Chairmen Quayle and Brooks, Ranking Members Wu and Lipinski and Members of the Subcommittees, I am Cita M. Furlani, Director of the Information Technology Laboratory at the Department of Commerce’s National Institute of Standards and Technology (NIST). Thank you for the opportunity to appear before you today to discuss our role in protecting information in the digital age.
As Secretary of Commerce Gary Locke said at the White House during the launch of the U.S. International Strategy for Cyberspace: “To preserve and even improve on people’s confidence in cyberspace, we need an environment that not only rewards innovation and empowers entrepreneurs, but one that also is constantly improving upon the integrity of the interactions that take place online.” NIST’s mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life is well positioned to support that goal.
As one of the major research components of NIST, the Information Technology Laboratory (ITL) accelerates, through standards, tests and metrics, the development, deployment and use of secure, usable, interoperable and reliable information systems that enable American businesses to be more innovative and competitive. ITL enables world-class measurement and testing through research innovations in the areas of computer science and systems engineering, mathematics, and statistics. We balance our research portfolio to be responsive to pressing national priorities while pursuing research necessary to meet future challenges in measurement science and technology.
Our R&D agenda focuses on the following broad program areas: cloud computing, complex systems, cybersecurity, biometrics, health information technology, National Initiative for Cybersecurity Education (NICE), National Strategy for Trusted Identities in Cyberspace (NSTIC), quantum information, pervasive information technology, security automation, smart grid, virtual measurement systems, and voting standards.
ITL addresses technical challenges through an integrated, multidisciplinary and systems approach that emphasizes collaboration with other NIST organizations, the Department of Commerce, other government agencies, the U.S. private sector, standards development organizations, and other national and international stakeholders. Our rich programmatic diversity derives from our mission and mandates like the Federal Information Security Management Act (FISMA), which charges ITL to develop cybersecurity standards, guidelines, and associated methods and techniques. Charged under other legislation, such as the USA PATRIOT Act, the HITECH Act and the Help America Vote Act, we are addressing major challenges faced by the nation in the areas of homeland security, health IT and electronic voting.
As you are aware, beginning in the early 1970s with enactment of the Brooks Act, NIST has developed standards to support federal agencies’ information assurance requirements. Through FISMA, Congress again reaffirmed NIST’s leadership role in developing standards for cybersecurity. FISMA provides for the development and promulgation of Federal Information Processing Standards (FIPS) that are "compulsory and binding" for Federal computer systems. The responsibility for the development of FIPS rests with NIST, and the authority to promulgate mandatory FIPS is given to the Secretary of Commerce. Section 303 of FISMA states that NIST shall:
NIST’s mission in cybersecurity is to work with federal agencies, industry, and academia to research, develop and deploy information security standards and technology to protect information systems against threats to the confidentiality, integrity and availability of information and services. Consistent with this mission and with the recommendations of the President’s Cyberspace Policy Review, NIST is actively engaged with private industry, academia, non-national security federal departments and agencies, the intelligence community, and other elements of the law enforcement and national security communities in coordination and prioritization of cybersecurity research, standards development, standards conformance demonstration and cybersecurity education and outreach activities. Research activities range from innovations in identity management and verification, to metrics for complex systems, to development of practical and secure cryptography in a quantum computing environment, to automation of discovery and maintenance of system security configurations and status, to techniques for specification and automation of access authorization in line with many different kinds of access policies.
NIST addresses cybersecurity challenges throughout the information and communications infrastructure through its cross-community engagements. Enabled by Congressional funding increases in 2002 and in response to FISMA, NIST is responsible for establishing and updating, on a recurring basis, the federal government risk management framework and cybersecurity controls. The national security community, a number of state governments and major private sector organizations are also adopting the risk management framework and cybersecurity controls designed by NIST. NIST is engaging industry to harmonize standards conformance requirements to align with industry business models and system development practices. NIST is also playing a leading security role in supply chain risk management, Health Information Technology, the Smart Grid, biometrics/face authentication, cybersecurity education and training beyond the federal government, next generation voting systems, and cloud computing. NIST is working with the intelligence and counterterrorism communities to facilitate cross-sector information sharing among federal, state and local government organizations.
Recognizing the importance of security-related standards beyond the federal government, NIST leads national and international consensus standards activities in cryptography, identity management, biometrics, electronic credentialing, secure network protocols, software and systems reliability, and security conformance testing.
