VISITING COMMITTEE ON ADVANCED TECHNOLOGY (VCAT)
MINUTES OF OCTOBER 14-15, 2009, MEETING
Ehrlich, Gail, Executive Director
NIST Leadership Board
Nam, Sae Woo
St. Pierre, Jim**
Thomas Donahue, National Security Council
Steven Lipner, Microsoft
*Attended part of the meeting via audio-teleconference.
**Attended part of the meeting via video-teleconference.
Note: Each of the presentations summarized below are available from the October 2009 meeting agenda on the VCAT website at http://www.nist.gov/director/vcat/agenda.htm.
Call to Order, Agenda Review, and Upcoming VCAT Elections
Dr. James Serum, VCAT Chair
Dr. Serum called the meeting to order at 8:28 a.m. and welcomed new VCAT member Tony Haymet, Director of the Scripps Institution of Oceanography. NIST Deputy Director Dr. Patrick Gallagher participated in this meeting by video teleconference from Gaithersburg, MD, because his Senate confirmation hearing as NIST Director was scheduled for October 15. The meeting agenda is consistent with the priorities of NIST and the VCAT, as it addresses the very important question of NIST’s role in documentary standards and how this role affects the laboratory programs. The focus of this meeting is cybersecurity standards.
Dr. Serum also reviewed the process for electing the new VCAT Chair and Vice Chair at the February 2, 2010 VCAT meeting. The members should submit their nominations to Gail Ehrlich via email by January 19, 2010. The candidates must be willing to serve and should be quite familiar with NIST and the VCAT operations.
For more details, see the presentation.
NIST Deputy Director’s Update
Dr. Patrick Gallagher, Deputy Director, NIST
Presentation Summary – Dr. Gallagher apologized for not being able to participate in the VCAT meeting in person in Boulder due to the timing of his Senate confirmation hearings. He also introduced new VCAT member Tony Haymet, who has a world-wide reputation for his work in marine and atmospheric science and is a leading voice in climate change discussions. Dr. Haymet’s unique perspective on partnerships also will be beneficial to the VCAT and NIST.
Dr. Gallagher provided an update on recent events of interest to the Committee as context for its Annual Report, including the President’s Innovation Strategy; developments at the Department of Commerce (DoC); NIST staff assignments, changes, and awards; safety; budget; construction projects; and planning and priorities. Items of note include:
• In September 2009, the President released his Innovation Strategy to drive sustainable growth and quality jobs. This strategy is illustrated by a three-tier pyramid in which NIST has roles embedded in each level. For example, NIST’s Technology Innovation Program (TIP) and NIST standards activities are essential in the second level to promote competitive markets that spur productive entrepreneurship.
• Dennis Hightower, who has a very strong business background, was confirmed as Deputy Secretary of Commerce on August 7, 2009.
• Secretary Locke announced President Obama’s intent to nominate Dr. Gallagher to be the 14th Director of NIST on September 10, 2009. (Subsequent to the VCAT meeting, the Senate confirmed Dr. Gallagher as the NIST Director on November 5, 2009.)
• Recent developments at DoC include the launch of Commerce Connect in which the NIST Manufacturing Extension Partnership (MEP) is playing a key role; the creation of the Office of Innovation and Entrepreneurship in which NIST is expected to be heavily involved; and the start of an internal review of department roles and responsibilities with regard to documentary standards and focused on strengthening federal coordination and international engagement.
• Once confirmed, Dr. Gallagher plans to formalize the NIST organization structure to strengthen the director’s office by having an executive management team of three who can help coordinate and amplify activities in NIST operations, the laboratory programs, and the extramural programs.
• Regarding safety, the Nuclear Regulatory Commission held a public meeting in the city of Boulder to provide a briefing on its draft inspection report of the June 2008 plutonium spill at NIST. Its findings closely mirror those of NIST and were positive about the NIST response in managing the clean-up. While describing the safety highlights in 2009 and the 2010 priorities, Dr. Gallagher emphasized that the responsibility for operating programs safely resides with the managers of the program.
• Dr. Gallagher is quite pleased with the level of strong support from the House and Senate for NIST’s FY 2010 budget request, particularly for MEP and the Technology Innovation Program (TIP).
• NIST met its FY 2009 target for obligating/awarding its Recovery Act funding, which placed an unprecedented demand on staff at all levels across the agency.
• The NIST Gaithersburg master site development plan submitted to the National Capital Parks and Planning Commission reflects the construction of unfunded as well as funded facilities. NIST is planning for a long-term renovation program to systematically modernize general purpose laboratories in both Gaithersburg and Boulder which has very strong support from the Administration and the Office of Management and Budget (OMB).
