Page 35 - GCN, Oct/Nov 2017

have been responding to the aftermaths of hurricanes Harvey, Irma and Maria.
“The cost to implement PIV-D is estimated to be $2.39 million,” Gardner said. “However, PIV-D has yielded cost avoidances by allowing us to standardize on authentication for each of our users.” As a result, he expects to see a 50 percent return on investment over two years.
Finalist
A better way to build on the NIST framework
Baseline Tailor
National Institute of Standards and Technology, Department of Commerce
Joshua Lubell, a computer scientist at the National Institute of Standards and Technology, was getting tired of toggling back and forth between the agency’s Cybersecurity Framework and Special Publication 800-53 as he worked on the Cybersecurity for Smart Manufacturing Systems project. To make applying the technical documents easier, he created Baseline Tailor, an application that lets users reference the framework to determine the security posture and then tailor a subset of the SP 800-53 security controls to make that desire a reality.
“The Cybersecurity Framework has this top-down organization where there are these five principal cybersecurity activities and then outcomes based on those activities and then sub-outcomes based on those outcomes,” Lubell said.
“And then at the bottom of the hierarchy are these pointers to other sources of guidance, one of which is the 800-53 security control catalog.”
He added that “what we needed to do was relate that top-down hierarchy with the more bottom-up organization of 800-53, which has this comprehensive catalog of security controls. There are hundreds of them, and each control can be tailored according to a methodology that’s spelled out in 800-53.”
Baseline Tailor users start by clicking on the Cyber Framework tab in the graphical user interface and choosing a function and its subcategories. That process reveals the related SP 800-53 security controls. To tailor them, users click the needle and thread icon, which brings up the Security Control Editor tab. From there, users can set the baseline impact of the control at low, moderate or high.
“Then it builds this XML representation for you, and then you can take that XML representation and use it elsewhere,” Lubell said.
Other agencies are taking note. NASA is using the tool for its Space Apps Challenge, and more are likely to follow suit now that President Donald Trump’s cybersecurity executive order mandates that federal civilian agencies use the framework in conjunction with SP 800-53.
“I would expect that at least some people are going to want to use Baseline Tailor to do this,” Lubell said.
Finalist
Real-time protection against malicious mobile traffic
APE: Novel Intrusion Prevention for Android
Department of Homeland Security