Federal officials unveiled details of a new public-private partnership aimed at speeding industry’s development of secure information technology products.
The new National Cybersecurity Center of Excellence (NCCoE) launched in February is a project of the National Institute of Standards and Technology (NIST). It aims to bring companies together to create and discuss security management solutions that can be used by agencies and private companies.
Acting Executive Director Donna Dodson on Tuesday said NCCoE’s vision is to provide a world-class collaborative environment for integrating cybersecurity solutions that stimulate economies and national economic groups.
Initially, the center will focus on secure health IT products, then expand gradually into other areas such as cloud and mobile computing, based on industry’s needs and challenges.
“We do not envision building our own solution from scratch. What we want to do is work collaboratively … to do that in conjunction with industry,” she said.
Here’s how the center will operate:
Step 1: Engage the business community.
Step 2: Propose “use cases”.
Step 3: Select applicable IT components.
Step 4: Generate feedback and implement new cyber prototype solutions.
To engage businesses, the center plans to conduct what it calls “deep dive” workshops, in which it gathers inputs from a broad variety of groups to address a specific challenge.
The center will engage all participants — small businesses, large businesses, the academic sector and federal agencies alike — to develop an integrated solution that has clear benefits for particular industry sectors. The goal is to find integrated, affordable and useful security tools for all technology consumers.
“Federal agencies are one of those business communities that rely on a commercial product to build infrastructures that support their business needs,” said Matt Scholl, deputy chief of NIST’s Computer Security Division.
The need is especially great in the health care arena. One collaborative “use case” example is the work NCCoE has done on health IT solutions with the Health and Human Services Department.
NIST Director Dr. Patrick Gallagher said that between 2005 and 2008, 230 million electronic records were breached, which included 40 million electronic medical records, according to the American National Standards Institute. In November 2001, a study showed 96 percent of healthcare providers responding to a survey reported at least one data breach in the last two years.
The $10 million center operates at a state-of-the-art computing facility near NIST’s Gaithersburg, Md., campus.
The National Institute of Standards and Technology wants to demystify cloud computing.
NIST released a special publication on Tuesday to “explain cloud systems in plain language” and provide information technology executives with recommendations, concerns and the benefits of migrating to the cloud.
The 81-page document explains the level of service agencies can expect in various cloud environments and the potential pitfalls they should be aware of, such as abrupt changes in service agreements by cloud providers and scheduled service outages, which vary with the type of cloud. Among its recommendations, agencies should:
- Develop a plan for migrating data to and from the cloud and for accessing the data once it is in the cloud.
- Require that a cloud provider offer a mechanism for deleting user data on request and providing evidence that the data was deleted.
- Request that a provider allow visibility into the operating services that affect your data or operations on that data, including monitoring of the system’s health.
The National Institute of Standards and Technology on Tuesday released proposed revisions to its requirements that govern how agencies secure their federal information systems.
Proposed changes to Special Publication 800-53, Revision 4, address new challenges that agencies face, including insider threats, supply chain risk, mobile and cloud computing technologies, and other cybersecurity issues and challenges, NIST said in a news release.
“The changes we propose in Revision 4 are directly linked to the current state of the threat space — the capabilities, intentions and targeting activities of adversaries — and analysis of attack data over time,” NIST fellow Ron Ross said in a statement.
“Many organizations are concerned about advanced persistent threats, so we added new controls that will allow organizations to use different strategies to combat those types of threats,” Ross said.
The proposed revisions add new security controls (descriptions of what agencies must do to properly manage an information system), clarify existing security control requirements and enhance others.
Once approved, the changes will be used by the Federal Risk and Authorization Management Program (FedRAMP) to assess the security of cloud computing service providers. The administration plans to begin certifying cloud computing solutions under the mandatory security assessment program in June.
The public comment period for NIST’s revisions is from Feb. 28 to April 6, and the final document is expected to be released in July, after FedRAMP reviews begin.
It isn’t clear how long cloud vendors will have to adjust to the changes. And those details were not included in a new charter that defines the role of FedRAMP’s Joint Authorization Board, composed of chief information officers at the General Services Administration and Homeland Security and Defense departments.
The board will prioritize which cloud vendors will be first to undergo FedRAMP reviews, define security authorization requirements for vendors and provide the criteria for approving independent assessors to review the security of cloud solutions. The board is required to meet formally at least twice a year and to appoint technical representatives who meet monthly.