Dr. Gallagher also reviewed the role of the VCAT as the context for their focus on documentary standards and their comments on NIST’s programmatic planning process and three-year plan. The next step in the planning process is to start to define and improve NIST’s understanding of how its program priorities address the four strategic priorities provided in last year’s three-year programmatic plan. To that end, Dr. Gallagher described how NIST will improve the “moving parts” of the planning process, including the transition from budget initiative planning to program planning, holding workshops as a mechanism for external input and needs validation, and regularizing the planning process with a set of multi-year program planning documents that articulate the NIST role and how its programs interact with other players to be effective.
Lastly, Dr. Gallagher described NIST’s unique mission role in supporting the development of documentary standards and its impact on the agency by driving a whole set of activities. This role is very diverse and is increasing in some of the highest profile activities underway at NIST, including Smart Grid and Health IT. NIST is assigned this role due to its technical capabilities and experts that add value to the standards development process. Dr. Gallagher reviewed three key questions for the VCAT to continue to address regarding NIST’s role in documentary standards.
For more details, see Dr. Gallagher’s presentation.
• Regarding the Recovery Act funds, NIST is required to obligate the $360 million for both internal construction and external grants by the end of FY 2010. To date, Recovery Act funds in support of Smart Grid standards have been awarded to the Electric Power Research Institute and to EnerNex.
• At this time, the Boulder plans for providing the needed swing space during renovations are more advanced than Gaithersburg. NIST has initiated a contract to develop a plan for providing swing space and minimizing disruptions during the Gaithersburg renovations.
• The group discussed the need for NIST to engage in more effective marketing and a branding strategy. Dr. Gallagher agreed with these needs and emphasized the importance of NIST leadership’s involvement in meaningful engagements with other agencies to define and articulate the NIST role as done successfully with Smart Grid. NIST is also moving forward with these interactions in climate science as well and has assigned James Whetstone as the coordinator for NIST’s climate science programs with the responsibility for defining these relationships with other agencies. The VCAT Chair challenged NIST to define its program outcomes and then plan for the branding.
• The group noted the passive nature and ambiguity of the quote from NIST’s legislation which states its role in documentary standards. The government’s interest in standards is now much broader than acquisition. Thus, there is a large opportunity to help strengthen NIST’s federal coordination role to address standards challenges in national priority areas such as cybersecurity and healthcare IT. The importance of driving global standards that benefit U.S. industry was also discussed and recognized as an urgent and critical issue.
Overview of NIST Role in Cybersecurity
Cita Furlani, Director, Information Technology Laboratory (ITL), NIST
Presentation Summary – Ms. Furlani provided an overview of NIST’s role in cybersecurity. She described the need for cybersecurity standards and research, the national priorities and mandates related to cybersecurity, and examples of key stakeholders who explicitly work with NIST, including national and international standards bodies, industry organizations, and other Federal government agencies and organizations. The mandates recognize the value of NIST’s past and future contributions to meeting the needs of effective cybersecurity. NIST’s strengths include objectivity and neutrality, technical cybersecurity expertise, a long history of cooperation with U.S. industry in developing standards, collaborative access to international cybersecurity expertise, a national perspective, and its mandate to develop cybersecurity standards applicable to the Federal government. NIST is obligated by statute to develop standards and to coordinate with other agencies under Homeland Security Presidential Directive-12, the Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB) Circular A-130, and the Computer Security Act of 1987.
There are several ways in which NIST supports cybersecurity standards, including developing and revising standards, evaluating candidates for a standard, coordinating other standards efforts, establishing validation programs, providing guidance to agencies on how to use standards and standards-based technologies, and actively submitting NIST-developed standards to national and international standards organizations as the basis for harmonization of standards. Ms. Furlani briefly highlighted 15 specific areas covering a broad spectrum of cybersecurity research and standards efforts within ITL and across parts of NIST. As an example of ITL’s efforts in the usability of biometric systems, Ms. Furlani distributed a brochure on the NIST Mobile ID User Interaction Specification. NIST’s contributions to the Advanced Encryption Standard (AES), Domain Name System Security Extensions (DNSSEC), and multifactor authentication are success stories in which standards have helped to improve cybersecurity. Moving forward, NIST plans to continue its ongoing standards development efforts, provide technical leadership and coordination in support of standards efforts, establish validation programs, and perform R&D to create technical specifications for possible future adoption as standards.
Lastly, Ms. Furlani described the proposed reorganization and new name for ITL. The proposed restructuring would help the laboratory become more responsive and effective in addressing the many challenges and opportunities ahead.
For more details, see Ms. Furlani’s presentation.
• An international perspective as well as a national perspective on cybersecurity is important.
• NIST’s neutrality in standards is based on the agency’s technical expertise to balance the respective views of the participants without favoring one standard over another. The goal is to develop a neutral but effective standard.
• Under FISMA, NIST has the responsibility of developing standards and guidelines for all federal, non-national security information systems. NIST has been working collaboratively with the Department of Defense and the intelligence community on developing Special Publication 800-53 with recommended security controls for federal information systems and organizations.
