1990 Annual Report of the National Computer System Security and Privacy Advisory Board

March 1991

TABLE OF CONTENTS

Executive Summary
I. Introduction
   Board's Establishment and Mission
   Board's Charter
   Membership
II. Major Issues Discussed
   NIST's Computer Security Budget
   Data Categorization
   E-Mail Security and Privacy
   Computer Security Evaluation Criteria
   Computer Security Guidelines (Handbook)
III. Advisory Board Correspondence
   NIST's Computer Security Budget
   Development of Computer Security Guidelines
   Information Technology Security Evaluation Criteria
   Exhibits
IV. Future Advisory Board Activities
V. Conclusions
Appendices

Executive Summary

This Annual Report documents the activities of the National Computer System Security and Privacy Advisory Board during 1990, its second year. The Board, which met three times during the year, was established by Congress through the Computer Security Act of 1987 to identify emerging computer security issues. Dr. Willis Ware of RAND has served as Chairman of the Board since March of 1989. The Board formally identified three areas of emerging concern and has issued letters containing the Board's positions and recommendations to appropriate executive and congressional officials.
These were:

- NIST's Computer Security Program Budget;
- the Information Technology Security Evaluation Criteria; and
- the Need for Computer Security Guidelines.

The Board also established a work plan for 1991 which identified candidate topics for in-depth examination, including:

- Computer Security Guidelines - NIST Plans and Activities;
- Privacy - EC Green Paper;
- Implementation of the Computer Security Act of 1987;
- Software Engineering and Reliability;
- Security and the Public Switched Network;
- Use of Security Products and Features;
- Rewrite of NSDD-145 and the NIST/NSA Memorandum of Understanding;
- Computer Emergency Response Team (CERT);
- Digital Signature; and
- International Hacking.

With such a list of important topics to examine, plus the ever-growing number of relevant new issues and public policy questions, it is clear that much work lies ahead for the Board in 1991 and beyond.

I. Introduction

Board's Establishment and Mission

The passage of the Computer Security Act of 1987 (P.L. 100-235, signed into law on January 8, 1988 by President Reagan) established the Computer System Security and Privacy Advisory Board. The Board was created by Congress as a federal public advisory committee in order to: identify emerging managerial, technical, administrative, and physical safeguard issues relative to computer systems security and privacy. Appendix A includes the text of the Computer Security Act of 1987, which includes specific provisions regarding the Board. The Act stipulates that the Board:

- advises the National Institute of Standards and Technology and the Secretary of Commerce on security and privacy issues pertaining to federal computer systems; and
- reports its findings to the Secretary of Commerce, the Director of the Office of Management and Budget (OMB), the Director of the National Security Agency (NSA), and appropriate committees of Congress.

Board's Charter

The Board was first chartered on May 31, 1988 and was rechartered on May 30, 1990 by U.S.
Department of Commerce Assistant Secretary for Administration Thomas Collamore. (See Appendix B for the text of the current charter.) It should be noted that because of the time necessary for the rechartering, the Board meeting scheduled for June could not be officially noticed in the Federal Register. Since a committee must have a current charter in order to notice a meeting, and since at least 15 days' notice is required, the decision was made on May 8, 1990 to cancel the June meeting.

Consistent with the Computer Security Act of 1987, the Board's scope of authority extends only to those issues affecting the security and privacy of unclassified information in federal computer systems or those operated by contractors or state or local governments on behalf of the federal government. The Board's authority does not extend to private sector systems (except those operated to process information for the federal government), systems which process classified information, or Department of Defense unclassified systems related to military or intelligence missions as covered by the Warner Amendment (10 U.S.C. 2315).

Membership

The Board is composed of twelve computer security experts in addition to the Chairperson. The twelve members are, by statute, drawn from three separate communities:

- four experts from outside the federal government, one of whom is a representative of a small- or medium-size firm;
- four non-government employees who are not employed by or a representative of a producer of computer or telecommunications equipment; and
- four members from the federal government, including one from the National Security Agency of the Department of Defense.

Currently, Dr. Willis H. Ware, a senior researcher of the Corporate Research Staff of RAND, serves as Chairman of the Board. He was appointed in July 1989 following consultation with Congress, which determined that it was inappropriate for a NIST official to chair the Board.
As of December 1989, the full membership of the Board was as follows:

- Chairman
  Willis H. Ware, RAND
- Federal Members
  Bill D. Colvin, National Aeronautics and Space Administration
  Roger M. Cooper, Department of Agriculture
  Patrick Gallagher, National Security Agency (nominated)
  Rhoda R. Mancher, Department of Veterans Affairs
- Non-federal, Non-Vendor
  Robert H. Courtney, RCI Inc.
  John A. Kuyers, Ernst and Young (renominated)
  Eddie L. Zeitler, Fidelity Security Services, Inc.
  (vacancy)
- Non-federal
  Steven B. Lipner, Digital Equipment Corp.
  Lawrence L. Wills, International Business Machines Corp.
  Jack L. Hancock, Pacific Bell
  (vacancy)

NIST's Associate Director for Computer Security, Mr. Lynn McNulty, serves as the Board's Secretary and is the Designated Federal Official (DFO) under the Federal Advisory Committee Act. The DFO is responsible for ensuring that the Board operates in accordance with applicable statutes and agency regulations. Additionally, the DFO must approve each meeting and its agenda. Through the Secretariat, NIST provides financial and logistical support to the Board as stipulated by the Computer Security Act of 1987.

During 1990, the terms of Mr. Walter Straub (Rainbow Technologies, Inc.) and Mr. Robert Morris (National Security Agency) expired. Additionally, Mr. Jack Simpson (Mead Data Central, Inc.) resigned on March 9, 1990. NSA chose Mr. Patrick Gallagher, Director of the National Computer Security Center, as its designated representative member on the Board. As of December 1990, NIST's nominations to fill existing Board vacancies were still being processed.

II. Major Issues Discussed

The following section summarizes the discussions held by the Board in 1990. Additionally, the Board conducts a substantial amount of informal, non-decisional background discussion and meeting preparation by e-mail between meetings.
The Board's activities also complement the other activities of the Board's members, several of whom are quite active in many aspects of these topics. Note that the minutes and agenda from the March, September, and December meetings are included as Appendices C to E, respectively. The required Federal Register notices for the meetings are presented in Appendix F.

The substantive work of the Board during 1990 was devoted to various topics related to the security of federal unclassified automated information systems. Among the most important were:

- NIST's Computer Security Program Budget;
- Data Categorization;
- E-Mail Privacy and Security;
- Computer Security Evaluation Criteria; and
- Computer Security Guidelines.

NIST's Computer Security Budget

In 1989, the President had requested a substantial increase for NIST's computer security program. In late September 1989, the proposed increase for NIST's computer security program was cut by conference committee action. This led to discussions among Board members as to the inadequacy of the current budget, $2.5 million at the time. The Board decided at its December 1989 meeting to send a letter to Congress stressing the need for a higher funding level. The letters could not be formally approved until March 1990, since they had to be adopted by the Board in open session. The President's budget for FY-91 requested an increase for the computer security program, which ultimately resulted in an increase of $1 million for the program.

Data Categorization

Since June of 1989, the Board has discussed the issue of data categorization of unclassified information. This topic continued to be one of interest in 1990, although members of the Board hold widely divergent opinions as to the desirability and feasibility of developing a standard government-wide categorization scheme. During the year, several Board members argued against the desirability of defining or categorizing sensitive information.
The essence of their position was that all information held by government agencies has some degree of sensitivity, as defined in terms of its unauthorized disclosure, loss of integrity, or inadvertent or intentional destruction. It was stated that in most instances the development of sensitivity policies has focused entirely upon the confidentiality aspects of the problem to the exclusion of integrity and availability requirements. Any Board recommendation would serve to continue this pattern of confusing the fundamental security issues affecting the protection of unclassified information. The underlying concern was to develop a policy that would supplement the requirement expressed in the Computer Security Act of 1987 to protect "sensitive" information.

In December 1990, during an extensive session on the topic, representatives from five government agencies were invited to share their positions on the topic with the Board. As with the Board itself, their positions varied; while most believed that such a scheme would be useful, they disagreed as to the feasibility of actually developing a scheme that would be useful across all agencies. A representative from the Canadian government also shared that government's experience with a statute-based categorization scheme which is working very well. Recognizing the importance of this issue and its far-reaching implications, the Board continues to examine it. As of December, the Board had asked two of its members to look further into the issue and report back in March 1991.

E-Mail Security and Privacy

At the suggestion of Mr. Cooper at the September meeting, the Board devoted a session at the December meeting to e-mail privacy and security issues. The Board heard from representatives of the E-Mail Industry Association, the American Bar Association, and a public interest group, the Computer Professionals for Social Responsibility. Action by the Board on this matter was anticipated for 1991.
Computer Security Evaluation Criteria

Two distinct items are included in this category: 1) the European-developed draft Information Technology Security Evaluation Criteria (ITSEC) and the NIST response to that document, and 2) the NIST and NSA effort to develop appropriate standards and guidelines for U.S. Government use.

At the September meeting, the Board examined the ITSEC and heard one vendor's reactions to it. The Board was also presented with NIST's official position on the document as relayed to the Europeans in a letter in August. In December, NIST provided the Board with an update on the ITSEC's progress and on the European Community-sponsored conference on it held in Brussels in September. The Board was also informed of efforts by NIST and NSA to arrive at a common response to the ITSEC. The Board, agreeing on the significance of the ITSEC effort and its possible implications for U.S. international trade, voted to send a letter to the Secretary of Commerce outlining its position on the U.S. government's role. (See the next chapter for the text of the letter and the response.)

Intertwined with the ITSEC topic was a discussion of what NIST should be doing, if anything, to develop appropriate standards and guidelines for the federal government's use. Positions ranging from the need to modify the Orange Book to the non-usefulness of such a document were vigorously debated. In December, NIST and NSA announced their joint effort to develop a single federal criteria document, which would not begin with the Orange Book as an initial approach. NIST stressed that there was much that could be learned from users of trusted systems and that it would be holding a conference to gather the "lessons learned."

Computer Security Guidelines (Handbook)

In mid-1990, Mr. Courtney suggested to Board members that they endorse a recommendation to NIST to develop a set of computer security guidelines to aid federal agencies in the selection of cost-effective security measures.
He also prepared a draft outline for NIST's use. After discussion of the outline at the September meeting, and minor modifications, the Board recommended to the Director of NIST that he give the development of such a document high priority. The Director responded that NIST would be examining ways to meet the need addressed by the Board.

III. Advisory Board Correspondence

During FY-89, the Board issued letters reporting the Board's findings on three important issues:

- the level of funding of NIST's computer security program budget;
- the draft European Information Technology Security Evaluation Criteria; and
- the development of computer security guidelines.

