Agency overview | |
---|---|
Formed | February 21, 2012 |
Headquarters | Rockville, Maryland United States |
Website | nccoe.nist.gov |
The National Cybersecurity Center of Excellence (NCCoE) is a US government organization that builds and publicly shares solutions to cybersecurity problems faced by U.S. businesses. [1] The center, located in Rockville, Maryland, was established in 2012 through a partnership with the National Institute of Standards and Technology (NIST), the state of Maryland, and Montgomery County. [2] The center is partnered with nearly 20 market-leading IT companies, which contribute hardware, software and expertise. [3] [4]
The NCCoE asks industry sector members about their cybersecurity problems, and then selects issues that affect an entire sector or reach across sectors. The center forms a team of people from cybersecurity technology companies, other federal agencies and academia to address each problem. [5] The teams work in the center's labs to build example solutions using commercially available, off-the-shelf products. For each example solution, the NCCoE publishes a practice guide, a collection of the materials and information needed to deploy the example solution, and makes it available to the general public. [5] The center's goal is to "accelerate the deployment and use of secure technologies" that can help businesses improve their defenses against cyber attacks.
The NCCoE is part of NIST, a non-regulatory federal agency within the U.S. Department of Commerce that develops measurement standards and conducts research in measurement science. According to the NIST website, [6] the Federal Information Security Management Act of 2002 (FISMA) "reaffirmed NIST's role of developing information security standards (Federal Information Processing Standards) and guidelines for non-national security federal information systems and assigned NIST some specific responsibilities, including the development of: Standards to be used by Federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels; Guidelines recommending the types of information and information systems to be included in each category; and Minimum information security requirements (management, operational and technical security controls) for information and information systems in each category." Many private sector organizations voluntarily adopt these standards, guidelines and security requirements. As a NIST center, the NCCoE is an applied space for the demonstration of standards-based approaches to cybersecurity.
President Barack Obama issued Executive Order 13636, [7] "Improving Critical Infrastructure Cybersecurity", in February 2013 tasking NIST to create a cybersecurity framework that helps organizations mitigate risks to the nation's essential systems such as power generation and distribution, the financial services sector, and transportation. NIST released the Framework for Improving Critical Infrastructure Cybersecurity [8] in February 2014, which "consists of standards, guidelines and practices to promote the protection of critical infrastructure." The NCCoE demonstrates how the framework can be implemented in real-world environments. [9] When an industrial sector approaches the center with a cybersecurity problem, the center maps the solution's hoped-for capabilities to the Cybersecurity Framework, as well as to other standards, controls and best practices.
The NCCoE's launch was formally announced on February 21, 2012, by U.S. Senator Barbara Mikulski (D-Md.), Maryland Lt. Governor Anthony Brown, Montgomery County Executive Isiah Leggett and Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher. NIST issued a press release the same day stating that the center was created to "work to strengthen U.S. economic growth by supporting automated and trustworthy e-government and e-commerce." The NCCoE will "host multi-institutional, collaborative efforts that build on expertise from industry and government", according to the press release.
In September 2014, the National Institute of Standards and Technology (NIST) awarded a contract to the MITRE Corporation to operate the Department of Commerce's first Federally Funded Research and Development Center (FFRDC), the National Cybersecurity FFRDC, which supports the NCCoE. According to the press release on the NIST website, [10] "this FFRDC is the first solely dedicated to enhancing the security of the nation's information systems." The press release states that the FFRDC will help the NCCoE "expand and accelerate its public-private collaborations" and focus on "boosting the security of U.S. information systems." "FFRDCs operate in the public interest and are required to be free from organizational conflicts of interest as well as bias toward any particular company, technology or product—key attributes given the NCCoE's collaborative nature…The first three task orders under the contract will allow the NCCoE to expand its efforts in developing use cases and building blocks and provide operations management and facilities planning."
The partners that founded the NCCoE are the National Institute of Standards and Technology (NIST), the state of Maryland and Montgomery County. This partnership was instrumental in establishing the center as a nationally recognized cybersecurity resource that has the potential to increase the number of local cybersecurity companies, local workforce development and provide local companies with exposure to NIST's expertise. [4]
National Cybersecurity Excellence Partners (NCEPs) offer technology companies the opportunity to develop long-term relationships with the NCCoE and NIST. As core partners, NCEPs can provide hardware, software, or personnel who collaborate with the NCCoE on current projects. [4]
Sector representatives approach the NCCoE on behalf of their industry to share business problems that can be solved through a cybersecurity solution. These representatives can also provide insight during the project build process and help validate the center's approach to developing an example solution. [11]
Members of government agencies and academic institutions can discuss their cybersecurity challenges with the NCCoE, provide insight and feedback on existing center projects, or collaborate with technology companies in the center's labs. [11]
Other users, such as businesses working to improve their cybersecurity, have the opportunity to test the NCCoE's example solutions, evaluate their effectiveness, and provide feedback. [11]
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical science laboratory programs that include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement. From 1901 to 1988, the agency was named the National Bureau of Standards.
