Cybersecurity Blueprints for Cloud Computing

Donna F Dodson
Division Chief, Computer Security Division
Acting Director, National Cybersecurity Center of Excellence

The U.S. economy and U.S. citizens are heavily reliant on
information technology (IT)
◦ No sector today could function without IT
◦ Energy, supply chain, finance, ecommerce, transportation, health care

Although considerable progress has been made in improving
cybersecurity capabilities to protect IT, there is much yet to
be done
◦ Determine how to mitigate new threats and secure new technologies

Cybersecurity needs to become more standards-based to
further improve quality and efficiency. Cybersecurity also
needs to become easier for people to adopt and use
◦ These changes would significantly reduce the cost of security
implementation and management, as well as the economic impact of
cybersecurity incidents

NIST is responsible for developing standards and guidelines, including minimum requirements, that provide
adequate information security for all agency operations and assets in furtherance of its statutory responsibilities
under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347, but such
standards and guidelines shall not apply to national security systems.

Under FISMA, NIST shall “conduct research, as needed, to determine the nature and extent of information
security vulnerabilities and techniques for providing cost-effective information security.”

NIST develops guidelines consistent with the requirements of the Office of Management and Budget
(OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV:
Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

In accordance with the Cyber Security Research and Development Act, The National Institute of Standards and
Technology develops, and revises as necessary, checklists setting forth settings and option selections
that minimize the security risks associated with each computer hardware or software system that is, or is
likely to become, widely used within the Federal Government.

Homeland Security Presidential Directive 7: “The Department of Commerce will work with private sector,
research, academic, and government organizations to improve technology for cyber systems and
promote other critical infrastructure efforts, including using its authority under the Defense Production Act to
assure the timely availability of industrial products, materials, and services to meet homeland security
requirements.”

Homeland Security Presidential Directive 12: “The Secretary of Commerce shall promulgate in accordance with
applicable law a Federal standard for secure and reliable forms of identification (the "Standard")”

Core Focus Area

Research, Development, and Specification
◦ Security Mechanisms (e.g. protocols, cryptography,
access control, auditing/logging)
◦ Security Mechanism Applications
- Confidentiality
- Integrity
- Availability
- Authentication
- Non-Repudiation

Secure System and Component Configuration

Assessment and assurance of security properties of products
and systems

Standards – FIPS, Internal Consensus, National
Consensus
Guidelines – NIST SPs and IRs
Journal and Conference Papers
Reference Materials
Workshops and Conferences
Consortia and Forums
Training
Reference Implementations and Demonstrations
Tests and Tools
Standards Development Organization Participation
• Industry
- Accessing Expertise and Leveraging Resources
- Coordinating Standards and Initiatives
• Academia
- Accessing Expertise and Leveraging Resources
- Representative Institutions and Consortia
• International
- Formal Standards Groups
- Accessing Expertise and Leveraging Resources
• Federal, State, and Local Government
- Interdepartmental
- Department of Commerce
- State and Local Governments
NIST Work in Cyber Security

FISMA Phase II
◦ Continue to support the Joint Task Force Transformation Initiative (DoD,
IC, NIST, CNSS) and support unified information security framework
◦ Continue support for risk management and information security
publications
◦ Potential privacy and threat appendixes for SP 800-53, Revision 3
◦ Work toward system and security engineering and application security
guidelines

US Government Configuration Baseline (USGCB)
◦ Standardized security configurations for operating systems and automated
tools to test the configurations, improving security and saving IT security
management resources

Security Automation and Vulnerability Management
◦ Continue to develop tools and specifications that address situational
awareness, conformity, and vulnerability management compliance, etc.

NIST Work in Cyber Security

Virtualization
◦ Support for cloud special publication and standards
activities to support security, portability and
interoperability

Key Management
◦ Foster the requirements of large-scale key
management frameworks and designing key
management systems
◦ Support transitioning of cryptographic algorithms and
key sizes

Next Generation Cryptography
◦ Open competition for new Hash algorithm
◦ Developing new, light weight, quantum resistant
encryption for use in current and new technologies
◦ New modes of operation
NIST Work in Cyber Security

Usability of Security
◦ Performing groundwork research to define factors that
enable usability in the area of multifactor authentication
and developing a framework for determining metrics that
are critical to the success of usability

