UNCLASSIFIED
1. LandWarNet 2008
2. PURPOSE: To present an update of the Army’s IA/IT Security Requirements to Industry and discuss how industry can innovate and meet the requirement
3. Federal Desktop Core Configuration – Dr. Amy Harding
4. Importance of Data Strategy & Data Naming – Mr. Ralph Lowenthal
5. Army Network is segmented/layered
Requires DOIM coordination and cooperation
Collecting data from multiple tools -- complicated with each additional tool
Open database schemas – DoD tools impact need for open schemas
Must be automated
User Defined Operational Pictures (UDOP) – Defining what you need and how you want it reported/displayed
Lack of standard naming conventions impacts ability to consolidate information from multiple tools
6. Data Naming Strategy – Table of Baaaable
Schaf (German)
schaap (Dutch)
brebis (French)
pecora (Italian)
oveja (Spanish)
hitsuji (Japanese)
sheep (English)
8. Questions
What do you expect from security tools vendors? They don't own the applications being found.
Who should be responsible for developing these naming schemas that you are talking about?
9. DODI 8500.2 Compliancy – Mr. Ted Hendy
10. Understand how you can contribute
Security is achieved and sustained through 3 primary drivers:
Securable components
Secure design and implementation
Organizational Security of the operating unit
As a vendor you might play a role in any or all of these drivers
To be effective, competitive and an overall value-added component of Army security, please study our rules: DODI 8500.2, AR 25-2, BBPs, etc.
11. Securable Components – Component Security
Develop and deliver products that have the ability to be configured for DODI 8500.2 compliancy:
Auditing
Identity Management
Secure Remote Administration
Authorized and tested Encryption
Develop systems based on least privilege
STIG Compliancy, Ports and Protocol compliancy, etc
Develop a secure configuration that is an installation option
Deliver a security features and configuration guide with your product
12. Secure Implementation and Operation
If you are contracted to integrate a solution:
Be aware of DOD and Army IA Best Business Practices and IA Controls
Bid a security compliant option
Install to a secure configuration
Design a solution set that can be securely sustained
If you are contracted to provide O&M support:
Be aware of the 8500.2 IA Controls that are operational controls, e.g.,
Configuration Management
COOP/DR
Secure Administration, Patch Management, etc.
13. Questions
Why should I bother meeting all the requirements you stated when I can sell directly to Army customers who don't demand them?
How can I get my product accredited?
14. Preparing Your Technology for a Favorable Evaluation – Mr. Ken Acord
15. What to Expect
We do not certify products
We evaluate against all known DOD and Department of the Army requirements
We evaluate and publish results
We do NOT publish BETA results
16. How to Prepare your Technology for Evaluation
Be prepared for evaluation
Ensure all equipment is on hand and functioning
Ensure system is configured properly
Ensure tech support is ready and available
You review the evaluation requirements and the report, the TIC controls the final content of the report
17. Recommendations for Favorable Evaluation
Include certification (NIAP & FIPS) and DoD evaluation requirements in your product development cycle from the beginning:
Time
Funding
Conduct internal testing to STANDARDS, regulations, policies, and BBPs
Common areas of concern/failure include:
Passwords:
Age
Complexity
History
Length
Account lock-out
Secure connections to external authentication devices
Interfaces for banner include:
Web GUI
CLI
Console
Telnet
SSH
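The password and banner items above are the ones products most often fail on, and all of them can be checked by the vendor before the equipment is shipped for evaluation. The following Python script is an added example, not part of the original presentation and not an Army or TIC tool: it runs a pre-evaluation self-check over a product's exported settings, covering each password control named on the slide (age, complexity, history, length, account lock-out), the transport to an external authentication server, and the presence of a login banner on every enabled management interface. The `key = value` export format, the key names, the constructed sample export and the numeric thresholds are all assumptions made for illustration; the thresholds are not the DoD values and should be replaced with the ones from the STIG and IA controls that apply to the product.

```python
"""Pre-evaluation self-check for the 'common areas of concern/failure' slide.

Added example: the settings format and key names are invented for illustration,
and the thresholds in BASELINE are placeholders, NOT the DoD/STIG values.
"""

# Illustrative thresholds only (assumption): substitute the values from the
# applicable STIG / IA control before relying on this check.
BASELINE = {
    "max_age_days": 60,      # password age: must expire within this many days
    "min_length": 15,        # password length
    "history": 5,            # passwords remembered before reuse is allowed
    "lockout_threshold": 3,  # failed logins before the account locks
    "lockout_minutes": 15,   # minimum lock-out duration
}
COMPLEXITY_CLASSES = ("upper", "lower", "digit", "special")
# The interfaces the slide lists as needing the login banner.
BANNER_INTERFACES = ("web_gui", "cli", "console", "telnet", "ssh")

# Constructed sample export of a (fictional) product's settings.
SAMPLE_CONFIG = """
# product settings export (constructed sample, not a real device)
password.max_age_days = 90
password.min_length = 15
password.complexity = upper,lower,digit
password.history = 5
lockout.threshold = 0
lockout.minutes = 15
auth.external.enabled = yes
auth.external.encrypted = no
interface.telnet.enabled = no
banner.web_gui = yes
banner.cli = yes
banner.console = no
banner.ssh = yes
"""


def parse_settings(text):
    """Parse 'key = value' lines; '#' starts a comment. Keys are lower-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value
    return settings


def _int(settings, key):
    """Integer value of a setting, or None when absent or not numeric."""
    try:
        return int(settings[key])
    except (KeyError, ValueError):
        return None


def check_passwords(s):
    """Password age, length, complexity, history and account lock-out."""
    f = []
    age = _int(s, "password.max_age_days")
    if age is None or not 0 < age <= BASELINE["max_age_days"]:
        f.append("password age: must be set and at most %d days" % BASELINE["max_age_days"])
    length = _int(s, "password.min_length")
    if length is None or length < BASELINE["min_length"]:
        f.append("password length: minimum must be at least %d" % BASELINE["min_length"])
    classes = {c.strip().lower() for c in s.get("password.complexity", "").split(",") if c.strip()}
    missing = [c for c in COMPLEXITY_CLASSES if c not in classes]
    if missing:
        f.append("password complexity: not enforcing " + ", ".join(missing))
    history = _int(s, "password.history")
    if history is None or history < BASELINE["history"]:
        f.append("password history: must remember at least %d passwords" % BASELINE["history"])
    threshold = _int(s, "lockout.threshold")
    if threshold is None or not 0 < threshold <= BASELINE["lockout_threshold"]:
        f.append("account lock-out: must trigger within %d failed attempts (0 = disabled)"
                 % BASELINE["lockout_threshold"])
    minutes = _int(s, "lockout.minutes")
    if minutes is None or minutes < BASELINE["lockout_minutes"]:
        f.append("account lock-out: duration must be at least %d minutes" % BASELINE["lockout_minutes"])
    return f


def check_external_auth(s):
    """An external authentication server must be reached over a protected transport."""
    enabled = s.get("auth.external.enabled", "no").lower() == "yes"
    encrypted = s.get("auth.external.encrypted", "no").lower() == "yes"
    if enabled and not encrypted:
        return ["external authentication: connection to the authentication server is not encrypted"]
    return []


def check_banners(s):
    """Every enabled management interface must present the login banner."""
    f = []
    for iface in BANNER_INTERFACES:
        if s.get("interface.%s.enabled" % iface, "yes").lower() == "no":
            continue  # a disabled interface (e.g. telnet switched off) needs no banner
        if s.get("banner.%s" % iface, "no").lower() != "yes":
            f.append("banner: not configured on %s" % iface)
    return f


def audit(config_text):
    """Return the list of findings for one settings export (empty list = clean)."""
    s = parse_settings(config_text)
    return check_passwords(s) + check_external_auth(s) + check_banners(s)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL:", finding)
```

Run against the constructed sample, the script reports the expired-too-late password age, the missing special-character class, the disabled lock-out, the unencrypted link to the authentication server and the missing console banner, while correctly ignoring Telnet because that interface is switched off. Note that a disabled lock-out (threshold 0) is treated as a failure rather than as "unlimited attempts allowed", which is the kind of default that otherwise slips through vendor self-testing.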
18. Questions
Why can't you test in parallel to the NIAP & FIPS certification process?
Why test all members of a product family?
19. IA Product Acquisition – Ms. Julia Conyers-Lucero
20. Acquisition Approval Process
Letter to Industry, 31 July 2008
Products need to meet Federal, DoD and Army standards
Manufacturers must work with the OIA&C to get IA tools approved
Approved products are added to the Army’s Information Assurance Approved Product List
Approved products and part numbers are submitted to Project Director Computer Hardware, Enterprise Software and Solutions (PD CHESS)
21. PD CHESS Process
OIA&C submits approved products and part numbers
PD CHESS will notify ITES-2H Contracts primes of new approved products and their associated part numbers
Prime ITES-2H Contracts holders will work with their partners to add the approved products and part numbers to their catalogs
Manufacturers need to establish partnerships with the ITES-2H contracts holders
ITES-2H expire
22. Category of Products for PD CHESS Contracts
Types of IA products being added to the PD CHESS contracts for use in the Army for strategic, operational, or tactical networked environments include, but are not limited to:
Firewalls
IDS/IPS
VPNs
Encryption
Wireless Security
Network Assessment Tool (Vulnerability Scanners)
Purge
DIACAP
Data-at-Rest
Malicious Code Detectors (anti-virus and anti-spyware)
Management consoles
Network Access Protection/Network Access Control tools
23. Questions
I have met all the Federal, DoD, and Army requirements and have been added to the IA-APL; what can my company do to ensure we get added to the ITES-2H Contracts?
How long are products listed on the PD CHESS ITES-2H contracts?
What is the value of getting a product on the IA-APL and added to the PD CHESS ITES-2H contracts?
24. Supply Chain Risk Management – Ms. Kathy Laymon
25. Supply Chain Risk Management – What is it?
In a global economy, industry needs to be cognizant of what they are buying and from whom
If industry is buying from locations or companies they feel may be of concern, they should put in place possible security checks to ensure the US Government purchase is not at risk.
Keep records and declare clearly what they know on the SF-328
26. IA Approved Products List – Process & Success – Ms. Joudi M. Henoud
27. Core Requirements - Letter to Industry
IA Tools Vetting Process
Recurring Issues/Challenges – How industry can help
Measuring Success
28.
29. DoD Lab testing is in addition to NIAP testing.
DoD Lab is NOT the same as a C&A (DIACAP) or Networthiness.
DoD Lab is an in-depth test and examination of the product's claims in the Army's simulated environments.
DoD Lab tests the products in FIPS Operated Mode.
NIAP Certification is required for the appropriate robustness level against the U.S. protection profile.
IPv6: final certification is not required, but a road map with actual dates is.
Removal from the IA APL requires Army surveys to ensure maintenance agreements are honored, plus legal and acquisition review.
Products on the IA APL for 12 months or longer will be moved to Legacy status.
If a product is supported beyond end of sale, the product remains on Legacy Maintenance status with a date for end of support.
A product is retired as End of Sale and End of Support are declared by the manufacturer.
Products undergoing the approval process will not be posted on the IA APL, nor be made available to PD CHESS for sales.
30. Step 1: Kick-Off Meeting: identify the key technology offered to the Army. Step 2: Develop a Product Certification Plan. The Product Certification Plan is presented to corporate leadership as well as to NIAP and the DoD Lab of choice.
NOTE: FIPS/CMVP – Per NIST, 95% of product documentation is incorrect; 50% of crypto modules fail to pass federal standards.
31.
FIPS testing requires me to re-architect my technology; it is too expensive; it takes too long
95% of vendors do not have proper documentation
50% have flawed security
27% of flaws remediated during testing
50% of crypto modules fail to launch
FIPS testing and validation is critical; otherwise you have a 50-50 chance of buying correctly implemented cryptography – Source: NIST Annual Report 2007
NIAP/CCEVS US Government Protection Profiles
Resellers not synchronizing with Manufacturers for compliant and approved products
32. How Do We Measure Success?
Picture of Success – Army
Assured Supply Chain
Vetted Pedigree
Risk Management
Compliant technology
ROI for Security and IT Portfolio Management