As documented in Representative Examples of NIST Contributions to Cybersecurity,1 the NIST Computer Security Division (CSD) traces its history back to 1972. Its original projects, cryptography and risk management, are ongoing, alongside a variety of newer projects. Several years ago, the CSD’s projects focused more on applications and some of the staff supporting those projects, together with the National Cybersecurity Center of Excellence (NCCoE), which was then part of the Information Technology Laboratory (ITL) Office, became the core for a new division: the Applied Cybersecurity Division (ACD), discussed in Chapter 5.
The division’s technology focus areas are cryptography; risk management; identity and access management; testing and validation; software security, vulnerability metrics, and configurations; and emerging technologies. The CSD conducts joint work with the ACD and with other NIST ITL divisions—in particular, the Applied and Computational Mathematics Division (ACMD). CSD staff also collaborate extensively with academic researchers; more than 50 percent of CSD staff members who presented or published papers have external collaborators.
During the 2018 assessment, the CSD described the following projects: quantum-resistant cryptography, lightweight cryptography, FIPS 140 and the Crypto Module Validation Program (CMVP), derived credentials, access control, risk management, supply chain risk management, combinatorial methods in software testing, vulnerability metrics, and security for virtualized infrastructure.
CSD’s fiscal year 2018 budget is $32.5 million, of which $17.8 million is designated for directed research projects. The CSD has supplemental funding of $4.5 million, of which $3.2 million is funding from other agencies and $1.3 million is income from testing and certification programs (e.g., the CMVP) and from the sale of test artifacts (e.g., test Personal Identification Verification [PIV] cards).
QUALITY OF THE RESEARCH
The quality of work in CSD is uniformly excellent. Two CSD projects in particular are strategic national cybersecurity resources. The Cryptography project creates standards that are implemented by virtually every significant commercial encryption implementation in a laptop computer, cell phone, or automated teller machine. NIST’s cryptographic standards are widely adopted by industry groups. For example, the Payment Card Industry Security Standards Council requires FIPS 140-2 compliance as part of its Payment Card Industry Data Security Standards (PCI-DSS)2 and Hardware Security Module (HSM) standards. Over the lifetime of the CMVP, the CSD has evaluated more than 24,000 cryptographic algorithm implementations, including 4,000 implementations of its symmetric-key Advanced Encryption Standard. CSD’s latest cryptographic algorithm development effort, the Quantum-Resistant Cryptography (QRC) Algorithms Standardization project, received 69 submissions; 64 of these were found to meet the project’s quality criteria, and they are in the process of being analyzed by NIST staff and the cryptographic community.
1 National Institute of Standards and Technology (NIST), 2018, Representative Examples of NIST Contributions to Cybersecurity, Gaithersburg, Md.
The National Vulnerability Database (NVD) and the associated Common Vulnerability Scoring System (CVSS) are widely used, not only in government but also by private-sector firms and vulnerability and risk assessment product vendors. As of June 2018, the NVD contained more than 103,000 distinct vulnerability entries. At the time of the discontinuation of MITRE’s Common Vulnerabilities and Exposures (CVE) Compatibility Program in September 2017, 153 products and services from 84 organizations had been certified as CVE-compatible under the program.
Some CSD projects could benefit from more community outreach. The QRC project is timely and important, and its importance is well understood not only in the cryptographic community but also among government and commercial customers of cryptography. QRC’s impact will be felt on the time scale of decades.
The Combinatorial Methods in Software Testing project is mature and has generated numerous highly cited publications. The tools and techniques developed by the project promise substantial impact on real-world software testing efficiency and effectiveness; even naïve applications of combinatorial software testing (CST) techniques can reduce the number of test cases required to reliably detect most faults by two orders of magnitude. The work on combinatorial methods in software testing could beneficially be broadly adopted across the software development world; it is a rare example of a technique that can improve both schedules and quality. Other CSD projects could benefit from a clearer statement of the requirements that are driving them.
