1. 2. 3 Office of Management and Budget (OMB), 2000; National Institute of Standards and Technology (NIST); OMB
Keywords: 1. Audit 2. Certification and Accreditation 3. Common Criteria 4. Framework 5. Information Assurance 6. Standard
Information Technology (IT) Certification and Accreditation (C&A); National Institute of Standards and Technology (NIST) [4]; IT C&A; 1. IT 2. IT 3. C&A; Federal Information Processing Standard (FIPS) 102, September 1983; 1.1 1.2 1.3; NIST C&A; SP 800-53; International Organization for Standardization (ISO), ISO/IEC TR 19791 [2]
1.1
1. NSTISSC: National Security Telecommunications and Information Systems Security Committee
2. NSTISSI: National Security Telecommunications and Information Systems Security Instruction
3. NSTISS: NSTISSI No. 4011 (180)
1.2
1.3 IT, 2000 (July 1999 ~ June 2000); Office of Management and Budget (OMB) [3~5]; C&A; OMB; 1. IT 2. IT; IT [3]; 1. 2.
IT [5]; NIST [6]; NIST IT; Table 2.1: levels 1, 2, 3, 4, 5; IT; PDD-63 [7]; National Security Agency (NSA), 1999 [8]; October 2003; OMB [3]; [4]; OMB M-00-07, February 28, 2000: 1 2 3 4 5; 2.1 IT; IT [4, 5]; OMB 2000 (1.1); OMB 2000~2003 (2.2~2.6); IT
2.2 Information Technology (IT): 1. 2. Federal Information Security Management Act (FISMA), December 17, 2002; IT
2.3 Information Technology (IT) Security Cost
1 ( ) Inspector General (IG): 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 Office of Management and Budget (OMB) 1.10 1.11 1.12 1.13 1.14 Review / Check
2 IT Privacy Program
3
2.4 Security Program
1 General Support System; Major Application
2 OMB, DoC (NIST), GSA, OPM: 2.1 2.2 IT 2.3 2.4
3
3.1 DoC: Department of Commerce
3.2 GSA: General Services Administration
3.3 OMB: Office of Management and Budget
3.4 OPM: Office of Personnel Management
3.5 NIST: National Institute of Standards and Technology
2.5 Plan of Action and Milestones (POA&M); POA&M; POA&M
2.6 Program Review; Federal Information Security Management Act (FISMA): 1. 2. Office of Management and Budget (OMB) 3. 4. 5. 6.; IT; OMB; 1. IT 2. IT; NIST SP 800-26 [6]; IT; NIST SP 800-26; IT [4] [3]; OMB A-130; PDD-63; NIST SP 800-26; 2000; Table 2.7 (2000~2003)
Table 2.7: 2000~2003
Columns: 2003 score, 2003 grade; 2002 score, 2002 grade; 2001 score, 2001 grade; 2000 score, 2000 grade (row labels not recoverable; * and - mark cells without a grade)
40 F 36 F 31 F 56 F 70.5 C- 52 F 22 F 72 C- 72.5 C- 68 D+ 51 F 72 C- * 65.5 D 38 F 40 F 69 D+ 77 C+ 66 D 33 F 75 C 59.5 F 41 F 51 F 74.5 C 63 D- 69 D+ 64 D 65 D 64 D 66 D 61 D- 54 F 61 D- 43 F 58 F 34 F - - - - - - 40 F 48 F 66 D 73 C- 43 F 37 F 48 F 17 F 55.5 F 56 F 50 F 52 F 86.5 B 79 C+ 56 F 38 F 60.5 D- 68 D+ 70 C- 60 D- 94.5 A 74 C 34 F 90.5 A- 63 D- 87 B+ 80 B- 61.5 D- 52 F 39 F 59 F 71 C- 48 F 48 F 55 F 88 B+ 82 B- 79 C+ 86 B 39.5 F 54 F 69 D+ 75 C 69 D+ 28 F 48 F * 64 D 48 F 54 F 65 D * 76.5 C 50 F 44 F 65 D 65 D 55 F 53 F D-
Notes:
1. Office of Management and Budget (OMB)
2.
3. OMB (100): OMB 0~29%, 30%~44%, 45%~59%, 90%~100%
4. Grade scale: 4.1 A = 90~100 4.2 B = 80~89 4.3 C = 70~79 4.4 D = 60~69 4.5 F = 0~59
5. 5.1 Clinger-Cohen Act, Public Law 104-106, August 1996 5.2 Government Information Security Reform Act, 2000 5.3 OMB Circular A-130, November 30, 2000 5.4 Federal Information Security Management Act, Public Law 107-347 (Title III), December 2002 5.5 OMB M-03-19, August 2003
6
OMB; Figure 2.1 [3]; IT; Token; IT
Figure 2.1 [3]: IT products; Protection Profiles (PPs); Common Criteria (CC); NIAP CCEVS; NIST CMVP; FIPS 140-2; IT. Source: Katzke, S. (2003) Protecting Federal Information Systems and Networks, presentation at the 4th International Common Criteria Conference, Sept. 7~9, 2003, Stockholm, Sweden.
