluetooth and wireless protocols, incident handling and intrusion detection, malware, cloud computing, public key infrastructure, risk assessments, supply chain risk management, authentication, access control, security automation and continuous monitoring.

Beyond these documents - which are peer-reviewed throughout industry, government, and academia - NIST conducts workshops, awareness briefings, and outreach to ensure comprehension of standards and guidelines, to share ongoing and planned activities, and to aid in scoping guidelines in a collaborative, open, and transparent manner.

In addition, NIST maintains the National Vulnerability Database (NVD), a repository of standards-based vulnerability management reference data. The NVD makes available information on vulnerabilities, impact measurements, detection techniques, and remediation assistance. It provides reference data that enable government, industry and international security automation capabilities. The NVD also plays a role in the efforts of the Payment Card Industry (PCI) to identify and mitigate vulnerabilities. The PCI uses the NVD vulnerability metrics to discern the IT vulnerability in point-of-sale devices and determine what risks are unacceptable for that industry.

NIST researchers develop and standardize cryptographic mechanisms that are used throughout the world to protect information at rest and in transit. These mechanisms provide security services, such as confidentiality, integrity, authentication, nonrepudiation and digital signatures, to protect sensitive information. The NIST algorithms and associated cryptographic guidelines are developed in a transparent and inclusive process, leveraging cryptographic expertise around the world. The results are in standard, interoperable cryptographic mechanisms that can be used by all industries.

NIST has a complementary program, in coordination with the Government of Canada, to certify independent commercial calibration laboratories to test commercially available IT cryptographic modules, to ensure that they have implemented the NIST cryptographic standards and guidelines correctly. These testing laboratories exist around the globe and test hundreds of individual cryptographic modules yearly.

Recently, NIST initiated a research program in usability of cybersecurity, focused on passwords and password policies; user perceptions of cybersecurity risk and privacy concerns; and privacy in general. The concept of “usability” refers generally to “the effectiveness, efficiency, and satisfaction with which the intended users can achieve

NIST Engagement with Industry

It is important to note that the impact of NIST's activities under FISMA extends beyond providing the means to protect Federal IT systems. They provide the cybersecurity foundations for the public trust that is essential to our realization of the national and global productivity and innovation potential of electronic business and its attendant economic benefits. Many organizations voluntarily follow NIST standards and guidelines, reflecting their wide acceptance throughout the world.

Beyond NIST’s responsibilities under FISMA, under the provisions of the National Technology Transfer and Advancement Act (PL 104-113) and related OMB Circular A-119, NIST is tasked with the key role of encouraging and coordinating Federal agency use of voluntary consensus standards and participation in the development of relevant standards, as well as promoting coordination between the public and private sectors in the development of standards and in conformity assessment activities.

NIST works with other agencies, such as the Department of State, to coordinate standards issues and priorities with the private sector through consensus standards organizations such as the American National Standards Institute (ANSI), the International Organization for Standardization (ISO), the Institute of Electrical and Electronics Engineers (IEEE), the Internet Engineering Task Force (IETF), and the International Telecommunications Union (ITU).

Partnership with industry to develop, maintain, and implement voluntary consensus standards related to cybersecurity best ensures the interoperability, security and resiliency of the global infrastructure needed to make us all more secure. It also allows this infrastructure to evolve in a way that embraces both security and innovation – allowing a market to flourish to create new types of secure products for the benefit of all Americans.

NIST works extensively in smart card standards, guidelines and best practices. NIST developed the standard for the US Government Personal Identity Verification (PIV) Card, and actively works with the ANSI and the ISO on global cybersecurity standards for use in smart cards, smart card cryptography and the standards for the international integrated circuit card. [ANSI 504; ISO 7816 and ISO 24727]

NIST also conducts cybersecurity research and development in forward-looking technology areas, such as security for federal mobile environments and techniques for measuring and managing security. These efforts focus on improving the trustworthiness of IT components such as claimed identities, data, hardware, and software for networks and devices. Additional research areas include developing approaches to balancing safety, security, and reliability in the nation’s information and communications technology supply chain; enabling mobile device and application security; securing the nation’s cyber-physical systems and public safety networks; enabling continuous security monitoring; providing advanced security measurements and testing; investigating security analytics and big data; developing standards, modeling, and measurements to achieve end-to-end security over heterogeneous, multi-domain networks; and investigating technologies for detection of anomalous behavior and quarantines.