• A VCAT member raised the issue of the need for a federal standard for voting systems that should be adopted by all of the states. Dr. Gallagher noted that NIST has an interesting role in working with the Election Assistance Commission on voting standards which provides a forum to discuss technology in the context of voting. On-line voting for access by voters overseas is another area that needs to be explored. NIST is hosting a two-day workshop which began yesterday to address some of the challenges involved with electronic voting from a research perspective and NIST has developed a white paper on the technology aspect of electronic voting.
• Several VCAT members encouraged NIST to pursue cybersecurity research in support of the financial industry. Ms. Furlani remarked that Donna Dodson, the Deputy Chief Cybersecurity Advisor in ITL, recently returned from meeting with banking officials from around the world to better understand how NIST should use its unique capabilities to engage with the financial community. Ms. Dodson’s subsequent presentation to the VCAT will cover some of ITL’s long-term work in support of the banking industry, such as the payment card industry that uses ITL’s vulnerabilities database to measure whether their transfers are safe.
• Ms. Furlani welcomed ideas about ITL’s proposed reorganization, which is still under consideration within ITL and has not yet been submitted to Dr. Gallagher. The proposal has been very visible publicly and was discussed at the recent Information Security and Privacy Advisory Board meeting. One of the VCAT members expressed concerns over the proposed title and also emphasized the need for a specific program focused on the development of methods, metrics, and standards for understanding the level of infection in the internet. ITL does have some work in that area. Dr. Gallagher remarked that it was absolutely essential to be able to meaningfully measure the level of attack and the risk environment for IT systems. Further discussion on the ITL reorganization proposal was deferred until the second day of the meeting.
Government Perspective on Issues and Challenges Associated with Cybersecurity
Dr. Thomas Donahue, Director, Cyber Policy, National Security Staff, National Security Council
Presentation Summary – Thomas Donahue of the White House National Security Staff provided a government perspective on cybersecurity. He noted that the Cyberspace Policy Review concluded that cybersecurity must be treated together with societal and economic goals rather than in isolation. He also emphasized the need to address privacy and civil liberties early in any effort. He noted that cyber threats target people, processes, information, and economic value, not just networks, and that attacks involve more than remote network intrusions. The greatest threat actor is one that understands the business process, not just networks. The most sophisticated threat can use a variety of methods and has the resources and organizational skills to carry out more complicated attacks. Adversaries also use technology across all their activities to be more productive and efficient. The economics of cyber activities indicate that low-level crime can take advantage of low risk and large numbers of easy victims to score a few but worthwhile successes. Nation states and criminal syndicates can accept high risk for much higher gain. Military operations are challenged by the need in some circumstances to have access to all targets at a particular time and thus may have to consider less demanding electronic warfare or special forces models. The defense faces high, fixed costs with considerable success but potentially very high loss for just a few failures. Supply chain risk poses a particular challenge. It mostly appears as a counterfeiting problem, yet we can envision much worse through deliberate subversion. With little experience, it is difficult to judge how to mitigate such risks, and any policy must be integrated with trade and industrial policy. The financial sector, under Basel III, has taken the important step of making cyber risk assessments part of overall operational business risk management, thus tying cyber decisions to business decisions.
More work is needed to understand the potential for and likelihood of losses in any risk assessment. We also need better tools and processes to visualize and understand what is happening in our infrastructures, both within the Federal government and more broadly. Toward that end, the Federal government, working with industry, is developing a National Cyber Incident Response Plan. The Cyberspace Policy Review also calls for the development of an overall strategy for cybersecurity and for the development of international norms. Finally, as the government goes forward, identity management concepts and infrastructure resilience in times of national emergency (particularly in future broadband networks) need to be addressed in new ways. We may also need to define new risk strategies that shift risk in a way that allows expertise to be brought to bear on implementation, rather than depending on everyone who uses a computer to be a cybersecurity expert.
• A VCAT member asked about available resources to help and guide a new industry entering the realm of identity management.
• Another VCAT member remarked that some of the worst cyber attacks are a consequence of mistakes that are made by the individuals who configure the systems.
An Industry Perspective on Cybersecurity
Steven B. Lipner, Senior Director of Security Engineering Strategy, Trustworthy Computing, Microsoft Corporation
Presentation Summary – Mr. Lipner began his presentation by providing a historical perspective on cybersecurity from 1975 to the present and stressed that cybersecurity is an evolving discipline with an evolving set of requirements that will be needed as long as we continue to build systems and software. In describing today’s landscape, including vulnerabilities arising from design and coding errors and the malicious software that exploits them, Mr. Lipner emphasized that the fundamental challenge of cybersecurity is that the defender must find every vulnerability in the software while the attacker need only find one. This was the fundamental challenge in the early 1970s and it still exists. Regarding the realities of cybersecurity, Mr. Lipner noted that security, unlike other aspects of science and engineering, is about attack and defense; security is “in the weeds” in that the details down to the lowest levels of implementation must be correct; and invention of new classes of attacks is fairly common. He also summarized three approaches to building more secure systems: secure by design, secure by default, and secure in deployment.
