1990 Annual Report
of the
National Computer System Security
and
Privacy Advisory Board
March 1991
TABLE OF CONTENTS
Executive Summary
I. Introduction
    Board's Establishment and Mission
    Board's Charter
    Membership
II. Major Issues Discussed
    NIST's Computer Security Budget
    Data Categorization
    E-Mail Security and Privacy
    Computer Security Evaluation Criteria
    Computer Security Guidelines (Handbook)
III. Advisory Board Correspondence
    NIST's Computer Security Budget
    Development of Computer Security Guidelines
    Information Technology Security Evaluation Criteria
    Exhibits
IV. Future Advisory Board Activities
V. Conclusions
Appendices
Executive Summary
This Annual Report documents the activities of the National Computer
System Security and Privacy Advisory Board during 1990, its second
year. The Board, which met three times during the year, was
established by Congress through the Computer Security Act of 1987
to identify emerging computer security issues. Dr. Willis Ware of
RAND has served as Chairman of the Board since March of 1989.
The Board formally identified three areas of emerging concern and
has issued letters containing the Board's positions and
recommendations to appropriate executive and congressional
officials. These were:
- NIST's Computer Security Program Budget;
- the Information Technology Security Evaluation Criteria;
and
- the Need for Computer Security Guidelines.
The Board also established a work plan for 1991 which identified
candidate topics for in-depth examination, including:
- Computer Security Guidelines
- NIST Plans and Activities;
- Privacy - EC Green Paper;
- Implementation of the Computer Security Act of 1987;
- Software Engineering and Reliability;
- Security and the Public Switched Network;
- Use of Security Products and Features;
- Rewrite of NSDD-145 and the NIST/NSA Memorandum of
Understanding;
- Computer Emergency Response Team (CERT);
- Digital Signature; and
- International Hacking.
With such a list of important topics to examine, plus the ever-growing
set of new issues and public policy questions, it is clear that much
work lies ahead for the Board in 1991 and beyond.
I. Introduction
Board's Establishment and Mission
The passage of the Computer Security Act of 1987 (P.L. 100-235,
signed into law on January 8, 1988 by President Reagan) established
the Computer System Security and Privacy Advisory Board. The Board
was created by Congress as a federal public advisory committee in
order to:
identify emerging managerial, technical, administrative, and
physical safeguard issues relative to computer systems security
and privacy.
Appendix A includes the text of the Computer Security Act of 1987,
which includes specific provisions regarding the Board. The Act
stipulates that the Board:
- advises the National Institute of Standards and Technology
and the Secretary of Commerce on security and privacy
issues pertaining to federal computer systems; and
- reports its findings to the Secretary of Commerce, the
Director of the Office of Management and Budget (OMB), the
Director of the National Security Agency (NSA), and
appropriate committees of Congress.
Board's Charter
The Board was first chartered on May 31, 1988 and was rechartered
on May 30, 1990 by U.S. Department of Commerce Assistant Secretary
for Administration Thomas Collamore. (See Appendix B for the text
of the current charter.) It should be noted that because of the
time necessary for the rechartering, the Board meeting scheduled for
June could not be officially noticed in the Federal Register. Since
a committee must have a current charter in order to notice a
meeting, and since at least 15 days notice is required, the decision
was made on May 8, 1990 to cancel the June meeting.
Consistent with the Computer Security Act of 1987, the Board's scope
of authority extends only to those issues affecting the security and
privacy of unclassified information in federal computer systems or
those operated by contractors or state or local governments on
behalf of the federal government. The Board's authority does not
extend to private sector systems (except those operated to process
information for the federal government) or systems which process
classified information or Department of Defense unclassified systems
related to military or intelligence missions as covered by the
Warner Amendment (10 U.S.C. 2315).
Membership
The Board is composed of twelve computer security experts in
addition to the Chairperson. The twelve members are, by statute,
drawn from three separate communities:
- four experts from outside the federal government, one of
whom is a representative of a small- or medium-size firm;
- four non-government employees who are not employed by or a
representative of a producer of computer or
telecommunications equipment; and
- four members from the federal government, including one
from the National Security Agency of the Department of
Defense.
Currently, Dr. Willis H. Ware, a senior researcher of the Corporate
Research Staff of RAND, serves as Chairman of the Board. He was
appointed in July 1989 following consultation with Congress which
determined that it was inappropriate for a NIST official to chair
the Board. As of December 1990, the full membership of the Board
was as follows:
- Chairman
Willis H. Ware, RAND
- Federal Members
Bill D. Colvin, National Aeronautics and Space
Administration
Roger M. Cooper, Department of Agriculture
Patrick Gallagher, National Security Agency (nominated)
Rhoda R. Mancher, Department of Veterans Affairs
- Non-federal, Non-Vendor
Robert H. Courtney, RCI Inc.
John A. Kuyers, Ernst and Young (renominated)
Eddie L. Zeitler, Fidelity Security Services, Inc.
(vacancy)
- Non-federal
Steven B. Lipner, Digital Equipment Corp.
Lawrence L. Wills, International Business Machines Corp.
Jack L. Hancock, Pacific Bell
(vacancy)
NIST's Associate Director for Computer Security, Mr. Lynn McNulty,
serves as the Board's Secretary and is the Designated Federal
Official (DFO) under the Federal Advisory Committee Act. The DFO
is responsible for ensuring that the Board operates in accordance
with applicable statutes and agency regulations. Additionally, the
DFO must approve each meeting and its agenda. Through the
Secretariat, NIST provides financial and logistical support to the
Board as stipulated by the Computer Security Act of 1987.
During 1990, the terms of Mr. Walter Straub (Rainbow Technologies,
Inc.) and Mr. Robert Morris (National Security Agency) expired.
Additionally, Mr. Jack Simpson (Mead Data Central, Inc.) resigned
on March 9, 1990. NSA chose Mr. Patrick Gallagher, Director of the
National Computer Security Center, as their designated
representative member on the Board. As of December, 1990, NIST's
nominations to fill existing Board vacancies were still being
processed.
II. Major Issues Discussed
The following section summarizes the discussions held by the Board
in 1990. Additionally, the Board conducts a good deal of informal,
non-decisional background discussion and preparation for meetings
by e-mail between meetings. The Board's activities also complement
the other activities of the Board's members, several of whom are
quite active in many aspects of these topics. Note that the minutes
and agenda from the March, September, and December meetings are
included as Appendices C to E, respectively. The required Federal
Register notices for the meetings are presented in Appendix F.
The substantive work of the Board during 1990 was devoted to various
topics related to the security of federal unclassified automated
information systems. Among the most important were:
- NIST's Computer Security Program Budget;
- Data Categorization;
- E-Mail Privacy and Security;
- Computer Security Evaluation Criteria; and
- Computer Security Guidelines.
NIST's Computer Security Budget
In 1989, the President had requested a substantial increase for
NIST's computer security program. In late September 1989, the
proposed increase for NIST's computer security program was cut by
conference committee action. This led to discussions among Board
members as to the inadequacy of the current budget, $2.5 million at
the time. The Board decided at its December 1989 meeting to send
a letter to Congress stressing the need for a higher funding level.
The letters could not be formally approved until March 1990, since
they had to be adopted by the Board in open session. The
President's budget for FY-91 requested an increase for the computer
security program, which ultimately resulted in a $1 million increase
for the program.
Data Categorization
Since June of 1989, the Board has discussed the issue of data
categorization of unclassified information. This topic continued
to be one of interest in 1990, although members of the Board hold
widely divergent opinions as to the desirability and feasibility of
developing a standard government-wide categorization scheme.
During the year, several Board members argued against the
desirability of defining or categorizing sensitive information. The
essence of their position was that all information held by
government agencies has some degree of sensitivity, as defined in
terms of its unauthorized disclosure, loss of integrity, or
inadvertent or intentional destruction. It was stated that in most
instances the development of sensitivity policies has focused
entirely upon the confidentiality aspects of the problem to the
exclusion of integrity and availability requirements. Any Board
recommendation would serve to continue this pattern of confusing the
fundamental security issues affecting the protection of unclassified
information. The underlying concern was to develop a policy that
would supplement the requirement expressed in the Computer Security
Act of 1987 to protect "sensitive" information.
In December 1990, during an extensive session on the topic,
representatives from five government agencies were invited to share
their positions on the topic with the Board. As with the Board
itself, their positions varied; however, while most believed that
such a scheme would be useful, they disagreed as to the feasibility
of actually developing a scheme that would be useful across all
agencies. A representative from the Canadian government also shared
that government's experience with a statute-based categorization
scheme, which is working very well.
The Board continues to examine this issue, recognizing its
importance and far-reaching implications. In December, the Board
asked two of its members to look further into the issue and report
back in March 1991.
E-Mail Security and Privacy
At the suggestion of Mr. Cooper at the September meeting, the Board
devoted a session at the December meeting to e-mail privacy and
security issues. The Board heard from representatives of the E-Mail
Industry Association, the American Bar Association, and a public
interest group, Computer Professionals for Social Responsibility.
