Official Launch: Feb. 21, 2012
The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) established the National Cybersecurity Center of Excellence (NCCoE), a public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies. The State of Maryland, Montgomery County, Md., and NIST co-sponsor the NCCoE.
First Project: Feb. 2013
The center’s first project focused on the healthcare sector, aimed at developing a solution that allowed healthcare providers to securely document, maintain, and exchange clinical information using electronic methods. Additionally, the center also began working on “building block” projects, focused on addressing multi-industry technology security gaps.
Industry Partners Join NCCoE: Apr. 15, 2013
Eleven major companies pledged to contribute hardware and software components and share best practices and personnel with the center:
- Cisco Systems Inc.
- HyTrust Inc.
- Intel Corp.
- McAfee Inc.
- Microsoft Federal Civilian Services
- Splunk Inc.
- Symantec Corp.
- Vanguard Integrity Professionals
- Venafi Inc.
The center has spurred collaboration with and among large and small companies from multiple sectors—including healthcare, energy, financial services, retail, restaurants, and hospitality.
NIST Awards Contract to MITRE for FFRDC: Sept. 24, 2014
To support the NCCoE mission, NIST awarded a contract to operate its first Federally Funded Research and Development Center (FFRDC) to The MITRE Corporation, a not-for-profit organization that operates six other FFRDCs. This FFRDC is the first national center dedicated to enhancing the security of the nation's information systems. The FFRDC functions as the national laboratory for cybersecurity, providing research, development, technology, and engineering expertise in support of NIST and the rest of the federal government. The FFRDC also provides access to expertise across the University of Maryland system and nine other university affiliates around the country.
First Practice Guide Released: July 2015
The center published its first practice guide, Securing Electronic Records on Mobile Devices, to provide IT implementers and security engineers with a detailed architecture so that they can copy, or recreate with different but similar technologies, the security characteristics of the guide. It also maps to standards and best practices from NIST and others, and to Health Insurance Portability and Accountability Act (HIPAA) rules. The guide takes into account the need for different types of implementation for different circumstances such as when cybersecurity is handled in-house or is outsourced.
Identity and Access Management for Electric Utilities Practice Guide Released: Aug. 2015
The center published Identity and Access Management for Electric Utilities to more securely and efficiently manage access to the networked devices and facilities upon which power generation, transmission, and distribution depend. The solution demonstrates a centralized IdAM platform that can provide a comprehensive view of all users within the enterprise across all silos, and the access rights users have been granted, using multiple commercially available products. Electric utilities can use some or all of the guide to implement a centralized IdAM system using NIST and industry standards, including North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP).
Attribute Based Access Control Guide Released: Sept. 2015
The center published Attribute Based Access Control (ABAC) to demonstrate a standards-based ABAC platform in which access rights to an organization’s network or assets are granted based on a user’s attributes, such as certifications, IP address, group, department, or employee status. ABAC enables the appropriate permissions and limitations for the same information system for each user based on individual attributes and allows for the management of those permissions to multiple systems from a single platform, reducing administrative burden.
IT Asset Management Guide Released: Oct. 2015
The center published IT Asset Management to provide financial services organizations the ability to track, manage, and report on information assets throughout their entire life cycle. This can ultimately increase cybersecurity resilience by enhancing the visibility of assets, identifying vulnerable assets, enabling faster response to security alerts, revealing which applications are actually being used and reducing help desk response times.
Mobile Device Security: Cloud & Hybrid Builds Guide Released: Nov. 2015
The center published Mobile Device Security: Cloud & Hybrid Builds to demonstrate how commercially available technologies can meet organizations’ needs to secure sensitive enterprise data accessed by and/or stored on employees’ mobile devices. The guide includes example solutions on how to configure a device to be trusted by the organization; maintain adequate separation between the organization’s data and the employee’s personal data stored on or accessed from the mobile device; and handle the de-provisioning of a mobile device that should no longer have enterprise access.
Center Moves to Permanent Facility: Dec. 2015
After being temporarily housed on the Shady Grove campus of the University of Maryland, NIST worked with the State of Maryland and Montgomery County, Md., to identify and procure a permanent facility for the center. The NCCoE now has almost 5,600 square meters (60,000 square feet) of modern physical space and the information technology systems needed to host its staff and partners who work jointly on a variety of projects in its collaborative environment. This includes the space to house experts from the National Cybersecurity FFRDC, operated by The MITRE Corporation with active participation by the University of Maryland System.
The new facility expands the center’s workspace from four to 22 separate, flexible laboratories. That includes two larger areas capable of safely hosting large equipment—including a vehicle that will be used in an upcoming project on auto-related cybersecurity issues. This additional space now allows NCCoE to increase its collaborations and to undertake new projects.
The NCCoE is currently working on use cases in eight different industry sectors and 10 building blocks that can be applied across sectors with 38 core partners from Fortune 50 market leaders to smaller companies specializing in IT security. Federal agencies also have engaged the help of NCCoE, including the Department of Homeland Security, General Services Agency, U.S. Coast Guard, and others.