Blockchain Technology is rapidly gaining traction in the government spaces. Several federal agencies such as GSA, CDC, and FDA have started exploring the technology and even have pilot programs. However, for a Blockchain system to be used in a production environment and handle real data and customers it must meet stringent federal security requirements. A system must go through a complete Security Authorization (SA) before it is granted an Authorization to Operate (ATO) and blockchain systems are no exception.
The security authorization process applies the Risk Management Framework (RMF) from NIST Special Publication (SP) 800-37. This includes conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring.
Blockchain systems provide unique challenges to the security authorization process due to their distributed, peer to peer (P2P), and often permissionless design. However, at the end of the day this technology is capable of fitting within RMF Framework and successfully being granted an ATO.
At the moment, there is not much guidance or procedures on how to apply security principles to Blockchain systems. Our working group will work on the following topics based directly on the NIST 800 37 Risk Management Framework (RMF) and will dive deep into each.
• How to categorize a blockchain system and the information processed, stored, and transmitted based on an impact analysis
• Develop an initial set of baseline security controls for a blockchain system based on the security categorization and tailoring and supplementing the security control baseline as needed
• How to implement the security controls and describe how the controls are employed within the blockchain system and its environment of operation
• Developing assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system
• Define procedures to authorize a blockchain system operation based on a determination of the risk to the organization
• Tools and Techniques and Procedures to monitor the security controls in the information system on an ongoing basis
If you are interested in working on creating this security authorization process for blockchain systems, please contact Ajay Chandhok or join our Cybersecurity Working Group. It is listed on the GBA Working Group site at: https://gbaglobal.org/working-groups