The Mitre Corporation is an American not-for-profit organization with dual headquarters in Bedford, Massachusetts, and McLean, Virginia. It manages federally funded research and development centers (FFRDCs) supporting various U.S. government agencies in the aviation, defense, healthcare, homeland security, and cybersecurity fields, among others.
The National Cyber Security Division (NCSD) is a division of the Office of Cyber Security & Communications, within the United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. Formed from the Critical Infrastructure Assurance Office, the National Infrastructure Protection Center, the Federal Computer Incident Response Center, and the National Communications System, NCSD opened on June 6, 2003.
The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Information security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.
A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks like viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access and control system attacks. While cybersecurity regulations aim to minimize cyber risks and enhance protection, the uncertainty arising from frequent changes or new regulations can significantly impact organizational response strategies.
The Federal Office for Information Security is the German upper-level federal agency in charge of managing computer and communication security for the German government. Its areas of expertise and responsibility include the security of computer applications, critical infrastructure protection, Internet security, cryptography, counter eavesdropping, certification of security products and the accreditation of security test laboratories. It is located in Bonn and as of 2024 has about 1,700 employees. Its current president, since 1 July 2023, is former business executive Claudia Plattner, who took over the presidency from Arne Schönbohm.
Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.
NIST Special Publication 800-53 is an information security standard that provides a catalog of privacy and security controls for information systems. Originally intended for U.S. federal agencies except those related to national security, since the 5th revision it is a standard for general usage. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost effective programs to protect their information and information systems.
Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). SIEM is typically the core component of any security operations center (SOC), which is the centralized response team addressing security issues within an organization.
The Risk Management Framework (RMF) is a United States federal government guideline, standard and process for risk management to help secure information systems developed by National Institute of Standards and Technology (NIST). The RMF, illustrated in the diagram to the right, provides a disciplined and structured process that integrates information security, privacy and risk management activities into the system development life cycle.
Control system security, or industrial control system (ICS) cybersecurity, is the prevention of interference with the proper operation of industrial automation and control systems. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents. The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.
The National Cybersecurity and Critical Infrastructure Protection Act of 2013 is a bill that would amend the Homeland Security Act of 2002 to require the Secretary of the Department of Homeland Security (DHS) to conduct cybersecurity activities on behalf of the federal government and would codify the role of DHS in preventing and responding to cybersecurity incidents involving the Information Technology (IT) systems of federal civilian agencies and critical infrastructure in the United States.
The National Cybersecurity FFRDC (NCF) is a federally funded research and development center (FFRDC) operated by MITRE Corporation. It supports the U.S. National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE). NCF is the first and, as of March 2017, only federally funded research and development center dedicated solely to cybersecurity. The NCF is located at 9700 Great Seneca Hwy in Rockville, Maryland.
NIST Cybersecurity Framework (CSF) is a set of guidelines for mitigating organizational cybersecurity risks, published by the US National Institute of Standards and Technology (NIST) based on existing standards, guidelines, and practices. The framework "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes", in addition to guidance on the protection of privacy and civil liberties in a cybersecurity context. It has been translated to many languages, and is used by several governments and a wide range of businesses and organizations.
The Center for Internet Security (CIS) is a US 501(c)(3) nonprofit organization, formed in October 2000. Its mission statement professes that the function of CIS is to " help people, businesses, and governments protect themselves against pervasive cyber threats."
Suzette Kuhlow Kent is an American government official who served as Federal Chief Information Officer of the United States from January 29, 2018 until July 2020. She was the fourth person to formally hold the job of Federal CIO, which was created by the E-Government Act of 2002. The Federal CIO's office is a part of the Office of Management and Budget (OMB).
This is a list of cybersecurity information technology. Cybersecurity is security as it is applied to information technology. This includes all technology that stores, manipulates, or moves data, such as computers, data networks, and all devices connected to or included in networks, such as routers and switches. All information technology devices and facilities need to be secured against intrusion, unauthorized use, and vandalism. Additionally, the users of information technology should be protected from theft of assets, extortion, identity theft, loss of privacy and confidentiality of personal information, malicious mischief, damage to equipment, business process compromise, and the general activity of cybercriminals. The public should be protected against acts of cyberterrorism, such as the compromise or loss of the electric power grid.
Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.
The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework and assessor certification program designed to increase the trust in measures of compliance to a variety of standards published by the National Institute of Standards and Technology.