The second part of the presentation focused on NIST’s efforts in cybersecurity beginning in 1972 or earlier. NIST has always been the agency responsible for unclassified and civil government practices around cybersecurity and has always collaborated with industry. The Data Encryption Standard (DES), which served a long and useful lifetime, was NIST’s initial accomplishment in improving cybersecurity for the private sector and civil government. Mr. Lipner also noted that NIST’s contributions in cybersecurity, which are too numerous to list, have always been valued by vendors and the private sector, and that NIST often receives tasks from OMB and Congress without accompanying funds. Furthermore, NIST interacts with the broad set of players in the security research community and is well respected by this community for its theoretical research programs; security development processes, concepts, and metrics; guidance programs; and the hugely valuable National Vulnerability Database. Among the examples of NIST’s contributions, the agency ran the Advanced Encryption Standard (AES) open evaluation process, which was hugely beneficial to national security, civil government, and the private sector. Mr. Lipner offered his perspectives on NIST and cybersecurity and described why the computer security efforts at NIST are the healthiest in his experience from 1972 to the present. He indicated that the national security and NIST efforts in cybersecurity are working together effectively and productively.
In conclusion, Mr. Lipner proposed five recommendations: integrate the attacker perspective, tackle important hard problems, maintain robust links to the security community, seek real-world perspective and balance, and speak up when your voice is needed. In particular, he noted the huge importance of NIST becoming engaged again in the development of the Common Criteria and representing the industry perspective.
For more details, see Mr. Lipner’s presentation.
• The Federal Desktop Core Configuration (FDCC) released by NIST at the direction of OMB is a huge step in making operating systems more secure and a huge benefit to the country’s cybersecurity.
• A VCAT member suggested that NIST work jointly with industry to raise consumer awareness about the importance of downloading new security patches when released. Ms. Furlani noted that the top news on the DoC website includes a reference to NIST’s new guide and video to help small businesses understand how to provide basic security for their information, systems, and networks.
NIST Laboratory Research Program Contributions to Cybersecurity Standards
Donna Dodson, Deputy Chief Cybersecurity Advisor, ITL, NIST
Presentation Summary – Ms. Dodson expressed ITL’s appreciation for Dr. Gallagher’s interest in the Comprehensive National Cybersecurity Initiative, where much of this work revolves around research and the synergy between research and cybersecurity standards. She also reviewed ITL’s mission statement and emphasized how research has always been an integral part of its program by advancing science, informing its standards and metrics development activities, establishing new technologies, and creating opportunities. After briefly describing 14 areas in which NIST conducts cybersecurity research, Ms. Dodson noted that NIST’s cybersecurity standards activities cover technical leadership in Standards Development Organizations, NIST Federal Information Processing Standards (FIPS), and security guidelines and best practices, including a YouTube video to help small businesses which is available from DoC’s website.
The second half of the presentation focused on cryptography as a case study that demonstrates the cycle between NIST’s research and standards development activities for improving cybersecurity. This case study covered the DES, the AES, the Security Requirements for Cryptographic Modules (FIPS 140), and the Secure Hash Algorithm 3 (SHA-3) Competition now in progress. In summary, the NIST DES was the first unclassified, publicly disclosed algorithm standard for the protection of U.S. government sensitive unclassified information and became the world’s most widely used algorithm, particularly to protect financial information, for about 25 years. This standard generated open research and development in cryptanalysis, cryptographic testing, and key management. In recognition that the DES had a limited lifetime, NIST, through an open and transparent process, sponsored the first International Cryptographic Algorithm Design Competition and developed innovative design criteria, which resulted in the selection of the AES, adopted by several standards bodies and the IT vendor community. This competition was the first time that academia and government worked together to build a cryptographic algorithm that was the best of its breed. This competition generated new research in cryptanalysis, smarter tokens, and security hardware designs. In fact, NIST was the first organization to implement the NIST suite of cryptographic algorithm standards on a smart card. Through FIPS 140, NIST has been conducting research in pseudo-random number generators and automated tools for testing. In response to cryptanalytic attacks on several cryptographic hash algorithms, the cryptographic community encouraged NIST to sponsor a Cryptographic Hash Competition because of its independence and neutrality. NIST developed the design criteria for the new algorithm and selected 14 algorithms out of 60 entries to advance to the second round. Ms. Dodson noted that a number of algorithms submitted in the competition are based on a new sponge construction instead of the traditional block cipher (AES-style) mathematical underpinnings.
Lastly, Ms. Dodson described the success criteria for research and for standards. NIST has succeeded in research if it moves the state of the art forward; leads to more precise metrics or more cost-effective testing and validation; or contributes to development of successful new standards. From a standards perspective, NIST has succeeded if the products are widely available and adopted, support interoperability, and satisfy customer requirements for functionality, performance, and return on investment.