Included in the scope of NIST cybersecurity activities are the usability of systems such as voting machines, electronic health records and software interfaces; network security, including standards and tests for Internet Protocol version 6, Domain Network Security (DNSSec), and wireless network protocols; research in mathematical foundations to determine the security of information systems; the National Software Reference Library, computer forensics tool testing, and mobile device forensics; software assurance metrics, tools, and evaluation; approaches to balancing safety, security, reliability, and performance in SCADA and other Industrial Control Systems used in manufacturing and other critical infrastructure industries; technologies for detection of anomalous behavior and for quarantines; standards, modeling, and measurements to achieve end-to-end security over heterogeneous, multi-domain networks; biometrics evaluation, usability, and standards (fingerprint, face, iris, voice/speaker, multimodal biometrics); and an international competition for a next-generation Secure Hash Algorithm (SHA-3).
NIST is actively participating in meeting the objectives of several of the near- and mid-term action plan activities from the Cyberspace Policy review.
National Initiative for Cybersecurity Education
The National Initiative for Cybersecurity Education (NICE) represents the evolution of the Comprehensive National Cybersecurity Initiative (CNCI) work on cybersecurity education. The scope of the initiative has been expanded from a federal focus to a broader national focus. NIST has assumed the overall coordination role for the effort, and is finalizing a strategic framework and a tactical plan of operation to support that framework. This expansion and the overall coordination role by NIST are in response to the President’s priorities as expressed in Chapter II, Building Capacity for a Digital Nation, of the President’s Cyberspace Policy Review.
NIST is currently readying the NICE strategic plan for public review, which should be available this summer. The strategic plan describes the goals and objectives that support the NICE Vision: a secure digital nation capable of advancing America’s economic prosperity and national security in the 21st century through innovative cybersecurity education, training, and awareness on a grand scale.
NIST’s NICE Team is working to unify and coordinate federal resources to enable the larger national effort to improve cybersecurity awareness, education, and training for the entire country. This effort targets U.S. citizens of all ages and all types of professions, whether academia, federal/state/local government, business partners (small, medium and large businesses/companies), or local community groups. NICE comprises four components.
In addition, NIST co-chairs the Networking and Information Technology Research and Development (NITRD) Social, Economic, and Workforce Implications of IT and IT Workforce Development (SEW) Coordinating Group Education Team. The NITRD SEW Education Team was recently established to focus on workforce development, training, and education needs arising from the growing demand for productive information technology-skilled workers and the role of innovative IT applications in education and training. The group is currently developing a draft set of priority federal research areas in education and IT.
International Cybersecurity Policy Framework
To support the U.S. Government’s international cybersecurity policy framework and strengthen our international partnerships, NIST and the National Security Agency lead an interagency activity to establish strategic objectives in pursuing the development of timely, technically sound international voluntary consensus cybersecurity standards. This includes commitment to the development of an international standards framework that:
Game Changing Technologies
NIST is an active member in the groups that coordinate the cybersecurity research and development agenda for federal agencies. The NITRD Cyber Security and Information Assurance Interagency Working Group (CSIA IWG), co-chaired by NIST, coordinates research and development to prevent, resist, detect, respond to, and/or recover from actions that compromise or threaten to compromise the availability, integrity, or confidentiality of computer- and network-based systems. The Special Cyber Operations Research and Engineering (SCORE) Interagency Working Group works in parallel to the CSIA IWG to coordinate classified cybersecurity R&D. Representatives from both of these groups participate together in the Senior Steering Group (SSG) for CSIA R&D, to actively share cybersecurity R&D information across the policy, fiscal, and research levels of the Government.
In May 2010, the CSIA IWG released its “Cybersecurity Game-Change Research & Development Recommendations,”1 identifying three primary R&D themes to motivate future Federal cybersecurity research activities: (a) Moving Target, (b) Tailored Trustworthy Spaces, and (c) Cyber Economic Incentives. These themes are designed to inspire Federal and private cybersecurity researchers to discover novel solutions to increase the nation’s cybersecurity protections. The NITRD CSIA IWG is currently developing a “Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program.”
Many of NIST’s research activities include standards and technologies that will address the three R&D themes recommended by the CSIA IWG, including, but not limited to,
National Strategy for Trusted Identities in Cyberspace
Under the leadership of the National Cybersecurity Coordinator, a multi-agency team, of which NIST was a substantial partner, created “The National Strategy for Trusted Identities in Cyberspace,” which laid out the vision for individuals and organizations to be able to utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation. The Strategy calls for a National Program Office to facilitate the carrying out of the Strategy and the development of interoperable technology standards and policies—an "Identity Ecosystem"—where individuals, organizations, and underlying infrastructure—such as routers and servers—can be authoritatively authenticated. The goals of the Strategy are to promote private sector capabilities for protecting individuals, businesses, and public agencies from the high costs of cyber crimes like identity theft and fraud, while simultaneously helping to ensure that the Internet continues to support innovation and a thriving marketplace of products and ideas in a privacy enhancing manner.
