9/21/2015 January 15, 2008 Emerging Technology & Desktop Standards Group Page 1 Meeting NASA ’ s Data-At-Rest Encryption Requirements NASA Encryption Requirements

04/19/23January 15, 2008 Emerging Technology & Desktop Standards Group Page 1

Meeting NASA’s Data-At-Rest Encryption Requirements

NASA Encryption Requirements TeamExecutive Briefing With Recommendations

January 15, 2008


Meeting NASA’s DAR RequirementsBackground

– June 2006: OMB M-06-16, “Protection of Sensitive Agency Information”• Requires Encryption For Sensitive Data (unless data is determined to be non-sensitive)• Mandate not uniformly addressed resulting in misunderstood requirements and questionable

guidance

– May 2007: JSC Issues RFI to Leading Encryption Vendors• Based on requirements gathered from across the Johnson Space Center

– June 2007: DoD/GSA Announce DAR SmartBuy Vendors

– July 2007: NASA OCIO Chartered the Encryption Requirements Team• Gather and establish NASA requirements for encryption solutions that meet OMB direction• Use requirements to select and establish an Agency solution for encrypting NASA devices

and information and to purchase approved products from the Federal SmartBuy vehicle.• Evaluate technology solutions and recommend an approach that meets NASA requirements• Establish a standard and fold it in to NASA-STD-2804/5


Meeting NASA’s DAR RequirementsBackground

– Approach

• Use inter-agency team to – Collect NASA Requirements– Validate DoD Requirements– Establish NASA DAR Encryption Requirements

• Request Independent Analysis and Recommendation from LMIT– Identify DAR Requirements– Down Select Vendors for Evaluation– Conduct Testing and Deliver Recommendation

• Leverage JSC Evaluation as Appropriate– Conduct Gap Analysis between JSC and NASA Requirements– Utilize Knowledge and Expertise developed at JSC in support of their evaluation

• Develop Agency Recommendation– Merge Independent LMIT and JSC test results– Evaluate Findings and Recommendations– Select Vendor and Conduct Pilot Test– Engage Selected Vendor in Implementation Strategy– Negotiate Pricing and Draft Acquisition Strategy


Meeting NASA’s DAR RequirementsRequirements

– DoD Requirements• 104 Requirements identified as either Critical, Important, or Desirable• 34 Critical Requirements, including

– FIPS 140-2 Validated– Full Disk Encryption (FDE) and Filesystem-Level Encryption (FSE)– Minimal User Intervention– PKI and Smartcard Compatibility– FDE Pre-boot Authentication– Central Management Console

• High concentration of Critical Tech Support, Licensing, and Training requirements (18 - 50%)

– JSC Requirements• Vendors Asked to Respond to 227 Unranked Requirements• 34 Requirements Internally Identified as either Required, Desired, or Optional• 22 Required, including

– FIPS 140-2 Validated– 508 Compliant– Ability to Encrypt Removable Devices– Key Escrow– Central Management– Minimal User Intervention– Not dependent upon network connectivity– PIV II Smartcard Compatibility– Full Disk Encryption– Support for Single Sign-on


Meeting NASA’s DAR RequirementsRequirements

– LMIT Requirements• 11 Requirements Necessary for Consideration

– FIPS 140-2 Validated– Full Disk Encryption– Minimal User Intervention– Interoperability with NASA Active Directory– Support for multiple users (DoD “I”)– Central Management Console– Key Escrow (DoD “I”)– PIV II Smartcard Compatibility– Ability to Remotely Wipe the Device– Log Failed Login Attempts– Maintain Data Integrity

– NASA Requirements• NASA unique requirements used to adjust DoD requirements• Gap analysis performed against JSC RFI and Internal Requirements

Rankings• Resulting decision was to adopt JSC Requirements• LMIT Requirements mapped entirely into NASA Requirements


Meeting NASA’s DAR RequirementsSelection

– Gartners Magic Quadrant Summary of Leading DAR Encryption Vendors:

Vendors under consideration all listed in the upper right quadrant

– JSC Selected 5 Vendors for evaluation based on RFI results

• Only 4 vendors were able to participate in proof-of-concept testing

– LMIT Selected 3 Vendors for evaluation based on DAR requirements mapping



– JSC Evaluation• Conducted in-house proof-of-concept

• Evaluated 7 weighted criterion as either Low, Medium, or High– Business/Background– Experience– Financial– Professional Services– Solution Architecture– Ability to Meet Specific Requirements– Price

– LMIT Evaluation• Conducted in-house functional testing to validate vendor claims

• Evaluated 3 additional criterion critical to NASA interoperability– Availability of Mac OS X Client– Deployment Options Into Current NASA Active Directory Environment– Ease of Migration from Current AD Environment to NCAD AD Environment

• Also Evaluated Infrastructure and Deployment Complexity– Number of required servers– Firewall requirements– Centralized Management and Reporting



– JSC Selection: Safeboot• One of only two products committed to cross-platform support• Support for PIV II Smartcards and ActivIdentity Middleware• Flexible and Complete Licensing• Gartner Magic Quadrant• Lowest Price• Impressive List of Government and Industry Customers

