On Tue, Oct 28, 2008 at 3:52 PM, <
Kevin.Harnett@xxxxxxx> wrote:
Jack/Stuart
Any status and plans on P1700? If there is a meeting, please let u know.
Kevin Harnett
US Department of Transportation/Volpe Center
Cyber Security Project Manager
617-699-7086 (cell)
617-494-2604 (work)
617-494-2902 (fax)
________________________________
From: Stuart Katzke [mailto:
skatzke@xxxxxxxx]
Sent: Wednesday, September 24, 2008 10:20 AM
To: Harnett, Kevin F <VOLPE>;
stuart.katzke@xxxxxxxx;
rross@xxxxxxxx;
jack.cole@xxxxxxxx
Cc: Rakauskas, Vince (CSC) <VOLPE>;
raymond.w.decerchio@xxxxxxx;
wbarker@xxxxxxxx;
donna.dodson@xxxxxxxx;
keith.stouffer@xxxxxxxx; Gallagher, Alan (CSC) <VOLPE>;
ankrums@xxxxxxxxx
Subject: RE: IEEE P1700 International Harmonization
Kevin
My guess would be a decision to move forward with a plan sometime in Oct 2008--although it may take a little longer if we get into extended discussions on the relationship and impact of the government convergence and ISO harmonization efforts on P1700.
We'll keep you informed of our progress.
Stu
Stuart Katzke, Ph.D.
Guest Researcher
National Institute of Standards and Technology
100 Bureau Drive; MS 8930
Gaithersburg, MD 20899
(301) 975-4768
skatzke@xxxxxxxx
________________________________
From:
Kevin.Harnett@xxxxxxx [mailto:
Kevin.Harnett@xxxxxxx]
Sent: Tuesday, September 23, 2008 8:26 PM
To:
skatzke@xxxxxxxx;
stuart.katzke@xxxxxxxx;
rross@xxxxxxxx;
jack.cole@xxxxxxxx
Cc:
rakauskas@xxxxxxxxxxx;
raymond.w.decerchio@xxxxxxx;
wbarker@xxxxxxxx;
donna.dodson@xxxxxxxx;
keith.stouffer@xxxxxxxx;
Alan.Gallagher@xxxxxxxxxx;
ankrums@xxxxxxxxx
Subject: RE: IEEE P1700 International Harmonization
Stu, What timeframe do you expect to the P1700 issue with a plan forward?
Ray, At some point, I suggest that we have NIST back in to talk to SC-216 about the international harmonization and ISO 27001 ISMS standard issues effect 216.
Kevin Harnett
US Department of Transportation/Volpe Center
Cyber Security Project Manager
617-699-7086 (cell)
617-494-2604 (work)
617-494-2902 (fax)
________________________________
From: Stuart Katzke [mailto:
skatzke@xxxxxxxx]
Sent: Tuesday, September 23, 2008 3:05 PM
To: Harnett, Kevin F <VOLPE>;
stuart.katzke@xxxxxxxx;
rross@xxxxxxxx;
jack.cole@xxxxxxxx
Cc: Rakauskas, Vince (CSC) <VOLPE>;
raymond.w.decerchio@xxxxxxx;
wbarker@xxxxxxxx;
donna.dodson@xxxxxxxx;
keith.stouffer@xxxxxxxx; Gallagher, Alan (CSC) <VOLPE>;
ankrums@xxxxxxxxx
Subject: RE: IEEE P1700 International Harmonization
Kevin
Jack Cole (P1700 Chair), Scott Ankrum (P1700 Co-chair), and I are struggling with this issue right now-how to restart the P1700 effort and catch up with progress (and changes) that have occurred since P1700 went dormant last year. The recent DoD/Intelligence/Civil convergence, including the new joint version of 800-37 guidance and our efforts to harmonize our Risk Management Framework & related NIST standards and guidelines with the ISO 27001 Information Security Management System standard are both significant factors in any decision we make on how to move forward. I think the first step will be to look at the last draft of P1700 to determine how much of it needs to be updated based on recent (and planned) revisions to the related NIST documents (e.g., 800-39, 800-37).
