In this era of rapidly emerging technologies, it is easy to be swept away by the endless tide of "new and improved" products. We all have one or two colleagues hopelessly saddled with not only a desktop PC, but laptop, cellular telephone, personal digital assistant and perhaps even occasionally, the prehistoric numeric pager. Despite the convenience, very few of these items are compatible with one another and even fewer were developed using common evaluation metrics. Such is the case in the world of information assurance (IA) with its non-universal definitions, constantly evolving cyber threats, and interoperability concerns.
The government has sought the assistance of commercial industry in developing security solutions as its dependency upon information technology has increased. The private sector has responded with a dizzying array of Commercial Off-The-Shelf (COTS) solutions, in response to threats that continue to increase in sophistication and severity. Some products are certified as compliant with various security standards and protocols. Each product comes with its own vendor claims of security robustness. Most products are tailored to counter a specific cyber threat; therefore, the greatest difficulty with all of these "certified" products is knowing which "certification" thresholds they actually meet.
The Department of Defense defines "national security system" as any telecommunications or information system operated by the U.S. Government, the function, the operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or, is critical to the direct fulfillment of military or intelligence missions (except for a system used for routine administrative and business applications).
Seeking to ensure that the U.S. Government acquires only robust IA security products for use on national security systems, the National Security Telecommunications and Information Systems Security Committee (NSTISSC) has introduced the National Information Assurance Acquisition Policy Number 11. Also referred to as NSTISSP Number 11, this policy prescribes an internationally recognized standards process for COTS and Government-Off-The-Shelf (GOTS) information assurance products.
A primary objective for the policy is to ensure that COTS and GOTS products perform as advertised or satisfy the security requirements of the intended user. A portion of the policy language reads as follows: Information Assurance shall be considered as a requirement for all systems used to enter, process, store, display, or transmit national security information. IA shall be achieved through the acquisition and appropriate implementation of evaluated or validated [GOTS] or [COTS] IA and IA-enabled Information Technology (IT) products. These products should provide for the availability of the systems; ensure the integrity and confidentiality of information, and the authentication and non-repudiation of parties in electronic transactions.
The NSTISSC, since then renamed the Committee on National Security Systems (CNSS), consists of twenty-one inter-governmental members charged with establishing policy for national security systems.
The committee recognizes that the past decade has seen a dramatic shift in the way that Information Technology (IT) systems must be protected. The risk to contemporary national security systems extends far beyond simple confidentiality of information, and is exacerbated by readily available COTS product alternatives to rigorously tested products developed by the National Security Agency (NSA). Thus, the aim of NSTISSP Number 11 is to ensure that the heads of government departments and agencies acquire products that perform as advertised and also validate the compatibility of such products. Ultimately, true system security is not dependent upon a single application, but rather upon the proper integration of all applications.
Hoping to make the shift toward a standardized evaluation process somewhat easier, NSTISSP Number 11 has been gradually implemented over the past two years. Initially there was only the encouragement that departments and agencies give preference to commercial products which have been evaluated and validated, as appropriate, in accordance with the: International Common Criteria for Information Security Technology Evaluation Mutual Recognition Arrangement; National Security Agency (NSA)/National Institute of Standards and Technology (NIST) National Information Assurance Partnership (NIAP) Evaluation and Validation Program; or NIST Federal Information Processing Standard (FIPS) validation program.
However, as of July 1, 2002, this latitude has expired and only those COTS IA and IA-enabled products evaluated and validated by either NIST or other accredited national security laboratories -- in accordance with the above internationally recognized standards -- may be purchased.
But what if there are not any evaluated/validated products available? In such cases, customers should first check the NIAP Web site for products that are currently in evaluation. If there are no suitable products in the pipeline for evaluation, then customers should require, as a condition of purchase, that the product vendor submit its product for evaluation under the NIAP program. Lastly, though it is not yet mandated, it is preferred that only evaluated products be used on non-national security systems as well.
The NSTISSP Number 11 requirements for COTS products apply to both IA and IA-enabled products. While it is fairly clear what would constitute an IA product (e.g., firewalls, intrusion detection systems, virus protection), what exactly is an IA-enabled product? An IA-enabled product is one that provides security services as a feature rather than as the primary functionality of the product. For example, most of today's e-mail and Web browser applications support digitally signed messaging and access to secure Web sites; these applications are considered IA-enabled products. But what about other applications that provide security services as secondary features, such as word processing and spreadsheet applications that allow you to encrypt or password-protect documents and spreadsheets?
While these products do provide limited security features, the discriminator as to whether these products should be formally evaluated and validated under NSTISSP Number 11 is this: if the product's security features are critical to implementing an organization's security policy, then the product should be evaluated and validated in accordance with NSTISSP Number 11.
As the war on terrorism shifts the U.S. paradigm of warfighting from conventional to unconventional, the requirements placed against already scarce budget dollars will continue to grow. In such a fiscal environment the need to make certain that the government purchases effective, reliable and integration-worthy IA products is paramount. NSTISSP Number 11 is one tool by which the information technology community can both enhance the overall IA, and ensure that we spend every available dollar appropriately – on the fight!
Lt. Cmdr. Larry Pemberton is assigned to the DON CIO Information Assurance Team. Jim Bates and Kerry Williams, from the DoD Information Assurance Technology Analysis Center (IATAC), are support contractors to the DON CIO Information Assurance Team.