Anonymous ID: fffd48 Nov. 21, 2020, 8:02 a.m. No.11725870   >>5907 >>5913 >>5929 >>6078 >>6193

What is NIAP? Think Mirror. National Information Assurance Partnership

Tech Anons, could use some help on this. This jumped out at me. Could this be significant regarding PAIN incoming?

Automating National Information Assurance Partnership Requirements Testing for Mobile Apps

Ensuring the security of mobile app software for use within the federal government no longer needs to be time consuming or expensive. Under a joint pilot program, the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and National Information Assurance Partnership (NIAP) within the National Security Agency (NSA) cybersecurity mission have demonstrated that the process can be automated.

Assessing whether mobile apps are compliant with a NIAP Protection Profile (PP) has traditionally been a long and costly process. By automating that process, S&T and NIAP offer agencies the ability to quickly, affordably, and reliably determine if their apps meet NIAP’s stringent security requirements.

This pilot testing report demonstrates that automated mobile app testing tools and methodologies are reliable and efficient.

https://www.dhs.gov/publication/st-automating-national-information-assurance-partnership-requirements-testing-mobile-apps

About NIAP

The National Information Assurance Partnership (NIAP) is responsible for U.S. implementation of the Common Criteria, including management of the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) validation body. NIAP manages a national program for developing Protection Profiles, evaluation methodologies, and policies that will ensure achievable, repeatable, and testable requirements. In partnership with NIST, NIAP also approves Common Criteria Testing Laboratories to conduct these security evaluations in private sector operations across the U.S.

NIAP takes a collaborative approach to technology-specific protection profile development by supporting the creation of international technical communities of representatives from industry, government, end users, and academia. This results in consistent evaluation methodologies across U.S. testing labs and among labs associated with international Common Criteria Recognition Arrangement schemes.

NIAP also works with NATO and international standards bodies (ISO) to share Common Criteria evaluation experiences and avoid duplication of effort. In the U.S., NIAP engages with other National Security Systems (NSS) users to ensure Protection Profiles, along with their associated DoD Annexes, provide a streamlined certification path for IA and IA-enabled COTS products employed with NSS.

https://www.niap-ccevs.org/

https://www.niap-ccevs.org/Product/index.cfm

https://csrc.nist.gov/glossary/term/National_Information_Assurance_Partnership

The Common Criteria Evaluation and Validation Scheme (CCEVS) is a United States Government program administered by the National Information Assurance Partnership (NIAP) to evaluate security functionality of an information technology with conformance to the Common Criteria international standard. The new standard uses Protection Profiles and the Common Criteria Standards to certify the product. This change happened in 2009. Their stated goal in making the change was to ensure achievable, repeatable and testable evaluations.

The CCEVS program is a partnership between the U.S. Government and industry to assist themselves and the consumers:

To meet the needs of government and industry for cost-effective evaluation of IT products

To encourage the formation of commercial security testing laboratories and the development of a private sector security testing industry

To ensure that security evaluations of IT products are performed to consistent standards

To improve the availability of evaluated IT products.

The scheme is intended to serve many communities of interest with very diverse roles and responsibilities. This community includes IT product developers, product vendors, value-added resellers, systems integrators, IT security researchers, acquisition/procurement authorities, consumers of IT products, auditors, and accreditors (individuals deciding the fitness for operation of those products within their respective organizations). Close cooperation between government and industry is paramount to the success of the scheme and the realization of its objectives.[1]

https://en.m.wikipedia.org/wiki/Common_Criteria_Evaluation_and_Validation_Scheme

Anonymous ID: fffd48 Nov. 21, 2020, 8:07 a.m. No.11725913

>>11725870

National Information Assurance Partnership (NIAP)

A U.S. Government initiative established to promote the use of evaluated information systems products and champion the development and use of national and international standards for information technology security. NIAP was originally established as collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under P.L. 100-235 (Computer Security Act of 1987). NIST officially withdrew from the partnership in 2007 but NSA continues to manage and operate the program. The key operational component of NIAP is the Common Criteria Evaluation and Validation Scheme (CCEVS) which is the only U.S. Government- sponsored and endorsed program for conducting internationally-recognized security evaluations of commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products. NIAP employs the CCEVS to provide government oversight or “validation” to U.S. Common Criteria (CC) evaluations to ensure correct conformance to the International Common Criteria for IT Security Evaluation (ISO/IEC 15408).