With regard to your comment on needing international standards, I think very soon we will be able to demonstrate how an organization could meet the requirements of the ISO 27001 Information Security Management System standard using (i.e., implementing) the NIST risk management framework and related standards and guidelines. If/when we can demonstrate that, your "international standards" problem may be alleviated since organizations that comply with NIST standards (i.e., all the information systems within that organization meet NIST standards) will also comply with the international ISO 27001 ISMS standard.
However, I am still a bit fuzzy about what that means at the on-board flight software systems level. I think we need more discussion on this aspect of the problem.
That's about all I know right now--more when we know more.
Take care
Stu
Stuart Katzke, Ph.D.
Guest Researcher
National Institute of Standards and Technology
100 Bureau Drive; MS 8930
Gaithersburg, MD 20899
(301) 975-4768
skatzke@xxxxxxxx
________________________________
From:
Kevin.Harnett@xxxxxxx [mailto:
Kevin.Harnett@xxxxxxx]
Sent: Monday, September 22, 2008 2:45 PM
To:
stuart.katzke@xxxxxxxx;
rross@xxxxxxxx;
jack.cole@xxxxxxxx
Cc:
rakauskas@xxxxxxxxxxx;
raymond.w.decerchio@xxxxxxx;
wbarker@xxxxxxxx;
donna.dodson@xxxxxxxx;
keith.stouffer@xxxxxxxx;
Alan.Gallagher@xxxxxxxxxx
Subject: IEEE P1700 International Harmonization
Stu/Jack
Any update on P1700? I was wondering if this gets rolled into the new DoD/Intelligence/Civil NIST 800-37 guidance?
There are issues with our FAA airborne network security standards which need to be international.
Kevin Harnett
US Department of Transportation/Volpe Center
Cyber Security Project Manager
617-699-7086 (cell)
617-494-2604 (work)
617-494-2902 (fax)
________________________________
From: Stu Katzke [mailto:
skatzke@xxxxxxxx]
Sent: Wednesday, November 21, 2007 2:26 PM
To: Harnett, Kevin F; 'Ron Ross';
stuart.katzke@xxxxxxxx
Cc: Rakauskas (CSC);
dianne.moen.ctr@xxxxxxxxxxxxxxx; 'Harold E. Moses';
raymond.w.decerchio@xxxxxxx; cole, john; barker, curtis; dodson donna; stouffer, keith (stouffer, keith)
Subject: RE: New Special Committee - 216 - Aeronautical Systems Security
Kevin
My responses below
Stu
Stuart W. Katzke, Ph.D.
Senior Research Scientist
National Institute of Standards and Technology
100 Bureau Drive; Stop 8930
Gaithersburg, MD 20899
skatzke@xxxxxxxx
(301) 975-4768
(301) 975-4964 (FAX)
-----Original Message-----
From: Harnett, Kevin F [mailto:
Kevin.F.Harnett@xxxxxxxxxxxxx]
Sent: Wednesday, November 21, 2007 12:01 PM
To: Ron Ross;
stuart.katzke@xxxxxxxx
Cc: Rakauskas (CSC);
dianne.moen.ctr@xxxxxxxxxxxxxxx; Harold E. Moses;
raymond.w.decerchio@xxxxxxx
Subject: RE: New Special Committee - 216 - Aeronautical Systems Security
Ron/Stu,
1) I am interested in IEEE P1700 reference in this article.
http://www.computer.org/portal/site/computer/menuitem.5d61c1d591162e4b0ef1bd108bcd45f3/index.jsp?&pName=computer_level1_article&TheCat=1060&path=computer/homepage/Aug07&file=security.xml&xsl=article.xsl&
- What is the status of this?
[Stu Katzke] The normative section of draft standard is completed but needs to be reformatted so it meets IEEE requirements. Both Jack Cole (the P1700 working group chair) and I (the document editor) have been too busy doing other things to get back to the formatting. Consequently, it has not moved forward as a working group draft for balloting. Both Jack & I hope to make this a high priority early next calendar year.