The National Program Office (NPO), to be established within the Department of Commerce, will coordinate the federal activities—including coordination of cooperative public/private efforts—needed to implement NSTIC. The office will be led by NIST, with activities involving public policy development and privacy protections to be led by the National Telecommunications and Information Administration. The NPO will have full access to NIST technical expertise, both in the development and acceptance of broad consensus-based standards. NIST has been actively involved in the development and interoperability of secure identity management for many years and recently initiated research into how to make such identity schemes easy to use and hard to misuse.
NIST has hired an internationally recognized expert in identity management to manage the establishment of the NSTIC NPO. NIST has also announced the first in a series of workshops to collect public comments on possible private-sector led governance structures for the Identity Ecosystem. This first workshop will be held June 9-10, 2011 in Washington, D.C. Finally, NIST is working with others in the Department of Commerce to develop and release a Notice of Inquiry to achieve even greater public comment on the issue of governance.
Risk Management Framework
NIST has produced Special Publication 800-34 “Contingency Planning Guide for Federal Information Systems” to assist with planning for system recovery and is currently working on Special Publication 800-30 revision 1, “Risk Management Guide,” which will provide guidance to agencies in threat identification, threat modeling, and threat metrics for use in risk management decisions. The current set of NIST Security Automation specifications includes the Common Vulnerability Scoring System which is a metric-based score for known vulnerabilities in the National Vulnerability Database. This information is used by federal agencies, industry, and internationally as an input to threat metrics for risk based decision making. NIST plans to extend these specifications into additional information areas to further facilitate threat discovery, identification, and measurement.
As mentioned above, NIST is actively engaged with private industry, academia, and other Federal agencies, including those in the NITRD community, in coordination of cybersecurity research and development.
In addition, under the provisions of the National Technology Transfer and Advancement Act (PL 104-113) and OMB Circular A-119, NIST is tasked with the key role of encouraging and coordinating federal agency use of voluntary consensus standards and participation in the development of relevant standards, as well as promoting coordination between the public and private sectors in the development of standards and in conformity assessment activities. NIST works with other agencies to coordinate standards issues and priorities with the private sector through consensus standards organizations such as the American National Standards Institute (ANSI), the International Organization for Standardization (ISO), the Institute of Electrical and Electronics Engineers (IEEE), the Internet Engineering Task Force (IETF), the Organization for the Advancement of Structured Information Standards (OASIS), and the International Telecommunication Union (ITU). Key contributions NIST has made include:
The President made cybersecurity an Administration priority upon taking office. During the release of his Cyberspace Policy Review in 2009, the President declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.”
Over the past two years, the Administration has taken significant steps to ensure that Americans, our businesses, and our government are building better protections against cyber threats.
Departments and agencies have implemented programs to enhance their risk management with regard to federal systems.
NIST believes that effective cybersecurity legislation requires an appropriate balance between short and long term goals, as well as providing motivation for strong collaborations between federal agencies, industry, academia, state and local governments and other interested stakeholders. The proposed legislation is focused on improving cybersecurity for the American people, our Nation’s critical infrastructure, and the Federal Government’s own networks and computers. NIST looks forward to playing its part, leveraging its legacy of research, development, and standards in this area with other federal and private sector partners.
NIST is actively involved with other federal agencies, industry and academia to address the highest priority cybersecurity research and development needs. NIST’s expertise and mission provide the best environment for performing the research necessary to enable the innovative cybersecurity specifications, standards, assurance processes, and training needed for securing U.S. Government and critical infrastructure information systems as well as many other elements of the Nation’s digital infrastructure to mitigate the growing threat. Finally, consistent with the NIST 3-Year Planning Report, NIST plans to expand its focus on cybersecurity challenges associated with healthcare IT, the Smart Grid, automation of federal systems security conformance, and cybersecurity game-changing research.
Thank you for the opportunity to testify today on NIST’s Federal cybersecurity research and development efforts. I would be happy to answer any questions that you may have.
1 The full document is available at http://nitrd.gov/PUBS/CSIA_IWG_%20Cybersecurity_%20GameChange_RD_%20Rec…