Meeting NASAs DataAtRest Encryption Requirements NASA Encryption Requirements

Meeting NASA’s Data-At-Rest Encryption Requirements NASA Encryption Requirements Team Executive Briefing With Recommendations January 15, 2008 12/7/2020 January 15, 2008 Emerging Technology & Desktop Standards Group Page 1

Meeting NASA’s DAR Requirements Background – June 2006: OMB M-06 -16, “Protection of Sensitive Agency Information” • Requires Encryption For Sensitive Data (unless data is determined to be non-sensitive) • Mandate not uniformly addressed resulting in misunderstood requirements and questionable guidance – May 2007: JSC Issues RFI to Leading Encryption Vendors • Based on requirements gathered from across the Johnson Space Center – June 2007: Do. D/GSA Announce DAR Smart. Buy Vendors – July 2007: NASA OCIO Chartered the Encryption Requirements Team • Gather and establish NASA requirements for encryption solutions that meet OMB direction • Use requirements to select and establish an Agency solution for encrypting NASA devices and information and to purchase approved products from the Federal Smart. Buy vehicle. • Evaluate technology solutions and recommend an approach that meets NASA requirements • Establish a standard and fold it in to NASA-STD-2804/5 12/7/2020 January 15, 2008 Emerging Technology & Desktop Standards Group Page 2

Meeting NASA’s DAR Requirements Background – Approach • Use inter-agency team to – Collect NASA Requirements – Validate Do. D Requirements – Establish NASA DAR Encryption Requirements • Request Independent Analysis and Recommendation from LMIT – Identify DAR Requirements – Down Select Vendors for Evaluation – Conduct Testing and Deliver Recommendation • Leverage JSC Evaluation as Appropriate – Conduct Gap Analysis between JSC and NASA Requirements – Utilize Knowledge and Expertise developed at JSC in support of their evaluation • Develop Agency Recommendation – – – 12/7/2020 January 15, 2008 Merge Independent LMIT and JSC test results Evaluate Findings and Recommendations Select Vendor and Conduct Pilot Test Engage Selected Vendor in Implementation Strategy Negotiate Pricing and Draft Acquisition Strategy Emerging Technology & Desktop Standards Group Page 3

Meeting NASA’s DAR Requirements – Do. D Requirements • 104 Requirements identified as either Critical, Important, or Desirable • 34 Critical Requirements, including – – – FIPS 140 -2 Validated Full Disk Encryption (FDE) and Filesystem-Level Encryption (FSE) Minimal User Intervention PKI and Smartcard Compatibility FDE Pre-boot Authentication Central Management Console • High concentration of Critical Tech Support, Licensing, and Training requirements (18 50%) – JSC Requirements • Vendors Asked to Respond to 227 Unranked Requirements • 34 Requirements Internally Identified as either Required, Desired, or Optional • 22 Required, including – – – – – 12/7/2020 January 15, 2008 FIPS 140 -2 Validated 508 Compliant Ability to Encrypt Removable Devices Key Escrow Central Management Minimal User Intervention Not dependent upon network connectivity PIV II Smartcard Compatibility Full Disk Encryption Support for Single Sign-on Emerging Technology & Desktop Standards Group Page 4

Meeting NASA’s DAR Requirements – LMIT Requirements • 11 Requirements Necessary for Consideration – – – FIPS 140 -2 Validated Full Disk Encryption Minimal User Intervention Interoperability with NASA Active Directory Support for multiple users (Do. D “I”) Central Management Console Key Escrow (Do. D “I”) PIV II Smartcard Compatibility Ability to Remotely Wipe the Device Log Failed Login Attempts Maintain Data Integrity – NASA Requirements • NASA unique requirements used to adjust Do. D requirements • Gap analysis performed against JSC RFI and Internal Requirements Rankings • Resulting decision was to adopt JSC Requirements • LMIT Requirements mapped entirely into NASA Requirements 12/7/2020 January 15, 2008 Emerging Technology & Desktop Standards Group Page 5

Meeting NASA’s DAR Requirements Selection – Gartners Magic Quadrant Summary of Leading DAR Encryption Vendors: Vendors under consideration all listed in the upper right quadrant – JSC Selected 5 Vendors for evaluation based on RFI results • Only 4 vendors were able to participate in proof-of-concept testing – LMIT Selected 3 Vendors for evaluation based on DAR requirements mapping 12/7/2020 January 15, 2008 Emerging Technology & Desktop Standards Group Page 6

