Donna F. Dodson
Chief Cybersecurity Advisor
National Institute of Standards and Technology
donna.dodson@nist.gov
NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
Priority Research Areas: Advanced Manufacturing, IT and Cybersecurity, Healthcare, Forensic Science, Disaster Resilience, Cyber-Physical Systems, Advanced Communications
• Role in cybersecurity began in 1972 with the development of the Data Encryption Standard, at the point when the commercial sector also had a legitimate need for cryptography, including in ATMs.
• Using widely accepted standards helps create competitive markets that serve market needs through combinations of price, quality, performance, and value to consumers, and then promotes faster diffusion of these technologies throughout industry.
• NIST’s Cybersecurity Standards and Best Practices
• NIST’s Cybersecurity Testing and Metrics
• National Strategy for Trusted Identities in Cyberspace
• National Initiative for Cybersecurity Education
• National Cybersecurity Center of Excellence
• Framework for Improving Critical Infrastructure Cybersecurity
Research Areas:
• Authentication and Access Control
• Biometrics
• Continuous Monitoring
• Cryptography
• Data Analytics
• Identity Management
• Information Sharing
• Key Management
• Network Security
• Privacy
• Risk Management
• Security Automation
• Software Quality
• Security Testing
• Usable Security
• Vulnerability Management
Secure Applications and Engineering:
• Cloud
• Cyber Physical Systems
• Healthcare
• Mobility
• Public Safety Networks
• Smart Grid
• Voting
NIST has looked at the basics, definitions, security controls, privacy controls, architectures, software assurance and testing.
• Mobile device characteristics
• Threats and Vulnerabilities
– Lack of Physical Controls
– Untrusted Mobile Devices
– Untrusted Networks
– Untrusted Applications
– Interactions with Other Systems
– Untrusted Content
– Use of Location Services
• Policy
• Encryption – Communication and Storage
• Authentication
• Applications
• From NIST Special Publication 800-124, GUIDELINES FOR MANAGING THE SECURITY OF MOBILE DEVICES IN THE ENTERPRISE
• Manages the vetting of apps before they are deployed on secure mobile devices,
• Helps decision-makers approve or reject apps based on risk assessments from multiple tools,
• Allows for the integration of tools to provide tailored analytic capability.
• NIST app testing framework:
– http://csrc.nist.gov/projects/appvet/download.htm
The NCCoE: Bringing Together Mobility and Cloud
• Demonstrates how commercially available technologies can enable secure access to the organization’s sensitive email, contacts, and calendar information from users’ mobile devices.
• Approach to mobile device security includes:
– determining the security characteristics required to mitigate in large part the risks of storing enterprise data on mobile devices and transmitting enterprise data to and from mobile devices
– mapping security characteristics to standards and best practices from NIST and other organizations recognized for promulgating security information, such as the National Security Agency (NSA) and the Defense Information Systems Agency (DISA)
– architecting a design for our example solution
– selecting mobile devices and EMM systems that provide the necessary controls
– evaluating our example solution
NIST Computer Security Resource Center http://csrc.nist.gov/
Cybersecurity Framework www.nist.gov/cyberframework
National Strategy for Trusted Identities in Cyberspace http://www.nist.gov/nstic/
National Cybersecurity Center of Excellence https://nccoe.nist.gov
National Initiative for Cybersecurity Education http://csrc.nist.gov/nice/