Source(s):

CNSSI 4009-2015

https://csrc.nist.gov/glossary/term/National_Information_Assurance_Partnership

Anonymous ID: fffd48 Nov. 21, 2020, 8:11 a.m. No.11725947   >>6061

CIA Awards Cloud Contract to Multiple Vendors

The Central Intelligence Agency (CIA) confirmed late Friday that it awarded the Intelligence Community (IC) Commercial Cloud Enterprise (C2E) Cloud Service Provider (CSP) contract to multiple vendors.

A spokesperson said the agency looks forward to “utilizing, alongside our IC colleagues, the expanded cloud capabilities resulting from this diversified partnership.”

The agency did not identify the winning vendors, but Nextgov, which first reported the news, said that the winning vendors include IBM, Amazon Web Services, Microsoft, Google, and Oracle. Various news reports in recent months have speculated that the contract is valued in the billions of dollars over its life, but a precise value has not been stated.

John Sherman, currently Principal Deputy CIO at the Defense Department (DoD), talked about the importance of the cloud contract earlier this year when he was Intelligence Community CIO.

“The importance of us in the IC moving to a multi-cloud enterprise cannot be overstated,” Sherman said in February, adding, “I’m very proud of where we’re heading on this.”

Sherman said C2E will provide a multi-cloud, multi-vendor environment, possible infrastructure on and off premises, and cloud services at all three security levels – unclassified, secret, and top secret.

https://www.meritalk.com/articles/cia-awards-cloud-contract-to-multiple-vendors/

Anonymous ID: fffd48 Nov. 21, 2020, 8:27 a.m. No.11726078   >>6193

>>11725929

>>11725870

Not sure, not a techie. Trying to put some pieces together…Voting apps, perhaps?

10 Mobile AppSec Predictions for 2020

Every year the NowSecure team makes predictions about developments in mobile application security that we expect to occur in the coming year. The importance of mobile appsec and privacy testing has grown this year and several of our 2019 predictions were right on the mark.

What will 2020 hold? Our leaders and researchers predict we’ll see an intensified focus on privacy, mobile DevSecOps gaining traction and ample activity around wearables and Internet of Things (IoT).

Given Google’s recent $2.1 billion acquisition of Fitbit, there’s no denying the popularity of wearable devices. Declining prices have made the technology more accessible to consumers and you can expect to see an onslaught of Android wearables in the coming years. All told, worldwide spending on wearable technology will reach $52 billion in spending in 2020, according to Gartner.

In the meantime, Internet of Things (IoT) is poised to cross the chasm into mainstream enterprise use. Roughly 25% of businesses use IoT technology today, according to McKinsey & Company, which forecasts surging uptake by 2023.

The downside of growth in connected wearable and IoT devices means they will present a more attractive target for attackers. You can expect breaches and vulnerabilities to get much worse before they get better because of a lack of focus on security and privacy for these mobile apps.

In positive developments, the California Consumer Privacy Act (CCPA) takes effect on Jan. 1 and will increasingly shift conversations about mobile app privacy to the forefront. According to the legislation, for-profit businesses that collect data about California residents must protect the personal information from unauthorized access, use or disclosure or face fines.

Here are some of the mobile application security trends and challenges that NowSecure experts anticipate we’ll see in 2020.

Peering into the Crystal Ball

“With the smartwatch segment showing strong growth throughout 2019 and Apple Watch still leading the industry, I’m expecting to see more iOS apps introduce Watch integrations in 2020. The question is whether security best practices in iOS development will carry over into watchOS apps — I predict that this will not be the case! It will be key for the AppSec community to surface and articulate the risks on smartwatch platforms as this trend continues.” — Dawn Isabel, Research Engineer

“IoT testing (smart home devices, home assistants, webcams, cars etc.) will gain a lot more traction. Automated mobile security companies will have to shift focus to other communication protocols such as Bluetooth, Zigbee and NFC.” — Rono Dasgupta, Research Engineer

“States are increasingly developing or releasing mobile apps for voting in elections. We saw the first allegation of an attempted hack of a mobile voting app in West Virginia. I predict we’ll see more widespread allegations of voter fraud via mobile apps in the coming election, along with more attempts by malicious actors to breach those systems.” — Jordan Thomas, Director of Customer Success