Meeting NASA’s DAR Requirements Selection – JSC Evaluation • Conducted in-house proof-of-concept • Evaluated 7 weighted criterion as either Low, Medium, or High – Business/Background – Experience – Financial – Professional Services – Solution Architecture – Ability to Meet Specific Requirements – Price – LMIT Evaluation • Conducted in-house functional testing to validate vendor claims • Evaluated 3 additional criterion critical to NASA interoperability – Availability of Mac OS X Client – Deployment Options Into Current NASA Active Directory Environment – Ease of Migration from Current AD Environment to NCAD AD Environment • Also Evaluated Infrastructure and Deployment Complexity – Number of required servers – Firewall requirements – Centralized Management and Reporting 12/7/2020 January 15, 2008 Emerging Technology & Desktop Standards Group Page 7

Meeting NASA’s DAR Requirements Selection – JSC Selection: Safeboot • • • – One of only two products committed to cross-platform support Support for PIV II Smartcards and Activ. Identity Middleware Flexible and Complete Licensing Gartner Magic Quadrant Lowest Price Impressive List of Government and Industry Customers LMIT Selection: Safeboot • • • Provides Full Disk Encryption Supports PIV II Smartcards Supports Treo and other Palm. OS devices Supports Windows Mobile devices Mac OS X Client Available FY 08 Integrates Cleanly and Efficiently with Active Directory • • • Single Management Console can support entire Agency Elegant and Flexible Technical Architecture Lowest Price (Significantly) – – No anticipated issues supporting NCAD migrations NASA Encryption Requirements Team Recommends Safeboot • • • 12/7/2020 January 15, 2008 Supported by Rigorous Independent Evaluations Best Technical Solution and Best Price Extraordinary Vendor (VAR and OEM) Support Emerging Technology & Desktop Standards Group Page 8

Meeting NASA’s DAR Requirements Safeboot Executive Overview Safe. Boot - A worldwide operating IT security company ● Quick Stats More than 3 million active licenses Over 3000 customers in 74 countries >98. 6% client retention >150 Fortune 500 customers Worldwide support with 24 x 7 x 365 Less than 2% employee attrition 20 consecutive quarters of growth Strong financials and debt free Dun & Bradstreet 3 A 1 rating Most certifications and accreditations i. e. only vendor worldwide with Common Criteria Level 4 of 2006 12/7/2020 January 15, 2008 Emerging Technology & Desktop Standards Group Page 9

Meeting NASA’s DAR Requirements Safeboot Executive Overview Safe. Boot – The leading enterprise class security company $ 35 m Revenues 2001 -2006 E $ 30 m $ 25 m $ 20 m $ 15 m $ 10 m 2001 2002 2003 2004 2005 2006 $ 12 m $ 10 m $8 m $6 m $4 m $2 m ● Safe. Boot Certifications 2006 Common Criteria Level 4 (EAL 4) FIPS 140 -1 and FIPS 140 -2 BITS certified CSIA certified NIST AES 256 DSA/DSS (#53 & #112) SHA-1 (#71 & #254) DES (#145) Operating Profit 2001 -2006 E ● Safe. Boot Distinctions 2001 2002 2003 2004 2005 2006 Revenue Distribution 4% 30% Asia. Pac 35% Europe 31% USA 12/7/2020 January 15, 2008 Recognized leader in Gartners Magic Quadrant Software 500 ranked #378 SC Magazine’s 2006 Readers Trust Award for “Best Authentication Solution” and “Best Identity Management Solution” SC Magazine’s Global Award 2004 for “Best Encryption Solution Member – Microsoft Secure IT Alliance Member – Secured Partner Program Member – Trusted Computing Group Emerging Technology & Desktop Standards Group Page 10

Meeting NASA’s DAR Requirements Safeboot Executive Overview Safe. Boot – The most secure data protection solution ● Safe. Boot is a suite of enterprise-class IT security products for the protection of data on mobile devices. Safe. Boot Data Encryption ● Device Encryption - Encrypts mobile devices using military strength certified algorithms ● Content Encryption - Encrypts selected files, file types, folders or work groups ● Port Control - Allows enterprises to monitor the use of and set policies for ports ● Secure USB Memory - Encryption of USB memory sticks using military certified algorithms ● Safe. Boot is built around a unique central management center to control corporate security policies ● ● 12/7/2020 January 15, 2008 Highly scalable enterprise class solution Policy driven remote “stealth” installation of all Safe. Boot products Remote security policy management with rich feature set Produces audit trail of all mobile devices in an enterprise environment to meet compliance requirements Emerging Technology & Desktop Standards Group Page 11

