The Secure Systems and Applications Group's (SSAG) security research focuses on identifying emerging and high-priority technologies and on developing security solutions that will have a high impact on U.S. critical infrastructure. The group conducted research and development related to both public and private sector use cases. The research considered many aspects of the system’s lifecycle, from the earliest stages of technology development through proof-of-concept, reference and prototype implementations, and demonstrations. In addition, the group worked to transfer new technologies to industry; to produce new standards and guidance for federal agencies and industry; and to develop tests, test methodologies, and assurance methods.
SSAG investigated security concerns associated with such areas as mobile devices, cloud computing and virtualization, identity management, access control and authorization management, and software assurance. SSAG’s research helps to meet federal information security requirements that may not be fully addressed by existing technology. The group collaborated extensively with government, academia, and private sector entities.
Example successes from this work include:
- Tools for access control policy testing;
- New concepts in access control and policy enforcement;
- Several Personal Identity Verification (PIV) documents to support interagency use of the PIV Card;
- Methods for architecting a secure cloud ecosystem in a capability-oriented approach;
- Guidance and tools for orchestrating a secure cloud ecosystem;
- Guidance for secure deployment of virtualized infrastructure components – Hypervisor, Virtual Machines (VMs) and Virtual Network;
- Methods for achieving comprehensive policy enforcement and data interoperability across enterprise data services; and
- Test methods for mobile device (smart phone) application security.
In particular, the SSAG led the NIST Security and Forensics Working Group that published draft NISTIR 8006, NIST Cloud Computing - Security Reference Architecture, which aggregates forensics challenges in a cloud ecosystem. The working group has been developing a draft of SP 800-173, Guidance for Applying the Risk Management Framework to Federal-based Information Systems (target release date: spring/summer 2016). In response to the rapidly emerging use of virtualization in enterprise data centers, both for supporting in-house mission-critical applications and for providing cloud services, two guidance documents were published: Draft SP 800-125A, Security Recommendations for Hypervisor Deployment, and Draft SP 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection. In support of the revised FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, two new PIV-related SP 800-series publications were released and five SP 800 documents were revised. One of the new publications, SP 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, guides the implementation and deployment of PIV credentials for mobile devices. In addition, the PIV team participated in the Office of Management and Budget (OMB) cybersecurity Sprint effort, whose goal was to strengthen the cybersecurity of federal networks, systems, and data through multi-factor authentication using the PIV Card. To improve access to new technologies, the group also chaired, edited, and participated in the development of a wide variety of national and international security standards.