

Statement of

Dr. Arden L. Bement, Jr.

Director
National Institute of Standards and Technology
U.S. Department of Commerce

Before the

Committee on Government Reform
Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations

House of Representatives
United States Congress

“Lessons Learned from the Government Information Security Reform Act of 2000”

March 6, 2002


    Good morning Chairman Horn and Members of the Subcommittee.  On behalf of the National Institute of Standards and Technology (NIST), thank you for the invitation to speak to you today about cybersecurity issues.  I am Arden Bement, Director of the National Institute of Standards and Technology (NIST), which is part of the Department of Commerce’s Technology Administration.

    Let me commend the Subcommittee for focusing on the critical issue of cybersecurity in Federal departments and agencies.  As evidenced by the recent OMB report to the Congress on Federal Government Information Security Reform, cybersecurity is a continuing challenge that demands the attention of the Congress, the Executive Branch, industry, academia, and the public.  It is also vital to our homeland defense efforts.  The NIST security program supports the vision of strong cybersecurity and its crucial role both in homeland defense as well as in E-Government by enabling improvements in service to our citizens through secure electronic programs.

    In the area of cybersecurity, NIST has specific statutory responsibilities for developing standards and guidelines to assist Federal agencies in the protection of sensitive unclassified systems.  This is in addition to our broad mission of strengthening the U.S. economy – including improving the competitiveness of America’s information technology (IT) industry.  In support of this mission, we conduct standards and technology work to help industry produce more secure, yet cost-effective, products, which we believe will be more competitive in the marketplace.  Having more secure products available in the marketplace will, of course, also benefit Federal agencies, since they will be using commercial products to secure their systems.

    NIST’s Computer Security Division in our Information Technology Laboratory (ITL) is the focal point of our security program.  Our program focuses on a few key areas: cryptographic standards and guidelines; public key infrastructure; security research; agency assistance; and the National Information Assurance Partnership (NIAP), which is jointly managed by NIST and the National Security Agency (NSA) to focus on increasing the number and quality of IT security products.  NSA, as you may know, has IT security responsibilities for many of the classified government systems.

    To put our program in perspective, please keep in mind that approximately $10 million of direct Congressional appropriations, funding a NIST staff of about 45, supports both our Federal and industry computer security responsibilities.  This is a very small program when compared with NSA’s recently released Information Assurance budget of $755M for FY 2002.  However, NIST’s small program does provide a significant return on investment.  A new independent economic impact study conducted by the Research Triangle Institute (RTI) conservatively estimates that NIST’s security research into “role based access control (RBAC)” has saved U.S. industry $295 million and accelerated industry's adoption of this advanced access control method by a year. ITL's research cost taxpayers only $2.3 million.  RTI estimated that RBAC technology has saved U.S. industry a total of $671 million, and that our work was responsible for 44 percent of the savings.

NIST’s Statutory Responsibilities

    Before expanding on some of NIST’s contributions to cybersecurity, I would like to briefly review the IT responsibilities that Congress assigned to NIST under two key statutes -- the Government Information Security Reform Act (GISRA) and the Computer Security Act.

NIST was specifically tasked under GISRA to:

  • Develop, issue, review and update standards and guidance for security of Federal information systems;
  • Develop, issue, review and update guidelines for training in computer security awareness and accepted computer security practices;
  • Provide agencies with guidance for security planning to assist in development of applications and system security plans;
  • Provide guidance and assistance to agencies on cost-effective controls for interconnecting systems; and
  • Evaluate information technologies to assess security vulnerabilities in Federal systems.

    The GISRA-assigned responsibilities build upon the long-standing responsibilities of NIST under the Computer Security Act and other statutes.  The Computer Security Act was established to improve security and privacy of sensitive information in federal computer systems.  It gave statutory authority to NIST to:

  • Develop uniform security standards and guidelines for the protection of sensitive information in non-classified federal computer systems;
  • Develop technical, management, physical and administrative standards and guidelines for cost-effective security and privacy of sensitive information in non-classified federal computer systems;
  • Develop guidelines for use by operators of federal computer systems containing sensitive information in training their employees in security awareness and good security practices;
  • Develop validation procedures to evaluate the effectiveness of the security standards and guidelines developed;
  • Assist the private sector, upon request, in using and applying NIST standards and guidelines;
  • Provide technical assistance to operators of federal computer systems in implementing these standards and guidelines; and
  • Coordinate closely with other agencies such as the Departments of Energy and Defense, the Office of Management and Budget, and others as appropriate, to assure to the maximum extent feasible that standards and guidelines developed are consistent and compatible across the entire federal sector (classified and non-classified).