Action by the Board on this matter was anticipated for 1991.
Computer Security Evaluation Criteria
Two distinct items are included in this category: 1) the European-
developed draft Information Technology Security Evaluation Criteria
(ITSEC) and the NIST response to that document and 2) the NIST and
NSA effort to develop appropriate standards and guidelines for U.S.
Government use.
At the September meeting, the Board examined the ITSEC and heard one
vendor's reactions to it. The Board also was presented with NIST's
official position on the document as relayed to the Europeans in a
letter in August. In December, NIST provided the Board with an
update on the ITSEC's progress and the European Community-sponsored
conference held in Brussels in September on it. The Board was also
informed of efforts by NIST and NSA to arrive at a common response
to the ITSEC. The Board, agreeing on the significance of the ITSEC
effort and resulting possible implications for U.S. international
trade, voted to send a letter to the Secretary of Commerce outlining
their position on the U.S. government's role. (See next chapter for
text of the letter and the response.)
Intertwined with the ITSEC topic was a discussion of what NIST
should be doing, if anything, to develop appropriate standards and
guidelines for the federal government's use. Positions ranging from
the need to modify the Orange Book to the non-usefulness of such a
document were vigorously debated. In December, NIST and NSA
announced their joint effort to develop a single federal criteria
document, which would not begin with the Orange Book as an initial
approach. NIST stressed that there was much that could be learned
from users of trusted systems and that it would be holding a
conference to gather the "lessons learned."
Computer Security Guidelines (Handbook)
In mid-1990, Mr. Courtney suggested to Board members that they
endorse a recommendation to NIST to develop a set of computer
security guidelines to aid federal agencies in the selection of
cost-effective security measures. He also prepared a draft outline
for NIST's use. After discussion of the outline at the September
meeting, and minor modifications, the Board recommended to the
Director of NIST that he give the development of such a document
high priority. The Director responded that NIST would be examining
ways to meet the need addressed by the Board.
III. Advisory Board Correspondence
During 1990, the Board issued letters reporting the Board's
findings on three important issues:
- the level of funding of NIST's computer security program
budget;
- the draft European Information Technology Security
Evaluation Criteria; and
- the development of computer security guidelines.
Also, the Chairman conducted correspondence with the Department of
Commerce's General Counsel regarding the legal constraints on the
Board. Finally, the Secretary of Commerce forwarded the Board's
1989 Annual Report to the Congress and Administration officials.
NIST's Computer Security Budget
On April 20, 1990, the Board issued a letter to Congressional
officials on the state of NIST's computer security program budget
and recommended that it be increased, as the President requested in
his FY-91 budget request. The Board's letter was forwarded to the
Congress by the Secretary of Commerce. The increase was ultimately
approved and in FY-91 the program budget was increased by $1 million
to $3.5 million.
Development of Computer Security Guidelines
On October 10, 1990, following action at its September meeting, the
Board issued a letter to the Director of NIST recommending that NIST
develop and issue a comprehensive set of computer security
guidelines. The Board also provided NIST with a proposed outline
of the envisioned publication. On October 26, 1990, Dr. Lyons
responded that he was reviewing alternatives to meet the need
identified by the Board. NIST now plans to use the outline as the
basis for a Computer Security Handbook, to be developed under
contract to NIST.
Information Technology Security Evaluation Criteria
The Board also issued its findings on October 20, 1990, regarding
the draft European-developed Information Technology Security
Evaluation Criteria document. The Board recommended that this
important trade issue be coordinated among all concerned federal
agencies. Also, the Board sought active protection of U.S.
interests via the International Standards Organization process.
Secretary of Commerce Mosbacher replied on December 18, 1990 that
the Department would be following this important issue.
Exhibits
The Board's correspondence and replies (when received) are included
in the following exhibits:
Exhibit I Apr 20, 1990 Budget letter from Chairman Ware
(No replies were received.)
Exhibit II May 22, 1990 Budget letter from Secretary of
Commerce Mosbacher to the Honorable Robert C.
Byrd, et al.
Exhibit III May 24, 1990 Transmittal of 1989 Annual Report
by Secretary Mosbacher
(No replies were received.)
Exhibit IV Apr 9, 1990 Letter from Chairman to U.S.
Department of Commerce General Counsel on
legal issues
Exhibit V May 17, 1990 Answer from General Counsel to
Chairman Ware
Exhibit VI Oct 10, 1990 Chairman's letter to NIST
Director Lyons regarding computer security
guidelines (Handbook)
Exhibit VII Oct 20, 1990 Board letter to Secretary
Mosbacher regarding the Information Technology
Security Evaluation Criteria
Exhibit VIII Oct 26, 1990 answer to the Board from NIST
Director Lyons
Exhibit IX Dec. 18, 1990 answer from Secretary Mosbacher
to the Board
Exhibit I
THE NATIONAL
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
Established by the Computer Security Act of 1987
APR 20 1990
Honorable Robert C. Byrd
Chairman, Committee on Appropriations
United States Senate
Washington D.C. 20510-6025
Dear Mr. Chairman:
The Computer System Security and Privacy Board, established under
Section 21 of the Computer Security Act of 1987 (P.L. 100-235),
herewith conveys its finding, as stipulated under Section 21(b)(3)
of the Act, on the issue of budget support for the National
Institute of Standards and Technology (NIST) and its National
Computer Systems Laboratory (NCSL).
Through the Act, Congress assigned to the NIST/NCSL responsibility
in Section 20(a) "to [develop] standards, guidelines, ... methods
and techniques for cost-effective security ... [in Federal computer
systems]." At our recent meetings, the Board discussed the funding
level of NIST/NCSL for the computer security program to meet the
Congressionally mandated goal.
Congress did not provide FY-90 funding commensurate with the
relevant technical and managerial issues that must be addressed.
The Board believes that the current funding level of $2.5 million
for the NIST/NCSL computer security program is inadequate, a view
consistent with the White House support of a $6.0 million funding
level in FY-90. With limited funding, Congress must appreciate that
issues which led to the passage of legislation will not be promptly
addressed, and that adequate solutions will be delayed.
With the integration of computer systems into all aspects of our
daily lives and the national economy, the failure to address system
protection and security controls could have potentially serious
consequences for the nation. Moreover, money spent on improving the
security posture of government computer systems will be more than
recouped from savings that result from more effective and safer
system operation with more reliable and accurate data.
For these reasons, we solicit your support for the President's
proposal to increase FY-91 funding to the NIST/NCSL program.
The Board is available to explore the issue further or to amplify
its views on the matter.
Sincerely,
Willis H. Ware
Chairman
Addressees to receive the recommendations on the computer security
budget of the National Institute of Standards and Technology, U.S.
Department of Commerce, from the Computer System Security and
Privacy Advisory Board:
Honorable Ernest F. Hollings
Chairman, Committee on Commerce, Science,
and Transportation
United States Senate
Washington, D.C. 20510-6125
Honorable Jamie L. Whitten
Chairman, Committee on Appropriations
House of Representatives
Washington, D.C. 20515-6015
Honorable Robert A. Roe
Chairman, Committee on Science, Space,
and Technology
House of Representatives
Washington, D.C. 20515-6301
Honorable John Conyers, Jr.
Chairman, Committee on Government Operations
House of Representatives
Washington, D.C. 20515-6143
Exhibit II
May 22, 1990
Honorable Robert C. Byrd
Chairman, Committee on Appropriations
United States Senate
Washington, DC 20510-6025
Dear Mr. Chairman:
I am pleased to submit the enclosed report on the computer security
budget for the National Institute of Standards and Technology from
the Computer System Security and Privacy Advisory Board, U.S.
Department of Commerce, in compliance with the Computer Security Act
of 1987.
Sincerely,
Robert A. Mosbacher
Honorable Robert C. Byrd
Chairman, Committee on Appropriations
United States Senate
Washington, DC 20510-6025
Honorable Ernest F. Hollings
Chairman, Committee on Commerce, Science
and Transportation
United States Senate
Washington, D.C. 20510-6125
Honorable Jamie L. Whitten
Chairman, Committee on Appropriations
House of Representatives
Washington, D.C. 20515-6301
Honorable Robert A. Roe
Chairman, Committee on Science, Space,
and Technology
House of Representatives
Washington, DC 20515-6301
Honorable John Conyers, Jr.
Chairman, Committee on Government Operations
House of Representatives
Washington, D.C. 20515-6143
Exhibit III
May 24, 1990
Honorable John Conyers, Jr.
Chairman, Committee on
Government Operations
House of Representatives
Washington, D.C. 20515-6143
Dear Mr. Chairman:
I am pleased to submit the Annual Report of the Computer System
Security and Privacy Advisory Board, U.S. Department of Commerce,
for calendar year 1989, in compliance with the Computer Security
Act of 1987.
