Today the National Institute of Standards and Technology
published a notice in the Federal Register (85
FR 17043-17045) on “National Cybersecurity Center of Excellence (NCCoE)
Validating the Integrity of Computing Devices Building Block”. NIST is inviting
organizations to provide products and technical expertise to support and
demonstrate security platforms for the Validating the Integrity of Computing
Devices project.
According to the Notice: “The objective of this project is to produce example
implementations to demonstrate how organizations can verify that the internal
components of their purchased computing devices are genuine and have not been
altered during the manufacturing and distribution process.” The components that
NCCoE intends to look at in this block include:
• Computing devices, including
laptops, servers, and mobile devices
• Configuration management software
○ vulnerability scanning
○ detection
○ patch management
○ version control
○ synchronization
○ firmware
• Asset inventory software
○ asset management
○ asset discovery
• Security information and event
management (SIEM)
○ event detection
○ log management
○ exfiltration activity
○ unauthorized activity
○ anomalous activity
• Certificate authority
Organizations wishing to participate will have to submit a
letter of intent describing how their products address one or more of the
following desired solution characteristics:
• Use verifiable and authentic
artifacts that manufacturers produce during the manufacturing and integration
process.
• Detect malicious component swaps
of the computing device.
• Manage the automation process
when accepting the delivery of a computing device and throughout the
operational lifecycle of the device.
• Inspect computing devices to
verify that the components in a delivered (or in-use) system computing device
match the attributes and measurements declared by the manufacturer.
A copy of a letter of intent template may be obtained by contacting Nakia
Grayson via email at supplychain-nccoe@nist.gov.
Commentary
While this is primarily an IT-related project at this point,
it seems clear to me that control system components potentially have the same
vulnerability to post design/manufacture modification that could compromise the
security of the system in which the compromised component resides. This will be
an interesting project to participate in and/or watch.