– LMIT Selection: Safeboot• Provides Full Disk Encryption• Supports PIV II Smartcards• Supports Treo and other PalmOS devices• Supports Windows Mobile devices• Mac OS X Client Available FY08• Integrates Cleanly and Efficiently with Active Directory

– No anticipated issues supporting NCAD migrations• Single Management Console can support entire Agency• Elegant and Flexible Technical Architecture• Lowest Price (Significantly)

– NASA Encryption Requirements Team Recommends Safeboot• Supported by Rigorous Independent Evaluations• Best Technical Solution and Best Price• Extraordinary Vendor (VAR and OEM) Support


SafeBoot - A worldwide operating IT security company

● Quick Stats

More than 3 million active licenses

Over 3000 customers in 74 countries

>98.6% client retention

>150 Fortune 500 customers

Worldwide support with 24 x 7 x 365

Less than 2% employee attrition

20 consecutive quarters of growth

Strong financials and debt free

Dun & Bradstreet 3A1 rating

Most certifications and accreditations i.e. only vendor worldwide with Common Criteria Level 4 of 2006

Meeting NASA’s DAR RequirementsSafeboot Executive Overview


SafeBoot – The leading enterprise class security company

35% Europe

Revenue Distribution

31% USA

30% AsiaPac4%

Revenues 2001-2006E

2001 2002 2003 2004 2005 2006

$ 35 m

$ 10 m

$ 15 m

$ 20 m

$ 25 m

$ 30 m

Operating Profit 2001-2006E

2001 2002 2003 2004 2005 2006

$ 2 m

$ 4 m$ 6 m$ 8 m

$ 10 m$ 12 m

● SafeBoot Certifications 2006 Common Criteria Level 4 (EAL4) FIPS 140-1 and FIPS 140-2 BITS certified CSIA certified NIST AES 256 DSA/DSS (#53 & #112) SHA-1 (#71 & #254) DES (#145)

● SafeBoot Distinctions Recognized leader in Gartners Magic Quadrant Software 500 ranked #378 SC Magazine’s 2006 Readers Trust Award for “Best Authentication Solution” and “Best Identity Management Solution” SC Magazine’s Global Award 2004 for “Best Encryption Solution Member – Microsoft Secure IT Alliance Member – Secured Partner Program Member – Trusted Computing Group



SafeBoot – The most secure data protection solution

● Device Encryption - Encrypts mobile devices using military strength certified algorithms

● Content Encryption - Encrypts selected files, file types, folders or work groups

● Port Control - Allows enterprises to monitor the use of and set policies for ports

● Secure USB Memory - Encryption of USB memory sticks using military certified algorithms

● SafeBoot is a suite of enterprise-class IT security products for the protection of data on mobile devices.

● SafeBoot is built around a unique central management center to control corporate security policies

● Highly scalable enterprise class solution● Policy driven remote “stealth” installation of all SafeBoot products● Remote security policy management with rich feature set● Produces audit trail of all mobile devices in an enterprise environment to meet compliance requirements

SafeBootData

Encryption



Device Encryption – Protection of Entire Device

● The entire device is encrypted

• FIPS 140-2 certified• Common Criteria Level 4 certified• BITS certified• CSIA certified

SafeBootData

Encryption● Secure user authentication

• 2-factor • 48 different tokens incl. fingerprint are available• Mix and match tokens / smartcards / passwords• Integrated central administration console for all devices

● Audit capability

• Full audit trail for device protection• Fulfills all audit and compliance requirements



Content Encryption – Selective File and Folder Protection

● Selective encryption of files and folders

• Encrypts classes of data (i.e. Word, Excel)• Encrypts file and folders• Encrypts groups of users (i.e. HR division)• Encrypts email attachments• Removable media encryption (i.e. CD-ROM’s)SafeBoot

Data Encryption

● Central management of users

• All users are centrally managed• Fully integrated with device encryption• Mix and match capability



Port Control – Management of “Ports”

● Controls “ports” of laptops and PC’s

• Selective control of all ports• Activates and de-active• Selective use of devices (i.e. only encrypted USB memory)• Prohibits use of unauthorized devices (i.e.iPods, MP3 players)• Security policies can be set (i.e CD’s can only be burned in encrypted mode)

● Central management of users

• All users are centrally managed• Fully integrated with device and content encryption• Mix and match capability

PCMCIA

CD/DVD WiFi

Parallel Serial

BluetoothIR

Firewire

USB



4th Generation Security – State of the art software

● Key differentiators

• Auditing and compliance reporting are unmatched

• Integration of device and content encryption and port control

• Integrates seamlessly with existing infrastructure (AD-connectors, Novel NDS, Microsoft and Entrust PKI and so on)

• Non-intrusive to end-user and corporate network (extremely thin client <3MB)

• Most certifications and accredidations

• User synchronization (i.e. passwords, de-activations)



Customers – The most prominent companies in the world

● Typical customer profile

Fortune 5000 company

1000+ laptops or desktops

Global footprint

Mobile or distributed workforce

Subject to data protection privacy laws

All industry verticals

● Fortune 500 Customers

Over 150 are SafeBoot customers

GE, KPMG, SAP, Fujitsu, BT, HSBC, ABN Amro, Sun Life, Northwestern Mutual, and many more have made SafeBoot a mandatory security standard