Sincerely,
Robert A. Mosbacher
Honorable Robert C. Byrd
Chairman, Committee on Appropriations
United States Senate
Washington D.C. 20510-6025
Honorable Ernest F. Hollings
Chairman, Committee on Commerce, Science,
and Transportation
United States Senate
Washington, D.C. 20510-6125
Honorable Jamie L. Whitten
Chairman, Committee on Appropriations
House of Representatives
Washington, D.C. 20515-6015
Honorable Robert A. Roe
Chairman, Committee on Science, Space,
and Technology
House of Representatives
Washington, D.C. 20515-6301
Exhibit IV
THE NATIONAL
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
Established by the Computer Security Act of 1987
APR 09 1990
Wendell L. Willkie II, Esquire
General Counsel
U.S. Department of Commerce
Washington, DC 20230
Dear Mr. Willkie:
During a recent meeting of the Computer System Security and Privacy
Advisory Board (CSSPAB) established under Section 3 of the Computer
Security Act of 1987 (Public Law 100-235), several items of CSSPAB
functioning were discussed at length in public session with Mr.
Michael Rubin of your office. Admittedly, some of these things are
interpretive in nature or even uncertain in view of the words of the
law and its legislative history. Accordingly, on behalf of the
Board, I am formally soliciting an official departmental written
legal opinion on the following questions. Your guidance will greatly
assist the effective functioning of the CSSPAB and will hopefully
resolve confusion which has arisen as to its proper role,
relationship to the Department of Commerce, and obligations under
various laws.
1. What is the relationship between the CSSPAB and the Federal
Advisory Committee Act? Is it necessary that the CSSPAB be
established pursuant to the procedures of the Federal
Advisory Committee Act, or does the Computer Security Act in
and of itself provide a sufficient basis for the CSSPAB to
function?
2. In view of the wording of PL 100-235, what is the
relationship between the CSSPAB and the Department of
Commerce? Although the CSSPAB resides within the Department,
does it follow that the Department must establish the
CSSPAB's charter and set its agenda? To what degree does the
Board have any independence from the Department? Do the
members of the Board have the power to amend the CSSPAB's
charter? To what extent are the DOC administrative review
and approval procedures for correspondence relevant to
CSSPAB?
3. The duties of the CSSPAB include the statutory responsibility
to report its findings to the Secretary of Commerce, the
Director of the Office of Management and Budget, the Director
of the National Security Agency, and the appropriate
committees of the Congress. The question has arisen
whether these reporting requirements are sequential or
concurrent. Can the CSSPAB, for example, report its
findings directly to the Congress or must it report its
findings to Congress through the Secretary? Is it legally
significant that Congress did not use the preposition
"through" but stated "to...the Congress" when it described
the Board's reporting requirements?
4. The CSSPAB is comprised of the Chairman and twelve members,
four of whom are required to be Federal employees. If the
Board were to make findings concerning a specific legislative
proposal affecting computer security and communicated these
findings in its reports to Congress, how can the Board
protect its Federal members from running afoul of the anti-
lobbying provisions of 18 USC 1913? Must the Federal members
abstain from all votes affecting legislative issues?
5. The non-Federal members are concerned over the application of
the Procurement Integrity Act to their activities with the
Board. While the PIP Act has been suspended for one year,
there was an overlap period of time in which the statute was
in existence. We would like a summary of the Act's
application to our activities during that period of time.
I would appreciate your prompt consideration of these questions. In
the event it is considered inappropriate for the Commerce General
Counsel to provide advice to the Board on these issues, who would
be the proper authority? Would it be inappropriate for the CSSPAB
to seek legal advice from the Office of Legal Counsel of the Justice
Department? Would it be wise to solicit an opinion from the DOJ in
addition to that from your office?
I thank you in advance for your time and consideration of these
issues. Your guidance is much appreciated.
Sincerely,
Willis H. Ware
Chairman
Exhibit V
UNITED STATES DEPARTMENT OF COMMERCE
Office of the General Counsel
Washington, D.C. 20230
MAY 17 1990
Mr. Willis H. Ware
The National Computer System Security
and Privacy Advisory Board
NIST Technology Building, Room B154
Gaithersburg, Maryland 20899
Dear Mr. Ware:
This is in response to your letter to the General Counsel requesting a
written opinion on several issues concerning the status and operation of
the Computer Systems Security and Privacy Advisory Board (CSSPAB)
(Board). For the sake of clarity, each of your questions is set forth
below, followed by the corresponding answer.
Question 1
What is the relationship between the CSSPAB and the Federal Advisory
Committee Act? Is it necessary that the CSSPAB be established pursuant
to the procedures of the Federal Advisory Committee Act, or does the
Computer Security Act in and of itself provide a sufficient basis for
the CSSPAB to function?
Answer
The Computer Security Act of 1987 provides for the establishment of the
CSSPAB. P.L. 100-235, § 3(2), 101 Stat. 1727, 15 U.S.C. § 278g-4. The
Board consists of a chairman, eight members from outside the Federal
government and four members from the Federal government. The members
are appointed by the Secretary of Commerce. The duties of the CSSPAB
are:
1) to identify emerging managerial, technical, administrative, and
physical safeguard issues relative to computer system security and
privacy;
2) to advise the National Institute of Standards and Technology and the
Secretary of Commerce on security and privacy issues pertaining to
Federal computer systems; and
3) to report its findings to the Secretary of Commerce, the Director of
the Office of Management and Budget, the Director of the National
Security Agency, and the appropriate committees of the Congress.
15 U.S.C. § 278g-4(b).
The Federal Advisory Committee Act (FACA) (5 U.S.C. App. 2) imposes
certain procedural and administrative requirements on advisory
committees. The definition of advisory committee includes any
committee, board, commission, conference, panel, task force, or other
similar group established by statute in the interest of obtaining advice
or recommendations for any Federal agency. 5 U.S.C. App. 2 § 3(2). The
requirements of the FACA are applicable to every advisory committee
"except to the extent that any Act of Congress establishing such
advisory committee specifically provides otherwise." 5 U.S.C. App. 2 § 4.
Since the CSSPAB is tasked with advising the National Institute of
Standards and Technology (NIST) and the Secretary of Commerce on
security and privacy issues pertaining to Federal computer systems, it
is an advisory committee. The legislation establishing the CSSPAB
provides that it is established within the Department of Commerce. 15
U.S.C. 278g-4(a). The legislation also does not exempt the CSSPAB from
any of the FACA's provisions. Consequently, the FACA's requirements are
fully applicable to the CSSPAB. The CSSPAB is subject to all of the
provisions of the FACA and the CSSPAB cannot meet or take any other
action until the procedural and administrative requirements of the FACA
have been satisfied.
Question 2
In view of the wording of P.L. 100-235, what is the relationship between the
CSSPAB and the Department of Commerce (DOC)? Although the CSSPAB
resides within the Department, does it follow that the Department must
establish the CSSPAB's charter and set its agenda? To what degree does
the Board have any independence from the Department? Do the members of
the Board have the power to amend the Board's charter? To what extent
are the DOC administrative review and approval procedures for
correspondence relevant to CSSPAB?
Answer
As stated above, the CSSPAB is an advisory committee within the
Department of Commerce. The FACA requires each agency to "exercise
control and supervision over the establishment, procedures, and
accomplishments of advisory committees established by that agency." 5
U.S.C. App. 2 § 8(b). Agencies are also required to file a charter for
each advisory committee. Id. § 9(c). Charters for advisory committees
over which the Department has jurisdiction are required to be prepared
and filed in accordance with the procedures set forth in Part 2, Chapter
2, Section 3 of the Department's Committee Management Handbook. The
CSSPAB's charter must be prepared and filed in accordance with these
procedures.
The FACA also provides that a designated Federal official or employee
must attend each meeting of an advisory committee and that no advisory
committee shall conduct any meeting in the absence of that officer or
employee. Advisory committees are prohibited from holding meetings
except with the advance approval of the designated Federal official.
Further, the agenda of every advisory committee meeting must be approved
by this official. 5 U.S.C. App. 2 § 10(e), (f). Accordingly, the CSSPAB
is prohibited
from operating independently of the Department of Commerce. The
meetings and agenda of CSSPAB must be approved by the appropriate
Department official. The CSSPAB's charter also cannot be amended by the
members. Any charter amendment must be effected in accordance with the
procedures set forth in Part Two, Chapter Two, Section D of the
Department's Committee Management Handbook, which requires the approval
of amendments by the Assistant Secretary for Administration. Likewise,
since the CSSPAB reports through the Director of NIST, the
administrative review and approval procedures applicable to the
correspondence of advisory committees within the jurisdiction of the
Department are fully applicable to the CSSPAB.
Question 3
The duties of the CSSPAB include the statutory responsibility to report
its findings to the Secretary of Commerce, the Director of the Office of
Management and Budget, the Director of the National Security Agency and
the appropriate committees of Congress. The question has arisen whether
these reporting requirements are sequential or concurrent. Can the
CSSPAB, for example, report its findings directly to Congress or must it
report its findings to Congress through the Secretary? Is it legally
significant that Congress did not use the preposition "through" but
stated "to . . . the Congress" when it described the Board's reporting
requirements?