Also, the Chairman conducted correspondence with the Department of Commerce's General Counsel regarding the legal constraints on the Board. Finally, the Secretary of Commerce forwarded the Board's 1989 Annual Report to Congress and Administration officials.

NIST's Computer Security Budget

On April 20, 1990, the Board issued a letter to Congressional officials on the state of NIST's computer security program budget and recommended that it be increased, as the President had requested in his FY-91 budget request. The Board's letter was forwarded to Congress by the Secretary of Commerce. The increase was ultimately approved, and in FY-91 the program budget was increased by $1 million to $3.5 million.

Development of Computer Security Guidelines

On October 10, 1990, following action at its September meeting, the Board issued a letter to the Director of NIST recommending that NIST develop and issue a comprehensive set of computer security guidelines. The Board also provided NIST with a proposed outline of the envisioned publication. On October 26, 1990, Dr. Lyons responded that he was reviewing alternatives to meet the need identified by the Board. NIST now plans to use the outline as the basis for a Computer Security Handbook, to be developed under contract to NIST.
Information Technology Security Evaluation Criteria

The Board also issued its findings on October 20, 1990, regarding the draft European-developed Information Technology Security Evaluation Criteria document. The Board recommended that this important trade issue be coordinated among all concerned federal agencies. Also, the Board sought active protection of U.S. interests via the International Standards Organization process. Secretary of Commerce Mosbacher replied on December 18, 1990 that the Department would be following this important issue.

Exhibits

The Board's correspondence and replies (when received) are included in the following exhibits:

Exhibit I    Apr 20, 1990   Budget letter from Chairman Ware (No replies were received.)
Exhibit II   May 22, 1990   Budget letter from Secretary of Commerce Mosbacher to the Honorable Robert C. Byrd, et al.
Exhibit III  May 24, 1990   Transmittal of 1989 Annual Report by Secretary Mosbacher (No replies were received.)
Exhibit IV   Apr 9, 1990    Letter from Chairman to U.S. Department of Commerce General Counsel on legal issues
Exhibit V    May 17, 1990   Answer from General Counsel to Chairman Ware
Exhibit VI   Oct 10, 1990   Chairman's letter to NIST Director Lyons regarding computer security guidelines (Handbook)
Exhibit VII  Oct 20, 1990   Board letter to Secretary Mosbacher regarding the Information Technology Security Evaluation Criteria
Exhibit VIII Oct 26, 1990   Answer to the Board from NIST Director Lyons
Exhibit IX   Dec 18, 1990   Answer from Secretary Mosbacher to the Board

Exhibit I

THE NATIONAL COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
Established by the Computer Security Act of 1987

APR 20 1990

Honorable Robert C. Byrd
Chairman, Committee on Appropriations
United States Senate
Washington, D.C. 20510-6025

Dear Mr. Chairman:

The Computer System Security and Privacy Board, established under Section 21 of the Computer Security Act of 1987 (P.L.
100-235), herewith conveys its finding, as stipulated under Section 21(b)(3) of the Act, on the issue of budget support for the National Institute of Standards and Technology (NIST) and its National Computer Systems Laboratory (NCSL). Through the Act, Congress assigned to the NIST/NCSL responsibility in Section 20(a) "to [develop] standards, guidelines, .... methods and techniques for cost-effective security ... [in Federal computer systems]."

At our recent meetings, the Board discussed the funding level of NIST/NCSL for the computer security program to meet the Congressionally mandated goal. Congress did not provide FY-90 funding commensurate with the relevant technical and managerial issues that must be addressed. The Board believes that the current funding level of $2.5 million for the NIST/NCSL computer security program is inadequate, a view consistent with the White House support of a $6.0 million funding level in FY-90.

With limited funding, Congress must appreciate that issues which led to the passage of legislation will not be promptly addressed, and that adequate solutions will be delayed. With the integration of computer systems into all aspects of our daily lives and the national economy, the failure to address system protection and security controls could have potentially serious consequences for the nation. Moreover, money spent on improving the security posture of government computer systems will be more than recouped from savings that result from more effective and safer system operation with more reliable and accurate data.

For these reasons, we solicit your support for the President's proposal to increase FY-91 funding to the NIST/NCSL program. The Board is available to explore the issue further or to amplify its views on the matter.

Sincerely,

Willis H. Ware
Chairman

Addressees to receive the recommendations on the computer security budget of the National Institute of Standards and Technology, U.S.
Department of Commerce, from the Computer System Security and Privacy Advisory Board:

Honorable Ernest F. Hollings
Chairman, Committee on Commerce, Science, and Transportation
United States Senate
Washington, D.C. 20510-6125

Honorable Jamie L. Whitten
Chairman, Committee on Appropriations
House of Representatives
Washington, D.C. 20515-6015

Honorable Robert A. Roe
Chairman, Committee on Science, Space, and Technology
House of Representatives
Washington, D.C. 20515-6301

Honorable John Conyers, Jr.
Chairman, Committee on Government Operations
House of Representatives
Washington, D.C. 20515-6143

Exhibit II

May 22, 1990

Honorable Robert C. Byrd
Chairman, Committee on Appropriations
United States Senate
Washington, DC 20510-6025

Dear Mr. Chairman:

I am pleased to submit the enclosed report on the computer security budget for the National Institute of Standards and Technology from the Computer System Security and Privacy Advisory Board, U.S. Department of Commerce, in compliance with the Computer Security Act of 1987.

Sincerely,

Robert A. Mosbacher

Honorable Robert C. Byrd
Chairman, Committee on Appropriations
United States Senate
Washington, DC 20510-6025

Honorable Ernest F. Hollings
Chairman, Committee on Commerce, Science and Transportation
United States Senate
Washington, D.C. 20510-6125

Honorable Jamie L. Whitten
Chairman, Committee on Appropriations
House of Representatives
Washington, D.C. 20515-6301

Honorable Robert A. Roe
Chairman, Committee on Science, Space, and Technology
House of Representatives
Washington, DC 20515-6301

Honorable John Conyers, Jr.
Chairman, Committee on Government Operations
House of Representatives
Washington, D.C. 20515-6143

Exhibit III

May 24, 1990

Honorable John Conyers, Jr.
Chairman, Committee on Government Operations
House of Representatives
Washington, D.C. 20515-6143

Dear Mr. Chairman:

I am pleased to submit the Annual Report of the Computer System Security and Privacy Advisory Board, U.S.
Department of Commerce, for calendar year 1989, in compliance with the Computer Security Act of 1987.

Sincerely,

Robert A. Mosbacher

Honorable Robert C. Byrd
Chairman, Committee on Appropriations
United States Senate
Washington, D.C. 20510-6025

Honorable Ernest F. Hollings
Chairman, Committee on Commerce, Science, and Transportation
United States Senate
Washington, D.C. 20510-6125

Honorable Jamie L. Whitten
Chairman, Committee on Appropriations
House of Representatives
Washington, D.C. 20515-6015

Honorable Robert A. Roe
Chairman, Committee on Science, Space, and Technology
House of Representatives
Washington, D.C. 20515-6301

Exhibit IV

THE NATIONAL COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
Established by the Computer Security Act of 1987

APR 09 1990

Wendell L. Willkie II, Esquire
General Counsel
U.S. Department of Commerce
Washington, DC 20230

Dear Mr. Willkie:

During a recent meeting of the Computer System Security and Privacy Advisory Board (CSSPAB) established under Section 3 of the Computer Security Act of 1987 (Public Law 100-235), several items of CSSPAB functioning were discussed at length in public session with Mr. Michael Rubin of your office. Admittedly, some of these things are interpretive in nature or even uncertain in view of the words of the law and its legislative history. Accordingly, on behalf of the Board, I am formally soliciting an official departmental written legal opinion on the following questions. Your guidance will greatly assist the effective functioning of the CSSPAB and will hopefully resolve confusion which has arisen as to its proper role, relationship to the Department of Commerce, and obligations under various laws.

1. What is the relationship between the CSSPAB and the Federal Advisory Committee Act? Is it necessary that the CSSPAB be established pursuant to the procedures of the Federal Advisory Committee Act, or does the Computer Security Act in and of itself provide a sufficient basis for the CSSPAB to function?

2.
In view of the wording of PL 100-235, what is the relationship between the CSSPAB and the Department of Commerce? Although the CSSPAB resides within the Department, does it follow that the Department must establish the CSSPAB's charter and set its agenda? To what degree does the Board have any independence from the Department? Do the members of the Board have the power to amend the CSSPAB's charter? To what extent are the DOC administrative review and approval procedures for correspondence relevant to CSSPAB?

3. The duties of the CSSPAB include the statutory responsibility to report its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency, and the appropriate committees of the Congress. The question has arisen whether these reporting requirements are sequential or concurrent. Can the CSSPAB, for example, report its findings directly to the Congress, or must it report its findings to Congress through the Secretary? Is it legally significant that Congress did not use the preposition "through" but stated "to ... the Congress" when it described the Board's reporting requirements?

4. The CSSPAB is comprised of the Chairman and twelve members, four of whom are required to be Federal employees. If the Board were to make findings concerning a specific legislative proposal affecting computer security and communicated these findings in its reports to Congress, how can the Board protect its Federal members from running afoul of the anti-lobbying provisions of 18 USC 1913? Must the Federal members abstain from all votes affecting legislative issues?

5. The non-Federal members are concerned over the application of the Procurement Integrity Act to their activities with the Board. While the PIP Act has been suspended for one year, there was an overlap period of time in which the statute was in existence. We would like a summary of the Act's application to our activities during that period of time.
I would appreciate your prompt consideration of these questions. In the event it is considered inappropriate for the Commerce General Counsel to provide advice to the Board on these issues, who would be the proper authority? Would it be inappropriate for the CSSPAB to seek legal advice from the Office of Legal Counsel of the Justice Department? Would it be wise to solicit an opinion from the DOJ in addition to that from your office?

I thank you in advance for your time and consideration of these issues. Your guidance is much appreciated.

Sincerely,

Willis H. Ware
Chairman

Exhibit V

UNITED STATES DEPARTMENT OF COMMERCE
Office of the General Counsel
Washington, D.C. 20230

MAY 17 1990

Mr. Willis H. Ware
The National Computer System Security and Privacy Advisory Board
NIST
Technology Building, Room B154
Gaithersburg, Maryland 20899

Dear Mr. Ware:

This is in response to your letter to the General Counsel requesting a written opinion on several issues concerning the status and operation of the Computer Systems Security and Privacy Advisory Board (CSSPAB) (Board). For the sake of clarity, each of your questions is set forth below, followed by the corresponding answer.

Question 1

What is the relationship between the CSSPAB and the Federal Advisory Committee Act? Is it necessary that the CSSPAB be established pursuant to the procedures of the Federal Advisory Committee Act, or does the Computer Security Act in and of itself provide a sufficient basis for the CSSPAB to function?

