nstissp


A Policy Review: NSTISSP-11 to DoDD 8500: 

Vivian Cocca, OASD (C3I) IA, July 15, 2002

Discussion Topics: 

- Factors Driving NSTISSP* 11
- NSTISSP 11 Requirements
- NSTISSP 11 Pros and Cons
- DoDD 8500.aa/DoDI 8500.bb Requirements

* National Security Telecommunications and Information Systems Security Publication

Factors Driving NSTISSP 11: 

The Problem: Does the product provide the security it claims?

- GOTS To GOTS and COTS Philosophy Shift
- IA is broader than COMSEC
- Explosion in Number of COTS IA Products
- NSA resource constraints require a NIAP approach
- No standardized evaluation language or methodology
- Create demand for evaluated products

Provisions of NSTISSP 11: 

Effective 1 Jan 2001:

- Preference given to acquisition of evaluated Information Assurance (IA) products

Effective 1 Jul 2002:

- Acquisition of COTS IA products limited to those on NIAP* Validated Products List or NIST** Crypto Module Validation List
- Acquisition of GOTS IA products limited to NSA approved

Waivers reviewed by NSA and granted on case-by-case basis by CNSS***

* National IA Partnership
** National Institute of Technology & Standards
*** Committee on National Security Systems

IA Product: 

An IA product is an IT product or technology whose primary purpose is to provide security services (e.g., confidentiality, authentication, integrity, access control and non-repudiation of data); correct known vulnerabilities; and/or provide layered defense against various categories of non-authorized or malicious penetrations of information systems or networks. Examples include data/network encryptors, firewalls and intrusion detection devices.

IA Enabled Product: 

An IA-enabled product is a product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems.

Pros and Cons of NSTISSP 11: 

Pros

- Hard to argue against the fact that before users acquire an IA product they ought to know that it really does what the vendor claims
- Lets user and vendor decide “what is the right evaluation level”

Cons

- No “goodness” levels established
- Onus is on the customer to determine if any product is “good enough” for his application

DODD 8500.aa: 

- Requires compliance with NSTISSP 11
- Defines generic “robustness” levels of basic, medium, high and assigns “baseline levels” for IA services of integrity, availability and confidentiality dependent upon value of information protected and environment
- Requires NSA to:
  - Serve as DOD focal point for NIAP
  - Approve cryptographic devices used to protect classified information
  - Generate Protection Profiles (PP) for GIG core technologies

Security Robustness: 

Security Robustness is the strength of a security function, mechanism, service or solution, and the assurance (or confidence) that it is implemented and functioning correctly. DoD has three levels of robustness: High, Medium, and Basic.

Generating Protection Profiles: 

- NSA-NIST Working Group established to coordinate PP activities government-wide and internationally
- Profiles being designed against technology areas at “basic”, “medium” and “high” robustness
- “Top Ten” PP technology list developed: Operating Systems, Firewalls, VPNs, Wireless, PKI, IDS, Databases, Token, Web, Biometrics
- Process established to draft and publicly vet PPs
- Details at http://niap.nist.gov

Protection Profiles Published: 

- Basic Robustness Firewall
- Medium Robustness Firewall
- Basic Robustness Operating System
- Medium Robustness Operating System
- Certificate Issuing and Management Components
- Peripheral Sharing Switch (PSS) for Human Interface Devices

The ‘NIAP’ Process Product Evaluation: 

- Manufacturer identifies market for IT product with a security capability (may or may not be represented by a PP)
- Builds product, following PP specified requirements and the developer assurance requirements in the EAL
- Once product is built, manufacturer prepares ST addressing compliance with a PP, which covers the functional and assurance requirements for the product
- Submits ST, the product, and the documents to an accredited independent testing lab for evaluation
- Lab evaluates the ST; if it passes, the lab then submits it to the evaluation authority for validation by NIST of the evaluation results

Protection Profiles & Security Targets: 

- Protection Profile (PP) - Technical statement of security requirements produced by the user.
- Security Target (ST) - Technical statement of the security functionality of a product produced by the vendor/developer.