For more details, see Ms. Dodson’s presentation.
• U.S. industry is having difficulty competing in the smart card arena. Standards are needed for security and interoperability between the card interface, the reader interface, and the middleware interface. NIST is involved in this standards development activity.
Quantum Information Science (QIS): NIST’s Role and the National Agenda
Dr. Carl Williams, Chief, Atomic Physics Division, Physics Laboratory (PL), NIST
Presentation Summary – Dr. Williams is currently coordinating NIST’s QIS program as well as serving a part-time detail to the Office of Science and Technology Policy (OSTP) since March 2008 to coordinate the U.S. government program in QIS. As defined by Nobel Laureate William Phillips, quantum information is “a radical departure in information technology, more fundamentally different from current technology than the digital computer is from the abacus.” Dr. Williams elaborated on the origin and nature of QIS as a convergence of two of the 20th century’s great revolutions, quantum mechanics and information science, and noted that NIST should have a leading role in this new science for providing new technologies and capabilities.
The National Agenda for QIS began in the fall of 2007 when the OSTP Director and staff met with several agencies, followed by several meetings with NIST researchers William Phillips, David Wineland, and Carl Williams. In June 2008, the agency heads met with OSTP and decided to create a broad scientific agenda to build a foundation for future technologies based on QIS and to issue a vision document by the end of the Administration. To meet this goal, the National Science and Technology Council (NSTC), a policy arm of OSTP, established the Subcommittee on QIS (SQIS) in December 2008, which released “A Federal Vision for QIS” in January 2009. This report raised three high-level questions which address the true power of general purpose quantum computers, fundamental limits in controlling and manipulating quantum systems, and exotic new states of matter emerging from collective quantum systems. In response to this report, an SQIS workshop was held in January 2009. Dr. Williams read a quote from the workshop report which highlights how QIS is still in its infancy.
Turning to NIST’s QIS program, Dr. Williams summarized the origin of NIST’s involvement in QIS which began in 1992 with its core capabilities in manipulating quantum states of atoms to build atomic clocks. In 2000, NIST initiated a focused QIS program to demonstrate basic quantum logic operations in a number of technologies beyond atoms and ions. NIST’s efforts in basic fundamental qubit applications support other federal agencies, such as the National Security Agency and DARPA, and NIST interacts closely with these agencies in demonstrating core technologies and core capabilities. With researchers from the NIST Physics Laboratory (PL), the Information Technology Laboratory, and the Electronics and Electrical Engineering Laboratory (EEEL), NIST’s QI programs include computing with ion traps, computing with neutral atom lattices, computing with artificial atoms, quantum optical metrology, quantum communications and quantum information theory.
In describing QIS’ compelling implications for science and engineering, national security, and commerce, Dr. Williams remarked that an ultimate NIST core responsibility will be to replace public key algorithms with a new encryption algorithm that will be resistant to the quantum computer. He also summarized four very challenging issues associated with QIS and highlighted NIST’s unique role in the public key infrastructure, qubit control and manipulation, quantum based measurements, and exotic quantum states and emerging phenomena. Most of NIST’s efforts over the next two years will be focused on quantum based measurements because that is where the first niche markets will develop. In the area of quantum based measurements, NIST has existing efforts in quantum logic clocks and entanglement based clocks, and new thrusts in super resolution imaging, improved phase measurements, better optical detector calibration, absolute optical calibration based on photon counting, high speed low noise amplifiers, and low noise amplifiers. In summary, NIST, with its core laboratory R&D programs, is a world leader in QIS preparing for future measurement science needs and standards as well as exploring implications for next generation measurement.
For more details, see Dr. Williams’ presentation.
• A VCAT member remarked that not all algorithms done classically can necessarily benefit by running on a quantum computer. However, quantum computing is potentially very powerful because it provides dramatic speed ups with remarkable accuracy for certain problems. It is important to understand these applications.
• NIST may play a fundamental role in developing the protocol standards for a quantum computer but will not be the organization that will ultimately build the quantum computer. NIST is not justifying its QIS program on building a quantum computer; instead NIST will focus on the related core measurement issues.
• Another member expressed skepticism over the development of a quantum computer but noted that quantum information processing has a great potential in communications. The member also suggested that Dr. Williams be a little more cautious about his predictions.
• NIST collaborates in numerous ways with other QIS groups. For example, NIST attends meetings and conferences with all of the world class leaders, trades Post Docs and students from all other major ion trapping groups, and has very close collaborations with other forums, such as the Joint Quantum Institute, a partnership between NIST, the University of Maryland, and NSA’s Laboratory for Physical Sciences.
• NIST’s quantum resources, including other agency funding, total about $15 million per year and support between 70 and 80 individuals across NIST through three different laboratories and ten divisions in both Gaithersburg and Boulder.
