
Strategic Study of CAE, 2016, Volume 18, Issue 6. doi: 10.15302/J-SSCAE-2016.06.008

Research on a Cybersecurity Review System with Suggestions

1. Chinese Academy of Cyberspace Studies, Beijing 100010, China;

2. China Information Technology Security Evaluation Center, Beijing 100085, China;

3. Institute of Computer Technology, Chinese Academy of Sciences, Beijing 100190, China;

4. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China

Funding project: Major Consulting Project of the Chinese Academy of Engineering, "Strategic Research on Cyberspace Security" (2015-ZD-10). Received: 2016-10-12. Revised: 2016-10-17. Available online: 2016-12-13.


Abstract

Cybersecurity is an integral part of national security. Rules and regulations for security testing and evaluation are issued as policies either for national security review or for cyberspace governance. This paper surveys current international cybersecurity review systems and analyzes how governments practice them in four areas: security evaluation of information technology products and services, security evaluation and management of critical information infrastructure, information and communication technology (ICT) supply chain security, and security background investigation. On this basis, it discusses how to establish a cybersecurity review system in terms of law and regulation, organizational framework, operating mode, review approach, and supporting technology.
