
Remarks at CyberMontgomery 2015

From Research to Application: The Evolution of Applied Cybersecurity at NIST

As prepared.

The Information Technology Laboratory at the National Institute of Standards and Technology (NIST) has the broad mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology through research and development in information technology, mathematics and statistics.

NIST accomplishes its mission through collaborative partnerships with our customers and stakeholders in industry, government, academia, standards bodies, consortia and international partners. With our collaborators, we develop and deploy standards, tests and metrics to make our information systems more secure, usable, interoperable and reliable.

In the area of cybersecurity, NIST has worked with federal agencies, industry and academia since 1972, starting with the development of the Data Encryption Standard, when the potential commercial benefit of this technology became clear. Our role, to research, develop and deploy information security standards and technology to protect the federal government's information systems against threats to the confidentiality, integrity and availability of information and services, was recently reaffirmed in the Federal Information Security Modernization Act of 2014.

In addition, the Cybersecurity Enhancement Act of 2014 authorizes NIST to facilitate and support the development of voluntary, industry-led cybersecurity standards and best practices for critical infrastructure. Our foundational cybersecurity research programs advance the state of the art in many areas, including cryptography, roots of trust, and identity and access management.

Our applied cybersecurity programs are a natural progression from our foundational research and focus on the development, application and promotion of security standards, guidelines and technologies to address cybersecurity needs in many important areas, including the information and communications technologies supply chain, cyber physical and industrial control systems, electronic voting, health IT and the National Public Safety Broadband Network.

NIST is also leading several national initiatives to advance applied cybersecurity.

The National Strategy for Trusted Identities in Cyberspace, or NSTIC, is a White House initiative that works collaboratively with the private sector, advocacy groups, public-sector agencies, and other organizations to catalyze a marketplace of better identity and authentication solutions—an "Identity Ecosystem" that raises the level of trust associated with the identities of individuals, organizations, networks, services and devices online.

As part of NSTIC's efforts, NIST has funded 15 pilots to help jumpstart the marketplace and test new approaches to overcome barriers such as usability, privacy and interoperability, which have hindered market acceptance and wider use of stronger authentication technologies.

But fixing online identity requires an applied approach that goes further than issuing grants to launch new solutions. NIST also partners with the privately led Identity Ecosystem Steering Group to establish a framework of standards and business rules so organizations' practices are more transparent and consistent—and thus easier for both individuals and other organizations to trust.

NIST also partnered with GSA and the U.S. Postal Service to launch and mature Connect.Gov, a federated hub for accessing government services. Connect.Gov means fewer login credentials for individuals while also providing a greater level of privacy. It's only fair to demonstrate the federal government "eats its own dog food" when it comes to doing identity right online.

The National Initiative for Cybersecurity Education, or NICE, is a public-private partnership between government, academia and the private sector that addresses the cybersecurity workforce needs of the nation by building upon existing successful programs and catalyzing new innovations and experiments to help meet the growing demand for a skilled cybersecurity workforce.

NICE expects to work closely with Montgomery College, recipient of a $15 million Trade Adjustment Assistance Community College and Career Training grant from the Department of Labor, as they develop Cyber Technology Pathways Across Maryland that will leverage the industry connections of NIST and utilize the NICE Workforce Framework. NICE also is coordinating closely with the National CyberWatch Center, headquartered at Prince George's Community College, to help connect CyberWatch's priorities with NICE's strategic directions.

NICE's emerging strategic directions include programs and initiatives that will:

• accelerate learning and skills development to more rapidly address the widening skills gap between demand for and supply of cybersecurity workers;
• nurture a diverse learning community that ensures equal educational and workplace opportunity for women, minorities and veterans who are presently underrepresented in the cybersecurity workforce; and,
• help employers use workforce development strategies and talent management systems that allow them to recruit and retain a competitive workforce.

As the cybersecurity threats and technology environments evolve, the cybersecurity education ecosystem and our approaches to workforce planning must adapt. We need an agile and flexible system that produces the workforce needed by both the public and the private sector to protect citizens, consumers and our critical infrastructure.

Developing cybersecurity standards is critical, but demonstrating how those standards work in the real world is also a critical initiative for NIST—such as our efforts to develop and amplify use of the Framework to Improve Critical Infrastructure Cybersecurity, or "the Framework."

Recognizing that the national and economic security of the U.S. depends on the reliable functioning of critical infrastructure, in February 2013, President Obama issued Executive Order 13636 on Improving Critical Infrastructure Cybersecurity, directing NIST to work with stakeholders to develop a voluntary framework—based on existing standards, guidelines and practices—for reducing cyber risks to critical infrastructure.

Since its release in February 2014, NIST has been educating different sectors about the Framework's use and value. The results can be seen in the variety of organizations employing the Framework, ranging from multinationals like Intel, Chevron, and Bank of America to small businesses like Silver Star Communications in Wyoming.

One of the most frequently cited benefits of the Framework is a common cyber risk management language, so that more efficient and precise discussions can be held up, down and across a company's management structure, with auditors, and with supply chain partners.

The Framework is now being used as a basis for security-oriented discussions and decision making in corporate boardrooms, the C-Suite, and among line managers and staff with cyber responsibilities.

Framework usage and value were further validated at the April 2015 RSA conference in San Francisco, where the Framework was perhaps one of the most discussed topics.

As some of you are aware, the National Cybersecurity Center of Excellence, or NCCoE, founded in 2012, is a partnership between NIST, the State of Maryland, and Montgomery County to accelerate the adoption of security technologies that are based on standards and best practices.

The NCCoE helps organizations increase their security posture by collaborating with industry, academia and government to create and promote new example cybersecurity solutions, demonstrating how existing standards-based technologies can be applied in the real world. This helps reduce businesses' technical, economic and educational barriers to widespread adoption of secure technologies.

The NCCoE works with industry to inform cybersecurity challenges and projects and then partners with the creators of off-the-shelf products to use them as modules in end-to-end solutions to cybersecurity problems that affect whole sectors of industry, or even multiple sectors.

The NCCoE is currently working on cybersecurity challenges across sectors such as mobile device security and attribute based access control, as well as on concerns specific to the health care, energy, financial services, transportation and retail sectors.

Last week, the NCCoE released a draft of its first practice guide: Securing Electronic Health Records on Mobile Devices. The NCCoE collaborated with health care industry and technology vendors to develop an example solution to show health care providers how they can secure electronic health records on mobile devices. The guide provides a detailed architecture so that they can recreate the security characteristics of the example solution with the same or similar technologies. The solution is guided by standards and best practices from NIST and others, including the Health Insurance Portability and Accountability Act rules. The NCCoE will be releasing a practice guide for the energy sector shortly.

How can you get involved?

This afternoon, you will hear from technology partners working with the NCCoE to build example cybersecurity solutions. They will give you some insight into how technology vendors partner in our applied cybersecurity initiatives at that center.

Please provide us feedback on our guidelines, reports and projects. We are always looking for input on the challenges you are facing and what would help you strengthen your cybersecurity efforts.

For example, NIST recently released, and is seeking feedback on, a draft report developing a privacy risk management framework. The draft report supports methods to develop a common vocabulary, objectives to facilitate privacy engineering, and a risk model for assessing privacy risk in information systems. But we understand that it's only relevant if the report is useful, necessary and adoptable, which is why we want feedback from the public on the work thus far. Please also review the recently released health IT practice guide from the NCCoE and let us know what you think.

We believe that applied cybersecurity efforts will only be successful with strong partnerships with industry—both businesses and technology vendors. We look forward to working with you to strengthen the nation's cybersecurity.

Created August 18, 2015, Updated October 1, 2016