Answer
The Computer Security Act does require the CSSPAB to report to several
entities in addition to the Secretary of Commerce. However, nothing in
the legislation or in the legislative history indicates that the
reporting to the various entities is to be concurrent. Although the
statute establishing the CSSPAB does not explicitly require that all
reports shall be made through the Department, the reporting requirements
must be viewed in light of the placement of the CSSPAB within the
Department of Commerce.
The CSSPAB is required to submit its reports in accordance with the
CSSPAB charter. The charter provides that the Board report "through the
Director of [NIST]." This requirement is consistent with the position of
the CSSPAB as an advisory committee within the Department. Thus, the
CSSPAB cannot report directly to Congress but must report through the
Director of NIST as required by the CSSPAB charter. We view the
requirement that the CSSPAB report to entities other than the Secretary
as an expression of congressional intent that the other entities be kept
informed, not as a mandate for the CSSPAB to operate independently of
the Department in which it has been established.
Question 4
The CSSPAB is comprised of the Chairman and twelve members, four of whom
are required to be Federal employees. If the Board were to make
findings concerning a specific legislative proposal affecting computer
security and communicated these findings in its reports to Congress, how
can the Board protect its Federal members from running afoul of the
anti-lobbying provisions of 18 U.S.C. 1913? Must the Federal members
abstain from all votes affecting legislative issues?
Answer
18 U.S.C. 1913 provides that:
No part of the money appropriated by any enactment of Congress
shall, in the absence of express authorization by Congress, be
used directly or indirectly to pay for any personal service,
advertisement, telegram, telephone, letter, printed or written
matter, or other device, intended or designed to influence in any
manner a Member of Congress, to favor or oppose, by vote or
otherwise, any legislation or appropriation by Congress, whether
before or after the introduction of any bill or resolution
proposing such legislation or appropriation; but this shall not
prevent officers or employees of the United States or of its
Departments or agencies from communicating to members of Congress
on the request of any Member, or to Congress, through the proper
official channels, requests for legislation or appropriations
which they deem necessary for the efficient conduct of public
business (emphasis added).
This law specifically authorizes Federal officials to communicate
their views on pending legislation to Congress "through proper
official channels." The CSSPAB is required by law and its charter
to report to the appropriate Committees of Congress regarding
computer systems security and privacy issues. The CSSPAB may have
occasion to make findings or recommendations regarding specific
legislative proposals affecting computer security. The
communication of any such findings or recommendations in a report
to Congress (through the Director of NIST as required by the CSSPAB
charter) would be a communication through a proper official
channel. Consequently, the Federal members of the CSSPAB would not
be in contravention of 18 U.S.C. § 1913 and need not abstain from
votes affecting legislative issues.
Question 5
The Non-Federal members are concerned over the application of the
Procurement Integrity Act to their activities with the Board. While
the PIP Act has been suspended for one year, there was an
overlap period of time in which the statute was in existence. We
would like a summary of the Act's application to our activities
during that period of time.
Answer
The Procurement Integrity Act of 1988 became effective July 16,
1989. Congress suspended the provisions of the Act from December
1, 1989 through November 30, 1990. The Administration hopes that
before November 30th, new legislation will be enacted to supersede
the more troublesome aspects of the suspended Act. It is expected
that any new legislation would exempt members of advisory boards or
committees from its coverage.
As you recognize, between July 16, 1989 and November 30, 1989, the
Act affected the activities of any procurement official who
participated personally and substantially in any phase of an agency
procurement. For purposes of the Act, procurement officials of an
agency included consultants, experts, or advisers (other than a
competing contractor) who acted on behalf of, or provided advice
to, the procuring agency with respect to a procurement.
You must therefore determine whether non-Federal Board members
participated personally and substantially in the conduct of any
Federal agency procurement. Personal and substantial participation
in a procurement may have occurred if Board members provided advice
to an agency about contract specifications or related procurement
matters between July 16, 1989, and November 30, 1989. If a Board
member's advice constituted active and significant involvement in
activities directly related to a procurement, the Board member
became a procurement official for purposes of that procurement.
As a procurement official, the Board member's activities were
affected in the following ways:
o He was barred from seeking employment with or business
opportunities from a competing contractor or its agents
until December 1, 1989 or the conclusion of the
procurement, whichever event came first.
o He was prohibited from participating in any manner on
behalf of a competing contractor in negotiations
leading to the award, modification, extension of a
contract for such procurement until December 1, 1989.
o He was prohibited from participating personally and
substantially on behalf of the competing contractor in
the performance of such contract until December 1,
1989.
o He was barred from seeking or receiving, directly or
indirectly, any money, gratuity, or other thing of
value from any competing contractor or its agents.
In addition, any member of the Board who was given authorized or
unauthorized access to any proprietary or source selection
information regarding any agency procurement was barred from
knowingly disclosing such information, directly or indirectly, to
any person other than a person authorized by the head of such agency
or the contracting officer to receive such information. This
prohibition applied without regard to one's status as a procurement
official.
Should the suspended Act take effect again on November 30, 1990,
questions might arise about its continuing application to activities
that occurred between July 16, 1989 and November 30, 1989. In this
event, you might wish to consult us for additional advice.
As a final matter, let me assure you that it is entirely appropriate for
the CSSPAB to seek advice from this office. Since the CSSPAB is an
advisory committee within the Department of Commerce, advice on its
status and operation must be based upon an interpretation of
Departmental requirements as well as the establishing legislation.
Please feel free to contact this office again if you have additional
questions on this matter.
Sincerely,
Dan Haendel
Deputy General Counsel
Exhibit VI
THE NATIONAL
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
October 10, 1990
Dear Dr. Lyons:
The Computer System Security and Privacy Advisory Board was
established within the Department of Commerce by the Computer Security
Act of 1987, P.L. 100-225. The charter of the Board establishes a
specific objective for the Board to advise the National Institute of
Standards and Technology (NIST) and the Secretary of Commerce on
security and privacy issues pertaining to Federal computer systems.
The purpose of this letter is to advise you of the unanimous concern
of the Advisory Board that information security guidelines be written
and published by NIST. We feel that these guidelines are a basic
building block of the government's information infrastructure program
and will provide the necessary detailed guidance to Federal agencies
to ensure proper safeguards for unclassified systems.
There are numerous laws and regulations requiring attention to
computer security and privacy, but the missing link is the proposed
NIST guidelines.
1. Privacy Act of 1974 (P.L. 92-579) -- Provides for the protection
and accuracy of information about individuals.
2. Federal Managers Financial Integrity Act (P.L. 97-225) --
Requires the use of internal controls to reduce fraud, waste and
abuse.
3. OMB Circular A-123 -- Requires the establishment and periodic
review of internal controls.
4. OMB Circular A-130 -- Assigns government-wide security
responsibilities and describes minimum agency security program
components.
5. OMB Circular 90-08 -- Provides guidance to Federal agencies
on computer security planning.
6. Computer Security Act of 1987 (P.L. 100-235) -- Assigns primary
responsibility for providing guidance and assistance for
unclassified computer security.
7. President's FY-91 Budget, Managing for Integrity and Efficiency
Section -- Describes the need for data integrity and accuracy.
Clearly the concerns of the Congress and the Office of Management and
Budget regarding the need for improved computer security of the
Government's unclassified systems have been repeatedly addressed. The
Board shares these concerns and has identified the lack of a
comprehensive computer security guideline as adversely affecting the
Government's ability to effectively and efficiently implement these
laws and regulations. Such guidelines would have immediate
government-wide benefits in the strengthening of controls, resulting
in improved computer security.
Recognizing the technical and fiscal resource constraints of NIST, and
other competing priorities, the Advisory Board has independently
produced an outline of these guidelines (enclosed). We are now
requesting that you recognize this need, and consider whatever
managerial alternatives are at your disposal to expedite the writing
and issuance of these guidelines.
Thank you for your time and consideration of our recommendation. I am
available to discuss this with you at your convenience.
Sincerely,
Willis H. Ware
Chairman
Enclosure
ENCLOSURE
A SYSTEMATIC APPROACH TO INFORMATION SECURITY
1. Purpose
It is intended that this document be used as a handbook to guide
the selection and implementation of security measures in data
processing and data communications environments. It does not
provide exhaustive treatment of every aspect of computer and
telecommunications security. It does provide references to other
material which can be used to augment that presented here.
A major difference between this material and other, similar
efforts is that it offers guidance to specific references in its
bibliography as a function of the particular problem being
addressed. For example, if the problem is control of access to
data at the record and field level, the reader will not be
directed to the many papers on generalized access control at the
file or data set levels, but rather to references to papers on
only that aspect of access control.
It has been our experience that it can be irritating and very
time consuming to be given broadly-based references which force
the reader to acquire and read many papers to find which, if any
of them, contain the desired, specific information.