Answer

The Computer Security Act of 1987 provides for the establishment of the CSSPAB. P.L. 100-235, § 3(2), 101 Stat. 1727, 15 U.S.C. § 278g-4. The Board consists of a chairman, eight members from outside the Federal government and four members from the Federal government. The members are appointed by the Secretary of Commerce.
The duties of the CSSPAB are: 1) to identify emerging managerial, technical, administrative, and physical safeguard issues relative to computer system security and privacy; 2) to advise the National Institute of Standards and Technology and the Secretary of Commerce on security and privacy issues pertaining to Federal computer systems; and 3) to report its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency, and the appropriate committees of the Congress. 15 U.S.C. § 278g-4(b).

The Federal Advisory Committee Act (FACA) (5 U.S.C. App. 2) imposes certain procedural and administrative requirements on advisory committees. The definition of advisory committee includes any committee, board, commission, conference, panel, task force, or other similar group established by statute in the interest of obtaining advice or recommendations for any Federal agency. 5 U.S.C. App. 2 § 3(2). The requirements of the FACA are applicable to every advisory committee "except to the extent that any Act of Congress establishing such advisory committee specifically provides otherwise." 5 U.S.C. App. 2 § 4.

Since the CSSPAB is tasked with advising the National Institute of Standards and Technology (NIST) and the Secretary of Commerce on security and privacy issues pertaining to Federal computer systems, it is an advisory committee. The legislation establishing the CSSPAB provides that it is established within the Department of Commerce. 15 U.S.C. § 278g-4(a). The legislation also does not exempt the CSSPAB from any of the FACA's provisions. Consequently, the FACA's requirements are fully applicable to the CSSPAB. The CSSPAB is subject to all of the provisions of the FACA, and the CSSPAB cannot meet or take any other action until the procedural and administrative requirements of the FACA have been satisfied.
Question 2

In view of the wording of PL 100-235, what is the relationship between the CSSPAB and the Department of Commerce (DOC)? Although the CSSPAB resides within the Department, does it follow that the Department must establish the CSSPAB's charter and set its agenda? To what degree does the Board have any independence from the Department? Do the members of the Board have the power to amend the Board's charter? To what extent are the DOC administrative review and approval procedures for correspondence relevant to CSSPAB?

Answer

As stated above, the CSSPAB is an advisory committee within the Department of Commerce. The FACA requires each agency to "exercise control and supervision over the establishment, procedures, and accomplishments of advisory committees established by that agency." 5 U.S.C. App. 2 § 8(b). Agencies are also required to file a charter for each advisory committee. Id. § 9(c). Charters for advisory committees over which the Department has jurisdiction are required to be prepared and filed in accordance with the procedures set forth in Part 2, Chapter 2, Section 3 of the Department's Committee Management Handbook. The CSSPAB's charter must be prepared and filed in accordance with these procedures.

The FACA also provides that a designated Federal official or employee must attend each meeting of an advisory committee and that no advisory committee shall conduct any meeting in the absence of that officer or employee. Advisory committees are prohibited from holding meetings except with the advance approval of the designated Federal official. Further, the agenda of every advisory committee meeting must be approved by this official. 5 U.S.C. App. 2 § 10(e), (f).

Accordingly, the CSSPAB is prohibited from operating independently of the Department of Commerce. The meetings and agenda of CSSPAB must be approved by the appropriate Department official. The CSSPAB's charter also cannot be amended by the members.
Any charter amendment must be effected in accordance with the procedures set forth in Part Two, Chapter Two, Section D of the Department's Committee Management Handbook, which requires the approval of amendments by the Assistant Secretary for Administration. Likewise, since the CSSPAB reports through the Director of NIST, the administrative review and approval procedures applicable to the correspondence of advisory committees within the jurisdiction of the Department are fully applicable to the CSSPAB.

Question 3

The duties of the CSSPAB include the statutory responsibility to report its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency and the appropriate committees of Congress. The question has arisen whether these reporting requirements are sequential or concurrent. Can the CSSPAB, for example, report its findings directly to Congress, or must it report its findings to Congress through the Secretary? Is it legally significant that Congress did not use the preposition "through" but stated "to ... the Congress" when it described the Board's reporting requirements?

Answer

The Computer Security Act does require the CSSPAB to report to several entities in addition to the Secretary of Commerce. However, nothing in the legislation or in the legislative history indicates that the reporting to the various entities is to be concurrent. Although the statute establishing the CSSPAB does not explicitly require that all reports shall be made through the Department, the reporting requirements must be viewed in light of the placement of the CSSPAB within the Department of Commerce. The CSSPAB is required to submit its reports in accordance with the CSSPAB charter. The charter provides that the Board report "through the Director of [NIST]." This requirement is consistent with the position of the CSSPAB as an advisory committee within the Department.
Thus, the CSSPAB cannot report directly to Congress but must report through the Director of NIST as required by the CSSPAB charter. We view the requirement that the CSSPAB report to entities other than the Secretary as an expression of congressional intent that the other entities be kept informed, not as a mandate for the CSSPAB to operate independently of the Department in which it has been established.

Question 4

The CSSPAB is comprised of the Chairman and twelve members, four of whom are required to be Federal employees. If the Board were to make findings concerning a specific legislative proposal affecting computer security and communicated these findings in its reports to Congress, how can the Board protect its Federal members from running afoul of the anti-lobbying provisions of 18 U.S.C. 1913? Must the Federal members abstain from all votes affecting legislative issues?

Answer

18 U.S.C. 1913 provides that:

    No part of the money appropriated by any enactment of Congress shall, in the absence of express authorization by Congress, be used directly or indirectly to pay for any personal service, advertisement, telegram, telephone, letter, printed or written matter, or other device, intended or designed to influence in any manner a Member of Congress, to favor or oppose, by vote or otherwise, any legislation or appropriation by Congress, whether before or after the introduction of any bill or resolution proposing such legislation or appropriation; but this shall not prevent officers or employees of the United States or of its Departments or agencies from communicating to members of Congress on the request of any Member, or to Congress, through the proper official channels, requests for legislation or appropriations which they deem necessary for the efficient conduct of public business (emphasis added).

This law specifically authorizes Federal officials to communicate their views on pending legislation to Congress "through proper official channels."
The CSSPAB is required by law and its charter to report to the appropriate committees of Congress regarding computer systems security and privacy issues. The CSSPAB may have occasion to make findings or recommendations regarding specific legislative proposals affecting computer security. The communication of any such findings or recommendations in a report to Congress (through the Director of NIST as required by the CSSPAB charter) would be a communication through a proper official channel. Consequently, the Federal members of the CSSPAB would not be in contravention of 18 U.S.C. § 1913 and need not abstain from votes affecting legislative issues.

Question 5

The non-Federal members are concerned over the application of the Procurement Integrity Act to their activities with the Board. While the PIP Act has been suspended for one year, there was an overlap period of time in which the statute was in existence. We would like a summary of the Act's application to our activities during that period of time.

Answer

The Procurement Integrity Act of 1988 became effective July 16, 1989. Congress suspended the provisions of the Act from December 1, 1989 through November 30, 1990. The Administration hopes that before November 30th, new legislation will be enacted to supersede the more troublesome aspects of the suspended Act. It is expected that any new legislation would exempt members of advisory boards or committees from its coverage.

As you recognize, between July 16, 1989 and November 30, 1989, the Act affected the activities of any procurement official who participated personally and substantially in any phase of an agency procurement. For purposes of the Act, procurement officials of an agency included consultants, experts, or advisers (other than a competing contractor) who acted on behalf of, or provided advice to, the procuring agency with respect to a procurement.
You must therefore determine whether non-Federal Board members participated personally and substantially in the conduct of any Federal agency procurement. Personal and substantial participation in a procurement may have occurred if Board members provided advice to an agency about contract specifications or related procurement matters between July 16, 1989, and November 30, 1989. If a Board member's advice constituted active and significant involvement in activities directly related to a procurement, the Board member became a procurement official for purposes of that procurement. As a procurement official, the Board member's activities were affected in the following ways:

o He was barred from seeking employment with or business opportunities from a competing contractor or its agents until December 1, 1989 or the conclusion of the procurement, whichever event came first.

o He was prohibited from participating in any manner on behalf of a competing contractor in negotiations leading to the award, modification, or extension of a contract for such procurement until December 1, 1989.

o He was prohibited from participating personally and substantially on behalf of the competing contractor in the performance of such contract until December 1, 1989.

o He was barred from seeking or receiving, directly or indirectly, any money, gratuity, or other thing of value from any competing contractor or its agents.

In addition, any member of the Board who was given authorized or unauthorized access to any proprietary or source selection information regarding any agency procurement was barred from knowingly disclosing such information, directly or indirectly, to any person other than a person authorized by the head of such agency or the contracting officer to receive such information. This prohibition applied without regard to one's status as a procurement official.

Should the suspended Act take effect again on November 30, 1990, questions might arise about its continuing application to activities that occurred between July 16, 1989 and November 30, 1989. In this event, you might wish to consult us for additional advice.

As a final matter, let me assure you that it is entirely appropriate for the CSSPAB to seek advice from this office. Since the CSSPAB is an advisory committee within the Department of Commerce, advice on its status and operation must be based upon an interpretation of Departmental requirements as well as the establishing legislation. Please feel free to contact this office again if you have additional questions on this matter.

Sincerely,
Dan Haendel
Deputy General Counsel

Exhibit VI

THE NATIONAL COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

October 10, 1990

Dear Dr. Lyons:

The Computer System Security and Privacy Advisory Board was established within the Department of Commerce by the Computer Security Act of 1987, P.L. 100-225. The charter of the Board establishes a specific objective for the Board to advise the National Institute of Standards and Technology (NIST) and the Secretary of Commerce on security and privacy issues pertaining to Federal computer systems.

The purpose of this letter is to advise you of the unanimous concern of the Advisory Board that information security guidelines be written and published by NIST. We feel that these guidelines are a basic building block of the government's information infrastructure program and will provide the necessary detailed guidance to Federal agencies to ensure proper safeguards for unclassified systems. There are numerous laws and regulations requiring attention to computer security and privacy, but the missing link is the proposed NIST guidelines.

1. Privacy Act of 1974 (P.L. 92-579) -- Provides for the protection and accuracy of information about individuals.

2. Federal Managers Financial Integrity Act (P.L. 97-225) -- Requires the use of internal controls to reduce fraud, waste and abuse.

3. OMB Circular A-123 -- Requires the establishment and periodic review of internal controls.

4. OMB Circular A-130 -- Assigns government-wide security responsibilities and describes minimum agency security program components.

5. OMB Circular 90-08 -- Provides guidance to Federal agencies on computer security planning.

6. Computer Security Act of 1987 (P.L. 100-235) -- Assigns primary responsibility for providing guidance and assistance for unclassified computer security.

7. President's FY-91 Budget, Managing for Integrity and Efficiency Section -- Describes the need for data integrity and accuracy.

