310 likes | 497 Views
UNCLASSIFIED. . PURPOSE: To present an update of the Army's IA/IT Security Requirements to Industry and discuss how industry can innovate and meet the requirement. LandWarNet 2008 . . Federal Desktop Core Configuration Dr. Amy Harding. Importance of Data Strategy
E N D
1. LandWarNet 2008
2. PURPOSE: To present an update of the Army’s IA/IT Security Requirements to Industry and discuss how industry can innovate and meet the requirement
3. Federal Desktop Core ConfigurationDr. Amy Harding
4. Importance of Data Strategy & Data Naming Mr. Ralph Lowenthal
5. Army Network is segmented/layered
Requires DOIM coordination and cooperation
Collecting data from multiple tools -- complicated with each additional tool
Open database schemas – DoD tools impact need for open schemas
Must be automated
User Defined Operational Pictures (UDOP) – Defining what you need and how you want it reported/displayed
Lack of standard naming conventions impacts ability to consolidate information from multiple tools
6. Data Naming Strategy--Table of Baaaable Schaf (german)
schaap (dutch)
brebis (french)
pecora (italian)
oveja (spanish)
hitsuji (japanese)
Sheep (english)
8. Questions What do you expect from security tools vendors—they don’t own the applications being found?
Who should be responsible for developing these naming schemas that you are talking about?
9. DODI 8500.2 CompliancyMr. Ted Hendy
10. Understand how you can contribute Security is achieved and sustained through 3 primary drivers:
Securable components
Secure design and implementation
Organizational Security of the operating unit
As a vendor you might play a role in any or all of these drivers
To be effective, competitive and an overall value added component of Army security please study our rules: DODI 8500.2, AR 25-2, BBPs, etc
11. Securable Components Component Security
Develop and deliver products that have the ability to be configured for DODI 8500.2 compliancy:
Auditing
Identity Management
Secure Remote Administration
Authorized and tested Encryption
Develop systems based on least privilege
STIG Compliancy, Ports and Protocol compliancy, etc
Develop a secure configuration that is an installation option
Deliver a security features and configuration guide with your product
12. Secure Implementation and Operation If you are contracted to integrate a solution:
Be aware of DOD and Army IA Best Business Practices and IA Controls
Bid a security compliant option
Install to a secure configuration
Design a solution set that can be securely sustained
If you are contracted to provide O&M support:
Be aware of the 8500.2 IA Controls that are operational controls, i.e.,
Configuration Management
COOP/DR
Secure Administration, Patch Management, etc.
13. Questions Why should I bother meeting all the requirements you stated when I can sell directly to Army customers who don’t demand them?
How can I get my product accredited?
14. Preparing Your Technology for a Favorable EvaluationMr. Ken Acord
15. What to Expect
We do not certify products
We evaluate against all known DOD and Department of the Army requirements
We evaluate and publish results
We do NOT publish BETA results
16. How to Prepare your Technology for Evaluation Be prepared for evaluation
Ensure all equipment is on hand and functioning
Ensure system is configured properly
Ensure tech support is ready and available
You review the evaluation requirements and the report, the TIC controls the final content of the report
17. Recommendations for Favorable Evaluation Include certification (NIAP & FIPS) and DoD evaluation requirements into your product development cycle from the beginning
Time
Funding
Conduct internal testing to STANDARDS, regulations, policies, and BBPs
Common areas of concern/failure include:
Passwords:
Age
Complexity
History
Length
Account lock-out
Secure connections to external authentication devices
Interfaces for banner include:
Web GUI
CLI
Console
Telnet
SSHPasswords:
Age
Complexity
History
Length
Account lock-out
Secure connections to external authentication devices
Interfaces for banner include:
Web GUI
CLI
Console
Telnet
SSH
18. Questions Why can’t you test in parallel to the NIAP & FIPS certification process?
Why test all members of a product family?
