NCCoE Seeks Vendors to Develop Model IT Asset Management System for Financial Services Companies
From NIST Tech Beat: May 6, 2014
The National Cybersecurity Center of Excellence (NCCoE) is seeking collaborators to provide products and technical expertise to create a model, standards-based system that companies in the financial services sector could use to integrate their existing asset management, hardware and software support and information technology security into a single comprehensive system.
The NCCoE is a partnership of the National Institute of Standards and Technology (NIST), the State of Maryland and Maryland's Montgomery County. The center is dedicated to furthering rapid adoption of practical, standards-based cybersecurity solutions for business and public organizations using commercially available technologies.
As in many organizations, IT assets in the financial services industry can range from company smart phones and laptops up through major database and network servers and office systems. Managing them is a complex task that goes far beyond simply keeping track of where they are. Software—both operating systems and programs—must be kept current with periodic upgrades and "patches," and the organization must be able to rapidly and seamlessly respond to new threats from malware or cyber attacks. That's the job of an IT asset management (ITAM) system.
The NCCoE is looking for technology vendors interested in working on a standards-based model solution—a "reference design"—to demonstrate how companies can tie their existing data systems for physical assets and security, and IT security and support, into a comprehensive ITAM. The details of the challenge are laid out in a recently released IT Asset Management "use case"—a tool software engineers use to define specific function requirements of a system. The center invited public comment on a draft version of the use case in 2013, and used that input to develop the final version.
Technology vendors who participate provide commercially available products that will serve as modules in an end-to-end sample solution. NIST will not endorse particular products, but will use them as references that provide certain capabilities and conform to existing standards. To adopt this ITAM system, financial services companies can use similar products with the same capabilities. The goal is to help companies answer questions about their IT assets' operation and vulnerabilities. Companies can employ this ITAM system, or one like it, to apply business and security rules dynamically to make better use of information assets and protect enterprise systems and data.
The project also will result in a freely available NIST practice guide that includes a materials list and instructions for implementing the reference design. The NCCoE will seek the public's feedback on reference designs, improving them accordingly.
Companies interested in participating in the reference design project must submit a letter of interest in which they outline their proposed contribution. Full details of this process are published in a Federal Register notice (docket number140321260-4260-01) at https://federalregister.gov/a/2014-10349. Those selected to participate will enter into a cooperative research and development agreement with NIST.
To learn more about the NCCoE and how to collaborate on its projects, visit http://nccoe.nist.gov.