Clearly the concerns of the Congress and the Office of Management and Budget regarding the need for improved computer security of the Government's unclassified systems have been repeatedly addressed. The Board shares these concerns and has identified the lack of a comprehensive computer security guideline as adversely affecting the Government's ability to effectively and efficiently implement these laws and regulations. Such guidelines would have immediate government-wide benefits in the strengthening of controls, resulting in improved computer security.

Recognizing the technical and fiscal resource constraints of NIST, and other competing priorities, the Advisory Board has independently produced an outline of these guidelines (enclosed). We are now requesting that you recognize this need, and consider whatever managerial alternatives are at your disposal to expedite the writing and issuance of these guidelines.

Thank you for your time and consideration of our recommendation. I am available to discuss this with you at your convenience.

Sincerely,
Willis H. Ware
Chairman

Enclosure

ENCLOSURE

A SYSTEMATIC APPROACH TO INFORMATION SECURITY

1. Purpose

It is intended that this document be used as a handbook to guide the selection and implementation of security measures in data processing and data communications environments. It does not provide exhaustive treatment of every aspect of computer and telecommunications security. It does provide references to other material which can be used to augment that presented here. A major difference between this material and other, similar efforts is that it offers guidance to specific references in its bibliography as a function of the particular problem being addressed. For example, if the problem is control of access to data at the record and field level, the reader will not be directed to the many papers on generalized access control at the file or data set levels, but rather to references to papers on only that aspect of access control. It has been our experience that it can be irritating and very time consuming to be given broadly-based references which force the reader to acquire and read many papers to find which, if any of them, contain the desired, specific information.

2. Scope

It is intended that this handbook provide material and references which will assist in identifying, implementing, and assessing the relative cost and adequacy of security controls in data processing and telecommunications environments.

3. Definitions of Key Terms

There is no broad agreement on what is meant by many of the most commonly used computer security-related terms, such as integrity, quality, value, accountability, auditability, access control, and even data and computer security. An understanding of such terms constitutes a virtual sine qua non for the usefulness of the following material.

4. Computer Security Policy Statements

Treat here the need for policy statements, guidance in the preparation and issuance, and sample policies which have proven effective. Include here comments on enforcement.

5. Assigning Responsibility for Computer Security

Guidance in the selection of organizational configurations for managing computer security programs and the assignment of responsibilities for security.

6. The Importance of a Rational and Systematic Approach to Computer Security

Unless the computer security program is conceived as a wholly coherent, properly integrated set of measures it will not yield adequate security at a reasonable cost. This point must be made as forcefully as possible. This is a very important topic. There are virtually no steps-in-the-right-direction which are meaningfully effective until they have been augmented by other measures essential to their effectiveness. For example, we have seen many systems in which there have been implemented password schemes which do nothing, that is, they support neither access control nor activity logs.

7. Economics of Security

It is important that those securing systems understand that solutions to security problems which cost more than simply tolerating those same problems are not cost-effective. There are times when the implementation of controls which are not cost-effective are dictated by other considerations, but these are relatively rare and should be the exceptions rather than the rule.

8. Threats and Vulnerabilities

It is all but impossible to implement cost-effective or even just adequately effective security measures without a proper understanding of the threats to and vulnerabilities of the systems involved. Failure to fully grasp both the threats and vulnerabilities seems to us the greatest single cause for failures to properly secure information systems.

9. Risk Analyses

This section should contain descriptions of and references to the more prominent or commonly used of the many different schemes for assessing risks in a data processing environment and some notes of caution about their use.

10. Human Resources

11. Employee Awareness Programs

Treatment of the need for, identification of materials and their sources, and suggestion for their use.

12. Data Categorization

Here should be addressed the matter of marking or labelling data to indicate the nature and degree of their sensitivities. We use the term categorization to avoid using classification because that latter term has military or intelligence implications related to protection against only unauthorized disclosure. There are more data which are sensitive to accidental or intentional modification or destruction than there are data sensitive to disclosure.

13. Personal Identification and Authentication

It is important to emphasize here the near-total dependence of many other controls on adequate personal identification schemes which are practicable of implementation in the work environments being secured. Fairly exhaustive treatment of the various schemes for personal identification is needed here without sending the reader to find too many other papers before he fully understands what this is all about.

13.1 Supporting physical security
13.2 Supporting system, application, data base and network protection

14. Access Control for the protection of:

14.1 system controls
14.2 data bases
14.3 applications
14.4 networks

15. Individual accountability (logging and log processing)

16. System Integrity

16.1 Hardware
16.2 Programs
16.2.1 System Control Programs
16.2.2 Application code
16.2.2.1 Purchased
16.2.2.2 In-House Generated
16.3 Physical Security
16.4 Contingency Planning
16.4.1 Emergency Response Measures
16.4.2 Back-Up Plans
16.4.3 Recovery Plans
16.5 Security Procedures and Practices
16.6 Protection against Electromagnetic or Acoustic Eavesdropping
16.7 Protection against Communications Intercept

This section should include enough guidance in cryptography to understand those aspects essential to the selection and implementation of appropriate means.
In addition, it should provide enough information to relieve fear that cryptography is too complex, costly or burdensome for most conventional systems. References to more detailed treatments of cryptography are important.

17. Message Authentication and Digital Signatures

18. Microcomputer Security

Physical and logical. Include comments on legal/ethical issues involving software.

19. Security in Local Area Networks

20. Viruses, Worms, Trojan Horses, etc.

21. The Importance of Federal, National and International Standards in the Selection and Implementation of Security Measures to Assure Quality and Availability

22. Monitoring Security Measures and Controls

Describe here the very important role of the internal audit function in seeing that all appropriate security controls have been selected and implemented.

Exhibit VIII

UNITED STATES DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
(formerly National Bureau of Standards)
Gaithersburg, Maryland 20899
OFFICE OF THE DIRECTOR

OCT 26 1990

Dr. Willis Ware
Chairman, Computer System Security and Privacy Advisory Board
The Rand Corporation
1700 Main Street
P.O. Box 2138
Santa Monica, CA 90406-2138

Dear Dr. Ware:

Thank you for your recent recommendation from the Computer System Security and Privacy Advisory Board on the need for the National Institute of Standards and Technology (NIST) to issue computer security guidelines. We at NIST share the Board's interest in seeing that timely computer security standards and guidelines are developed and promulgated. The outline developed by the Board appears to provide a useful framework for those seeking to utilize appropriate computer security measures.

I will be meeting with James Burrows, Director of the National Computer Systems Laboratory, to discuss alternatives for the development of a document to meet the needs identified by the Board. I have asked him to keep the Board apprised of our progress on this matter.
Let me take this opportunity to emphasize my appreciation for the continued efforts of the Board to improve the level of computer security in the federal government. I look forward to receiving further reports from the Board.

Sincerely,
John W. Lyons
Director

Exhibit IX

THE NATIONAL COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
Established by the Computer Security Act of 1987

OCT 20 1990

Honorable Robert A. Mosbacher
Secretary of Commerce
Washington, DC 20230

Dear Mr. Secretary:

Pursuant to its responsibility under the Computer Security Act of 1987, the Computer System Security and Advisory Board wishes to call the following issue to your attention.

The European Community has developed and circulated for comment a draft Information Technology Security Evaluation Criteria document. This proposed standard is similar to but different in important ways from the U.S. Trusted Computer System Evaluation Criteria. Both are intended as guidance to computer vendors in developing secure computer systems and products. Since much of U.S. industry is multi-national, the possibility of a European standard significantly different from a U.S. posture is an important issue. Such divergence could:

a) Impact the ability of the U.S. computer industry to market in Europe; and

b) Impact multi-national users who operate computer systems in various countries which may be required to use local standardization.

The situation is properly being monitored by the National Institute of Standards and Technology (NIST) and the National Computer Security Center of the National Security Agency (NSA). However, we believe this is an important emerging issue and therefore we strongly recommend that you:

a) Actively coordinate this issue within the government including such departments as the U.S. Department of State, International Trade Administration and Office of the U.S. Trade Representative; and

b) Actively protect the interests of U.S. industry via our international representation in the International Standards Organization arena.

It is of the utmost national importance that the efforts of NIST and NSA be sustained, encouraged, and supported.

Sincerely,
Willis H. Ware
Chairman

Exhibit X

December 18, 1990

Dr. Willis Ware
Chairman, Computer System Security and Privacy Advisory Board
c/o The Rand Corporation
1700 Main Street
P.O. Box 2138
Santa Monica, CA 90406-2138

Dear Dr. Ware:

Thank you for your letter regarding the recommendations of the Computer System Security and Privacy Advisory Board concerning the draft Information Technology Security Evaluation Criteria developed by the European Community. I have asked the Office of the Under Secretary for Technology to examine the important issues raised in your letter. Also, the National Institute of Standards and Technology is working with the Europeans to address United States' concerns with their draft criteria.

I would like to take this opportunity to express my appreciation for the continued efforts of the Board to improve the level of computer security in the federal government. I look forward to receiving further reports from you.

Sincerely,
Robert A. Mosbacher

IV. Future Advisory Board Activities

At its December meeting, the Board discussed a number of agenda topics for its 1990 meetings. Among the more important topics and questions of possible interest are:

Computer Security Guidelines and Standards

The Board would like to continue to receive updates of NIST plans and programs for an international solution/harmonization of computer security requirements and continue to monitor European developments. Also to be included are updates from NSA on Orange Book experiences and plans for any additional guidance and standards.
NIST Plans and Activities

Includes regular updates of the status of completing the guidelines document suggested by the Board and updates on current NIST projects and workplans, including priorities, schedule for rewrite of outdated guides, and work deferred due to lack of resources.

Privacy - EC Green Paper

This topic includes a briefing on the EC Green Paper vis-a-vis the U.S. position, which should include a status report from Congress. Also included are briefings on current privacy issues by organizations, individuals with competing views, and possibly Congressional staff.

Implementation of the Computer Security Act of 1987

Subsumed under this heading are various related issues the Board would like to address in 1991. These include an examination of Office of Management and Budget policies, including the anticipated rewrite of OMB Circular A-130. Also of interest is the role of the Inspector General in computer security. Computer security training and its effectiveness are also to be studied. Lastly, the Board would look into the status of OMB/NIST/NSA security planning agency visits.

Software Engineering and Reliability

Much attention is focused on security environments, products and data bases. Less has been said about the quality and reliability of application software. An April 1990 Congressional report (Bugs in the Program) questions whether the federal government is capable of developing software as reliable as it needs. The Board would like to be briefed on the state-of-the-art in software reliability.

Security and the Public Switched Network

A number of studies have highlighted the vulnerabilities of the public switched network. At the moment, much activity is taking place behind closed doors on this issue, particularly in the National Security Emergency Preparedness arena. At some point this issue needs to be surfaced and examined by the Board.
Use of Security Products and Features

A study conducted by the President's Council on Integrity and Efficiency indicated that many security functions and features were either unused or misused by system administrators and users. The experience of emergency response teams further bears this out. The Board would like to examine what must be done to change this and whether better guidelines are needed on how to use basic security tools such as passwords.