Identity Management Systems
◦ Standards development work in biometrics, smart cards,
identity management, and privacy framework
◦ R&D: Personal Identity Verification, Match-On-Card,
ontology for identity credentials, development of a
workbench
◦ ID Credential Interoperability

Infrastructure support
◦ Continued support for Health IT, Smart Grid and Voting

Standards Development Organizations
◦ IETF
◦ IEEE
◦ ANSI
◦ ISO

Federal IT programs have a wide range of security
requirements, among them:
◦ The Federal Information Security Management Act
(FISMA) requirements, which include but are not limited to
compliance with Federal Information Processing
Standards and agency-specific policies
◦ Authorization to Operate requirements
◦ Vulnerability and security event monitoring, logging and
reporting

It is essential that the decision to apply a specific cloud
computing model to support mission capability considers
the above requirements

Accelerate the Federal government’s adoption of
cloud computing
◦ Build a USG Cloud Computing Technology Roadmap which
focuses on the highest priority USG cloud computing
security, interoperability and portability requirements
◦ Lead efforts to develop standards and guidelines in close
consultation and collaboration with standards bodies, the
private sector, and other stakeholders
• SP 800-144 Guidelines on Security and Privacy
• SP 800-145 Definition of Cloud Computing
• SP 800-145 CC Synopsis & Recommendations
• SP 500-291 CC Standards Roadmap
• SP 500-292 CC Reference Architecture
• SP 500-293 USG CC Technology Roadmap Draft

The NIST Cloud Definition Framework

• Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
• Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
• Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
• Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Virtualization, Geographic Distribution, Service Orientation, Low Cost Software, Advanced Security

Based upon original chart created by Alex Dowbor - http://ornot.wordpress.com

Draft NIST CC Reference Architecture

• Actors: Cloud Consumer, Cloud Provider, Cloud Auditor, Cloud Carrier
• Cloud Auditor: Security Audit, Privacy Impact Audit, Performance Audit
• Cloud Provider:
- Cloud Orchestration
  - Service Layer: SaaS, PaaS, IaaS
  - Resource Abstraction and Control Layer
  - Physical Resource Layer: Hardware, Facility
- Cloud Service Management: Business Support, Provisioning/Configuration, Portability/Interoperability
- Service Intermediation, Service Aggregation, Service Arbitrage
• Cross Cutting Concerns: Security, Privacy, etc

Cloud Security Standards

ISO/IEC JTC 1 Subcommittee 27 Cybersecurity
◦ Responsible for cloud computing security standards
◦ Early development stages
◦ ISO/IEC 27017 – Guidelines on information security controls
for the use of cloud computing services based on ISO/IEC
27002

US International Committee for Information Technology
Standards Technical Committee Cyber Security 1 (CS 1)
◦ U.S. Technical Advisory Group to SC 27
◦ Chaired by NIST

FedRAMP
• Maintains Security Baseline including Controls & Continuous
Monitoring Requirements
• Maintains Assessment Criteria
• Maintains Active Inventory of Approved Systems
(Consistency and Quality; Trustworthy & Re-useable)

Independent Assessment
• CSP must retain an independent assessor from the
FedRAMP accredited list of 3PAOs

Provisional Authorization
• Joint Authorization Board reviews assessment packages
and grants provisional authorizations
• Agencies issue ATOs using a risk-based framework

Near Real-Time Assurance: Ongoing A&A (Continuous Monitoring)
• DHS – CyberScope Data Feeds
• DHS – US CERT Incident Response and Threat Notifications
• FedRAMP PMO – POA&Ms

Foster the rapid adoption and broad deployment of
integrated cybersecurity tools and techniques that
enhance consumer confidence in U.S. information
systems
◦ Disseminate new principles and mechanics underlying security
standards, metrics, and best practices for secure and privacy-preserving
information technologies
◦ Develop and test methods for composing, monitoring, and measuring the
security posture of computer and enterprise systems
◦ Achieve broad adoption of practical, affordable, and useful cybersecurity
capabilities across the full range of commercial and government sectors
Planning Phase: Business Engagement & Problem Statement; Use Case
Implementation Phase: IT Industry Components Selection; Implement in Operational Environment

• Computer Security Resource Center
http://csrc.nist.gov
• NIST Cloud Computing Program
http://www.nist.gov/itl/cloud
• National Cybersecurity Center of Excellence
http://csrc.nist.gov/nccoe/