What began as an initiative between the Defense Department and the National Information Assurance Partnership to validate the security of a wide range of mobile devices has blossomed into a broader effort.
Last year, the Defense Information Systems Agency announced plans to migrate certification testing for mobile devices used on classified and unclassified networks to NIAP, which depends extensively on private laboratories to conduct reviews. Founded 14 years ago as a partnership between the National Security Agency and the National Institute of Standards and Technology, NIAP provides agencies with a central program for gauging the security of consumer technologies.
“Our goal is not to pick a specific product or vendor or any one security technology,” says Janine Pedersen, NIAP’s director. “Our process is open to the public. Any company interested in selling to DOD or other national security agencies is welcome to go through the process.”
Helping the Pentagon
NIAP’s partnership with the Defense Department originally focused on mobile devices and mobile device management software, Pedersen says, but now NIAP and DISA intend to approve a wide range of technologies for use within DOD agencies.
“We want to make it easy for the vendor community in the computer industry to get products approved for both classified and unclassified uses in the national security establishment,” Pedersen says. “For us, it allows for our employees to use the latest innovations industry has to offer.”
Todd Finkler, an NSA information assurance expert, says NIAP will review numerous technologies, including network monitoring, identity management and authentication, intrusion detection and protection, operating systems and firewalls.
“This is a much broader security effort,” Finkler says. “The idea is to work with government, industry and academia to develop the best possible security posture for national security purposes.”
The NIAP process will be the first step in a two-pronged approach to help get tested technology into the hands of Defense personnel.
How the Process Works
This change is a response to criticisms from the vendor community that previous technology approval processes were time-consuming and expensive. In the past, a NIST-accredited lab would test products one by one, assigning them an assurance standard.
Now, NIAP collaborates with industry, end users and academia to develop security standards, called “Protection Profiles,” for product categories, Pedersen says. These are publically available specifications that vendors can follow to develop products that meet federal requirements. The labs NIAP works with will use the profiles too — to ensure commercial IT products meet specified requirements.
The profiles include DOD-developed configuration requirements. These requirements detail the specifications that commercial products must meet for use on DOD networks.
This approach means that software and hardware makers can create products that will meet the security requirements, rather than having to reverse-engineer products after the review pocess. That should hasten the review and make it easier to get technology into the hands of users.
To further encourage broad adoption by vendors, the profiles also include Commercial Solutions for Classified use cases. These CSfC cases flesh out details about how commercial products must protect classified information.
Moving forward, vendors will develop products based on the profiles and submit them to commercial labs for testing. The labs will then issue reports to NIAP outlining how products either meet or fail to meet profile requirements.
Necessary Second Step
Getting the NIAP nod is step one, says Gregory Youst, chief mobility engineer at DISA. Before DOD agencies deploy NIAP-approved technology, vendors need to develop security technical implementation guides, or STIGs. Each guide must identify potential vulnerabilities and how the vendor will mitigate those in a particular product for use within DOD.
“Think of the STIG as the action plan for how to configure the product for DOD and make it secure,” Youst says.
STIGs are not new, but creating them outside the government will be, Youst says. By taking this approach, building STIGs — which used to be based on a teardown and detailed examination of a product by government engineers — should take place faster, he says. Why? Because most of the underlying data needed to create them will be generated when vendors put their technology through the NIAP process.
Community of Practice
Pedersen has great hopes for the two-step process — in part, because of the involvement of more experts.
NIAP formed technical communities to develop the profiles, and these groups will enlist subject matter experts from government, industry and academia. NIAP and DISA are developing a collaborative process that they expect will lead to security products being approved not only faster, but more efficiently and at lower cost.
Any subject matter expert in a technical community can make decisions and offer input into the profiles. Each technical community will be responsible for developing a set of technology-specific threats, the minimal security functionality sufficient to mitigate the threats identified, and a collection of assurance activities tailored to the technology that covers each functional requirement.
Ultimately, DISA also hopes in the months and years ahead that the new requirements will gain acceptance beyond the federal government — even internationally. That will make projects with other government organizations and ally nations far less complex and ease the sharing of information.