Rewrite of NSDD-145 and the NIST/NSA Memorandum of Understanding

The Board would like to continue to receive written updates or briefings by NSA/NIST on the status of the NIST/NSA Memorandum of Understanding and the recent Presidential directive on computer and telecommunications security.

Computer Emergency Response Team (CERT)

The Board believes that it would be useful to hear from NIST, other participants in the CERT program as well as victims of malicious software attacks. Periodic briefings on the CERT system and what lessons can be learned to improve security would be useful. Since most incidents occur because accepted routine security practices are not followed, should this not be well publicized, as an awareness or training tool?

Digital Signature

It is likely that during 1991 the Board will have the opportunity to examine the new digital signature algorithm.

International Hacking

Cases such as those that Cliff Stoll documented continue to be uncovered. Hackers continue to exploit the same old vulnerabilities that Stoll and many others have documented. Where is the accountability for taking care of known problems? Second, there appears to be continuing organizational confusion on the international hacking problem (i.e., who in the government, if anyone, is or should be responsible?).

V. Conclusions

During its second year, the Board continued to build the foundation toward progress in the years ahead. It developed a work plan and established its priorities.
The Board has begun to examine those issues which it should study further and has heard from a number of agencies and organizations as to its role and duties. While the Board has initiated an action plan to identify emerging computer security and privacy issues, much remains to be accomplished in successfully addressing the challenges of the 1990s.

APPENDIX A

Computer Security Act of 1987

See Separate File

APPENDIX B

Charter of the COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

See Separate File

APPENDIX C

AGENDA

March 13-14 Meeting of the Computer System Security and Privacy Advisory Board
Marriott Hotel
Gaithersburg, Maryland

Tuesday, March 13, 1990

9:00  Computer Security Issues Update - Lynn McNulty, Board Secretary
9:30  Review of Revision of NSDD-145 - Lynn McNulty
10:00 Review of Board's Progress - Willis Ware, Board Chairman
10:30 Break
10:45 Discussion of Export Draft Paper - Willis Ware, Board Chairman
12:00 Lunch
1:15  National Computer Security Center FY-1990 Program - Patrick Gallagher, Director, National Computer Security Center
2:30  Break
2:45  Board Discussion
3:15  Update on Computer Security and Telecommunications Council Activities - Stuart Katzke, Chief, NIST Computer Security Division

Closed Session

3:30  NIST Five-year Budget/Plan Update - Stuart Katzke, Chief, NIST Computer Security Division
4:30  Close First Day

End of Closed Session

Wednesday, March 14, 1990

9:00  Board Discussion of Civil Orange Book Alternatives - Leader(s) to be Determined
10:15 Break
10:30 Discussion of Civil Orange Book Alternatives cont.
11:45 Lunch
1:00  Board Open Discussion with NIST Director Dr. John Lyons
2:00  Subcommittee Reports and Public Participation (as necessary)
      CSSPAB Work Plan Subcommittee Update - Larry Wills
      Information Categorization Subcommittee Update - Rhoda Mancher
      NIST FY-90 Plan Review Subcommittee Update - Robert Courtney
2:30  New Topics or Continuation of Prior Discussions
3:30  Close of Meeting

MINUTES OF THE MARCH 13-14, 1990 MEETING OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

March 13, 1990

Call to Order

The fifth meeting of the Computer System Security and Privacy Advisory Board, held on March 13-14, 1990 at the Marriott Hotel in Gaithersburg, Maryland, was called to order at 9:00 a.m. by Chairman Willis Ware. Eleven members were in attendance in addition to the Chairman. (One vacancy exists on the Board due to the resignation of Mr. Simpson.)

Mr. Lynn McNulty, Board Secretary, reviewed the agenda and future Board meeting dates. The next five meetings will be held as follows:

June 14-15, 1990       Beckman Center, Irvine, CA
September 11-12, 1990  Reston, VA
December 11-12, 1990   Washington, DC area
March 19-20, 1991      West Coast
June 18-19, 1991       Washington, DC area
September 18-19, 1991  TBD

Mr. McNulty announced that the process to renew the charter (which expires on May 31, 1990) would be initiated shortly to allow sufficient time for processing through the Department of Commerce. (Under the Federal Advisory Committee Act, no advisory committee can operate without a valid charter.) Any comments from the Board on the charter were requested by April 1, 1990. Also, Board members were requested to submit nominations to fill the vacancy to the Secretary as soon as possible. (ACTION - BOARD MEMBERS)

Computer Security Issues Update

During a review of current computer security news, it was announced that NIST was assuming the sponsorship of the Federal Computer Security Educators Forum.
The Board expressed its concern about the already limited funds and personnel available to the National Computer Systems Laboratory (NCSL) and recommended that NCSL not assume this undertaking. NCSL personnel responded that sponsorship entailed little additional work and would be useful as a vehicle to increase the training and awareness aspects of the computer security program at nominal expense. Many members recommended that NCSL contact the Office of Personnel Management to see if it would be willing to assume this role.

The recent Department of Defense license of RSA public key cryptography was briefly discussed. A DoD visitor, Mr. Viktor Hampel, indicated DoD's flexibility on the issue and the willingness of the Protection of Logistics/Unclassified Program to brief the Board at a future meeting. (ACTION - SECRETARY)

OMB Circular 90-xx Update

Mr. Gene Troy, Manager of the Agency Assistance Group of NCSL's Computer Security Division, reported briefly on the progress of drafting OMB Circular 90-xx on computer security planning. Highlights of the proposed Circular include the modification of the NIST/NSA computer security plan review process. Agencies will continue to maintain existing plans and prepare plans for new systems. An internal review mechanism will be established to assure that the plans are completed. A team from OMB, NIST, and NSA will visit agencies to review these plans and discuss pertinent security issues. It is OMB's goal to have the document ready for Mr. Darman's signature by May 1, 1990. The Board also asked that Mr. Edward Springer of OMB be invited by the Board Secretary to attend the second day of the meeting.

Review of Board's Progress

The Chairman opened the discussion by noting that bureaucratic constraints have sometimes hampered advisory bodies like the Board from making as much progress as would have been desirable. Mr. Kuyers expressed strong personal concern about the Board's inability to act independently as he believed intended by Congress. He also expressed a sense of personal frustration about the lack of progress made by the Board and all of the administrative processing necessary to transmit the Board's findings through the Secretary of Commerce. Also, there was general concern about the timeliness of getting Board letters issued. The delay appears to have been due to a combination of drafting and redrafting cycles as well as the requirement to issue Board findings through the Secretary of Commerce. It was noted that Mr. Rubin, Deputy Chief Counsel (of the Department of Commerce) for NIST, would be able to meet with the Board late in the day to review pertinent legal issues. In discussing ways to increase the Board's efficiency, Mr. Zeitler suggested that small subcommittees be established to develop draft white papers for discussion at each meeting.

Board Actions - Approval of Export Control and NIST Budget Letters

The Chairman prefaced his remarks by indicating that he was a member of the National Research Council's Computer Science and Technology Board, which is also addressing export controls. He indicated the need for the record to show that he is in favor of a public airing of the export control issue. He also indicated that if the Board had a problem with his participation in the discussion he would recuse himself for the duration. Hearing no objection, the discussion began.

The Secretary distributed copies of the draft export control and NIST budget letter for the Board's consideration. Modifications were proposed by the members in the areas of application software integrating cryptologic features and syntax. After the NCSC presentation, the letters were revised and distributed to the Board for a vote. A vote was held on the budget and export letters. However, the Board later decided to modify the letters again.
The Board also voted, in public session, to unanimously accept the 1989 Annual Report. The next day, on March 14, 1990, the Board, in a public session, by a vote of 8 in favor with 4 (federal member) abstentions, agreed to forward the budget letter, as modified. The version of the export letter to be sent to the executive branch was unanimously approved. The version to be sent to Congress was approved with a vote of 9 in favor with 3 (federal member) abstentions. The Chairman stated for the record that in approving these letters the Board, to the best of its knowledge, has acted in full compliance with applicable laws, Commerce regulations, and its charter, as verbally discussed by the Deputy Chief Counsel for NIST. In accordance with the Federal Advisory Committee Act, copies of these approved letters were requested and were made available to members of the public and press in attendance.

National Computer Security Center - Mr. Patrick Gallagher

Mr. Patrick Gallagher, Director of the National Computer Security Center (NCSC), presented an overview of the Center's FY-90 activities. He was accompanied by Mr. Terry Ireland and Mr. Tom Malarkey. Mr. Ireland discussed NCSC's COMPUSEC research while Mr. Malarkey discussed the various documents issued by the Center. He indicated that a number of NCSC developed documents may be useful to the civilian side of government and had been offered to NIST. In response to a Board question, Mr. Gallagher indicated that the Center's budget was $40 - $45 million and was staffed by approximately 200 people. In discussing integrity criteria, Mr. Gallagher said that developing an integrity model could take a year, perhaps less, depending upon the acceptance of a specific model. Mr. Lipner suggested building a prototype system incorporating controls along the lines of the Clark/Wilson model and publishing the results within one year. NCSL's Dr.
Katzke said that NCSC and NIST are looking into the integrity issue and focusing on the development of an integrity document, expected by the end of April 1990.

Computer and Telecommunications Security Council (CTSC) Update - Dr. Katzke

Dr. Katzke updated the Board on the activities of the CTSC and his reorientation of the Council toward an affiliation of Working Groups. Any recommendations or decisions resulting from the working groups will be issued as CTSC documents and announced by NIST press releases. Mr. Wills requested that the Board receive a briefing on the professional certification of computer security professionals. (ACTION - SECRETARY) Dr. Katzke indicated that he will be pleased to provide the Board with updates on the CTSC as progress occurs.

NIST Five Year Budget/Plan Update - Dr. Katzke

During a brief closed session, Dr. Katzke briefed the Board on planned budgets for NIST's computer security program. No decisions or recommendations were made by the Board as a result of this briefing.

