Presentation is loading. Please wait.

Presentation is loading. Please wait.

DRIVING DOD POLICY FOR COMMON CRITERIA TESTING OF IT PRODUCTS Wanda Nuckolls, Product Security Project Manager Canon U.S.A., Inc. Government Marketing.

Published byTristin Burdon Modified over 9 years ago

Similar presentations

Presentation on theme: "DRIVING DOD POLICY FOR COMMON CRITERIA TESTING OF IT PRODUCTS Wanda Nuckolls, Product Security Project Manager Canon U.S.A., Inc. Government Marketing."— Presentation transcript:

1 DRIVING DOD POLICY FOR COMMON CRITERIA TESTING OF IT PRODUCTS Wanda Nuckolls, Product Security Project Manager Canon U.S.A., Inc. Government Marketing Division

2 Policy & Guidance –National Security Policy - NSTISSP #11 (Jan 2000) –National Security Policy – NSTISSP #11 (Revised Jul 2003) –DoD 8500.1 –DoD 8500.2 – NIST Special Publication 800-23 – NIST Special Publication 800.37

3 National Security Telecommunications and Information Systems Security Committee NSTISSP No. 11 January 2000 National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products - Effective 1 Jan 2001 Preference shall be given to acquisition of evaluated IA products - Effective 1 Jul 2002 (Revised Fact Sheet) Acquisitions must specify evaluated products UNCLASSIFIED

4 Acquisition of COTS IA products limited to those on NIAP Validated Products List or NIST Crypto Module Validation List Acquisition of GOTS IA products limited to NSA approved Waivers (Deferred Compliance Authorization (DCA)) reviewed by NSA and granted on case-by case basis – not available for encrypted products

5 FACTORS DRIVING NSTISSP 11 IA is broader than COMSEC GOTS to GOTS and COTS Philosophy Shift Explosion in number of COTS IA Products NSA resource constraints requires a NIAP approach No standardized evaluation language or methodology Create demand for evaluated products  The problem: Does the product provide the security it claims?

6 Requires compliance with NSTISSP 11 Defines generic “robustness” levels of basic, medium, high and assigns “baseline levels” for IA services of integrity, availability and confidentiality dependent upon value of information protected and environment Requires NSA: – Serve as DOD focal point for NIAP – Approve cryptographic devices used to protect classified information – Generate Protection Profiles for GIG core technologies DoD 8500.1 and DoD 8500.2

7 Guidelines for Federal Organizations Re: Information Security NIST Special Publication 800.23- Guide for the Security Certification and Accreditation of Federal Information Systems NIST Special Publication 800.37 – Guide for Security Assurance and Acquisition/Use of Tested/Evaluated Products

8 Other Policy influencing security concerns for IT equipment: Gramm Leach Bliley Act (GLBA) - Financial Modernization Act of 1999 Healthcare Information Portability and Accountability Act of 1996 (HIPPA) – National Standards to Protect the Privacy of Personal Health Information Family Education Rights Privacy Act (FERPA) – security for student privacy

9 Example of Policy Driving Canadian IT Security Intiatives: The Personal Information Protection and Electronic Documents Act (PIPEDA) became an official requirement on January 1, 2004 PIPEDA is Federal Privacy Legislation to regulate privacy compliance of collection of personal data of citizens during commercial activity by organizations.

10 THANK YOU.

Download ppt "DRIVING DOD POLICY FOR COMMON CRITERIA TESTING OF IT PRODUCTS Wanda Nuckolls, Product Security Project Manager Canon U.S.A., Inc. Government Marketing."

Similar presentations

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.
Research and Privacy Under HIPAA Professor Peter P. Swire Moritz College of Law Ohio State University National Academy of Science Panel on Science, Technology.

Research and Privacy Under HIPAA Professor Peter P. Swire Moritz College of Law Ohio State University National Academy of Science Panel on Science, Technology.
NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.
TECHNICAL OPERATION SUBCOMMITTEE Report to Operating Committee June 10 – June 11 2004 Gary S. Tarplee - Chair.

TECHNICAL OPERATION SUBCOMMITTEE Report to Operating Committee June 10 – June Gary S. Tarplee - Chair.
Steps towards E-Government in Syria

Steps towards E-Government in Syria
IT Security Policy Framework

IT Security Policy Framework
The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE.

METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE.
Chapter 11 by Dee McGonigle, Kathleen Mastrian, and Nedra Farcus

Chapter 11 by Dee McGonigle, Kathleen Mastrian, and Nedra Farcus
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
© 2004 Property Casualty Insurers Association of America The Alphabet of Federal Legislation Kathleen Jensen Property and Casualty Insurers Association.

© 2004 Property Casualty Insurers Association of America The Alphabet of Federal Legislation Kathleen Jensen Property and Casualty Insurers Association.
Effective Design of Trusted Information Systems Luděk Novák,

Effective Design of Trusted Information Systems Luděk Novák,
The Common Criteria for Information Technology Security Evaluation

The Common Criteria for Information Technology Security Evaluation
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Chapter 20 Additional Assurance Services: Other Information

Chapter 20 Additional Assurance Services: Other Information
October 3, 20031 Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.

October 3, Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

Similar presentations

Ads by Google