The Access Control project has reached maturity and has had substantial academic and commercial impact, but it may have reached the point of diminishing returns as an ITL activity. NIST’s Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) standards have been broadly influential. RBAC is now a standard feature of most commercial security products’ administrative subsystems. Commercial products from Oracle, SailPoint, and other vendors include robust RBAC features. ABAC is less broadly adopted by customers, but it is well supported by commercial security products for government use (e.g., from Jericho Systems) and for private-sector use (e.g., from Axiomatics and NextLabs). The 2011 National Research Council (NRC) panel report said this about the Access Control Project:
As a general principle, given constraints on resources and the dynamic nature of IT security technology, the division should be mindful of the relevance of its research projects to the remainder of its mission and should be willing to sunset projects in those cases in which the project has begun to achieve industrial or commercial success or the focus of the project has diverged from the mainstream direction of information technology or from the division’s work on standards and guidelines. The Role Based Access Control Program appears to have achieved a measure of industrial success and is perhaps a candidate for handing off to industry.3
The work of the Access Control Project is even more firmly established now in commercial practices and products than was the case in 2011.
RECOMMENDATION: The Access Control project’s resources should be directed toward more recently emergent risks in order to have higher impact.
3 National Research Council (NRC), 2011, An Assessment of the Information Technology Laboratory at the National Institute of Standards and Technology: Fiscal Year 2011, The National Academies Press, Washington, D.C., p. 23.
The CSD has hired and retained appropriately expert staff in all of its project areas, but some projects could benefit from additional staff, some emerging research areas will need to be staffed, and there are some issues relating to career progression and recruiting that could represent risks to the availability of necessary expertise in the medium term.
CSD staff members exhibit a bimodal age distribution: there is a large pool of young expert staff members, fewer mid-career professionals, and a large population of late-career staff members. Twenty-seven percent of CSD staff members are currently retirement eligible; an additional 7 percent will be retirement eligible within 3 years. The concentration of retirement-eligible CSD staff represents a potential risk to the availability of expertise if government retirement programs or incentives change.
ADEQUACY OF FACILITIES, EQUIPMENT, AND HUMAN RESOURCES
The CSD’s Lightweight Cryptography project is much less well-known to its potential customers than its QRC Algorithms Standardization project and its NVD and associated Common Vulnerability Scoring System. The Lightweight Cryptography project is not resourced as fully as the QRC project. The Lightweight Cryptography project currently has five staff members, all part time. Millions or even billions of Internet of Things (IoT) devices could be enabled for secure communications and data storage by the Lightweight Cryptography program in the near to medium term (the project aims to complete algorithm standardization in 2-4 years).
RECOMMENDATION: The CSD should take steps to publicize the Lightweight Cryptography program among potential users of the resulting algorithms—particularly Internet of Things vendors and customers.
Supply chain risk management is a vast problem space, in which much research could be done. However, the CSD is having trouble finding and hiring staff qualified to work on supply chain risk analysis. It may be necessary to sharpen the focus of the Supply Chain Risk Analysis Project if additional staff cannot be added.
RECOMMENDATION: The ITL should consider conducting a threat and risk assessment to identify areas of greatest impact for future supply chain risk analysis work, the number and expertise of additional staff needed, and the appropriate focus of the work if additional staff cannot be hired.
The Lightweight Cryptography and Combinatorial Methods in Software Testing projects both have the necessary core scientific expertise, but they could increase their impact if additional staff could be added. Also, expertise in supply chain security is limited in the market generally; hiring experts in this area, while desirable, may be difficult.
Some emerging areas of research are currently being handled by existing staff members but will require dedicated experts as the areas mature. Additional staff expertise will shortly be required in the areas of multiparty computation, artificial intelligence (AI) and machine learning, high-performance computing security, and IoT security. The Pathways program has proven to be effective for recruiting scientific experts who eventually join the CSD’s permanent staff.
The CSD facilities and equipment are adequate, although more space would be welcome, particularly if additional staff members are added to the division. The budget for CSD staff to attend conferences and host workshops is adequate.
DISSEMINATION OF OUTPUTS
The CSD disseminates its work via Federal Information Processing Standards (FIPS), guidance in the form of NIST Special Publications (SPs), tools and testing services, academic publications, workshops, and data references, including online products such as the National Vulnerability Database (NVD).
