funsec mailing list archives

standards for security in software


From: "Larry Seltzer" <larry () larryseltzer com>
Date: Tue, 7 Apr 2009 21:39:12 -0400

Below is the section of S.773 mandating that NIST establish "measurable
and auditable cybersecurity standards" for systems and networks. 

Do standards along these lines exist already? I guess I'd be surprised
if nothing like this exists, but the only ones I'm aware of don't have a
lot of real world-relevance, like C1 and B certifiability. 

Some of it is already in place or at least being worked on, like the
standard configurations (see
http://www.eweek.com/c/a/Security/Standardizing-the-Federal-Desktop/) or
the vulnerability specification stuff. 

Do others think the other elements and the big picture of this is
practical?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com

SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.

(a) IN GENERAL. Within 1 year after the date of enactment of this Act,
the National Institute of Standards and Technology shall establish
measurable and auditable cybersecurity standards for all Federal
government, government contractor, or grantee critical infrastructure
information systems and networks in the following areas:

    (1) CYBERSECURITY METRICS RESEARCH. The Director of the National
    Institute of Standards shall establish a research program to develop
    cybersecurity metrics and benchmarks that can assess the economic
    impact of cybersecurity. These metrics should measure risk reduction
    and the cost of defense. The research shall include the development
    of automated tools to assess vulnerability and compliance.

    (2) SECURITY CONTROLS. The Institute shall establish standards for
    continuously measuring the effectiveness of a prioritized set of
    security controls that are known to block or mitigate known attacks.

    (3) SOFTWARE SECURITY. The Institute shall establish standards for
    measuring software security using a prioritized list of software
    weaknesses known to lead to exploited and exploitable
    vulnerabilities. The Institute will also establish a separate set of
    such standards for measuring security in embedded software such as
    that found in industrial control systems.

    (4) SOFTWARE CONFIGURATION SPECIFICATION LANGUAGE. The Institute
    shall establish a standard computer-readable language for completely
    specifying the configuration of software on computer systems widely
    used in the Federal government, by government contractors and
    grantees, and in private sector owned critical infrastructure
    information systems and networks.

    (5) STANDARD SOFTWARE CONFIGURATION. The Institute shall establish
    standard configurations consisting of security settings for operating
    system software and software utilities widely used in the Federal
    government, by government contractors and grantees, and in private
    sector owned critical infrastructure information systems and
    networks.

    (6) VULNERABILITY SPECIFICATION LANGUAGE. The Institute shall
    establish a standard computer-readable language for specifying
    vulnerabilities in software to enable software vendors to communicate
    vulnerability data to software users in real time.

    (7) NATIONAL COMPLIANCE STANDARDS FOR ALL SOFTWARE.

        (A) PROTOCOL. The Institute shall establish a standard testing
        and accreditation protocol for software built by or for the
        Federal government, its contractors, and grantees, and private
        sector owned critical infrastructure information systems and
        networks, to ensure that it

            (i) meets the software security standards of paragraph (2);
            and

            (ii) does not require or cause any changes to be made in the
            standard configurations described in paragraph (4).

        (B) COMPLIANCE. The Institute shall develop a process or
        procedure to verify that

            (i) software development organizations comply with the
            protocol established under subparagraph (A) during the
            software development process; and

            (ii) testing results showing evidence of adequate testing and
            defect reduction are provided to the Federal government prior
            to deployment of software.

(b) CRITERIA FOR STANDARDS. Notwithstanding any other provision of law
(including any Executive Order), rule, regulation, or guideline, in
establishing standards under this section, the Institute shall disregard
the designation of an information system or network as a national
security system or on the basis of presence of classified or
confidential information, and shall establish standards based on risk
profiles.

(c) INTERNATIONAL STANDARDS. The Director, through the Institute and in
coordination with appropriate Federal agencies, shall be responsible for
United States representation in all international standards development
related to cybersecurity, and shall develop and implement a strategy to
optimize the United States' position with respect to international
cybersecurity standards.

(d) COMPLIANCE ENFORCEMENT. The Director shall

    (1) enforce compliance with the standards developed by the Institute
    under this section by software manufacturers, distributors, and
    vendors; and

    (2) require each Federal agency, and each operator of an information
    system or network designated by the President as a critical
    infrastructure information system or network, periodically to
    demonstrate compliance with the standards established under this
    section.

(e) FCC NATIONAL BROADBAND PLAN. In developing the national broadband
plan pursuant to section 6001(k) of the American Recovery and
Reinvestment Act of 2009, the Federal Communications Commission shall
report on the most effective and efficient means to ensure the
cybersecurity of commercial broadband networks, including consideration
of consumer education and outreach programs.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.