Meeting NASA’s DAR RequirementsAcquisition Strategy

– Safeboot Incentives for Agencywide Licensing Are Impressive• JSC Cost Estimate for Entire Center (12,000 Licenses): $750,000 • LMIT Cost Estimate for ODIN Systems: $1,00,000• Cost Estimate for all of NASA (74,000 Licenses + 3 years maintenance): $1,198,00

– Q. What’s Included? – A. Pretty Much Everything

• Full Disk (Device) Encryption (DE)• Content (File/Folder) Encryption (CE)• Port Control (PC)• Management Console• All Connectors Necessary for Active Directory Integration and Mobile Device Support• Help Desk Web Interface• Three Years of Maintenance• Single License covers up to 5 devices (per-user licensing)• Home Use of all licenses• 74,000 licenses with 10% growth allowance (7,400 licenses)• Access to named Safeboot Engineer for remote support• Lots of onsite design, engineering, and deployment support• $11.56 per license • $2.31 per license maintenance after first year• NASA Contractors qualified to purchase at these same prices

Cost If Purchased off the GSA SmartBuy: $3,000,000+



– Most Appropriate Acquisition Strategy is an ODIN Infrastructure Upgrade Proposal

• ODIN Desktops will all be affected• NASA’s Partnership with LMIT should be leveraged• MFR 137• NASA will own the licenses, LMIT will manage their acquisition and

distribution

– Components of an IUP• Software Licensing• Hardware and Infrastructure• Engineering• Software Deployment• Project Management• User Awareness and Training



ROM IUP Pricing

Quantity Price

Safeboot Licenses 74,000 $856,000

Year 2 Software Maintenance 74,000 $171,000

Year 3 Software Maintenance 74,000 $171,000

Dedicated (named) remote Safeboot Engineer 1 FTE Included

Onsight engineering for installation, configuration, and training 9 Days Included

LMIT Costs (Hardware and Infrastructure, Engineering, Software Deployment, Project Management, User Awareness and Training

$500,000

Total $1,698,000

LMIT Costs Are Estimated

For Planning Purposes Only


Meeting NASA’s DAR RequirementsImplementation Strategy

– Assumptions• Center Deployments Begin After Domain Consolidation

– Must Use Agency User IDs (AUID)• Safeboot administration will be managed centrally• ODIN seats will receive Safeboot client software via standard distribution channels• Non-ODIN seat deployment will be handled by workgroup administrators• NAD users will be provided access to client software and must install it themselves• NASA will approve operating policies and establish process for their maintenance

– Observations• Numerous low-cost options exist for redundancy and high availability• After initial client encryption, communication with Safeboot Server is not required for

client functionality– Client will sync with the server when connectivity is restored– Severs can become temporarily unavailable without affecting normal operations

• User data can be restored even in the absence of network connectivity


Meeting NASA’s DAR RequirementsImplementation Strategy

Notional Architecture


Meeting NASA’s DAR RequirementsUse Cases

– Laptop User• Device Encryption will be used to encrypt the entire device• Content Encryption will be used to ensure removable media is also encrypted

– Desktop User• Device Encryption will be used to encrypt the entire device• Content Encryption will be used to ensure removable media is also encrypted

– Desktop User needs to take work home and use his personal computer to continue editing his documents• DE and CE on the work desktop enable the use of any thumb drive• Contents of thumb drive are encrypted• CE must be installed on the home computer to enable thumb drive decryption and/or securely

store the documents• Thumb drive remains encrypted at all times• DE not recommended for home computers

– Laptop/Desktop User needs to store documents unencrypted on thumb drives (or CD’s) to distribute at a trade show• CE would normally prevent this• User must call the Help Desk and request this capability• Encryption will be disabled on some or all of the removable media devices• A control process will need to be implemented


Meeting NASA’s DAR RequirementsEncryption Requirement Team

NASA TeamDarryl Barnes, ARCEduardo Bertot, KSCDonald Calkins, JPLRon Colvin, GSFC Elton Comer, JSCDavid Epperson, NSSCWalter Franklin, MSFCNorbert Gillem, ARCCraig Grube, GSFCChristopher Jorgensen, GSFCSheryl Locke, JSC David Meza, JSC Evaluation Team LeadStephan Naus, GSFC Christine Reynolds, SSCJames Rouse, LARCWill Spencer, DFRCKanitra Tyler, GSFCBryan Walls, GSFCSherman Nicholas Wilson, MSFCThomas Wolfe, JPL

OCIO Guidance and SupportRob BinkleyDiana KniffinMarion MeissnerDana Mellerio

ETADS SupportGary Gapinski, Lead Engineer Richard HaasPete Wheeler

LMITJoe Sigmon, LMIT Lead

Documents

9/21/2015 January 15, 2008 Emerging Technology & Desktop Standards Group Page 1 Meeting NASA ’ s Data-At-Rest Encryption Requirements NASA Encryption Requirements