2. Scope
It is intended that this handbook provide material and references
which will assist in identifying, implementing, and assessing the
relative cost and adequacy of security controls in data
processing and telecommunications environments.
3. Definitions of Key Terms
There is no broad agreement on what is meant by many of the most
commonly used computer security-related terms, such as integrity,
quality, value, accountability, auditability, access control, and
even data and computer security. An understanding of such terms
constitutes a virtual sine qua non for the usefulness of the
following material.
4. Computer Security Policy Statements
Treat here the need for policy statements, guidance in the
preparation and issuance, and sample policies which have proven
effective. Include here comments on enforcement.
5. Assigning Responsibility for Computer Security
Guidance in the selection of organizational configurations for
managing computer security programs and the assignment of
responsibilities for security.
6. The Importance of a Rational and Systematic Approach to Computer
Security
Unless the computer security program is conceived as a wholly
coherent, properly integrated set of measures it will not yield
adequate security at a reasonable cost. This point must be made
as forcefully as possible. This is a very important topic. There
are virtually no steps in the right direction which are
meaningfully effective until they have been augmented by other
measures essential to their effectiveness. For example, we have
seen many systems in which there have been implemented password
schemes which do nothing, that is, they support neither access
control nor activity logs.
7. Economics of Security
It is important that those securing systems understand that
solutions to security problems which cost more than simply
tolerating those same problems are not cost-effective. There
are times when the implementation of controls which are not cost-
effective are dictated by other considerations, but these are
relatively rare and should be the exceptions rather than the
rule.
8. Threats and Vulnerabilities
It is all but impossible to implement cost-effective or even just
adequately effective security measures without a proper
understanding of the threats to and vulnerabilities of the
systems involved. Failure to fully grasp both the threats and
vulnerabilities seems to us the greatest single cause for
failures to properly secure information systems.
9. Risk Analyses
This section should contain descriptions of and references to the
more prominent or commonly used of the many different schemes for
assessing risks in a data processing environment and some notes
of caution about their use.
10. Human Resources
11. Employee Awareness Programs
Treatment of the need for, identification of materials and their
sources, and suggestions for their use.
12. Data Categorization
Here should be addressed the matter of marking or labelling data
to indicate the nature and degree of their sensitivities. We use
the term categorization to avoid using classification because
that latter term has military or intelligence implications
related to protection against only unauthorized disclosure. There
are more data which are sensitive to accidental or intentional
modification or destruction than there are data sensitive to
disclosure.
13. Personal Identification and Authentication
It is important to emphasize here the near-total dependence
of many other controls on adequate personal identification
schemes which are practicable of implementation in the work
environments being secured. Fairly exhaustive treatment of
the various schemes for personal identification is needed
here without sending the reader to find too many other
papers before he fully understands what this is all about.
13.1 Supporting physical security
13.2 Supporting system, application, data base and network
protection
14. Access Control for the protection of:
14.1 system controls
14.2 data bases
14.3 applications
14.4 networks
15. Individual accountability (logging and log processing)
16. System Integrity
16.1 Hardware
16.2 Programs
16.2.1 System Control Programs
16.2.2 Application code
16.2.2.1 Purchased
16.2.2.2 In-House Generated
16.3 Physical Security
16.4 Contingency Planning
16.4.1 Emergency Response Measures
16.4.2 Back-Up Plans
16.4.3 Recovery Plans
16.5 Security Procedures and Practices
16.6 Protection against Electromagnetic or Acoustic
Eavesdropping
16.7 Protection against Communications Intercept
This section should include enough guidance in
cryptography to understand those aspects essential to
the selection and implementation of appropriate
means. In addition, it should provide enough
information to relieve fear that cryptography is too
complex, costly or burdensome for most conventional
systems. References to more detailed treatments of
cryptography are important.
17. Message Authentication and Digital Signatures
18. Microcomputer Security
Physical and logical. Include comments on legal/ethical
issues involving software.
19. Security in Local Area Networks
20. Viruses, Worms, Trojan Horses, etc.
21. The importance of Federal, National and International
Standards in the Selection and Implementation of Security
Measures to Assure Quality and Availability
22. Monitoring Security Measures and Controls
Describe here the very important role of the internal audit
function in seeing that all appropriate security controls
have been selected and implemented.
Exhibit VIII
UNITED STATES DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
(formerly National Bureau of Standards)
Gaithersburg, Maryland 20899
OFFICE OF THE DIRECTOR
OCT 26 1990
Dr. Willis Ware
Chairman, Computer System Security and
Privacy Advisory Board
The Rand Corporation
1700 Main Street
P.O. Box 2138
Santa Monica, CA 90406-2138
Dear Dr. Ware:
Thank you for your recent recommendation from the Computer System
Security and Privacy Advisory Board on the need for the National
Institute of Standards and Technology (NIST) to issue computer
security guidelines. We at NIST share the Board's interest in
seeing that timely computer security standards and guidelines are
developed and promulgated. The outline developed by the Board
appears to provide a useful framework for those seeking to
utilize appropriate computer security measures.
I will be meeting with James Burrows, Director of the National
Computer Systems Laboratory, to discuss alternatives for the
development of a document to meet the needs identified by the
Board. I have asked him to keep the Board apprised of our
progress on this matter.
Let me take this opportunity to emphasize my appreciation for the
continued efforts of the Board to improve the level of computer
security in the federal government. I look forward to receiving
further reports from the Board.
Sincerely,
John W. Lyons
Director
Exhibit IX
THE NATIONAL
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
Established by the Computer Security Act of 1987
OCT 20 1990
Honorable Robert A. Mosbacher
Secretary of Commerce
Washington, DC 20230
Dear Mr. Secretary:
Pursuant to its responsibility under the Computer Security Act of
1987, the Computer System Security and Privacy Advisory Board wishes to
call the following issue to your attention.
The European Community has developed and circulated for comment a
draft Information Technology Security Evaluation Criteria
document. This proposed standard is similar to but different in
important ways from the U.S. Trusted Computer System Evaluation
Criteria. Both are intended as guidance to computer vendors in
developing secure computer systems and products.
Since much of U.S. industry is multi-national, the possibility of
a European standard significantly different from a U.S. posture
is an important issue.
Such divergence could:
a) Impact the ability of the U.S. computer industry to
market in Europe; and
b) Impact multi-national users who operate computer
systems in various countries which may be required to
use local standardization.
The situation is properly being monitored by the National Institute
of Standards and Technology (NIST) and the National Computer Security
Center of the National Security Agency (NSA).
However, we believe this is an important emerging issue and therefore
we strongly recommend that you:
a) Actively coordinate this issue within the government
including such departments as the U.S. Department of
State, International Trade Administration and Office of
the U.S. Trade Representative; and
b) Actively protect the interests of U.S. industry via
our international representation in the
International Standards Organization arena.
It is of the utmost national importance that the efforts of NIST
and NSA be sustained, encouraged, and supported.
Sincerely,
Willis H. Ware
Chairman
Exhibit X
December 18, 1990
Dr. Willis Ware
Chairman, Computer System Security and
Privacy Advisory Board
c/o The Rand Corporation
1700 Main Street
P.O. Box 2138
Santa Monica, CA 90406-2138
Dear Dr. Ware:
Thank you for your letter regarding the recommendations of the
Computer System Security and Privacy Advisory Board concerning
the draft Information Technology Security Evaluation Criteria
developed by the European Community. I have asked the Office of
the Under Secretary for Technology to examine the important
issues raised in your letter. Also, the National Institute of
Standards and Technology is working with the Europeans to address
United States' concerns with their draft criteria.
I would like to take this opportunity to express my appreciation
for the continued efforts of the Board to improve the level of
computer security in the federal government. I look forward to
receiving further reports from you.
Sincerely,
Robert A. Mosbacher
IV. Future Advisory Board Activities
At its December meeting, the Board discussed a number of agenda
topics for its 1990 meetings. Among the more important topics
and questions of possible interest are:
Computer Security Guidelines and Standards
The Board would like to continue to receive updates of NIST plans
and programs for an international solution/harmonization of
computer security requirements and continue to monitor European
developments. Also to be included are updates from NSA on Orange
Book experiences and plans for any additional guidance and
standards.
NIST Plans and Activities
Includes regular updates on the status of completing the guidelines
document suggested by the Board and updates on current NIST
projects and workplans, including priorities, the schedule for
rewriting outdated guides, and work deferred due to lack of
resources.
Privacy - EC Green Paper
This topic includes a briefing on the EC Green Paper vis-a-vis the U.S.
position, which should include a status report from Congress. Also
included are briefings on current privacy issues by
organizations, individuals with competing views, and possibly
Congressional staff.
Implementation of the Computer Security Act of 1987
Subsumed under this heading are various related issues the Board
would like to address in 1991. These include an examination of
Office of Management and Budget policies, including the
anticipated rewrite of OMB Circular A-130. Also of interest is
the role of the Inspector General in computer security. Computer
security training and its effectiveness are also to be studied.
Lastly, the Board would look into the status of OMB/NIST/NSA
security planning agency visits.