    We work very closely with the Office of Management and Budget (OMB) in carrying out our security responsibilities under GISRA and the Computer Security Act.  We work with OMB representatives on the Federal Chief Information Officers Council, the Federal Computer Security Program Managers’ Forum, and the Committee on National Security Systems.  We will soon also serve on the newly formed Committee on Executive Branch Information Systems Security.  We have had security personnel on detail to OMB.  All of our Federal Information Processing Standards are formally coordinated with OMB prior to promulgation by the Secretary of Commerce.  We also solicit comments on draft guidance and standards from Federal agencies and departments via the CIO Council, the Federal Computer Security Program Managers’ Forum, and our Computer System Security and Privacy Advisory Board (on which Federal agencies are represented).  We also distribute our final guidelines and standards to these groups, and others, and make them widely available via our popular Computer Security Resource Center (http://csrc.nist.rip/) web site.  While on the subject of our Federal agencies, let me take this opportunity to commend my OMB colleague for OMB’s steadfast support in promoting our security standards and guidelines with Federal departments and agencies.

    Let me highlight some of the recent NIST contributions in meeting these important responsibilities.

Security Guidelines and Standards

    In 2001-2002, NIST published the following guidance:

  • Firewalls and Firewall Policy,
  • Recommendation for Block Cipher Modes of Operation - Methods and Techniques,
  • Underlying Technical Models for Information Technology Security,
  • Introduction to Public Key Technology and the Federal Public Key Infrastructure,
  • Intrusion Detection Systems,
  • Risk Management Guide for Information Technology Systems,
  • A Comparison of the Security Requirements for Cryptographic Modules in Federal Information Processing Standards 140-1 and FIPS 140-2,
  • Guidelines on Active Content and Mobile Code,
  • Engineering Principles for Information Technology Security (A Baseline for Achieving Security), and
  • Security Self-Assessment Guide for Information Technology Systems.

    We also published draft guidelines currently under review by Federal departments and agencies as well as other interested organizations and individuals concerning:

  • Guideline on Network Security Testing,
  • System Administration Guidance for Windows 2000 Professional,
  • Use of the Common Vulnerabilities and Exposure (CVE) Naming Scheme,
  • Contingency Planning Guide,
  • Security for Telecommuting and Broadband Communications, and
  • Security Guide for Interconnecting Information Technology Systems.

    In addition, during the same timeframe, we completed the following Federal Information Processing Standards (FIPS):

  • Advanced Encryption Standard (FIPS 197); and
  • Security Requirements for Cryptographic Modules (FIPS 140-2).

    Late last year, the Secretary of Commerce approved the Advanced Encryption Standard (or AES) as a federal security standard.  Within days of the AES announcement, commercial firms were announcing products that incorporated the AES, making it clear that the AES will soon be used extensively internationally -- and be available in a wide array of commercial products to protect sensitive Federal information.  As AES is deployed, we expect that it will be used daily to secure trillions of dollars in electronic transactions and protect sensitive personal, business, and government information.

    We also have prepared updates to the Secure Hash Standard (FIPS 180) and are producing the final standard in response to public comments we have received.  In addition we have issued numerous ITL Bulletins during the last year to provide guidance to agencies and others on a broad list of topics.

Reducing Vulnerabilities Through Research and Security Testing

    Both research and security testing can help reduce vulnerabilities in the commercial IT products used to support the nation’s critical infrastructures.

    Research on information technology vulnerabilities and the development of techniques for cost-effective security are urgently needed. When we identify new technologies that could potentially influence our customers’ security practices, we research the technologies and their potential vulnerabilities.  We also work to find ways to apply new technologies in a secure manner. The solutions that we develop are made available to both public and private users.  Some examples are methods for authorization management and policy management, ways to detect intrusions to systems, and demonstrations of mobile agents.  Research helps us find more cost-effective ways to implement and address security requirements.

    Security testing complements security standards by providing consumers with confidence that security standards and specifications are correctly implemented in the products they buy.  Implementing cryptography correctly and securely can be complicated.  However, unless it is correctly implemented, it may provide no protection.  Therefore, in conjunction with the Government of Canada’s Communication Security Establishment we operate the Cryptographic Module Validation Program, which helps ensure correct and secure implementation of the particular cryptography.  The Cryptographic Module Validation Program has now validated over 200 modules with another 75 or more expected this year.  This successful program utilizes private sector accredited laboratories to conduct security conformance testing of cryptographic modules against the cryptographic Federal standards NIST develops and maintains.  The testing by the laboratories and our work with Canada involves access to unclassified public algorithms and test suites, and not to any Federal government operational cryptographic keys or classified information.

    Statistics from the testing laboratories show that 48% of the modules brought in for voluntary testing had security flaws that were corrected during testing.  In other words, without our program, the Federal government would have had only a 50/50 chance of buying correctly implemented cryptography!

    In addition, in recent years we have worked to develop the “Common Criteria” (ISO/IEC 15408), which can be used to specify security requirements.  These requirements are then used by private-sector laboratories, accredited by NIST, for the voluntary evaluation of commercial products needed for the protection of government systems and networks. This work is undertaken in cooperation with the Defense Department’s National Security Agency in our National Information Assurance Partnership.

    We have developed a web-based tool known as ICAT that allows users to identify known vulnerabilities for their specific software.  NIST’s ICAT then provides links to vendor sites at which the users can obtain patches to address these vulnerabilities.  This is important because many computer break-ins exploit known vulnerabilities.