• To stay competitive with the world’s economies, the U.S. needs a balanced investment strategy in Quantum Information to ensure that there are sufficient centers of excellence in this country which focus on the science as well as the technology. Although the U.S. has been largely responsible for developing the theorists, many of them have left the country for jobs elsewhere because there were no positions available for them in the United States. The U.S. investments have begun to increase over the last year and the current Administration is supporting core sciences, and, in particular, the physical sciences.
Quantum Mechanics in Measurement, Control and Computation
Dr. Emanuel “Manny” Knill, Mathematical and Computational Sciences Division, ITL, NIST
Presentation Summary – Dr. Knill provided a scientific talk on quantum information efforts at NIST. NIST research is focused on the understanding and control of quantum matter at large. The NIST QI efforts can be grouped into four research areas: research requiring quantum systems to develop and understand; research involving quantum control of one system; research using QI concepts for motivation or implementation; and research aiming for universal control of many systems. Many examples and accomplishments of NIST research in each of these areas were provided, along with the technical details. These include the use of Josephson junctions for waveform synthesis in extremely accurate and repeatable voltage sources, NIST development of the most effective photon counters in the world, NIST development of the quantum logic clock coupling aluminum ions to beryllium ions, and the use of qubits in superconducting circuits. NIST’s QI projects involve many collaborations with researchers in the United States and across the world.
For more details, see Dr. Knill’s presentation.
• It is important to share the QI research to help find an application sooner.
• NIST has several fulfilling collaborations with Sandia National Laboratories since their engineering labs offer technologies which complement the NIST science labs.
The VCAT members had the opportunity to engage directly with researchers during the following laboratory tours of selected projects at the Boulder campus.
Quantum-limited Metrology, Quantum-enhanced Clocks, and Steps towards Quantum Simulation
Dr. Till Rosenband, Ion Storage Group, Time and Frequency Division, PL, and Dr. Emanuel (Manny) Knill, Mathematical and Computational Sciences Division, ITL, NIST
This project is part of the NIST Quantum Information Program involving three laboratories at both the Boulder and Gaithersburg NIST campuses. The trapped ion quantum computing project is developing the components for a scalable quantum processor that could potentially lead to quantum computers vastly more powerful than today’s best supercomputers at tasks such as cryptographic analysis, data searching and correlation, and modeling complex systems.
Quantum Optical Metrology
Dr. Sae Woo Nam, Optoelectronics Division, EEEL
Quantum information science and technology is intimately related to making precision measurements. Researchers in EEEL, ITL, and PL have been working jointly on the generation, manipulation, and detection of different quantum states of light. This group has been using these tools not only for quantum information processing demonstrations such as quantum key distribution and quantum computing demonstrations, but also for characterizations of materials and devices at time scales and wavelengths not possible until this work at NIST.
Precision Measurement Laboratory (PML) Project: Safety Briefing and Tour
Bryan Faktor, Project Manager, Engineering Maintenance and Support Services Division, Office of the Chief Facilities Management Officer, NIST
The extension of Building 1 will bring NIST Boulder its new Precision Measurement Laboratory (PML), which will provide researchers with a high-performing building that will enable them to achieve better productivity and results. The building will include instrument laboratories, cleanrooms, a conference center, and offices. Researchers can expect temperature control at 70.7 degrees F ± 0.5 degrees F, tight humidity control (varying depending on location within the building), and 20 air changes per hour. The cleanroom will perform at class 100, with less critical areas within the cleanroom performing at class 1000 or class 10000. The first phase of the building structure is scheduled to be completed in April 2010, and the second phase, which includes the construction of the interior funded from the Recovery Act, is scheduled to be completed in the fall of 2011.
VCAT Feedback Session and Discussion
Summary - The VCAT Chair announced that the beginning of this session will be focused on reflecting on the presentations from the first day of the meeting with an opportunity to ask follow-up questions. The following topics were discussed:
• Meeting Format and Background Materials: The Chair and other members expressed the need to have had more time on yesterday’s agenda for more in-depth questioning and the need for background material in advance. Suggestions for improvement included shorter presentation times, longer meetings, advance distribution of the PowerPoint presentations with time on the agenda only for asking questions, advance reading materials with issues aimed at soliciting specific advice from the members, more follow-up on prior meeting topics, and fewer PowerPoint presentations on tours. The next VCAT Chair should follow up on changes to the meeting format, as necessary. NIST will work on improving the meeting format and background materials for the February meeting.
• Cybersecurity and Disaster Response: The presentations were missing information on NIST’s role in helping to prepare for a natural disaster response. A VCAT member remarked that this is an area where NIST should have a leadership role in standards for both the national and international arenas. Another member suggested that NIST could be very helpful in the cloud computing infrastructure for communications recovery.