19. 19 IA Product AcquisitionMs. Julia Conyers-Lucero
20. Acquisition Approval Process Letter to Industry, 31 July 2008
Products need to meet Federal, DoD and Army standards
Manufacturers must work with the OIA&C to get IA tools approved
Approved products are added to the Army’s Information Assurance Approved Product List
Approved products and part numbers are submitted to Project Director Computer Hardware, Enterprise Software and Solutions (PD CHESS)
21. PD CHESS Process OIA&C submits approved products and part numbers
PD CHESS will notify ITES-2H Contracts primes of new approved products and part their associated numbers
Prime ITES-2H Contracts holders will work with their partners to add approved products and part numbers and add products and part numbers to their catalogs
Manufacturers need to establish partnerships with either the ITES-2H contracts holders
ITES-2H expire
22. Category of Products for PD CHESS Contracts Types of IA products being added to the PD CHESS contracts for use in the Army for strategic, operational, or tactical networked environments include, but not limited to:
Firewalls
IDS/IPS
VPNs
Encryption
Wireless Security
Network Assessment Tool (Vulnerability Scanners)
Purge
DIACAP
Data-at-Rest
Malicious Code Detectors (anti-virus and anti-spyware)
Management consoles
Network Access Protection/Network Access Control tools
23. Questions I have met all the Federal, DoD, and Army requirements and have been added to the IA-APL, what can my company do to ensure we get added to the ITES-2H Contracts?
How long are products listed on the PD CHESS ITES-2H contracts?
What is the value to getting a product on the IA-APL and added to the PD CHESS ITES-2H contracts?
24. Supply ChainRisk ManagementMs. Kathy Laymon
25. 25 Supply Chain Risk Management What is it?
In a global economy, industry needs to be cognizant of what they are buying and from whom
If industry is buying from locations or companies they feel may be of concern, they should put in place possible security checks to ensure the US Government purchase is not at risk.
Keep records and declare clearly what they know on the SF- 328
26. 26 IA Approved Products ListProcess & SuccessMs. Joudi M. Henoud
27. Core Requirements - Letter to Industry
IA Tools Vetting Process
Recurring Issues/Challenges – How industry can help
Measuring Success
28. 28
29. DoD Lab = is in addition to NIAP testing.
DoD Lab is NOT the same as a C&A (DIACAP), Networthiness
DoD Lab is an depth test and examination of the product’s claims in the Army’s simulated environments.
DoD Lab tests the Products in FIPS Operated Mode.
NIAP Certification –is required for the appropriate robustness level against U.S. protection profile.
IPv6 - final certification is not required, but road map is with actual dates.
Removal from the IA APL requires Army surveys to ensure maintenance agreements are honored, legal, and acquisition review.
Products on the IA APL for 12 months or longer will be moved to Legacy status
If product is supported beyond end of sale, product remains on Legacy Maintenance status with date for end of support.
Product is retired as End of Sale and End of Support are declared by manufacturer.
Products undergoing the approval process will not be posted on the IA APL, nor be made available to PD CHESS for sales.
DoD Lab = is in addition to NIAP testing.
DoD Lab is NOT the same as a C&A (DIACAP), Networthiness
DoD Lab is an depth test and examination of the product’s claims in the Army’s simulated environments.
DoD Lab tests the Products in FIPS Operated Mode.
NIAP Certification –is required for the appropriate robustness level against U.S. protection profile.
IPv6 - final certification is not required, but road map is with actual dates.
Removal from the IA APL requires Army surveys to ensure maintenance agreements are honored, legal, and acquisition review.
Products on the IA APL for 12 months or longer will be moved to Legacy status
If product is supported beyond end of sale, product remains on Legacy Maintenance status with date for end of support.
Product is retired as End of Sale and End of Support are declared by manufacturer.
Products undergoing the approval process will not be posted on the IA APL, nor be made available to PD CHESS for sales.
30. 30 Step 1: Kick Off Meeting: identify key technology offered Army. Step 2: Develop Product Certification Plan. Product Certification plan assists is presented to corporate leadership as well as NIAP, and DoD Lab of choice.
Plan
NOTE: FIPS/CMPV – Per NIST 95% of product documentation is incorrect; 50% of crypto modules fail to pass federal standards.
Step 1: Kick Off Meeting: identify key technology offered Army. Step 2: Develop Product Certification Plan. Product Certification plan assists is presented to corporate leadership as well as NIAP, and DoD Lab of choice.
Plan
NOTE: FIPS/CMPV – Per NIST 95% of product documentation is incorrect; 50% of crypto modules fail to pass federal standards.
31. 31
FIPS testing requires me to re-architect my technology, it is too expensive. It takes too long
95 % of vendors do not have proper documentation
50 % have a flawed security
27% of flaws remediated during testing
50 % of crypto modules fail to launch
FIPS testing and validation is critical otherwise you will have 50-50 chance of buying correctly implemented cryptography – Source NIST Annual Report 2007
NIAP/CCEVS US Government Protection Profiles
Resellers not synchronizing with Manufacturers for compliant and approved products
32. 32 How do We Measure Success? Picture of Success - Army
Assured Supply Chain
Vetted Pedigree
Risk Management
Compliant technology
ROI for Security and IT Portfolio Management