Products on NIAP MR List: 

Lucent Managed Firewall Cisco PIX Firewall CheckPoint Firewall 1 ITT Dragonfly Guard Borderware Firewall Cyberguard Firewall Entrust/Authority Entrust/RA Entrust TrueDelete Oracle 8 Sun SunScreen Signal 9 Private Desktop Firewall KyberPass Secure Session VPN VeriSign Processing Center Finjan SurfinGate Fujitsu Safegate Firewall IBM Crypto Security Chip Sharp DataSecurity Kit Voltaire 2in1 PC Watchguard Live Security System Philips SmartCard Controller MIS SENTRY 2020 Bull B1/EST-X MilkyWay Blackhole Firewall SecureLogix TeleWall System WinMagic Secure Doc EESI SuperNet 2000 CTAM Cyphercell ATM Encryptor Baltimore Technologies Timestamp Market Central Secure Switch

Products In Evaluation: 

Microsoft Windows 2000 Network Associates Gauntlet Finjan SurfinShield Cryptek DiamondTEK Argus Pitbull BMC Software Patrol Data Security Sentinel Geotronics Access Control Library Infoassure Secure Mobile office Intrusion.com SecureNetPro IDS LCI Smart Pen Owl Data Diode SCC Sidewinder Silicon Graphics IRIX Cisco IPSEC Crypto Tumbleweed MMS Authentic8 Secure Remote Access Baltimore Tech. Secret Access SecureNet TrustedNet Rainbow Tech. iKey ERACOM PC Vault

DODI 8500.bb: 

E3.5.3.1. For all new acquisitions, if an approved U.S. Government protection profile exists for a particular product type and there are validated products available for use, then acquisition is restricted to those products or to new products that vendors, as a condition of purchase, submit for evaluation and validation to the approved protection profile.

E3.5.3.2. If an approved U.S. Government protection profile exists for a particular product type and no validated products exist, acquisition documentation must require, as a condition of purchase, that the vendor submit its product for evaluation and validation to the approved protection profile.

E3.5.3.3. If no U.S. Government protection profile exists for a particular product type, then acquisition documentation must require, as a condition of purchase, that vendors provide a security target that describes the security attributes of their products, and that vendors submit their products for evaluation by a NIAP certified laboratory at a minimum of EAL 2 (Basic Robustness).

Back-Up: 

Evaluated Assurance Levels: 

Predefined packages of assurance components that make up the Common Criteria scale for rating confidence in the security of IT products and systems

- EAL1 - functionally tested
- EAL2 - structurally tested
- EAL3 - methodically tested and checked
- EAL4 - methodically designed, tested & reviewed
- EAL5 - semi-formally designed & tested
- EAL6 - semi-formally verified design & tested
- EAL7 - formally verified design & tested

Common Criteria: 

- Standards that specify and evaluate the security features of computer products and systems.
- Specifies tests and level of testing to be performed or evidence to be provided to aid in verifying the robustness of the specified security functions (assurance)

Evolution of Security Criteria: 

- 1980’s - NSA developed TCSEC or “Orange Book” (Trusted Computer System Evaluation Criteria)
- 1991 - European Commission published ITSEC (Information Technology Security Evaluation Criteria)
- 1993 - Canada CTCPEC as ITSEC + TCSEC (Canadian Trusted Computer Product Evaluation Criteria)
- 1993 - NIST/NSA Federal Criteria for ITSEC
- 1996 - v.1 of Common Criteria, one international set of standards

CC & FIPS: 

- CC specifications and evaluations apply to any IT product - very broad and flexible, international
- FIPS 140-1,2 US/CAN cryptographic module validation standard - narrow application to crypto-modules
- CC cryptographic requirements tailoring typically refers to cryptographic standard
- Products with both IT security functionality and embedded cryptography need both validations, e.g.
  - Firewalls or IDS system with remote management protected by encryption
  - Web servers, browsers (SSL encryption)