2 International Organization for Standardization (ISO), ISO 9241-11 (1998): “Ergonomic requirements for office work with visual display terminals (VDTs) – Guidance on usability.”

In addition, further development of cybersecurity standards will be needed to improve the security and resiliency of critical U.S. information and communication infrastructure. The availability of cybersecurity standards and associated conformity assessment schemes is essential in these efforts; NIST supports them to help enhance the deployment of sound security solutions and to build trust among those creating and those using the solutions throughout the country.

National Strategy for Trusted Identities in Cyberspace

NIST also houses the National Program Office established to lead implementation of the National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC is an initiative that aims to address one of the most commonly exploited vectors of attack in cyberspace: the inadequacy of passwords for authentication.

The 2013 Data Breach Investigations Report noted that in 2012, 76% of network intrusions exploited weak or stolen credentials. In line with the results of this report, Target has revealed that the compromised credential of one of its business partners was the vector used to access its network.

NSTIC aims to address this issue by collaborating with the private sector to catalyze a marketplace of better identity and authentication solutions – an “Identity Ecosystem” that raises the level of trust associated with the identities of individuals, organizations, networks, services, and devices online. NIST has funded 13 pilots to help jumpstart the marketplace and test new approaches to overcome barriers, such as usability, privacy and interoperability, which have hindered market acceptance and wider use of stronger authentication technologies.

NSTIC exemplifies NIST’s robust collaboration with industry, in large part, because the initiative calls on the private sector to play a lead role in its implementation. NIST has partnered with a privately led Identity Ecosystem Steering Group (IDESG) to craft better standards and tools to improve authentication online.

National Cybersecurity Center of Excellence

In 2012, the National Cybersecurity Center of Excellence (NCCoE) was formed as a partnership between NIST, the State of Maryland, and Montgomery County to accelerate the adoption of security technologies that are based on standards and best practices. Recently, NIST established the Nation’s first Federally Funded Research and Development Center (FFRDC) dedicated to cybersecurity to support the NCCoE. The center is a vehicle for NIST to work directly with businesses across various industry sectors on applied solutions to cybersecurity challenges. Today the NCCoE has programs working with the healthcare, financial services, and energy sectors in addition to addressing challenges that cut across sectors including: mobile device security, software asset management, cloud security, and identity management.

Today NIST’s NCCoE is working with government and industry partners on a number of projects, including the Security Exchange of Electronic Health Information. This project focuses on securely exchanging information through the use of mobile devices. NIST plans to publish a practice guide for this project in the near future, which will provide members of the technology community the materials list, configuration settings and other information they need to replicate this standards-based security solution.

Cybersecurity Framework

Almost one year ago, NIST issued the Framework for Improving Critical Infrastructure Cybersecurity (Framework) in accordance with Section 7 of Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” The Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

Since the release of the Framework, NIST has strengthened its collaborations with critical infrastructure owners and operators, industry leaders, government partners, and other stakeholders to raise awareness about the Framework, encourage use by organizations across and supporting the critical infrastructure, and develop implementation guides and resources. The Framework continues to be voluntarily implemented by industry and adopted by infrastructure sectors, and this is contributing to reducing cyber risks to our Nation’s critical infrastructure.

National Initiative for Cybersecurity Education

As the cybersecurity threat and technology environment evolves, the cybersecurity workforce must continue to adapt to design, develop, implement, maintain and continuously improve cybersecurity, including in our Nation’s critical infrastructure.