Software Engineering and Reliability
Much attention is focussed on security environments, products and
data bases. Less has been said about the quality and reliability
of application software. An April, 1990 Congressional report
(Bugs in the Program) questions whether the federal government is
capable of developing software as reliable as it needs. The
Board would like to be briefed on the state-of-the-art in
software reliability.
Security and the Public Switched Network
A number of studies have highlighted the vulnerabilities of the
public switched network. At the moment, much activity is taking
place behind closed doors on this issue, particularly in the
National Security Emergency Preparedness arena. At some point
this issue needs to be surfaced and examined by the Board.
Use of Security Products and Features
A study conducted by the President's Council on Integrity and
Efficiency indicated that many security functions and features
were either unused or misused by system administrators and users.
The experience of emergency response teams further bears this
out. The Board would like to examine what must be done to change
this and whether better guidelines are needed on how to use basic
security tools such as passwords.
Rewrite of NSDD-145 and the NIST/NSA Memorandum of Understanding
The Board would like to continue to receive written updates or
briefings by NSA/NIST on the status of the NIST/NSA Memorandum of
Understanding and the recent Presidential directive on computer
and telecommunications security.
Computer Emergency Response Team (CERT)
The Board believes that it would be useful to hear from NIST,
other participants in the CERT program as well as victims of
malicious software attacks. Periodic briefings on the CERT
system and what lessons can be learned to improve security would
be useful. Since most incidents occur because accepted routine
security practices are not followed, should this not be well
publicized, as an awareness or training tool?
Digital Signature
It is likely that during 1991 the Board will have the opportunity
to examine the new digital signature algorithm.
International Hacking
Cases such as those that Cliff Stoll documented continue to be
uncovered. Hackers continue to exploit
the same old vulnerabilities that Stoll and many others have
documented. Where is the accountability for taking care of known
problems? Second, there appears to be continuing organizational
confusion on the international hacking problem (i.e., who in the
government, if anyone, is or should be responsible?).
V. Conclusions
During its second year, the Board continued to build the
foundation toward progress in the years ahead. It developed a
work plan and established its priorities. The Board has begun to
examine those issues which it should study further and has heard
from a number of agencies and organizations as to its role and
duties. While the Board has initiated an action plan to identify
emerging computer security and privacy issues, much remains to be
accomplished in successfully addressing the challenges of the
1990s.
APPENDIX A
Computer Security Act of 1987
See Separate File
APPENDIX B
Charter of the
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
See Separate File
APPENDIX C
AGENDA
March 13-14 Meeting of the
Computer System Security and Privacy Advisory Board
Marriott Hotel
Gaithersburg, Maryland
Tuesday, March 13, 1990
9:00 Computer Security Issues Update
Lynn McNulty, Board Secretary
9:30 Review of Revision of NSDD-145
Lynn McNulty
10:00 Review of Board's Progress
Willis Ware, Board Chairman
10:30 Break
10:45 Discussion of Export Draft Paper
Willis Ware, Board Chairman
12:00 Lunch
1:15 National Computer Security Center FY-1990 Program
Patrick Gallagher, Director
National Computer Security Center
2:30 Break
2:45 Board Discussion
3:15 Update on Computer Security and Telecommunications
Council Activities
Stuart Katzke
Chief, NIST Computer Security Division
Closed Session
3:30 NIST Five-year Budget/Plan Update
Stuart Katzke
Chief, NIST Computer Security Division
4:30 Close first Day
End of Closed Session
Wednesday, March 14, 1990
9:00 Board Discussion of Civil Orange Book Alternatives
Leader(s) to be Determined
10:15 Break
10:30 Discussion of Civil Orange Book Alternatives cont.
11:45 Lunch
1:00 Board Open Discussion with NIST Director Dr. John
Lyons
2:00 Subcommittee Reports and Public Participation (as
necessary)
CSSPAB Work Plan Subcommittee Update
Larry Wills
Information Categorization Subcommittee Update
Rhoda Mancher
NIST FY-90 Plan Review Subcommittee Update
Robert Courtney
2:30 New Topics or Continuation of Prior Discussions
3:30 Close of Meeting
MINUTES OF THE
MARCH 13-14, 1990 MEETING OF THE
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
March 13, 1990
Call to Order
The fifth meeting of Computer System Security and Privacy Advisory
Board, held on March 13-14, 1990 at the Marriott Hotel in
Gaithersburg, Maryland, was called to order at 9:00 a.m. by
Chairman Willis Ware. Eleven members were in attendance in addition
to the Chairman. (One vacancy exists on the Board due to the
resignation of Mr. Simpson.) Mr. Lynn McNulty, Board Secretary,
reviewed the agenda and future Board meeting dates. The next five
meetings will be held as follows:
June 14-15, 1990 Beckman Center, Irvine, CA
September 11-12, 1990 Reston, VA
December 11-12, 1990 Washington, DC area
March 19-20, 1991 West Coast
June 18-19, 1991 Washington, DC area
September 18-19, 1991 TBD
Mr. McNulty announced that the process to renew the charter (which
expires on May 31, 1990) would be initiated shortly to allow
sufficient time for processing through the Department of Commerce.
(Under the Federal Advisory
Committee Act, no advisory committee can operate without a valid
charter.) Any comments from the Board on the charter were requested
by April 1, 1990. Also, Board members were requested to submit
nominations to fill the vacancy to the Secretary as soon as
possible. (ACTION - BOARD MEMBERS)
Computer Security Issues Update
During a review of current computer security news, it was announced
that NIST was assuming the sponsorship of the Federal Computer
Security Educators Forum. The Board expressed its concern about the
already limited funds and personnel available to the National
Computer Systems Laboratory (NCSL) and recommended that NCSL not
assume this undertaking. NCSL personnel responded that sponsorship
entailed little additional work and would be useful as a vehicle to
increase the training and awareness aspects of the computer security
program at nominal expense. Many members recommended that NCSL
contact the Office of Personnel Management to see if it would be
willing to assume this role.
The recent Department of Defense license of RSA public key
cryptography was briefly discussed. A DoD visitor, Mr. Viktor
Hampel, indicated DoD's flexibility on the issue and the willingness
of the Protection of Logistics/Unclassified Program to brief the
Board at a future meeting. (ACTION - SECRETARY)
OMB Circular 90-xx Update
Mr. Gene Troy, Manager of the Agency Assistance Group of NCSL's
Computer Security Division, reported briefly on the progress of
drafting OMB Circular 90-xx on computer security planning.
Highlights of the proposed Circular include the modification of the
NIST/NSA computer security plan review process. Agencies will
continue to maintain existing plans and prepare plans for new
systems. An internal review mechanism will be established to assure
that the plans are completed. A team from OMB, NIST, and NSA will
visit agencies to review these plans and discuss pertinent security
issues. It is OMB's goal to have the document ready for Mr.
Darman's signature by May 1, 1990. The Board also asked that Mr.
Edward Springer of OMB be invited by the Board Secretary to attend
the second day of the meeting.
Review of Board's Progress
The Chairman opened the discussion by noting that bureaucratic
constraints have sometimes hampered advisory bodies like the Board
from making as much progress as would have been desirable. Mr.
Kuyers expressed strong personal concern about the Board's inability
to act independently as he believed intended by Congress. He also
expressed a sense of personal frustration about the lack of progress
made by the Board and all of the administrative processing necessary
to transmit the Board's findings through the Secretary of Commerce.
Also, there was general concern about the timeliness of getting
Board letters issued. The delay appears to have been due to a
combination of drafting and redrafting cycles as well as the
requirement to issue Board findings through the Secretary of
Commerce. It was noted that Mr. Rubin, Deputy Chief Counsel (of the
Department of Commerce) for NIST, would be able to meet with the
Board late in the day to review pertinent legal issues.
In discussing ways to increase the Board's efficiency, Mr. Zeitler
suggested that small subcommittees be established to develop draft
white papers for discussion at each meeting.
Board Actions - Approval of Export Control and NIST Budget Letters
The Chairman prefaced his remarks by indicating that he was a member
of the National Research Council's Computer Science and Technology
Board, which is also addressing export controls. He indicated the
need for the record to show that he is in favor of a public airing
of the export control issue. He also indicated that if the Board
had a problem with his participation in the discussion he would
recuse himself for the duration. Hearing no objection, the
discussion began.
The Secretary distributed copies of the draft export control and
NIST budget letter for the Board's consideration. Modifications
were proposed by the members in the areas of application software
integrating cryptologic features and syntax. After the NCSC
presentation, the letters were revised and distributed to the Board
for a vote. A vote was held on the budget and export letters.
