NCCoE Seeks Vendors to Develop Model Systems for Controlling Access to IT Assets
From NIST Tech Beat: August 14, 2015
The National Cybersecurity Center of Excellence (NCCoE) is seeking collaborators to provide products and technical expertise on three projects to help organizations improve their cybersecurity. The projects focus on access control, personal identity verification credentials and mobile devices. Each project will result in an example cybersecurity design that can be used by organizations in multiple industry sectors.
Collaborators in the “Attribute Based Access Control” (ABAC) project will help create a model, standards-based system to help companies better control who has access—and to what degree—to applications, networks and data on their IT systems.
An individual’s access to an organization’s network or its assets usually is defined by job or role. If roles change or an employee leaves the company, an administrator must manually change access rights accordingly—perhaps within several systems.
An ABAC system uses granular attributes, such as title, division, certifications and training, rather than a person’s role, to authorize an individual’s access—information that could be available to systems across an organization, or even among organizations. For example, a physician responding to a disaster in a neighboring state could quickly gain access to a hospital’s patient records and radiology and pharmacy ordering systems, based on authentication of his or her credentials and attributes such as employee status, medical specialization and certifications, even if the physician has never had an account on that system. To collaborate on this project, see the Federal Register notice document 2015-20041.
In the “Derived Personal Identity Verification (PIV) Credentials” project, vendor partners will help develop a reference design that demonstrates how government agencies and businesses can authenticate mobile device users that need access to controlled facilities, information systems and applications.
PIV credentials are often delivered through a smart card or badge, which work well with desktop or laptop computers that support built-in smart card readers. But with the proliferation of mobile devices, such as smartphones or tablets, using PIV credentials for authentication becomes complicated. Using an external smart card reader that attaches to mobile phones or tablets creates portability challenges and makes the card impractical as an authentication token. To collaborate on this project, see the Federal Register notice document 2015-0039.
For the “Mobile Device Security” project, vendors will help demonstrate how companies can implement mobile device security that provides enterprise-class protection without sacrificing usability.
In the past, organizations have cordoned off their trusted internal IT networks from untrusted external networks. But with mobile devices blurring the lines of personal and business use, coupled with a rapidly changing array of mobile platforms, companies must now ensure that the cell phones, tablets and other devices connected to their enterprise systems will protect sensitive data. This project’s reference design will detail technologies that enable users to work inside and outside a corporate network with securely configured mobile devices, while also allowing system administrators more granular control. To collaborate on this project, see the Federal Register notice document 2015-20040.
These three projects are NCCoE “building blocks,” example cybersecurity implementations that apply to multiple industry sectors and can be incorporated into many of the center's sector-specific use cases. The projects will result in freely available NIST Cybersecurity Practice Guides, Special Publication series 1800, which include a materials list and instructions for implementing the reference design. The NCCoE will seek the public's feedback on these example solutions, improving them accordingly.
Interested companies must submit a letter of interest in which they outline their proposed contribution. Full details of this process are published in the Federal Register notices for each project. Those selected to participate will enter into a Cooperative Research and Development Agreement with NIST.
The NCCoE, the U.S. cybersecurity national lab, is a partnership of the National Institute of Standards and Technology (NIST), the State of Maryland and Maryland's Montgomery County. The center is dedicated to furthering rapid adoption of practical, standards-based cybersecurity solutions for businesses and public organizations using commercially available and open-source technologies. To learn more about the center’s projects, visit the NCCoE website.