Training and Awareness

    Timely, relevant, and easily accessible information to raise awareness about the risks, vulnerabilities and requirements for protection of information systems is urgently needed.  This is particularly true for new and rapidly emerging technologies, which are being delivered with such alacrity by our industry.

    We also host and sponsor information sharing among security educators, the Federal Computer Security Program Managers’ Forum, and industry.  We sponsor the web-based Computer Security Resource Center to provide a wide range of security materials and information to the community and link to the Federal Computer Incident Response Center at GSA and other emergency response centers.  We actively support information sharing through our conferences, workshops, web pages, publications, and bulletins.  Finally, we also have a guideline available to assist agencies with their training activities and are an active supporter of the Federal Information Systems Security Educators’ Association.

Security Assessment Framework and Self-Assessment Guideline

    The Chief Information Officers Council and NIST developed a security assessment Framework to assist agencies with a very high level review of their security status.  The Framework established the groundwork for standardizing on five levels of security and defined criteria agencies could use to determine if the levels were adequately implemented.  By using the Framework levels, an agency can prioritize its efforts as well as evaluate progress.

    Building from this Framework, NIST issued a more detailed security questionnaire that most agencies used to conduct their program and system reviews.  This document (NIST Special Publication 800-26) provides guidance on applying the Framework by identifying 17 control areas, such as those pertaining to identification and authentication and contingency planning. In addition, the guide provides control objectives and techniques that can be measured for each area.  Many agencies used this to prepare their GISRA responses to OMB.

Federal Agency Security Practices Web Site

    NIST recently inaugurated the Federal Agency Security Practices (FASP) website (http://csrc.nist.rip/fasp/), building upon past successful work of the Federal CIO Council’s Best Security Practices pilot effort to identify, evaluate, and disseminate best practices for CIP and security.  NIST was asked to undertake the transition of this pilot effort to an operational program.  As a result, NIST developed the FASP site, which contains agency policies, procedures and practices; the CIO pilot best practices; and a Frequently-Asked-Questions section.  Agencies are encouraged to share their IT security information and IT security practices and submit them for posting on the FASP site.  Over 60 practices are now available via the site.  Some practices have been modified so as not to identify the specific submitting agencies.

Establishment of the NIST Computer Security Expert Assist Team

    To assist agencies in securing their IT through improved management, Congress appropriated $3M in new funding in FY 2001 for NIST to establish the Computer Security Expert Assist Team (CSEAT).  This team performs a review of an agency's computer security program from a management, not a technical, perspective.  The team’s efforts help improve federal cybersecurity planning and implementation efforts by assisting governmental entities in improving the security of their information and cyber assets.  The CSEAT accomplishes this by performing a review of an agency's computer security program. The review is based on a combination of proven techniques and best practices and results in an action plan that provides a Federal agency with a business case-based roadmap to cost-effectively enhance the protection of their information system assets.

    The CSEAT has three primary purposes:

        1. to assist agencies in improving the security of Federal IT systems,
        2. to help reduce disruption of critical Federal systems/services, and
        3. to improve Federal agency CIP planning and implementation efforts.

    The CSEAT also helps Federal agencies understand how to protect information systems, identify and fix existing vulnerabilities, and prepare for future security threats. The CSEAT also facilitates exchange of best security practices among government agencies and between the government and private sector.

    These reviews are important not only to the specific agencies, but also to NIST.  One of the key objectives in implementing the CSEAT initiative was to assist NIST in identifying systemic security issues and challenges specific to distinct agency environments in order to support development of needed computer security guidance.  The CSEAT visits and subsequent reviews of agencies’ processes help NIST obtain a “first hand” understanding of how NIST guidance is implemented at the working level in diverse federal organizations.  This is invaluable to NIST in meeting its statutory requirements for deployment of effective security standards and guidelines.  The CSEAT reviews provide critical information for NIST strategic planning in support of technical assistance for Federal agencies.

    No funding was provided for this team in FY 2002. The Executive Order on Critical Infrastructure Protection states that the heads of Executive Branch departments and agencies are responsible and accountable for providing and maintaining adequate levels of security for information systems.  The President’s FY 2003 budget proposes funding CSEAT as a cost-reimbursable program where Federal agencies pay for CSEAT reviews.  The requested funding of $1 million will cover administrative costs to maintain a small staff to oversee and administer CSEAT activities, review methodology, and ensure currency of information and approach.

Conclusion

    Let me close by emphasizing that our national commitment to improve cybersecurity must be increased -- in Federal agencies and elsewhere.  There is still much more to be done to address the continuing challenges of IT security.  NIST has a proven track record of success and stands ready to play a key role in this and other facets of homeland defense.  While we have a small effort in terms of funding, NIST has a very critical role in Federal IT security.  We will continue to work to meet our statutory responsibilities in protecting sensitive systems of Federal departments and agencies, leading our security research, standards development, and testing programs, running the Computer Security Resource Center, and raising awareness and demand for security products and services.  Thank you, Mr. Chairman.  I will be pleased to answer any questions.
Last updated: July 21, 2005
Page created: March 29, 2002