Board Legal Issues

Mr. Michael Rubin, Deputy Chief Counsel for NIST, briefed the Board on the intent of the Computer Security Act, with particular emphasis on the reporting requirements of the Board's documents. The Board automatically falls under the rules of the Federal Advisory Committee Act and was established within the Department of Commerce. Mr. Rubin explained that Board decisions can only be made during open session of the Board. A report or letter has no status until the Board has met in public meeting, properly noticed in the Federal Register, and voted upon it. The Board appreciates the intent of the FACA and the necessity to conduct government business in open session and will fully comply. The Department has taken the view that advisory committees are part of the Executive Branch and, therefore, subject to its constraints.
The Department also holds the view that any transmittal of reports or correspondence has to be routed through the Department of Commerce. Mr. Rubin noted that the Justice Department also supports this position. It was recommended that each of the federal members consult with his agency attorneys to determine how to handle Board issues, and in particular, the possible appearance of "lobbying." Following Mr. Rubin's departure, the Board's discussion continued. Board members noted that very few other advisory committees have a direct statutory reporting authority to the head of an agency and to the Congress. It was suggested that this might be taken to Congress for a further explanation of their intent. Mr. Colvin pointed out that he believes the Board has the right to request a legal opinion from the Department of Justice regarding the Board's reporting mechanism. The purpose of this request would be twofold: 1) to protect the federal members of the Board and 2) to protect the non-federal members with regard to the Federal Integrity in Procurement Act. He suggested that the method of pursuing this would be to submit a request to the Director of NIST and ask him to forward it to the Commerce General Counsel. The Chairman asked Mr. Colvin to draft an appropriate letter. (ACTION - MR. COLVIN)

March 14, 1990

Civil Orange Book Alternatives

Following a briefing by Ms. Lisa Carnahan concerning the Board's e-mail system, Mr. Lipner led the Board in a discussion of alternatives for a civilian orange book. He expressed the opinion that the current active international efforts in this area, particularly in the integrity arena, underscore the need for U.S. action by responsible private and public organizations. During the wide-ranging discussion, Mr.
Courtney suggested that a civilian yellow book could probably be developed and offered to develop an outline for the Board's consideration within thirty days. (ACTION - MR. COURTNEY) Also, it was agreed that the Board should send a letter to NIST emphasizing its concerns on the integrity issue. Mr. Courtney agreed to draft such a letter for the Board's consideration. (ACTION - MR. COURTNEY) It became clear that the Board needed more time to consider this issue and would like to do so at the next meeting. (ACTION - SECRETARY) Mr. Burrows expressed his view that NIST should begin with a civilian yellow book. The Chairman questioned Mr. Burrows regarding putting manpower on the effort required to turn Mr. Courtney's outline into a document.

Discussion with the Director of NIST

After lunch, Mr. Burrows introduced Dr. Lyons to the Board. Dr. Lyons presented a brief overview of current NIST activities, its budget, and its redirection into the advanced technology program. He remarked that, in spite of the past budget shortfalls, NCSL's computer security program had done well. He was pleased that the President's budget included a request for an additional $2.5 million. Mr. Cooper raised the Board's concerns with export control and the issue of cryptography, particularly in light of international efforts in the computer security standards arena. Dr. Lyons responded that the whole issue of computer exports had changed a great deal in the past 18 months. Mr. Morris asked Dr. Lyons how the Board can help NIST. Dr. Lyons replied that NIST has a number of advisory groups and that they assist by reviewing program plans and putting tasks in priority order. Evaluation of NIST programs, whether good or bad, is also useful. Technical details and assessment reports are of particular benefit. Reports are useless if they deal with increasing the budget by threefold. Dr. Lyons expressed NIST appreciation for the Board's efforts and welcomes all their comments and reports.
People-to-People Tour of USSR on System Control Issues

Mr. Wayne Madsen, who will be participating in a "People-to-People" visit to the USSR, gave a presentation on his upcoming trip. He explained the Soviets' interest in information concerning advanced technology, including: microcomputer security, PIN security, viruses, risk assessment, network security risks, auditing, and computer crime. Board members expressed their desire to invite Mr. Madsen back to give a follow-up report on his visit. (The Board then voted upon the revised versions of the export and NIST budget letters, as discussed above.)

Board Future Activities

Mr. Larry Wills conducted a brief overview of future board activities. Among the items of interest to the Board: NIST resources, NSDD-145 re-write, the NIST/NSA Memorandum of Understanding, proliferation of competing national computer security standards, public key cryptography, network security, privacy, telecommunications security, OMB Circular A-130, NIST Security programs, the data categorization and labelling issue, and self-assessment. Also, the Board expressed interest in having a presentation on the training aspects of the Computer Security Act. The Board is interested in hearing whether such training has been effective. Central agencies could be asked for input in writing. The Chairman and the Secretary will look into the issue for the September meeting. (ACTION - CHAIRMAN AND SECRETARY)

OMB Perspective on OMB Bulletin 90-xx

In response to the Board's request to hear directly from OMB regarding its draft Bulletin 90-xx, Mr. Edward Springer of the Office of Information Policy discussed with the Board the status of the draft Bulletin. Of particular concern was the perceived lack of accountability as to what happens if the agencies do not comply with the directive. Mr. Springer stated that OMB has the option to take non-compliance to a high level of agency management, and to make sure that the agency's budget is appropriately handled.
Mr. Kuyers recommended that the enforcement issue be stated more bluntly.

Public Participation

Mr. Viktor Hampel of DoD restated his concerns regarding DoD's license to use public key cryptology, and Mr. Wayne Madsen expressed the opinion that privacy, as it relates to the confidentiality of information resident on computer systems, will become a significant issue during this decade. He stated that Congress will probably revise the Privacy Act of 1974.

Close

There being no additional business or comments, the Chairman adjourned the meeting at approximately 3:00 p.m.

Lynn McNulty
Secretary

CERTIFIED as a true and accurate summary of the meeting

Willis Ware
Chairman

APPENDIX D

Computer System Security and Privacy Advisory Board
September 11-12, 1990
Agenda

9:00 Welcome & News Update - Ed Roback, Acting Board Secretary
9:10 Chairman's Remarks - Willis Ware, Chairman

I. Information Technology Security Evaluation Criteria
9:15 Overview of the Information Technology Security Evaluation Criteria (ITSEC) - Gene Troy, Manager, Agency Assistance Group, NIST
9:30 Position of U.S. Government for Unclassified Systems Community - James Burrows, Dir., National Computer Systems Laboratory
10:15 Break
10:30 A Vendor's Reaction to the ITSEC - William R. Whitehurst, International Business Machines Corp.
11:00 Discussion

II. Data Categorization Issues
11:30 Data Categorization Discussion
12:30 Lunch

III. Civilian Guidance Document
1:45 Questions/Clarification of A Proposed Outline for Computer Security Guidelines - Robert Courtney
2:00 Discussion of A Proposed Outline for Computer Security Guidelines

IV. Board's Progress Report
3:45 Status of Board's Work Efforts

V. USSR Visit Update
4:10 Update of "People-to-People" Visit to USSR - Wayne Madsen
4:30 Close
5:00 (Impromptu Social Hour)

September 12, 1990

VI. National Research and Educational Network
8:30 Congressional Perspectives on NREN - Michael R.
Nelson, Professional Staff Member, Senate Committee on Commerce, Science, and Transportation
9:00 National Research and Educational Network - Information Briefings - Dr. Charles Brownstein, Acting Assistant Director for Computer Information Science and Engineering, National Science Foundation
10:15 Break
10:30 Public Policy Issues Raised by National Networks - Prof. Lance J. Hoffman, The George Washington University

VII. Need for Government Computer Security Professional Series
11:15 Computer Security Professional Series - Ed Roback, NIST

VIII. Planning Session for 1990-1991 Program Year
11:35 Future Issues and Subcommittee Identification
12:00 Lunch

IX. NSDD-145 Rewrite and Role of NIST and NSA
1:15 Role of NIST and NSA in the Post-NSDD-145 Era - Bob Courtney

X. Discussion
1:45 Board Discussion - Continued & Pending Items
3:15 Presentation of Certificates of Appreciation
3:30 Close

MINUTES OF THE SEPTEMBER 11-12, 1990 MEETING OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

September 11, 1990

Call to Order

The sixth meeting of the Computer System Security and Privacy Advisory Board was called to order at 9:00 a.m. by the Chairman, Dr. Willis Ware. All portions of the meeting were open to the public. All members were present with the exception of Messrs. Kuyers, Lipner and Morris, who were unable to attend. Also, Mr. Michael Rubin, Deputy Chief Counsel for the National Institute of Standards and Technology (NIST), was available during the meeting to answer any legal issues which may have arisen; none did. Mr. Ed Roback of NIST served as Acting Board Secretary for the meeting in Mr. McNulty's absence. Opening remarks were delivered by Mr. Roback. First, he welcomed Mr. Patrick Gallagher, Director of the National Computer Security Center of the National Security Agency (NSA), who has been nominated by the Director of NSA to serve on the Board.
Secondly, it was announced that the Board has been officially rechartered by the Assistant Secretary for Administration for another two years, to expire in May 1992. Also, the July 10, 1990, computer security hearings were discussed, as was the possibility of government furloughs. The furloughs and possible budget cuts may affect the December Board meeting.

Information Technology Security Evaluation Criteria

Mr. Gene Troy, Head of the Agency Assistance Group of NIST's Computer Security Division, gave the Board a summary overview of the draft European-developed Information Technology Security Evaluation Criteria (ITSEC). (See Attachment A.) Next, he reviewed NIST's efforts to evaluate the ITSEC and arrive at a position on the document. NIST's comments on the ITSEC were provided to the Europeans in a letter dated August 2, 1990. Mr. Troy's comments included the need for the clustering of functionality and correlation of levels of functionality and assurance. Additionally, the ITSEC was critiqued from both the user and vendor perspective. Finally, Mr. Troy explained NIST's position that a significant number of supporting documents need to be developed to complement the ITSEC, including the selection of specific security mechanisms for a specific threat environment, and the need for specific instructions for the performance of evaluations against the ITSEC.

Discussion followed the formal presentation. The ITSEC clearly proposes conducting computer security evaluations in a dramatically different way from the Orange Book approach. The ITSEC approach also links the development and manufacturing process to the resulting level of security. Additionally, Mr. Burrows pointed out that it is clear that the European Community (EC) has many concerns regarding health, safety, and the environment, which they link to secure software. Traditionally, the U.S.
approach has been to let the user be responsible for such consequences and not have the government regulate them. Mr. Burrows also discussed the body of knowledge that the National Computer Security Center (NCSC) has amassed over the years by conducting Orange Book evaluations. It appears that the benefits of this experience are not available to those outside of the Center, although they may be of great potential benefit to the EC. Many additional questions regarding the ITSEC remain unanswered. Who will do the evaluations and who will bear the costs? Can manufacturers conduct their own evaluations? The development of international criteria should not be rushed until we are sure we have learned what we can from our experiences with the Orange Book.