- Dr. Williams remarked that the Department of Homeland Security (DHS) is leading the development of a National Cyber Incident Response Plan with input from all of the Federal agencies, which will include their roles and responsibilities. NIST is well represented at these meetings.
- Ms. Dodson noted that in the world of cybersecurity, NIST is always interested in confidentiality, integrity and availability of the information and the information systems. With that premise, NIST supports FISMA in terms of the risk management framework. Turning to lessons learned from Katrina, NIST is carrying out research and developing standards for ad hoc wireless networks and for identity management. In the area of cloud computing, NIST has produced a draft publication to address this new paradigm from a security perspective and will continue to work on this activity.
- Ms. Furlani indicated that the Building and Fire Research Laboratory at NIST also plays a role in critical infrastructure protection and works closely with ITL.
- Seamless and secure mobility is part of ITL’s cybersecurity research and standards activities that address ubiquitous connectivity for communications between emergency responder groups. ITL and the NIST Office of Law Enforcement Standards (OLES) are working together on the P25 standards.
- Ms. Dodson described how NIST’s research and standards activities are moved into an operational environment. In the area of seamless and secure mobility, NIST works closely with the DHS and the law enforcement community to understand and respond to their technical needs which drive the timeline.
- The VCAT Chair discussed the need for a high-level architecture map of cybersecurity by industrial segment which recognizes their unique requirements and encouraged NIST to be more proactive in taking a leadership role in this area. Ms. Furlani noted that some of ITL’s special publications address this need and agreed that NIST could be more proactive. Mr. Lipner commented on the differences between the fundamentals of cybersecurity and industry-unique requirements and noted that NIST recognizes these differences and does a good job of providing the common technologies. Ms. Dodson described how NIST provides a cybersecurity framework with minimum baseline requirements for federal agencies to tailor to meet their own needs and business processes. NIST issues FIPS which identify the essential controls and provides FIPS guidelines to agencies for selecting their appropriate set of controls for flexibility.
• Proposed ITL Reorganization: The group discussed the rationale for renaming ITL under the proposed reorganization. Ms. Furlani remarked that the current name was devised when the lab was formed in 1997 and covered systems deployment, which is no longer part of the lab. The proposed name will help the lab reposition itself by providing a better perception of its functions. Some of the members were opposed to the name change while others suggested options.
• Branding/Marketing of NIST Vulnerability Database and other Cybersecurity Activities: The VCAT Chair remarked that he just learned of the NIST Vulnerability Database (NVD) and asked about NIST’s outreach efforts in promoting this database and other cybersecurity documents.
- Ms. Dodson described the NVD as an extremely powerful tool used nationally and internationally. ITL views the NVD as a baseline to support its work in security automation tools.
- ITL dedicates a lot of time and effort to its outreach program and tries to find ways to leverage its resources to maximize its outreach. For example, NIST sponsors large workshops, provides all of its publications via the Computer Security Resource Center (CSRC) website, assists small businesses through its recently released YouTube video, offers an Executive Guide with quick flipcharts, and provides a roadmap document of its cybersecurity standards and publications. A one-page Executive Summary is under consideration. ITL is also involved with outreach to the states. NIST struggles with balancing its outreach efforts with its basic research.
- A VCAT member suggested that a private sector organization be used as a service to make the NIST-generated materials more visible and available to companies looking for help in securing their systems.
- A VCAT member was pleased that Ms. Furlani and others from NIST will be visiting University of California, Berkeley, as a way to help increase the information exchange between NIST and the university research community.
• Voting Standards: Ms. Furlani summarized NIST’s role in voting standards. NIST is charged under the Help America Vote Act (HAVA) of 2002 to work with the Election Assistance Commission (EAC) to develop guidelines for voting machines. NIST developed a draft revision to the 2005 federal Voluntary Voting System Guidelines and provided associated tests, both of which are being vetted by the EAC. NIST works with the Technical Guidelines Development Committee (TGDC), comprised of a variety of constituents, which assists EAC in developing the Voluntary Voting System Guidelines.
• Value of the VCAT: It would be very valuable for the NIST Director to pose specific questions and options for discussion by the VCAT. The Chair reminded the members that a priority for the VCAT is to address the issues that the NIST Director deems important as long as the Committee agrees that these are consistent with the future direction of NIST. The VCAT should also request information related to NIST’s organization, budget, programs, and policy since these are the areas cited in the Committee’s legislative mandate and charter. The members should bring their ideas to the Chair for consideration as future agenda items. A solid, critical, and constructive VCAT Annual Report can be very powerful.
• Key Questions for the VCAT: Dr. Jason Boehm, Acting Director of the NIST Program Office, stated that NIST is wrestling with its identity and role, and this is the area where the NIST Director would like the VCAT’s input. The key issue is how NIST balances and prioritizes its core fundamental work against its standards coordination role in areas of national priority. The VCAT should advise NIST on how the agency can better engage with industry to carry out its standards work more effectively.
