In a move to help organizations improve their cyber security, a center of excellence is seeking collaborators.
The projects focus on access control, personal identity verification credentials and mobile devices, said officials at the National Cybersecurity Center of Excellence (NCCoE).
Each project will result in a cyber security design that organizations can use in multiple industry sectors.
Collaborators in the “Attribute Based Access Control” (ABAC) project will help create a model, standards-based system to help companies better control who has access — and to what degree — to applications, networks and data on their IT systems.
An individual’s access to an organization’s network or its assets usually end up defined by job or role. If roles change or an employee leaves the company, an administrator must manually change access rights accordingly — perhaps within several systems.
An ABAC system uses granular attributes, such as title, division, certifications and training, rather than a person’s role, to authorize an individual’s access; information that could be available to systems across an organization, or even among organizations. For example, a physician responding to a disaster in a neighboring state could quickly gain access to a hospital’s patient records and radiology and pharmacy ordering systems, based on authentication of his or her credentials and attributes such as employee status, medical specialization and certifications, even if the physician has never had an account on that system. To collaborate on this project, see the Federal Register notice document 2015-20041.
In the “Derived Personal Identity Verification (PIV) Credentials” project, vendor partners will help develop a reference design that demonstrates how government agencies and businesses can authenticate mobile device users that need access to controlled facilities, information systems and applications.
PIV credentials often end up delivered through a smart card or badge, which work well with desktop or laptop computers that support built-in smart card readers. But with the proliferation of mobile devices, such as smartphones or tablets, using PIV credentials for authentication becomes complicated. Using an external smart card reader that attaches to mobile phones or tablets creates portability challenges and makes the card impractical as an authentication token. To collaborate on this project, see the Federal Register notice document 2015-0039.
For the “Mobile Device Security” project, vendors will help demonstrate how companies can implement mobile device security that provides enterprise-class protection without sacrificing usability.
In the past, organizations have cordoned off their trusted internal IT networks from untrusted external networks. But with mobile devices blurring the lines of personal and business use, coupled with a rapidly changing array of mobile platforms, companies must now ensure the cell phones, tablets and other devices connected to their enterprise systems will protect sensitive data. This project’s reference design will detail technologies that enable users to work inside and outside a corporate network with securely configured mobile devices, while also allowing system administrators more granular control. To collaborate on this project, see the Federal Register notice document 2015-20040.
These three projects are NCCoE “building blocks,” example cyber security implementations that apply to multiple industry sectors and can incorporate into many of the center’s sector-specific use cases. The projects will result in freely available NIST Cybersecurity Practice Guides, Special Publication series 1800, which include a materials list and instructions for implementing the reference design. The NCCoE will seek the public’s feedback on these example solutions, improving them accordingly.
Interested companies must submit a letter of interest in which they outline their proposed contribution. Full details of this process are in the Federal Register notices for each project. Those selected to participate will enter into a Cooperative Research and Development Agreement with NIST.