Meeting NASA’s DAR Requirements Safeboot Executive Overview Device Encryption – Protection of Entire Device ● The entire device is encrypted • FIPS 140 -2 certified • Common Criteria Level 4 certified • BITS certified • CSIA certified Safe. Boot Data Encryption ● Secure user authentication • 2 -factor • 48 different tokens incl. fingerprint are available • Mix and match tokens / smartcards / passwords • Integrated central administration console for all devices ● Audit capability • Full audit trail for device protection • Fulfills all audit and compliance requirements 12/7/2020 January 15, 2008 Emerging Technology & Desktop Standards Group Page 12

Meeting NASA’s DAR Requirements Safeboot Executive Overview Content Encryption – Selective File and Folder Protection ● Selective encryption of files and folders Safe. Boot • Encrypts classes of data (i. e. Word, Excel) • Encrypts file and folders • Encrypts groups of users (i. e. HR division) • Encrypts email attachments • Removable media encryption (i. e. CD-ROM’s) Data Encryption ● Central management of users • All users are centrally managed • Fully integrated with device encryption • Mix and match capability 12/7/2020 January 15, 2008 Emerging Technology & Desktop Standards Group Page 13

Meeting NASA’s DAR Requirements Safeboot Executive Overview Port Control – Management of “Ports” ● Controls “ports” of laptops and PC’s Parallel CD/DVD Serial Wi. Fi USB • Selective control of all ports • Activates and de-active • Selective use of devices (i. e. only encrypted USB memory) • Prohibits use of unauthorized devices (i. e. i. Pods, MP 3 players) • Security policies can be set (i. e CD’s can only be burned in encrypted mode) ● Central management of users PCMCIA IR Bluetooth • All users are centrally managed • Fully integrated with device and content encryption • Mix and match capability Firewire 12/7/2020 January 15, 2008 Emerging Technology & Desktop Standards Group Page 14

Meeting NASA’s DAR Requirements Safeboot Executive Overview 4 th Generation Security – State of the art software ● Key differentiators • Auditing and compliance reporting are unmatched • Integration of device and content encryption and port control • Integrates seamlessly with existing infrastructure (AD-connectors, Novel NDS, Microsoft and Entrust PKI and so on) • Non-intrusive to end-user and corporate network (extremely thin client <3 MB) • Most certifications and accredidations • User synchronization (i. e. passwords, de-activations) 12/7/2020 January 15, 2008 Emerging Technology & Desktop Standards Group Page 15

Meeting NASA’s DAR Requirements Safeboot Executive Overview Customers – The most prominent companies in the world ● Typical customer profile Fortune 5000 company 1000+ laptops or desktops Global footprint Mobile or distributed workforce Subject to data protection privacy laws All industry verticals ● Fortune 500 Customers Over 150 are Safe. Boot customers GE, KPMG, SAP, Fujitsu, BT, HSBC, ABN Amro, Sun Life, Northwestern Mutual, and many more have made Safe. Boot a mandatory security standard 12/7/2020 January 15, 2008 Emerging Technology & Desktop Standards Group Page 16

Meeting NASA’s DAR Requirements Acquisition Strategy – Safeboot Incentives for Agencywide Licensing Are Impressive • • • – – JSC Cost Estimate for Entire Center (12, 000 Licenses): $750, 000 LMIT Cost Estimate for ODIN Systems: $1, 000 Cost Estimate for all of NASA (74, 000 Licenses + 3 years maintenance): $1, 198, 00 Q. What’s Included? A. Pretty Much Everything • • • • Full Disk (Device) Encryption (DE) Content (File/Folder) Encryption (CE) Port Control (PC) Management Console All Connectors Necessary for Active Directory Integration and Mobile Device Support Help Desk Web Interface Three Years of Maintenance Single License covers up to 5 devices (per-user licensing) Home Use of all licenses 74, 000 licenses with 10% growth allowance (7, 400 licenses) Access to named Safeboot Engineer for remote support Lots of onsite design, engineering, and deployment support $11. 56 per license $2. 31 per license maintenance after first year NASA Contractors qualified to purchase at these same prices Cost If Purchased off the GSA Smart. Buy: $3, 000+ 12/7/2020 January 15, 2008 Emerging Technology & Desktop Standards Group Page 17