Mr. William Whitehurst of IBM followed with a presentation of a vendor's perspective of the ITSEC. (See Attachment B.) He opened with an overview of the concerns of European nations with the Orange Book and the NCSC evaluation process. The current process is viewed as controlled by the Defense Department and restricted to U.S. vendors. Additionally, the Orange Book focuses primarily on confidentiality and not on integrity or availability issues. Next, the resulting consequences of multiple criteria on international users were presented. Requirements for transnational information flow may not be met if various conflicting criteria are developed and implemented. Also, managers of transnational networks will have to reconcile differences in criteria when configuring systems. Evaluations to varying national criteria will also be expensive, lengthy and resource intensive. This may force the development of expensive unique products for each market while other products may be unacceptable in certain markets. Also, security incompatibilities, availability of products and barriers to international data flow may result. Specific impacts of trusted systems criteria and evaluation upon vendors were then discussed.
IBM would like to see the development of a single world-wide harmonized international criteria with associated evaluations by government agencies. Such a desired result would include international recognition of national evaluations, which would be designed to be consistent and compatible. Evaluations of products are seen as the critical factor in the success of a criteria. Also, IBM believes that existing Orange Book security criteria and the associated evaluations have had limited impact. For example, basic requirements (individual accountability, segregation of duties, and integrity of information and auditability) have not changed. Other specific IBM concerns included: an undue emphasis upon assurance-correctness; inadequate descriptions of functionality; unlikelihood of mutually acceptable mapping of ITSEC to Orange Book criteria; inconsistent evaluations; the lack of provision for levels of proof; and the lack of distinction between products and systems. Following the presentation, the Board continued its discussion, focusing upon the EC-sponsored meeting to be held on ITSEC on September 25-26, 1990. Mr. Burrows will be representing NIST at the meeting and will participate as a panel member. There has also been a proposal by the EC to form work groups consisting of two members from each EC nation to work over the next two years to define and develop the evaluation process and ways for the evaluation to be mutually recognized throughout the EC when the evaluation is performed within the EC. Mr. Burrows said that the EC has not invited the U.S. to be part of their internal process. Mr. Gallagher indicated his concern that efforts be taken to protect proprietary information and processes of U.S. businesses as an international standard is developed. Mr. Burrows asked if the NCSC would be willing to share information and experiences it has gained from conducting evaluations with others, including the Europeans. Mr. 
Gallagher said that he would have to take a look at the proposal, but did not see any fundamental reason that the NCSC could not share what it had done. In discussing what actions the Board should take, Mr. Zeitler stressed the need for the Board to develop a position that points out that this issue is an important one for the U.S. to continue to monitor and participate in the process. Later, the Board unanimously agreed to send a letter to the Secretary of Commerce identifying its concerns. (See Attachment C.)

Planning for the Board's 1991 Activities

Mr. Roback reviewed items identified to be of interest to the Board for its 1990 meetings. Many of these items have been examined, although not at the level of detail desirable. It was agreed that Messrs. Colvin, Wills and McNulty would work to develop a list of topics for meetings for the next year. (ACTION - COLVIN, WILLS, and MCNULTY)

Computer Security Guidelines

Mr. Courtney briefly presented his outline for the development of proposed computer security guidelines. A rational and systematic approach to computer security is required. The Board agreed that the outline was good and the Board should encourage NIST to complete the entire document. Mr. Courtney asserted that the completed document would be approximately 150 pages. Mr. Zeitler felt that the document should be issued as a NIST guideline or standard. Ms. Mancher asked if every aspect of computer security would be covered in the guideline. It was agreed that was the goal of the document. The Chairman was interested in ensuring that the outline will accommodate a system under development as well as systems already in place. Mr. Courtney indicated that it would handle both. Mr. Colvin felt that this document should be given the highest priority for NIST to produce. Mr.
Burrows agreed that NCSL would try to produce the document; however, because of the present budgetary situation and with no new funding expected, it may not be possible to pursue this effort on the timetable the Board would like. Later, the Board adopted a letter to the Director of NIST transmitting the Board's outline and recommending that NIST fund its completion. (See Attachment D.)

People-to-People Visit to the USSR

Mr. Wayne Madsen returned to brief the Board on the results of his recent visit to the USSR. He focused upon concerns the Soviets have in the computer security area. (See Attachment E.)

Progress Report of Board's Activities

Mr. Roback reviewed a list of accomplishments by the Board since its inception. These included: issuing a recommendation for computer security to be an MBO, which was incorporated into the President's management plan; issuing recommendations on the new OMB circular on computer security planning; issuing recommendations on NIST's budget level; and hearing from federal agencies on the development of large new systems. The Chairman asked the Board to consider whether the Board is looking at the right issues commensurate with the Computer Security Act of 1987 and the interests and concerns of the membership. Comments that members may have should be sent to the Chairman. (ACTION - ALL MEMBERS) Mr. Courtney stressed the need for improved communication among Board members. Other ideas suggested included: the need to look at small manageable issues one at a time; the need to hear directly from federal agencies regarding their problems; the need for identifying the functions of a computer security officer; and the need to examine practical areas such as computer security awareness. Privacy was also identified as an area requiring attention. The Chairman suggested that each issue should have a champion who knew enough about the issue to develop a short position paper for the Board's consideration before delving headlong into the issue.
During the discussion, NIST's Dr. Katzke pointed out that the Small Business Administration had published some material regarding information security and risk management. He agreed to provide those documents to the Board. (ACTION - KATZKE) Additionally, the Board briefly considered whether a quasi-government entity should be created to handle public/private sector issues relating to security. Mr. Zeitler volunteered to look into how regulatory agencies were established for the banking industry, which might provide a model for the security community. (ACTION - ZEITLER)

September 12, 1990

Mr. Cooper raised his concerns about e-mail privacy and the need for the Board to examine the issue. It was agreed that the issue would be considered at the December meeting. (ACTION - SECRETARY)

National Research and Education Network (NREN)

Mr. Michael R. Nelson, Professional Staff Member of the Senate Committee on Commerce, Science, and Transportation, provided an overview of the Congressional perspective on NREN. (The views he presented were his own and not necessarily those of the Committee.) The High Performance Computing Act, S. 1067, would fund the development of NREN, which would be an extension of the National Science Foundation (NSF) network. Computer security responsibilities are specified for NIST in S. 1067, although no increase in authorization for NIST is included. However, it is expected that an increase in appropriations for NIST would occur for the NREN work. Board members emphasized the need for this additional funding.

Dr. Charles Brownstein, Acting Assistant Director for Computer Information Science and Engineering, National Science Foundation, provided an overview of NREN from the NSF's perspective. (See Attachment F.) An overview of NSFNET and the many definitions of network were discussed. Also, the architecture of the present Internet and the types of usage on the NSFNET were briefed.
Types of institutions connected to the network, the Federal Networking Council, and the genesis of NREN were discussed as well. See the attachment previously cited for further details.

Professor Lance Hoffman of the George Washington University provided the Board with an overview of the security and policy implications of national and international networks. (See Attachment G.) His presentation was adapted from an Office of Technology Assessment study on security and privacy in the design and management of NREN. Topics covered included: the emergence of a new era in world-wide communications, the present window of opportunity to provide security and privacy in NREN from its inception, existing networks and services, emerging technical, policy and legal issues, the adequacy of existing policy setting mechanisms, and similar experiences from which NREN may benefit. Professor Hoffman concluded his remarks with a recommendation that an eclectic conference gathering people from many disciplines would be an appropriate way to start to address these issues. During discussion following the presentations the Chairman summarized the Board's interest in having periodic briefings on the status of NREN. However, there was general agreement that it would be premature for the Board to take any position on the network.

Computer Security Professional Series

Mr. Roback provided the Board with a brief overview of a study for which NIST has been collecting federal position descriptions (PDs), which focuses on whether a separate position designation series should be established for computer security positions. NIST has collected approximately one hundred PDs from the civilian side of government. No analysis has been conducted yet. Creating a separate series requires convincing the Office of Personnel Management that computer security is a distinct career field and subject matter discipline.
It was also mentioned that a good definition of what a computer security position entails is required. The Board agreed to discuss this issue in some detail at the December meeting. (ACTION - SECRETARY)

Formal Approval of Board Letters

The Board reviewed the final text of the letters to the Director of NIST and the Secretary of Commerce on the Computer Security Guidelines and ITSEC, respectively. The Board unanimously adopted each letter.

Data Categorization

Data Categorization had been a prior topic of discussion among Board members who wished to reemphasize their desire to focus on the topic. After a brief discussion, the Board agreed that it was not able to work on the topic in detail at this meeting; however, it would be the subject of study at the December meeting. Board members requested examples of how agencies categorize unclassified information. Mr. Cooper volunteered to give an overview of existing schemes at the December meeting. Dr. Katzke will assist in this effort. (ACTION - COOPER and KATZKE.)

Miscellaneous

Mr. Burrows informed the Board that there was a topic that would be useful for the Board to discuss which is classified. He encouraged all members who did not have active security clearances to submit their documents or to forward existing clearances to NIST. Once the majority of Board members have done so, the classified topic can be discussed. (ACTION - SECRETARY) On another topic, the Chairman stated for the record that no non-federal Board members were involved in procurement activities that fell under the procurement integrity act, which was in effect for a portion of 1989.

Close

There being no additional business, the Chairman adjourned the meeting at 2:15 p.m.

Lynn McNulty
Secretary

CERTIFIED as a true and accurate summary of the meeting

Willis Ware
Chairman

APPENDIX E

Meeting of the Computer System Security and Privacy Advisory Board
December 11-12, 1990
Holiday Inn Crowne Plaza, Crystal City, Virginia

Tuesday,
December 11, 1990

9:00 Meeting Overview - Lynn McNulty, Executive Secretary
9:10 Remarks from the Chair - Willis Ware, Chairman

E-Mail Security and Privacy
9:15 E-Mail Industry Perspectives - Mike Cavanagh, Executive Director, E-Mail Industry Association, and Gary Levine, Chairman, E-Mail Industry Association Security Committee
10:00 Break
10:15 Legal and Academic Perspectives - George Trubow, The John Marshall Law School (Chicago, IL)
11:00 Computer Professionals for Social Responsibility on E-Mail Privacy - Marc Rotenberg, Director, Washington Office, CPSR
11:30 Discussion
12:00 Lunch

Computer Security Personnel
1:30 Overview of Issues - Lynn McNulty, Board Secretary
1:40 Federal Agency Panel - James Oberthaler, Patent Trademark Office, U.S. Department of Commerce; Col. Al Kondi, U.S. Army; Steve Smith, Federal Aviation Administration, U.S. Department of Transportation

Information Technology Security Evaluation Criteria & NIST/NSA Efforts
2:30 James H. Burrows, Director, National Computer Systems Laboratory, NIST; Patrick R. Gallagher, Director, National Computer Security Center, NSA

National Research Council Report
3:30 Computers at Risk - Safe Computing in the Information Age - Marjorie Blumenthal, National Research Council
4:30 Close

Wednesday, December 12, 1990

Data Categorization
8:30 Issue Overview - Roger Cooper
8:45 Federal Agency Panel - Federal Computer Security Program Managers - John Tressler, U.S. Department of Education; Jules Romagnoli, U.S. Department of State; Dolph Cecula, Bureau of the Census, U.S. Department of Commerce; John Hornung, U.S.
Customs Service
10:00 Break
10:15 Agnes Schryer, Treasury Board Secretariat, Administrative Policy Branch, Government of Canada
10:45 Bruce Bucklin, Acting Chief, Technical Operations Section, Drug Enforcement Administration
11:15 Discussion
12:00 Lunch

Board's 1991 Work Plan
1:30 Subcommittee Report of Draft Prioritized Items for 1991 Agenda - Bill Colvin and Larry Wills, Board Members
2:00 Discussion
2:30 Public Participation (as necessary)
3:00 Close

MINUTES OF THE DECEMBER 11-12, 1990 MEETING OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

December 11, 1990

Call to Order

The seventh meeting of the Computer System Security and Privacy Advisory Board was called to order at 9:00 a.m. by the Chairman, Dr. Willis Ware. All portions of the meeting were open to the public. All members were present with the exception of Mr. Hancock who was unable to attend. Opening remarks were delivered by Mr. Lynn McNulty, Executive Secretary. He expressed the Board's welcome to Mr. Steve Walker, of Trusted Information Systems, who has been nominated for membership and was in attendance. Mr. Gallagher, the designated representative from the National Security Agency, asked whether he and Mr. Walker would be receiving formal appointments to the Board. Mr. McNulty responded that the appointments were still at the Department of Commerce for clearance. It was also announced that the third nominee for membership is Mr. Charles McQuade of SIAC Corp.