“The United States Census Bureau will use a (hopefully secure) mobile app to conduct the 2020 Census.” — Chris Cimaglia, Manager, Mobile DevSecOps Advocacy Team

“Having secure mobile applications will become a competitive advantage.” — Edward Nagai, Technical Account Manager

“Mobile-centric breaches will lead to four significant privacy fines for violating GDPR and CCPA.” — Brian C. Reed, NowSecure Chief Mobility Officer

“We will see an increased focus on protecting user privacy and ensuring user trust, primarily in financial services, healthcare and retail industries.” — Cory Thomas, Strategic Account Manager

“Interactive Application Security Testing (IAST) capabilities initially used for web apps will take hold in mobile app development shops. In addition, the separation between privacy and security will blur even more in 2020, prompting businesses to ask their AST providers for more comprehensive solutions.” — Warren Smith, Vice President of Products

“Another mobile OS will enter the arena next year.” — David Weinstein, Chief Technology Officer

“Deployment of automated mobile appsec testing in the DevOps toolchain will double in 2020.” — Brian C. Reed, NowSecure Chief Mobility Officer

https://www.nowsecure.com/blog/2019/12/18/10-mobile-appsec-predictions-for-2020/

Anonymous ID: fffd48 Nov. 21, 2020, 8:40 a.m. No.11726193

>>11725870

>>11725929

>>11726078

Public Comment on the 2005 Voluntary Voting System Guidelines from A Center for Correct, Usable, Reliable, Auditable & Transparent Elections (ACCURATE)

In practice, when data is corrupted, it may be impossible to discern whether the error was caused by a malicious act or malfunction. For example, malicious code inserted into a system could be capable of stealing an election by displaying a voter’s choice in an apparently “correct” manner, but recording the vote as other than the voter intended. A system bug could result in the same error, for example, where a bug caused a vote for one choice to be misinterpreted or misrecorded as a vote for a different choice. Each form of compromise must be analyzed and reduced so that security requirements and evaluation can be designed to test resilience against such attacks.

For security threat assessment, the burden of proof should be on the vendors. First, requirements for all voting systems need to be established. These requirements, most likely supplied by NIST or another independent entity that can assemble a representative group of experts, should specify the properties the system must provide, the threats it must tolerate, and the level of assurance required. Second, the requirements must provide a comprehensive list of attacks that any security analysis must address. Third, vendors must provide comprehensive evidence that their system is secure through evaluation performed by Independent Testing Authorities. Finally, this evidence needs to be made available to independent security experts and analysts for review.

One example of a scheme where the burden of proof is on the vendor to prove the system is secure, rather than on the evaluation lab to prove it insecure, is the Common Criteria Evaluation and Validation Scheme currently being developed by NIST and the National Security Agency (NSA) under the National Information Assurance Partnership (NIAP).[40] The Common Criteria scheme proposes to evaluate the security of a system on several axes representing performance criteria. However, in contrast to the Common Criteria model, vendors for voting systems should not be able to choose the evaluation lab, nor should evaluation labs be paid directly by vendors.[41] The voting standards-setting body, assisted by security experts, could set a requirement for a minimum rating for each axis (i.e., performance criterion) and vendors would be required to demonstrate that their system can meet at least that rating. If a vendor can show a superior rating on any axis for a system, that vendor’s system would be at a competitive advantage. Thus, such a rating system fosters innovation and provides incentives for vendors to improve various security features, rather than to simply achieve a “pass” rating.

[40] See The Common Criteria Evaluation and Validation Scheme at http://niap.nist.gov/cc-scheme/aboutus.html. See also Poorvi L. Vora, Benjamin Adida, Ren Bucholz, David Chaum, David L. Dill, David Jefferson, Douglas W. Jones, William Lattin, Aviel D. Rubin, Michael I. Shamos, and Moti Yung, Evaluation of Voting Systems, 47(11) COMM. OF THE ACM 144 (November, 2004).

[41] See The Common Criteria Evaluation and Validation Scheme, Frequently Asked Questions, at http://niap.nist.gov/cc-scheme/faqs.html#eval-product-faq (stating that vendors (“sponsors”) specify a security target and select a CCTL (Common Criteria Testing Laboratory)).

https://josephhall.org/papers/2005_vvsg_comment.pdf