Meeting NASA’s DAR Requirements Acquisition Strategy – Most Appropriate Acquisition Strategy is an ODIN Infrastructure Upgrade Proposal • • ODIN Desktops will all be affected NASA’s Partnership with LMIT should be leveraged MFR 137 NASA will own the licenses, LMIT will manage their acquisition and distribution – Components of an IUP • • • 12/7/2020 January 15, 2008 Software Licensing Hardware and Infrastructure Engineering Software Deployment Project Management User Awareness and Training Emerging Technology & Desktop Standards Group Page 18

Meeting NASA’s DAR Requirements Acquisition Strategy ROM IUP Pricing Quantity Price Safeboot Licenses 74, 000 $856, 000 Year 2 Software Maintenance 74, 000 $171, 000 Year 3 Software Maintenance 74, 000 $171, 000 Dedicated (named) remote Safeboot Engineer 1 FTE Included Onsight engineering for installation, configuration, and training 9 Days Included LMIT Costs (Hardware and Infrastructure, Engineering, Software Deployment, Project Management, User Awareness and Training $500, 000 Total $1, 698, 000 LMIT Costs Are Estimated For Planning Purposes Only 12/7/2020 January 15, 2008 Emerging Technology & Desktop Standards Group Page 19

Meeting NASA’s DAR Requirements Implementation Strategy – Assumptions • Center Deployments Begin After Domain Consolidation – • • • Must Use Agency User IDs (AUID) Safeboot administration will be managed centrally ODIN seats will receive Safeboot client software via standard distribution channels Non-ODIN seat deployment will be handled by workgroup administrators NAD users will be provided access to client software and must install it themselves NASA will approve operating policies and establish process for their maintenance – Observations • • Numerous low-cost options exist for redundancy and high availability After initial client encryption, communication with Safeboot Server is not required for client functionality – – • 12/7/2020 January 15, 2008 Client will sync with the server when connectivity is restored Severs can become temporarily unavailable without affecting normal operations User data can be restored even in the absence of network connectivity Emerging Technology & Desktop Standards Group Page 20

Meeting NASA’s DAR Requirements Implementation Strategy Notional Architecture 12/7/2020 January 15, 2008 Emerging Technology & Desktop Standards Group Page 22

Meeting NASA’s DAR Requirements Use Cases – Laptop User • • – Desktop User • • – Device Encryption will be used to encrypt the entire device Content Encryption will be used to ensure removable media is also encrypted Desktop User needs to take work home and use his personal computer to continue editing his documents • • • – Device Encryption will be used to encrypt the entire device Content Encryption will be used to ensure removable media is also encrypted DE and CE on the work desktop enable the use of any thumb drive Contents of thumb drive are encrypted CE must be installed on the home computer to enable thumb drive decryption and/or securely store the documents Thumb drive remains encrypted at all times DE not recommended for home computers Laptop/Desktop User needs to store documents unencrypted on thumb drives (or CD’s) to distribute at a trade show • • 12/7/2020 January 15, 2008 CE would normally prevent this User must call the Help Desk and request this capability Encryption will be disabled on some or all of the removable media devices A control process will need to be implemented Emerging Technology & Desktop Standards Group Page 27

Meeting NASA’s DAR Requirements Encryption Requirement Team NASA Team Darryl Barnes, ARC Eduardo Bertot, KSC Donald Calkins, JPL Ron Colvin, GSFC Elton Comer, JSC David Epperson, NSSC Walter Franklin, MSFC Norbert Gillem, ARC Craig Grube, GSFC Christopher Jorgensen, GSFC Sheryl Locke, JSC David Meza, JSC Evaluation Team Lead Stephan Naus, GSFC Christine Reynolds, SSC James Rouse, LARC Will Spencer, DFRC Kanitra Tyler, GSFC Bryan Walls, GSFC Sherman Nicholas Wilson, MSFC Thomas Wolfe, JPL 12/7/2020 January 15, 2008 OCIO Guidance and Support Rob Binkley Diana Kniffin Marion Meissner Dana Mellerio ETADS Support Gary Gapinski, Lead Engineer Richard Haas Pete Wheeler LMIT Joe Sigmon, LMIT Lead Emerging Technology & Desktop Standards Group Page 28