• NIST Role in Documentary Standards: The group reviewed the three key questions regarding NIST’s role in documentary standards posed by the NIST Deputy Director.
- The group was reminded that by having NIST staff on temporary assignments in other agencies, NIST is fully engaged in the standards process at the interagency level.
- A member noted the importance of NIST’s convening power in organizing the coordination of standards development and inquired about the possibility of NIST convening connectathons. Ms. Furlani noted NIST’s involvement with Health and Human Services in the health IT connectathons and noted that NIST has posted reference implementations on its website for companies to test and validate. The group recognized that connectathons are very resource intensive.
- Dr. Collins remarked that testing and validation in areas other than IT are typically performed in the private sector. In these cases, NIST offers a laboratory accreditation program.
- The VCAT Chair suggested that the Annual Report emphatically state that NIST should play an active role in documentary standards and that the research programs are important for understanding the standards.
VCAT Annual Report Input
Dr. Vinton Cerf, VCAT Vice Chair, led this session as summarized below.
• Format and Process – The report should include recommendations, commendations, issues, and observations along with the boilerplate and background information. The members will set up Gmail accounts to assist in the report preparation and review. Part of the February 2010 meeting will be dedicated to refining the report.
• Documentary standards – This topic should be a significant portion of the Annual Report. This section could cover such topics as reinforcing the broad definition of NIST’s coordination role, the importance of reference implementations for building interoperable systems, and NIST’s ability to contribute to standards due to its technical capabilities and other attributes.
- The report should be supportive of the choices and resources spent on healthcare IT, Smart Grid, and Cybersecurity.
• Safety – The VCAT should endorse NIST’s safety plans.
• Three-Year Programmatic Plan – This plan should be distributed to the members in advance of the February 2010 meeting so that their comments can be included in the Annual Report as mandated.
• Commendations – Stephanie Shaw was acknowledged for her administrative coordination activities for the VCAT. Congratulatory letters from the VCAT should be sent to the recent NIST recipients of prestigious external awards. The report should endorse the proposed new management structure. The VCAT may also want to endorse the competition ideas used in cryptographic advances and note that the Personal Identity Verification card standard has had a substantial government-wide impact.
• Observations – Dr. Cerf summarized many of the observations raised during the course of the meetings which may or may not be included in the Annual Report. These cover such topics as NIST budget documents, the Three-Year Programmatic Plan, a branding strategy, laboratory tours, cybersecurity statements from the guest speakers, the NVD, the importance of quantum computer science and its funding, the value of reference models, safety, and a scorecard for the VCAT’s work.
• Recommendations – Topics may cover safety, in particular Operating Unit implementation; a focus on international standards; IP for voice and data communication compatibility among emergency responders; a branding and outreach strategy; Mr. Lipner’s cybersecurity recommendations; voting system guidelines; and support for other standards and guidelines activities.
• Issues – Candidate issues which may be raised include cybersecurity measures for the problem space and infection rates, NIST’s neutrality, preparation for natural disasters, activities in financial security, and health IT privacy concerns. The members agreed that the proposed renaming of ITL is an internal matter and should not be included in the Annual Report.
- Issue of digital rights management and technology – A VCAT member raised this new topic for discussion and indicated that some standards include patented material and some are copyrighted, making them a source of revenue for standards developing organizations (SDOs). According to Dr. Collins, these patents and copyrights directly affect NIST in terms of its coordination role. Since many large SDOs in the United States and other countries have business models that rely heavily on the sales of standards, NIST has to think carefully about downstream implications of changing these business practices. With regard to NIST being asked by the private sector to assist them in digital rights management, Ms. Dodson responded that a workshop was held on this topic 10 or 15 years ago and the participants discussed the use of proprietary solutions rather than a more open system. NIST has not been asked to be involved in this area. A VCAT member indicated that this area needs to be rethought since some companies that produce intellectual property under the current copyright rules do not want compensation.
Closing Remarks and Adjournment
Mr. Marc Stanley, on behalf of the NIST Deputy Director, thanked the members for their very candid discussion and observations, and for working toward recommendations on how NIST can improve its processes. Dr. Pat Gallagher, soon to be confirmed as the NIST Director, is looking forward to working with the Chair for the rest of his term and with the next Chair. Ms. Furlani added her appreciation for the members’ interest and noted that the discussions were very interactive and valuable.
In closing, Dr. Serum remarked that the members are happy to contribute to NIST due to their fundamental belief that the NIST mission is a worthwhile endeavor.
The meeting was adjourned at 11:22 a.m. on October 15, 2009.
I hereby certify that, to the best of my knowledge, the foregoing minutes are accurate and complete.
Gail Ehrlich, Executive Director, NIST Visiting Committee on Advanced Technology
Dr. James Serum, Chair, NIST Visiting Committee on Advanced Technology