When you walk into the National Cybersecurity Center of Excellence (NCCoE), you’re struck by the atmosphere of casual collaboration — open space, whiteboards and writable surfaces, and one big, round conference table. But the center has a serious mission.
Formed in 2012 by a partnership between the National Institute of Standards and Technology (NIST), the state of Maryland and Montgomery County, Md., the NCCoE brings together experts from industry, government and academia to advance cybersecurity through practical, standards-based solutions.
“We have a space that’s intended to be collaborative, with the idea that collaboration breeds innovation,” says Nate Lesser, deputy director for the NCCoE in Rockville, Md.
The Building Blocks of Cybersecurity
That collaborative innovation is already paying off. The NCCoE helped NIST develop the first version of its cybersecurity framework, which was released in February at the direction of President Obama. The framework offers guidance to private- and public-sector organizations on how to best protect information and assets.
Donna Dodson, acting director of the NCCoE and chief of the computer security division at NIST, likens the center’s work to that of architects. “If you think about building a home, there are good blueprints out there for building energy-efficient homes,” she says.
“When you think about the different sectors [that require cybersecurity], how do they get started? We’re really here to help build out the strong solutions they need to have in place.”
The NCCoE works on use cases, which are sector-specific IT security challenges, and building blocks, which address technology gaps affecting multiple sectors. It currently concentrates on the healthcare, financial services and energy industries, with plans to expand into transportation later this year, says Lesser.
The goal is to build modular, open, end-to-end reference designs that are broadly applicable and repeatable. Lesser explains that reference designs address the gap between standards and an actual solution using commercially available technology.
Who, What and Where
Take attribute-based access control, for instance — one of the building blocks the NCCoE has identified. It recently released a draft describing attribute-based access control for comment. “How do you connect through some exchange and validate both your identity and that you have the appropriate credentials?” Lesser says.
For example, a municipal utility company must verify if a line worker has a good safety record before putting him up in a truck. Say a snowstorm knocks out power for a municipal utility and unaffected utilities in the region dispatch line crews to aid in the restoration effort. Individual members of the line crews present credentials from their home utility, Utility B. Utilities A and B have both previously signed on with a third party to validate employee credentials.
The NCCoE access control building block describes the approach to address hypothetical scenarios and lists the components organizations need to solve the problem. In essence, it tells security professionals how to stitch everything together, says Lesser.
It Takes a Village to Build Security
The NCCoE needs partners to achieve its goals of providing practical cybersecurity, increasing the rate of adoption and speeding innovation. “It’s often been said that cybersecurity is a team sport, so we look to all the resources in the industry to help tackle those challenges,” says Lesser.
Major vendors such as Cisco Systems, HP, Intel, Juniper Networks, McAfee, Microsoft, Palo Alto Networks, RSA, Symantec and Tripwire, among others, provide equipment and expertise. The center uses Cisco telepresence equipment to connect remote workers and Cisco virtual private networking systems to access the center’s lab gear over the Internet.
“The beauty of this center is it allows industry to come in, work with each other and drive standards in cybersecurity,” says Dodson. The point is to assure that the systems manufacturers deliver tomorrow can be adopted in a way that benefits all industries.
The public/private partnership leans heavily on state and local government too. “Working both regionally and internationally is important for us all the time,” says Dodson, pointing to the rich IT security talent in Maryland. “NIST is just across the way, and there’s expertise at NIH and other federal agencies.”
NCCoE occupies a temporary, 7,000-square-foot office, but officials plan to move into a new facility by the summer of 2015. The federal government will pay $15 million, and the state of Maryland and Montgomery County will each kick in $4.5 million to retrofit a building that currently houses a biotech incubator. At 65,000 square feet, the new space will enable NCCoE to create jobs and spur business development.
For now, the center pursues its mission with 11 full-time workers and half a dozen contractors while collaborating with experts throughout NIST. Interns from the Wounded Warrior Cyber Combat Academy and local universities will soon join the center as well.
The security work the NCCoE does cuts across government and industry. In the end, it’s about “helping engineers at all these organizations figure out the easiest and least costly ways to improve security,” says Lesser.
The National Cybersecurity Center of Excellence has issued the following use cases for the energy, financial services and healthcare fields:
- Deploy comprehensive identity and access management.
- Create mechanisms to capture data in real time and near real time to provide situational awareness.
- Implement access rights management to centrally issue, validate and modify or revoke access rights for the enterprise.
- Combine physical and virtual assets to provide a picture of what, where and how assets are being used.
- Adopt secure electronic health record capabilities for mobile devices.