However, the Board later decided to modify the letters again. The
Board also voted, in public session, to unanimously accept the 1989
Annual Report. The next day, on March 14, 1990, the Board, in a
public session, by a vote of 8 in favor with 4 (federal member)
abstentions, agreed to forward the budget letter, as modified. The
version of the export letter to
be sent to the executive branch was unanimously approved. The
version to be sent to Congress was approved with a vote of 9 in
favor with 3 (federal member) abstentions. The Chairman stated for
the record that in approving these letters the Board, to the best of
its knowledge, has acted in full compliance with applicable laws,
Commerce regulations, and its charter, as verbally discussed by the
Deputy Chief Counsel for NIST. In accordance with the Federal
Advisory Committee Act, copies of these approved letters were
requested and were made available to members of the public and press
in attendance.
National Computer Security Center - Mr. Patrick Gallagher
Mr. Patrick Gallagher, Director of the National Computer Security
Center (NCSC), presented an overview of the Center's FY-90
activities. He was accompanied by Mr. Terry Ireland and Mr. Tom
Malarkey. Mr. Ireland discussed NCSC's COMPUSEC research while Mr.
Malarkey discussed the various documents issued by the Center. He
indicated that a number of NCSC developed documents may be useful to
the civilian side of government and had been offered to NIST. In
response to a Board question, Mr. Gallagher indicated that the
Center's budget was $40 - $45 million and was staffed by
approximately 200 people.
In discussing integrity criteria, Mr. Gallagher said that developing
an integrity model could take a year, perhaps less, depending upon
the acceptance of a specific model. Mr. Lipner suggested building a
prototype system incorporating controls along the lines of the
Clark/Wilson model and publishing the results within one year.
NCSL's Dr. Katzke said that NCSC and NIST are looking into the
integrity issue and focusing on the development of an integrity
document, expected by the end of April 1990.
Computer and Telecommunications Security Council (CTSC) Update - Dr. Katzke
Dr. Katzke updated the Board on the activities of the CTSC and his
reorientation of the Council toward an affiliation of Working
Groups. Any recommendations or decisions resulting from the working
groups will be issued as CTSC documents and announced by NIST press
releases. Mr. Wills requested that the Board receive a briefing on
the professional certification of computer security professionals.
(ACTION - SECRETARY) Dr. Katzke indicated that he will be pleased to
provide the Board with updates on the CTSC as progress occurs.
NIST Five Year Budget/Plan Update - Dr. Katzke
During a brief closed session, Dr. Katzke briefed the Board on
planned budgets for NIST's computer security program. No decisions
or recommendations were made by the Board as a result of this
briefing.
Board Legal Issues
Mr. Michael Rubin, Deputy Chief Counsel for NIST, briefed the Board
on the intent of the Computer Security Act, with particular emphasis
on the reporting requirements of the Board's documents. The Board
automatically falls under the rules of the Federal Advisory
Committee Act and was established within the Department of Commerce.
Mr. Rubin explained that Board decisions can only be made during
open session of the Board. A report or letter has no status until
the Board has met in public meeting, properly noticed in the Federal
Register, and voted upon it. The Board appreciates the intent of
the FACA and the necessity to conduct government business in open
session and will fully comply. The Department has taken the view
that advisory committees are part of the Executive Branch and,
therefore, subject to its constraints. The Department also holds
the view that any transmittal of reports or correspondence has to be
routed through the Department of Commerce. Mr. Rubin noted that
the Justice Department also supports this position. It was
recommended that each of the federal members consult with his agency
attorneys to determine how to handle Board issues, and in
particular, the possible appearance of "lobbying." Following Mr.
Rubin's departure, the Board's discussion continued.
Board members noted that very few other advisory committees have a
direct statutory reporting authority to the head of an agency and to
the Congress. It was suggested that this might be taken to Congress
for a further explanation of their intent.
Mr. Colvin pointed out that he believes the Board has the right to
request a legal opinion from the Department of Justice regarding the
Board's reporting mechanism. The purpose of this request would be
twofold: 1) to protect the federal members of the Board and 2) to
protect the non-federal members with regard to the federal Integrity
in Procurement Act. He suggested that the method of pursuing this
would be to submit a request to the Director of NIST and ask him to
forward it to the Commerce General Counsel. The Chairman asked Mr.
Colvin to draft an appropriate letter. (ACTION - MR. COLVIN)
March 14, 1990
Civil Orange Book Alternatives
Following a briefing by Ms. Lisa Carnahan concerning the Board's e-
mail system, Mr. Lipner led the Board in a discussion of
alternatives for a civilian orange book. He expressed the opinion
that the current active international efforts in this area,
particularly in the integrity arena, underscore the need for U.S.
action by responsible private and public organizations. During the
wide-ranging discussion, Mr. Courtney suggested that a civilian
yellow book could probably be developed and offered to develop an
outline for the Board's consideration within thirty days. (ACTION -
MR. COURTNEY) Also, it was agreed that the Board should send a
letter to NIST emphasizing its concerns on the integrity issue. Mr.
Courtney agreed to draft such a letter for the Board's
consideration. (ACTION - MR. COURTNEY) It became clear that the
Board needed more time to consider this issue and would like to do
so at the next meeting. (ACTION - SECRETARY) Mr. Burrows expressed
his view that NIST should begin with a civilian yellow book. The
Chairman questioned Mr. Burrows regarding putting manpower on the
effort required to turn Mr. Courtney's outline into a document.
Discussion with the Director of NIST
After lunch, Mr. Burrows introduced Dr. Lyons to the Board. Dr.
Lyons presented a brief overview of current NIST activities, its
budget, and its redirection into the advanced technology program.
He remarked that, in spite of the past budget shortfalls, NCSL's
computer security program had done well. He was pleased that the
President's budget included a request for an additional $2.5
million. Mr. Cooper raised the Board's concerns with export control
and the issue of cryptography, particularly in light of
international efforts in the computer security standards arena. Dr.
Lyons responded that the whole issue of computer exports had changed
a great deal in the past 18 months.
Mr. Morris asked Dr. Lyons how the Board can help NIST. Dr. Lyons
replied that NIST has a number of advisory groups and that they
assist by reviewing program plans and putting tasks in priority
order. Evaluation of NIST programs, whether good or bad, is also
useful. Technical details and assessment reports are of particular
benefit. Reports are useless if they deal with increasing the
budget by threefold. Dr. Lyons expressed NIST appreciation for the
Board's efforts and welcomes all their comments and reports.
People-to-People Tour of USSR on System Control Issues
Mr. Wayne Madsen, who will be participating in a "People-to-People"
visit to the USSR, gave a presentation on his upcoming trip. He
explained the Soviets' interest about information concerning
advanced technology, including: microcomputer security, PIN
security, viruses, risk assessment, network security risks,
auditing, and computer crime. Board members expressed their desire
to invite Mr. Madsen back to give a follow-up report on his visit.
(The Board then voted upon the revised versions of the export and
NIST budget letters, as discussed above.)
Board Future Activities
Mr. Larry Wills conducted a brief overview of future board
activities. Among the items of interest to the Board: NIST
resources, NSDD-145 re-write, the NIST/NSA Memorandum of
Understanding, proliferation of competing national computer security
standards, public key cryptography, network security, privacy,
telecommunications security, OMB Circular A-130, NIST Security
programs, the data categorization and labelling issue, and self-
assessment. Also, the Board expressed interest in having a
presentation on the training aspects of the Computer Security Act.
The Board is interested in hearing whether such training has been
effective. Central agencies could be asked for input in writing.
The Chairman and the Secretary will look into the issue for the
September meeting. (ACTION - CHAIRMAN AND SECRETARY)
OMB Perspective on OMB Bulletin 90-xx
In response to the Board's request to hear directly from OMB
regarding its draft Bulletin 90-xx, Mr. Edward Springer of the
Office of Information Policy discussed with the Board the status of
the draft Bulletin. Of particular concern was the perceived lack of
accountability as to what happens if the agencies do not comply
with the directive. Mr. Springer stated that
OMB has the option to take non-compliance to a high level of agency
management, and to make sure that the agency's budget is
appropriately handled. Mr. Kuyers recommended that the enforcement
issue be stated more bluntly.
Public Participation
Mr. Viktor Hampel of DoD restated his concerns regarding DoD's
license to use public key cryptology and Mr. Wayne Madsen expressed
the opinion that privacy, as this relates to the confidentiality of
information resident on computer systems, will become a significant
issue during this decade. He stated that Congress will probably
revise the Privacy Act of 1974.
Close
There being no additional business or comments, the Chairman
adjourned the meeting at approximately 3:00 p.m.
Lynn McNulty
Secretary
CERTIFIED as a true and
accurate summary of the
meeting
Willis Ware
Chairman
APPENDIX D
Computer System Security and Privacy Advisory Board
September 11-12, 1990
Agenda
9:00 Welcome & News Update
Ed Roback, Acting Board Secretary
9:10 Chairman's Remarks
Willis Ware, Chairman
I. Information Technology Security Evaluation Criteria
9:15 Overview of the Information Technology Security
Evaluation Criteria (ITSEC) Gene Troy, Manager, Agency
Assistance Group, NIST
9:30 Position of U.S. Government for Unclassified Systems
Community
James Burrows, Dir., National Computer Systems
Laboratory
10:15 Break
10:30 A Vendor's Reaction to the ITSEC
William R. Whitehurst
International Business Machines Corp.
