Editor’s Note: The most recent public draft of the Executive Order on cybersecurity and critical infrastructure protection emphasizes the use of voluntary consensus standards. Specifically, Section 7 of the draft Order states: “The Cybersecurity Framework shall incorporate existing consensus-based standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with international standards whenever feasible, and shall meet the requirements of the National Institute of Standards and Technology Act, Public Law 104-113, and OMB Circular A-119.”
As the lead agency responsible for administering the Tech Transfer Act, it is incumbent on NIST to ensure its own compliance with the law when developing cybersecurity guidance documents.
It is important to note that, even though NIST is a non-regulatory agency, its cyber security guidance publications are required to meet the quality standards specified by OMB, and by the Secretary of Commerce, in implementing the Data Quality Act (DQA). The requirements of the DQA include that information presented by an agency be objective, which means that the information must be “presented within a proper context.” As OMB explains, “Sometimes, in disseminating certain types of information to the public, other information must also be disseminated in order to ensure an accurate, clear, complete, and unbiased presentation.” Thus, a guidance publication which does not discuss all types of security technologies capable of meeting the publication’s goal may not be compliant with the DQA.
From: Network World
TIA trade group says NIST preference for hardware-based security might mean vendors either make drastic changes or leave federal market altogether
By Ellen Messmer
A mobile security technology proposal drafted by the National Institute of Standards and Technology (NIST) is being soundly rejected by one of the main trade groups representing a broad cross-section of industry.
NIST’s “Guidelines on Hardware-Rooted Security in Mobile Devices,” issued in draft form in October and out for public comment until last Friday, has drawn sharp criticism from the Telecommunications Industry Association, which labeled NIST’s proposal as “over-prescriptive” because it “suggests that security in mobile devices can only be realized using a specific architectural implementation of secure or trustworthy environment, namely the Trusted Platform Module (TPM) architecture specified by the Trusted Computing Group (TCG).”
TPM is “one way to implement security in mobile devices but it isn’t the only way,” said Brian Scarpelli, senior manager of government affairs at Arlington, Va.-based TIA, adding that software-based security can also be relied on. He indicated the TIA membership of carriers and software vendors would prefer not to have to adhere to a specific implementation to meet new federal guidelines for mobile devices, and TIA is reaching out to NIST to voice its objections. TIA industry membership includes carriers such as Verizon Communications and Sprint Nextel, as well as Apple, Dell and VMware.
The TPM specification from the TCG is a hardware-based cryptographic-processing technology that can be used for several security purposes, primarily device integrity. TPM is used in desktops and servers but not mobile devices at present. The National Security Agency, for example, which influences technology decisions made at the U.S. Department of Defense, has been an enthusiastic proponent of TPM.
TPM chips are built into much of today’s computer hardware, though they have seen little widespread use, in part because few applications make them easy to deploy.
NIST argues for TPM by saying that “many mobile devices are not capable of providing strong security assurances to end users and organizations. Current mobile devices lack the hardware-based roots of trust that are increasingly built into laptops and other types of hosts.”
NIST says it wants to “accelerate industry efforts” to use hardware-rooted trust technologies, and specifically TPM, in mobile devices such as smartphones and tablets that the federal government would acquire. NIST criticizes today’s mobile devices, saying they are “vulnerable to ‘jailbreaking’ and ‘rooting,’ which provide device owners with greater flexibility and control over the devices, but also bypass important security features which may introduce vulnerabilities.”
NIST asserts in its guidelines proposal that TPM and hardware-based root of trust is the model the federal government would like to see for use in assuring device integrity and verification, and that this would also help the government in adopting a bring-your-own-device approach where government employees could use their personally owned devices for work as well.
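The device-integrity property that NIST’s draft attributes to a hardware root of trust rests on one TPM primitive: a Platform Configuration Register (PCR) can never be written directly, only extended as PCR_new = H(PCR_old || measurement), so the final value commits to every boot component in order and a rooted or jailbroken image cannot be hidden by the software that replaced it. The following simulation is an added illustration written for this page; it is not code from NIST’s draft, from the TCG specification, or from the article, and its boot-chain blobs, the HMAC stand-in for the TPM’s attestation key, and all function names are assumptions made for the example.

```python
"""Simulated TPM-style measured boot and remote attestation (illustration only).

Assumptions (not from the page): SHA-256 PCRs that reset to all zeros at
power-on, a constructed three-stage boot chain, and an HMAC key standing in
for the attestation key that a real TPM never releases from the chip.
"""
import hashlib
import hmac
import os

DIGEST_SIZE = hashlib.sha256().digest_size
PCR_INITIAL = bytes(DIGEST_SIZE)   # PCRs start as all-zero bytes at reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """The only operation a TPM permits on a PCR: one-way hash-chaining.
    There is deliberately no pcr_set(): software cannot choose a PCR value."""
    if len(pcr) != DIGEST_SIZE or len(measurement) != DIGEST_SIZE:
        raise ValueError("pcr and measurement must be SHA-256 digests")
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components) -> bytes:
    """Each boot stage hashes the next stage and extends the PCR before
    handing over control, so the final PCR depends on every stage and on
    their order."""
    pcr = PCR_INITIAL
    for blob in components:
        pcr = pcr_extend(pcr, hashlib.sha256(blob).digest())
    return pcr


# Constructed sample boot chains (stand-ins for real firmware images).
GOOD_CHAIN = [b"bootloader v1.0", b"kernel 3.4 signed", b"system partition"]
ROOTED_CHAIN = [b"bootloader v1.0", b"kernel 3.4 signed", b"system partition + su"]


def attest(ak: bytes, nonce: bytes, pcr: bytes) -> bytes:
    """Device side: a 'quote' binding the current PCR to a verifier nonce.
    A real TPM signs this with a hardware-bound key; HMAC stands in here."""
    return hmac.new(ak, nonce + pcr, hashlib.sha256).digest()


def verify_quote(ak: bytes, nonce: bytes, reported_pcr: bytes,
                 quote: bytes, expected_pcr: bytes) -> bool:
    """Verifier side: first check the quote is genuine and fresh (nonce),
    then check the reported PCR matches the known-good boot chain."""
    if not hmac.compare_digest(attest(ak, nonce, reported_pcr), quote):
        return False
    return hmac.compare_digest(reported_pcr, expected_pcr)


def demo() -> dict:
    """Run three attestation scenarios and return which ones the verifier accepts."""
    ak = os.urandom(32)                 # hardware-bound attestation key (simulated)
    expected = measure_boot(GOOD_CHAIN)  # golden value the verifier provisions
    nonce = os.urandom(16)               # fresh challenge per attestation
    results = {}

    # 1. Unmodified device: PCR matches and quote is genuine.
    pcr = measure_boot(GOOD_CHAIN)
    results["good"] = verify_quote(ak, nonce, pcr, attest(ak, nonce, pcr), expected)

    # 2. Rooted device reporting honestly: its PCR reflects the modified partition.
    pcr = measure_boot(ROOTED_CHAIN)
    results["rooted"] = verify_quote(ak, nonce, pcr, attest(ak, nonce, pcr), expected)

    # 3. Rooted device claiming the golden PCR: without the chip-held key it
    #    cannot produce a valid quote for a value it did not actually boot to.
    forged = attest(b"guessed-key", nonce, expected)
    results["rooted_lying"] = verify_quote(ak, nonce, expected, forged, expected)

    # 4. Replay: a genuine old quote for the golden PCR fails under a new nonce.
    old_quote = attest(ak, nonce, expected)
    results["replay"] = verify_quote(ak, os.urandom(16), expected, old_quote, expected)
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:13s} accepted={accepted}")
```

The point of the simulation is what is absent from it: nothing in the code path available to post-boot software can set a PCR back to a chosen value, which is the property a purely software-based root of trust has to argue for rather than inherit from the hardware.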
In its rebuttal to the NIST proposal, TIA’s comments reject NIST’s contention that “mobile devices are not as secure as laptops and personal computers,” calling NIST’s statements “inaccurate reflections of the state-of-the-art security supported by today’s smartphones and tablets. Today’s smartphones and tablet implementations support immutable, hardware-based root of trust that provide security features equivalent to those supported by laptops and personal computers.”
In its comments, TIA pleads with NIST to reconsider its drafted guidelines proposal for mobile. “We urge NIST to ensure that any security requirements that it places on Federal agencies do not in effect cause the information and communications technology (ICT) manufacturers and vendors on which these agencies rely to choose between either making significant design and/or system alterations inconsistent with existing measures taken to ensure that private information systems are secure or to refrain from directly participating in the Federal market.”
The TIA adds, “If this were to happen, it would bifurcate the ICT market that currently successfully serves both government and private entity alike, and would deprive Federal users of the benefits of the dynamic private research and development ecosystem.”