1.
Cybersecurity Issues Impacting Public Sector Financial Management OASIS e-Gov Washington Workshop, April John Sabo Director Global Government Relations CA, Inc. Member, OASIS IDtrust Member Section Steering Committee

2. Abstract
Public financial management systems, e-procurement, and other services vital to government operations and citizen trust increasingly make use of information technology, networked infrastructures and Internet services. 
Cybersecurity risks continue to multiply as the threat landscape broadens.  As governmental services migrate to Internet and Internet Protocol-based infrastructures, managing cyber security risk takes on greater importance as government agencies cut ties to old business processes and fully embrace Internet-based services. 
This presentation will provide an overview of cybersecurity risk issues, a number of public-private sector partnership efforts to assess and mitigate cyber risks, and examples of work underway by Technical Committees in the OASIS IDtrust Member Section to develop standards to help address these challenges.

3. Cybersecurity – Government and Business Risk Management Issues
2007 Business Roundtable Report – growing Internet dependence
Control System vulnerabilities
Critical Infrastructure interdependencies
e.g., network availability for e-Gov applications
Convergence of communications with Internet Protocol-based networks/devices/security
Major global and federal government cybersecurity initiatives
Major initiatives such as Health IT, Smart Grid

4. Obama Administration
E-Government – using cutting-edge technologies to create a new level of transparency, accountability, and participation for America's citizens, to reform government and to improve the exchange of information between the federal government and its citizens and partners.
Cybersecurity – deploying a new generation of secure hardware and software for our critical cyber infrastructure and protecting sensitive corporate and government information and industrial applications from unauthorized access, theft, and misuse, while ensuring the resilience of our information networks, systems and applications.
Data Privacy – managing data privacy and securing personal information by partnering with industry to develop and implement standards and solutions needed to protect the rights of individuals in the information age.

5. Foundation in Place for Cybersecurity Risk Management
Huge resource and intellectual investments
R&D – technology development in response to market needs – innovation
Technologies, standards – e.g., identity and access management, authorization, encryption
Evolving standards and standards development to address new risk management requirements
Operational capabilities via organizations such as Information Sharing and Analysis Centers
Trusted industry and industry - government working relationships
Increased focus on cyber risk management, e.g., IT Sector Coordinating Council risk assessment

6. IT Sector Critical Functions and Cybersecurity
IT Products and Services
Incident Management Capabilities
Domain Name Resolution
Identity Management and Trust Support Services
Internet-based Content, Information and Communications Services
Internet Routing, Access and Connection Services

7. Complexities of the IT Sector
Domain Name System (DNS) root and Generic Top Level Domain (GTLD) operators
Internet Service Providers (ISPs)
Internet backbone providers
Internet portal and providers
Networking hardware companies (e.g., fiber-optics makers and line acceleration hardware manufacturers) and other hardware manufacturers (e.g., PC and server manufacturers and information storage)
Software companies
Security services vendors
Communications companies that characterize themselves as having an IT role
Edge and core service providers
IT system integrators
Global, Federal, State, and local governments…end users, businesses

8. IT “Sector Specific Plan”
Prevention and protection through risk management
Understand and prioritize risks and implement protective measures
Situational awareness
share threat and vulnerability information among IT Sector, other sectors and government, including developing indications and warnings
Expand public-private analytical capabilities to proactively identify potential future incidents
Response, recovery and reconstitution
Communications, incident response and coordination, recovery, reconstitution, and law enforcement linkages

9. Federal Comprehensive National Cybersecurity Initiative (CNCI)
Trusted Internet Connections
Intrusion detection
Intrusion prevention
Research and development
Situational awareness
Cyber counter intelligence
Classified network security
Cyber education and training
Implementation of information security technologies
Deterrence strategies
Global supply chain security
Public/private collaboration

10. A Few Current Issues Administration’s 60-day Cybersecurity Review
What is the federal government’s role in protecting critical infrastructure and information networks against a nation state attack?
Role of private sector in protecting government networks – people, process, technology, regulation, and incentives
What thresholds do we recommend for defining and reporting cyber incidents and to whom does it get reported?
New Federal Leadership, Organizational Alignment
Legislation and Oversight
… all in context of incredible technological innovation

11. IDtrust Member Section

12. IDtrust Member Section
Evolution
PKI Forum (1999)
PKI Member Section (Nov 2002)
IDtrust Member Section (2007)
Steering Committee
June Leung, FundSERV
Abbie Barbir, Nortel
John Bradley
John Sabo, CA
Anil Saldhana, Red Hat
OASIS Staff – Dee Schur
31 Sponsors/Contributing Member Organizations

13. Strategic Focus Areas Identity and Trust Infrastructure Components
Standards, protocols, cost/benefits, risks
Identity and Trust Policies and Enforcement
Policy issues, policy mapping, assurance
Barriers and Emerging Issues
Data privacy, interoperability, extensible trust
Education and Outreach
White papers, research, conferences, Wiki
idtrust.xml.org

14. Technical Committees
Digital Signature Services eXtended (DSS-X) - Advancing new profiles for the DSS OASIS Standard
Identity Metasystem Interoperability (IMI) - Advancing interoperability standard for Information Cards
Open Reputation Management Systems (ORMS)- Advancing the ability to use common data formats for representing reputation data
Extensible Resource Identifier (XRI) - Defining a resolution protocol for abstract structured identifiers used to identify and share resources across domains and applications
XRI Data Interchange (XDI) - Creating a standard for sharing, linking, and synchronizing data over the Internet and other networks using XML documents and Extensible Resource Identifiers (XRIs)
Enterprise Key Management Infrastructure (EKMI) - Defining symmetric key management protocols
Key Management Interoperability Protocol (KMIP) - Advancing interoperability standard for enterprise encryption key management

15. What is KMIP
The Key Management Interoperability Protocol (KMIP) enables key lifecycle management. KMIP supports legacy and new encryption applications, supporting symmetric keys, asymmetric keys, digital certificates, and other "shared secrets." KMIP offers developers templates to simplify the development and use of KMIP-enabled applications.
KMIP defines the protocol for encryption client and key-management server communication. Supported key-lifecycle operations include generation, submission, retrieval, and deletion of cryptographic keys. Vendors will deliver KMIP-enabled encryption applications that support communication with compatible KMIP key-management servers.

16. Enterprise Key Management
KMIP: Single Protocol Supporting Enterprise Cryptographic Environments
Enterprise Cryptographic Environments
Enterprise Key Management
Disk
Arrays
Backup
Tape
System
Collaboration &
Content Mgmt
Systems
File Server
Portals
Production
Database
Replica
Staging
Key Management Interoperability Protocol
Enterprise
Applications
eCommerce
Business
Analytics
Dev/Test Obfuscation
WAN
LAN
VPN
CRM

17. John Sabo