NSA’s Center for Cybersecurity Standards supports collaboration with industry to ensure U.S. Government cybersecurity requirements are included in the standards for a more secure future. These standards enable interoperable IT solutions and mitigate security challenges across networks.
As NSA relies increasingly on commercial products to secure National Security Systems* (i.e., systems that carry classified or otherwise sensitive information), we must find ways to partner with vendors to ensure security requirements are built into development processes. NSA has recognized that engagement with standards bodies is a highly effective mechanism not only to communicate requirements to all vendors in a given product segment, but also to ensure those requirements are met by most vendors.
NSA Cybersecurity Standards Engagements
While NSA works to track development across standards organizations, recent NSA cybersecurity standards engagements fall into the following broad areas:
NSA supports the Department of Defense effort to secure next generation mobile infrastructure through participation in the Third Generation Partnership Program (3GPP), the Alliance for Telecommunications Industry Solutions (ATIS), and the Institute of Electrical and Electronics Engineers (IEEE) LAN/MAN Standards Committee.
To protect DoD networks from attack, NSA Cybersecurity is standardizing the collection and sharing of information necessary to automate network risk assessment and response. This work takes place in cooperation with the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) in the Internet Engineering Task Force (IETF), the Trusted Computing Group (TCG), the International Organization of Standards/International Electrotechnical Committee (ISO/IEC), and the Organization for the Advancement of Structured Information Standards (OASIS).
Platform resilience standards address vulnerabilities and attacks that leverage weaknesses in platform update mechanisms. NSA Cybersecurity is working with the IETF and TCG to make sure that standards are in place to secure software and firmware update mechanisms, as well as collaborating with NIST to standardize commercial code signing systems.
NSA Cybersecurity needs a set of standardized commercial cryptographic primitives to support current requirements, as well as future environments and protection against emerging threats such as quantum computing. Cooperation with NIST is essential to that mission, as is participation in ISO/IEC, IEEE, IETF, and the American National Standards Institute (ANSI).
As part of our mission to protect NSS network communications, NSA Cybersecurity Solutions works with the IETF and ISO/IEC to ensure that a robust set of cryptographic protocols is available and incorporated into commercial products. We also work with 3GPP and ATIS to build security into 5G networks.
National Information Assurance Program (NIAP)
NIAP oversees the evaluation of commercial information technology (IT) products for use in National Security Systems (NSS). Visit NIAP to learn more.
*National Security Directive 42 designates NSA as the National Manager for National Security Systems (NSS) – information systems which require special protections, such as those used for intelligence activities or command and control of military forces. NSA’s role is to prescribe the appropriate protections for NSS. In support of that role, NSA works with industry to ensure that products are available to provide that protection.