The CSD has long been a prolific producer and effective disseminator of high-quality, frequently cited publications, broadly implemented standards, and influential guidance. The 2011 NRC assessment cited above noted this history and cited examples; since that assessment NIST Cybersecurity staff have published 4 FIPS standards or standard updates, more than 150 Special Publications, more than 75 conference papers, and more than 65 journal papers. The CSD tracks these outputs carefully. The CSD’s online resources, and especially the NVD, are also heavily utilized. However, these are production and dissemination metrics rather than impact metrics.
The CSD’s impact is in fact strong; its guidelines and standards are widely adopted. However, evidence for the impact of many projects is anecdotal rather than systematic. Some projects have effective systematic impact metrics. The Cryptography project, for example, has a very useful impact metric, because the CSD is involved in the full life cycle of cryptographic technology development, from algorithm selection to standardization to validation: the CMVP serves as an impact metric collector by quantifying how many implementations of NIST algorithms are submitted for validation against the standards that the CSD publishes. The numbers are strong: the CMVP has validated more than 24,000 cryptographic module implementations over its lifetime, including 4,400 validations of implementations of CSD’s Advanced Encryption Standard in products submitted by 497 companies. Across the CSD broadly, impact is less consistently measured than output and dissemination. Impact metrics could be quite valuable when making decisions about balancing CSD’s relatively scarce resources across its projects.
Some important CSD projects, including Risk Management, Supply Chain Security, and Virtualization Security, perform well on production and dissemination metrics but have no systematic impact metrics. Impact metrics would be very helpful in quantifying the effectiveness of the standards, guidance, and tools developed by the CSD.
RECOMMENDATION: Recognizing that impact is sometimes difficult to measure without deep insight into stakeholder products and processes, the ITL should work toward the development of impact metrics for projects in the CSD where development of such metrics is feasible.
One measure of project impact is the influence on international and commercial standards. The CSD cryptographic standards have had broad commercial and international adoption. Another recent example is the adoption of NIST SP-800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection as the basis for the guidance in the draft ISO/IEC FDIS 21878 “Information Technology—Security Techniques—Security Guidelines for Design and Implementation of Virtualized Servers.” The NIST Cybersecurity Framework, owned by the ACD, has also seen significant international adoption, which continues to grow—leading to a level of de facto international harmonization that is a major benefit for U.S. companies that operate worldwide.
One recommendation from the 2011 CSD assessment remains only partially addressed: “The CSD is also encouraged to investigate, as appropriate, NIST’s role in metrics and guidelines for privacy, a subject that was not specifically presented to the panel.”4 While the CSD and the ACD have incorporated privacy recommendations into their respective Risk Management guidance documents, there are still no metrics. This subject has become more urgent since 2011.
4 NRC, 2011, An Assessment of the Information Technology Laboratory at the National Institute of Standards and Technology: Fiscal Year 2011, The National Academies Press, Washington, D.C., p. 23.
RECOMMENDATION: The CSD, in partnership with the ACD, should investigate and, if possible, develop and disseminate metrics for privacy.
On the topic of Risk Management guidance from the CSD and the ACD, the question of alignment between these bodies of work needs to be considered. The CSD has recently released an updated draft of SP 800-37 (revision 2)5—a core document in the SP 800-39 series of Risk Management Framework (RMF) guidance. One of the stated objectives of this draft is to demonstrate how the Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes. For its part, the ACD has recently published version 1.1 of the Cybersecurity Framework; that document states: “The Framework is adaptive to provide a flexible and risk-based implementation that can be used with a broad array of cybersecurity risk management processes. Examples of cybersecurity risk management processes include NIST Special Publication (SP) 800-39.”
The alignment of the NIST Risk Management Framework (owned by the CSD) and the NIST Cybersecurity Framework (owned by the ACD) is proceeding, but the work is not yet complete; the relevant documents are either in draft status or recently finalized. It is too early to tell how effective this alignment will be in organizations that implement both elements of NIST Risk Management guidance, and what adjustments to the guidance will be desirable.
RECOMMENDATION: The CSD and the ACD should consider jointly hosting one or more implementer’s workshops to test the emerging alignment of these two bodies of guidance.
5 NIST, 2018, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, Draft NIST Special Publication 800-37: Revision 2, U.S. Department of Commerce, Washington, D.C.