2.1
IT [10]; OMB A-130; OMB A-130; 1987; September 2002; IT; OMB A-130; NIST SP 800-18 [10]; IT; SP 800-30 [11]; IT; 2002; IT
IT; NIST, October 2002 [12~14]: 1. 2. IT 3.; C&A: 1. IT 2. IT 3. IT 4. 5. IT; NIST SP 800-37; IT; IA-CMM [8]; C&A [3]; IT; NIST SP 800-37 C&A; IT C&A; C&A; NIST FIPS 102, September 1983; IT System Development Life Cycle (SDLC): 1. 2. 3. 4. 5.; NIST SP 800-37 C&A; IT C&A; C&A; IT; Commercial off-the-shelf (COTS); Web; IT C&A; IT; ISO/IEC 15408
FIPS 140-2; C&A; 11; NIST http://csrc.nist.gov/cryptval; http://niap.nist.gov/cc-scheme; C&A; IT; C&A; IT; 1.2; 1993 Common Criteria; ISO; C&A; 3.6~3.8; 3.4; IT
Table: NIST SP 800-53; ISO/IEC 13335-1 (row entries not recoverable)
1. 2. 4. 5. 6. 7. 8. 9. 10. Flow Hypothesis 11.
3.10 ISO/IEC 2nd WD 19791:2003-12-31 ( ); System Security Target (SST)
Target of Evaluation (TOE); Protection Profile (PP); SST; SST; SST; C&A Outreach; Katzke, S., 4th International Common Criteria Conference, September 7~9, 2003 [14]; ISO/IEC 19791; C&A; 11; 3.1~3.3
3.1 C&A; Simple and Smart C&A; 4; 3.4; 3; ISO/IEC 19791 [14]
U.S. $1,000,000; U.S. $10,000,000; U.S. $10,000,000; C&A: 1. 2. 3.; 3; ISO; 2000; C&A 2005; C&A; IT C&A
4.1; Figure 4.1; C&A [1] [12]; C&A; ISO [2]; 4.1
1. NIST (2003) Standards for Security Categorization of Federal Information and Information Systems, FIPS PUB 199, NIST
2. ISO (2003) Text for ISO/IEC 2nd WD 19791, Information technology - Security techniques - Security assessment for operational systems, ISO/IEC JTC1/SC27 N 3801
3. OMB (2000) OMB Circular No. A-130, Appendix III, Revised, November 30, 2000
4. NIST (2000) Federal Information Technology Security Assessment Framework, November 28, 2000, NIST
5. OMB (2003) OMB M-03-19, August 6, 2003
6. Swanson, M. (2001) Security Self-Assessment Guide for Information Technology Systems, NIST Special Publication 800-26, NIST
7. The White House (1998) The Clinton Administration's Policy on Critical Infrastructure Protection: Presidential Decision Directive 63 (PDD-63), May 22, 1998
8. NSA (2003) INFOSEC Assurance Capability Maturity Model (IA-CMM), Version 3.0, October 2003, NSA
9. The White House (2002) Federal Information Security Management Act, December 17, 2002
10. Swanson, M. (1998) Guide for Developing Security Plans for Information Technology Systems, NIST Special Publication 800-18, December 1998, NIST
11. Stoneburner, G., A. Goguen and A. Feringa (2004) Risk Management Guide for Information Technology Systems (Draft), NIST Special Publication 800-30 Revision A, January 2004, NIST
12. Ross, R. and M. Swanson (2002) Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems (Initial Public Draft), NIST Special Publication 800-37, October 2002, NIST
13. CNSS (Committee on National Security Systems) (2003) NSTISSP (National Security Telecommunications and Information Systems Security Policy) No. 11, Revised Fact Sheet, July 2003
14. Katzke, S. (2003) Protecting Federal Information Systems and Networks, presentation at the 4th International Common Criteria Conference, September 7~9, 2003, Stockholm, Sweden
15. ISO (1999) Information technology - Security techniques - Evaluation criteria for IT security (all parts), ISO/IEC 15408
16. http://www.CommonCriteriaPortal.org (accessed 2004/04/02)
17. Booz Allen Hamilton (2002) Department of Defense Public Key Infrastructure and Key Management Infrastructure Token Protection Profile (Medium Robustness), NSA (National Security Agency)