The P1700 website is:
http://issaa.org/
2) FAA wants me to work with NIST on leveraging what NIST work with other federal agencies (e.g. Defense Industrial Base-USAF, SCADA, etc). Please have someone contact me on this issue
[Stu Katzke] I'll contact you next week via email to discuss how we can help. I understand we (Keith Stouffer and I) will be addressing your committee during the next meeting via a telecon link (Dec 12th I think). We will address why we think your committee should seriously consider adopting NIST's Risk Management Framework and associated security standards and guideline for your aeronautical information systems.
FYI-The link below will take you to a recently posted Revision 2 to SP 800-53 which is intended for use in real-time control systems. You might like to take a look at this guidance document to see how we have extended the applicability of SP 800-53 to industrial control systems.
http://csrc.nist.gov/publications/drafts/sp800-53-rev2/Draft_800-53-rev2-AppendixI_fpd-clean.pdf
and
http://csrc.nist.gov/publications/PubsDrafts.html#800-53_Rev2
Stu
I will be on business travel in Germany next week but reachable via email.
Kevin Harnett
US DOT/Volpe Center
617 699 7086
________________________________
From: Harnett, Kevin F
Sent: Monday, November 05, 2007 1:18 PM
To: 'Ron Ross';
stuart.katzke@xxxxxxxx
Cc: 'Rakauskas (CSC)';
dianne.moen.ctr@xxxxxxxxxxxxxxx; 'Harold E. Moses';
raymond.w.decerchio@xxxxxxx
Subject: RE: New Special Committee - 216 - Aeronautical Systems Security
Stu, FAA and Volpe would like to know if NIST RMF standards (800-30, 53A, etc) have been used or plan to be in for mission critical "safety" environments (e.g. SCADA)?
Kevin
________________________________
From: Ron Ross [mailto:
rross@xxxxxxxx]
Sent: Saturday, October 20, 2007 10:22 PM
To: Harnett, Kevin F;
stuart.katzke@xxxxxxxx
Cc: Rakauskas (CSC);
dianne.moen.ctr@xxxxxxxxxxxxxxx; 'Harold E. Moses';
raymond.w.decerchio@xxxxxxx
Subject: RE: New Special Committee - 216 - Aeronautical Systems Security
Kevin,
I am forwarding your note to Dr. Stu Katzke, a colleague of mine on the FISMA team. He has several contacts in the electric/power industry that have been applying the 800-53 controls (e.g., Bonneville Power, TVA, etc.). These might be of some help to you.
Regards,
Ron
________________________________
From: Harnett, Kevin F [mailto:
Kevin.F.Harnett@xxxxxxxxxxxxx]
Sent: Tuesday, October 16, 2007 9:33 AM
To:
rross@xxxxxxxx
Cc: Rakauskas (CSC);
dianne.moen.ctr@xxxxxxxxxxxxxxx; Harold E. Moses;
raymond.w.decerchio@xxxxxxx
Subject: RE: New Special Committee - 216 - Aeronautical Systems Security
Resending this message.. Ron's email was not right in the email that I copied it from...
________________________________
From: Harnett, Kevin F
Sent: Tuesday, October 16, 2007 9:30 AM
To: '
raymond.w.decerchio@xxxxxxx'; '
rross@xxxxxxxxx'
Cc: Rakauskas (CSC); '
dianne.moen.ctr@xxxxxxxxxxxxxxx'; 'Harold E. Moses'
Subject: RE: New Special Committee - 216 - Aeronautical Systems Security
Ron,
Nice to see you again.
I wanted to follow-up on a question........that I never got to ask you last week. I know you have worked closely with other critical infrastructures (e.g. SCADA) on the applying the FISMA process (FIPS 199, FIPS 200, and NIST 800-53, etc).... So my question, what other critical infrastructures have "tailored" (successfully) the NIST FISMA standards for their business areas? Now, I know the FAA/NAS side of the house has done some work in this area that I am sure you are aware of......but I am looking for contacts who have done it in other mission critical infrastructures. I think these lessons-learned would be helpful info for the RTCA SC-216 Aeronautical System Security who is attempting to apply the FISMA/NIST standards for our security requirements.