E-Mail Security and Privacy

Mike Cavanagh, Executive Director of the E-Mail Industry Association (EIA), and Mr. Gary Levine, Chairman of EIA's Security Committee, provided the Board with EIA's perspectives on e-mail security and privacy issues. Mr. Cavanagh delivered a prepared statement (Attachment A).
EIA has identified the following four key recommendations:

1) the need for a public key cryptographic-based digital signature;
2) the need to waive export restrictions on RSA and DES and to develop unlimited export licenses;
3) the need to foster greater use of security and authentication in government networks; and
4) the need for Congress to establish a task force to enable legal recognition of digital signatures.

Professor George Trubow of the John Marshall Law School gave an overview of the various legal issues surrounding privacy, confidentiality and security. There are three legal areas of privacy: 1) tort law; 2) Constitutional law; and 3) informational privacy. Tort law deals with civil wrongs, including the tort of "intrusion in the seclusion" of an individual. Publication of a private fact is one example. Constitutional law mostly deals with the autonomy of individuals making choices about themselves. The only Constitutional reference to informational privacy is found in the 4th Amendment (Search and Seizure). It is important to bear in mind, however, that the Constitution is a constraint on the actions of government, not private organizations. Informational privacy essentially deals with laws and regulations regarding the protection of information (e.g., the Freedom of Information Act and the Privacy Act of 1974).

The Electronic Communications Privacy Act (ECPA) of 1988 is significant and provides protection in three ways: 1) it makes it illegal to intercept communications, 2) it protects against disclosure of intercepts, and 3) it prohibits use of intercepted information. ECPA becomes important as it authorizes interception during the "normal course of business use." Current law has loopholes and leaves employees in the private sector unprotected. What is needed is something to strike a better balance between "permissible" private activities and privacy concerns. If the Board accepts that work is needed, it should bring the issue to the attention of anyone it can.
The Chairman asked how the Board could get at the problem. Professor Trubow replied that ECPA could be modified by Congress.

Mr. Marc Rotenberg, Director of the Washington Office of Computer Professionals for Social Responsibility, presented his personal views regarding e-mail privacy. (See Attachment B.)

Computer Security Personnel

Mr. McNulty introduced the discussion on federal agency recruitment and staffing of computer security positions. NIST has been collecting position descriptions for federal agency full-time computer security positions. While a full report is not yet available, preliminary analysis shows that there is a clear lack of consistency across agency boundaries regarding the personnel series in which these positions are assigned.

Members of the panel included the following computer security program managers: Mr. Steve Smith, Federal Aviation Administration; Col. Al Kondi, U.S. Army; and Mr. James Oberthaler, Patent and Trademark Office (PTO), U.S. Department of Commerce. Each speaker provided a brief overview of their agency and its computer security program.

Mr. Smith has personnel in various series, including the 334, 080, 3091 and 1801 series. (See Attachment C.)

Col. Kondi has a staff of 22 people in both the 080 and 334 series. Across the Army there are about 300 full-time INFOSEC personnel (approximately 150 in COMPUSEC and 150 in COMSEC).

Mr. Oberthaler has recently set up a new program at PTO. His office has a staff of five, all in the 334 series. He views the 334 series as a broad category and, consequently, did not agonize over the choice of series. One major issue PTO had to confront was how to gain the necessary visibility for a program to be successful.

In the ensuing discussion, Mr. McNulty said that NIST would have a draft of the personnel issues paper at an upcoming Board meeting. (ACTION - Mr. McNulty) It was also mentioned that in the next issue of Access, the International Information System Security Certification Consortium would announce its certification program for security professionals, which ties into the issue before the Board.

Information Technology Security Evaluation Criteria & NIST/NSA Efforts

Mr. James Burrows opened the discussion of the draft European Information Technology Security Evaluation Criteria (ITSEC) and NIST's current efforts in this area. A summary of the September 1990 meeting in Brussels was presented. Most comments received by the Europeans emphasized that although the ITSEC described features which would look useful to a user, the features were not adequately linked together. Also, the European Community appears to want to gain at least two years' experience with a draft criteria document before adopting it in final form. Mr. Burrows also emphasized that the Europeans do not have to invite the U.S. in to participate. However, it may be to their advantage to do so if the U.S. had something to offer, such as the experiences of users of trusted systems, which NIST is working to obtain. Dr. Katzke announced that this topic would be discussed at the next Board meeting when NIST's work plan is presented. (ACTION - NIST)

NIST utilized the Board meeting to present a press release announcing the joint intention of NIST and the National Security Agency (NSA) to develop a federal criteria document. Messrs. Burrows and Gallagher jointly announced their plans. (See Attachment D.) They will be co-chairing a conference in February to look at experiences with trusted systems. Mr. Burrows also stressed that it was not NIST's intention to simply add to the Orange Book, but that a wholesale re-examination of federal requirements would be undertaken. Dr. Ware summed up the Board's comments as collectively expressing a sense of urgency and volunteered that the Board would do whatever it could to assist the effort.
National Research Council Report

Ms. Marjorie Blumenthal of the National Research Council (NRC), Staff Director of the System Security Study Committee, presented an overview of the recent NRC report Computers at Risk - Safe Computing in the Information Age. The report was sponsored by the Defense Advanced Research Projects Agency. Of particular interest to the Board in the report were:

- concerns with export controls on cryptography and high assurance level trusted systems;
- the recommendation for the founding of an Information Security Foundation; and
- the recommendation to promulgate a comprehensive set of Generally Accepted System Security Principles to provide a clear articulation of essential security features, assurances, and practices.

As the report was released just prior to the Board's meeting, members had not had sufficient time to fully review the study. Therefore, it was agreed that the Board would defer taking a position.

Wednesday, December 12, 1990

Data Categorization

Mr. Cooper introduced the discussion of data categorization by noting the importance of establishing a sound intellectual underpinning for categorization and that agencies were developing categorization schemes with or without guidance from NIST. This results in many uncoordinated and incompatible systems. Five agency representatives were invited to the meeting to share their thoughts and their agencies' experiences with categorization.

Mr. John Tressler of the U.S. Department of Education indicated that his department had a High/Medium/Low categorization scheme used to remind users of their responsibilities for the protection of information. This system is primarily based upon statutory requirements for confidentiality protection. It would, however, be useful to add integrity and availability to the definition. (See Attachments E (1) & (2).)

Mr. Jules Romagnoli of the U.S. Department of State's Office of Information Systems Security began by discussing the difficulty of working with the definition of "sensitive unclassified" information. At the Department, a formalized category of sensitive unclassified information, "Limited Official Use," exists. However, discrepancies exist between protection of printed information and that stored on magnetic media. The Department has studied the aggregation of unclassified information and found it to be sensitive in the aggregate.

Mr. Dolph Cecula, Director of Security at the Census Bureau, U.S. Department of Commerce, said that specific legislation protects census data. Employees take a non-disclosure oath every six months. Information is designated "Census Confidential." A study was conducted in 1973 which looked at categorizing personal information and failed due to its complexity. Today, functional managers do not understand the definition of sensitive information in OMB Circular A-130. However, in the Census Bureau all employees understand that Title 13 data requires protection. Census systems are treated as though they contain Title 13 data.

Mr. John Hornung of the U.S. Customs Service said that basic Treasury Department directives provide requirements for the protection of information. Some systems have Limited Official Use information as well as law enforcement information. Other Treasury agencies have additional categories. For example, the IRS has tax information as a separate category.

Mr. Cooper noted that while he was at Treasury, it was determined that data categorization was not possible.

The panel was asked if a government-wide policy would be useful. Mr. Romagnoli said that there is a need for some standardization, particularly for sharing information. Mr. Cecula agreed that standard categories are needed. There was significant disagreement among Board members as to whether standard categorization is desirable or achievable.

Next, Ms. Agnes Schryer of the Administrative Policy Branch, Treasury Board Secretariat of the Government of Canada, presented an overview of Canada's unclassified data categories. Theirs is a model based upon appropriate levels of protection. Their sensitive information is "designated" as requiring protection and is marked "PROTECTED." The bulk of this information is personal. Designated information is further delineated with A/B/C markings. (See Attachment F for further information on Canada's scheme.) Employee discipline standards are linked to the protection of designated information. Approximately 60-70% of the government's employees are subject to an "enhanced reliability status" background check. Her advice to the Board was to aim for a legislative basis for the categorization scheme, as was accomplished in Canada. Overall, categorization has proven useful for the Canadians.

Mr. Bruce Bucklin, Acting Chief of the Technical Operations Section at the Drug Enforcement Administration, presented a strawman approach to data categorization. He emphasized that the material presented was already under revision and viewed this as an ongoing process, which only began in June of 1990. The tentative conclusion they have reached is that four categories is too many while one is not enough. Mr. McNulty asked what the current status was. Mr. Bucklin replied that two categories may be adequate. Their effort is expected to be completed by May 1991 and is currently utilizing a staff of eight to ten full-time people.

The Board agreed that it may wish to take action with regard to data categorization. However, at this time the Board did not have a clear direction in which to proceed. It was agreed that Messrs. Lipner and Zeitler would meet to discuss the issue and prepare a recommended course of action. (ACTION - Messrs. Lipner and Zeitler.)

Board's 1991 Work Plan

Mr. Colvin provided an overview of the Board's proposed work plan for 1991 that he and Mr. Wills had developed. (See Attachment H.) Mr. Wills stressed that members should bear in mind that major privacy legislation may be passed within the next year. In reviewing the document, it was agreed that the "Implementation of the Computer Security Act of 1987" should be the highest priority.

The meeting was adjourned at 2:30 p.m.

Lynn McNulty
Secretary

CERTIFIED as a true and accurate statement of the meeting

Willis Ware
Chairman