Kevin Harnett
DOT/Volpe Center
Cyber Security PM
617-699-7086
________________________________
From:
raymond.w.decerchio@xxxxxxx [mailto:
raymond.w.decerchio@xxxxxxx]
Sent: Friday, September 28, 2007 4:38 PM
To: Harnett, Kevin F
Subject: Fw: New Special Committee - 216 - Aeronautical Systems Security
fyi
----- Forwarded by Raymond W Decerchio/AWA/FAA on 09/28/2007 04:35 PM -----
"Stu Katzke" <
skatzke@xxxxxxxx>
09/27/2007 12:18 PM
Please respond to
<
stuart.katzke@xxxxxxxx>
To
Raymond W Decerchio/AWA/FAA@FAA
cc
<
rross@xxxxxxxxx>, "Abrams Marshall" <
abrams@xxxxxxxxx>, "stouffer, keith \(stouffer, keith\)" <
keith.stouffer@xxxxxxxx>
Subject
RE: New Special Committee - 216 - Aeronautical Systems Security
Ray
Ron is at a meeting this afternoon so I probably won't be able to talk to
him until tomorrow-I will get back to you as soon as I can.
I attached the article that was in the August edition of IEEE Computer
Magazine. The process that is described in the article (which is supported
by NIST standards & guidelines) can be used for any type of information
system, including the types of avionic systems we discussed in our phone
conversation. The article points out the flexibility that is built into our
risk management framework (RMF) and the standards & guidelines (S&Gs) we
developed to support the framework.
I recommend that the RTCA SC-216 adopt NIST's RMF, including the minimum
baseline security controls specified in SP 800-53 (appropriately
tailored/adjusted for the specific avionic environment you are concerned
about). Adopting the NIST RMF would then require that the security baseline
be supplemented (based on additional/traditional risk analysis) with
controls to handle any additional security-related and safety-related
concerns that must be addressed in your specific avionic environment.
In short, the NIST RMF is flexible enough to work for any information
system, including airborne/avionic systems.
In my brief look at the Terms of Reference, it seems to me that NIST's FIPS
200/SP 800-53 meet (at least partially) the requirements of the first
deliverable in Section 2 of the TOR (i.e., MASPS for Aeronautical Electronic
and Networked System Security) and SP 800-53A meets (at least partially) the
second deliverable in that same section (i.e., Security Assurance and
Assessment Processes and Methods....).
Finally, I believe FAA should argue that security controls required for
airborne/avionic information systems should be at least as strong as the
minimum security controls required for general information systems in the
federal government.
Stu
Stuart W. Katzke, Ph.D.
Senior Research Scientist
National Institute of Standards and Technology
100 Bureau Drive; Stop 8930
Gaithersburg, MD 20899
skatzke@xxxxxxxx
(301) 975-4768
(301) 975-4964 (FAX)
-----Original Message-----
From:
raymond.w.decerchio@xxxxxxx [mailto:
raymond.w.decerchio@xxxxxxx]
Sent: Thursday, September 27, 2007 11:09 AM
To:
skatzke@xxxxxxxx
Cc:
rross@xxxxxxxxx
Subject: New Special Committee - 216 - Aeronautical Systems Security
Stu,
I hope you and/or Ron can participate in our first meeting. Your presence
would help SC-216 start down the most fruitful path in developing
information system security standards, guidance, and
potentially rulemaking for type and airworthiness certification of civil
aircraft.
See invitation to SC-216 below.
If you would like give a presentation the agenda can be modified.
Please call if you have any questions at 202-267-3095.
Thanks Again,
Raymond DeCerchio, FAA Aircraft Certification
Dear RTCA Members, International Associates and Academic Associates:
RTCA announces the new Special Committee (SC) 216 - Aeronautical Systems
Security. Additional details are included in following four items:
1) A memo from Mr. David Watrous announcing SC-216.
2) The Agenda for the first Meeting scheduled for October 10 - 11,
2007 at RTCA.
3) The Terms of Reference for SC-216.
4) Registration Form
We appreciate your support for this new activity and look forward to
meeting you at the first meeting in October.
Best regards,
Harold Moses
Program Director - SC-216
RTCA, Inc.
(P) 202-833-9339