11:00 Discussion
II. Data Categorization Issues
11:30 Data Categorization Discussion
12:30 Lunch
III. Civilian Guidance Document
1:45 Questions/Clarification of A Proposed Outline for
Computer Security Guidelines
Robert Courtney
2:00 Discussion of A Proposed Outline for Computer Security
Guidelines
IV. Board's Progress Report
3:45 Status of Board's Work Efforts
V. USSR Visit Update
4:10 Update of "People-to-People" Visit to USSR
Wayne Madsen
4:30 Close
5:00 (Impromptu Social Hour)
September 12, 1990
VI. National Research and Educational Network
8:30 Congressional Perspectives on NREN Michael R. Nelson
Professional Staff Member Senate Committee on Commerce,
Science, and Transportation
9:00 National Research and Educational Network - Information
Briefings
Dr. Charles Brownstein
Acting Assistant Director for Computer Information
Science and Engineering
National Science Foundation
10:15 Break
10:30 Public Policy Issues Raised by National Networks
Prof. Lance J. Hoffman
The George Washington University
VII. Need for Government Computer Security Professional
Series
11:15 Computer Security Professional Series
Ed Roback, NIST
VIII. Planning Session for 1990-1991 Program Year
11:35 Future Issues and Subcommittee Identification
12:00 Lunch
IX. NSDD-145 Rewrite and Role of NIST and NSA
1:15 Role of NIST and NSA in the Post-NSDD-145 Era
Bob Courtney
X. Discussion
1:45 Board Discussion - Continued & Pending Items
3:15 Presentation of Certificates of Appreciation
3:30 Close
MINUTES OF THE
SEPTEMBER 11-12, 1990 MEETING OF THE
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
September 11, 1990
Call to Order
The sixth meeting of the Computer System Security and Privacy
Advisory Board was called to order at 9:00 a.m. by the Chairman,
Dr. Willis Ware. All portions of the meeting were open to the
public. All members were present with the exception of Messrs.
Kuyers, Lipner and Morris, who were unable to attend. Also, Mr.
Michael Rubin, Deputy Chief Counsel for the National Institute of
Standards and Technology (NIST), was available during the meeting
to answer any legal issues which may have arisen; none did. Mr.
Ed Roback of NIST served as Acting Board Secretary for the
meeting in Mr. McNulty's absence.
Opening remarks were delivered by Mr. Roback. First, he welcomed
Mr. Patrick Gallagher, Director of the National Computer Security
Center of the National Security Agency (NSA), who has been
nominated by the Director of NSA to serve on the Board. Secondly,
it was announced that the Board has been officially rechartered
by the Assistant Secretary for Administration for another two
years, to expire in May 1992. Also, the July 10, 1990, computer
security hearings were discussed, as was the possibility of
government furloughs. The furloughs and possible budget cuts may
affect the December Board meeting.
Information Technology Security Evaluation Criteria
Mr. Gene Troy, Head of the Agency Assistance Group of NIST's
Computer Security Division, gave the Board a summary overview of
the draft European-developed Information Technology Security
Evaluation Criteria (ITSEC). (See Attachment A.) Next, he
reviewed NIST's efforts to evaluate the ITSEC and arrive at a
position on the document. NIST's comments on the ITSEC were
provided to the Europeans in a letter dated August 2, 1990. Mr.
Troy's comments included the need for the clustering of
functionality and correlation of levels of functionality and
assurance. Additionally, the ITSEC was critiqued from both the
user and vendor perspective. Finally, Mr. Troy explained NIST's
position that a significant number of supporting documents need
to be developed to complement the ITSEC, including the selection
of specific security mechanisms for a specific threat
environment, and the need for specific instructions for the
performance of evaluations against the ITSEC.
Discussion followed the formal presentation. The ITSEC clearly
proposes conducting computer security evaluations in a
dramatically different way from the Orange Book approach. The
ITSEC approach also links the development and manufacturing process
to the resulting level of security.
Additionally, Mr. Burrows pointed out that it is clear that the
European Community (EC) has many concerns regarding health,
safety, and the environment, which they link to secure software.
Traditionally, the U.S. approach has been to let the user be
responsible for such consequences and not have the government
regulate them.
Mr. Burrows also discussed the body of knowledge that the National
Computer Security Center (NCSC) has amassed over the years by
conducting Orange Book evaluations. It appears that the benefits of
this experience are not available to those outside of the Center,
although it may be of great potential benefit to the EC. Many
additional questions regarding the ITSEC remain unanswered. Who
will do the evaluations and who will bear the costs? Can
manufacturers conduct their own evaluations? The development of
international criteria should not be rushed until we are sure we
have learned what we can from our experiences with the Orange Book.
Mr. William Whitehurst of IBM followed with a presentation of a
vendor's perspective of the ITSEC. (See Attachment B.) He opened
with an overview of the concerns of European nations with the Orange
Book and the NCSC evaluation process. The current process is viewed
as controlled by the Defense Department and restricted to U.S.
vendors. Additionally, the Orange Book focuses primarily on
confidentiality and not on integrity or availability issues.
Next, the resulting consequences of multiple criteria on international
users was presented. Requirements for transnational information flow
may not be met if various conflicting criteria are developed and
implemented. Also, managers of transnational networks will have to
reconcile differences in criteria when configuring systems.
Evaluations to varying national criteria will also be expensive, lengthy
and resource intensive. This may force the development of expensive
unique products for each market while other products may be
unacceptable in certain markets. Also, security incompatibilities,
availability of products and barriers to international data flow may
result. Specific impacts of trusted systems criteria and evaluation
upon vendors were then discussed.
IBM would like to see the development of a single world-wide harmonized
international criteria with associated evaluations by government
agencies. Such a desired result would include international
recognition of national evaluations, which would be designed to be
consistent and compatible. Evaluations of products are seen as the
critical factor in the success of a criteria. Also, IBM believes that
existing Orange Book security criteria and the associated evaluations
have had limited impact. For example, basic requirements (individual
accountability, segregation of duties, and integrity of information and
auditability) have not changed. Other specific IBM concerns included:
an undue emphasis upon assurance-correctness; inadequate descriptions
of functionality; unlikelihood of mutually acceptable mapping of ITSEC
to Orange Book criteria; inconsistent evaluations; the lack of
provision for levels of proof; and the lack of distinction between
products and systems.
Following the presentation, the Board continued its discussion,
focusing upon the EC-sponsored meeting to be held on ITSEC on September
25-26, 1990. Mr. Burrows will be representing NIST at the meeting and
will participate as a panel member. There has also been a proposal by
the EC to form work groups consisting of two members from each EC
nation to work over the next two years to define and develop the
evaluation process and ways for the evaluation to be mutually
recognized throughout the EC when the evaluation is performed within
the EC. Mr. Burrows said that the EC has not invited the U.S. to be
part of their internal process. Mr. Gallagher indicated his concern
that efforts be taken to protect proprietary information and processes
of U.S. businesses as an international standard is developed. Mr.
Burrows asked if the NCSC would be willing to share information and
experiences it has gained from conducting evaluations with others,
including the Europeans. Mr. Gallagher said that he would have to take
a look at the proposal, but did not see any fundamental reason that the
NCSC could not share what it had done.
In discussing what actions the Board should take, Mr. Zeitler stressed
the need for the Board to develop a position that points out that this
issue is an important one for the U.S. to continue to monitor and
participate in the process. Later, the Board unanimously agreed to
send a letter to the Secretary of Commerce identifying its concerns.
(See Attachment C.)
Planning for the Board's 1991 Activities
Mr. Roback reviewed items identified to be of interest to the Board for
its 1990 meetings. Many of these items have been examined, although
not at the level of detail desirable. It was agreed that Messrs.
Colvin, Wills and McNulty would work to develop a list of topics for
meetings for the next year. (ACTION - COLVIN, WILLS, and MCNULTY)
Computer Security Guidelines
Mr. Courtney briefly presented his outline for the development
of proposed computer security guidelines. A rational and systematic
approach to computer security is required. The Board agreed that the
outline was good and the Board should encourage NIST to complete the
entire document. Mr. Courtney asserted that the completed document
would be approximately 150 pages. Mr. Zeitler felt that the document
should be issued as a NIST guideline or standard. Ms. Mancher asked if
every aspect of computer security would be covered in the guideline.
It was agreed that was the goal of the document. The Chairman was
interested in ensuring that the outline will accommodate a system under
development as well as systems already in place. Mr. Courtney
indicated that it would handle both.
Mr. Colvin felt that this document should be given the highest priority
for NIST to produce. Mr. Burrows agreed that NCSL would try to produce
the document; however, because of the present budgetary situation and
with no new funding expected, it may not be possible to pursue this
effort on the timetable the Board would like.
Later, the Board adopted a letter to the Director of NIST transmitting
the Board's outline and recommending that NIST fund its completion.
(See Attachment D.)
People-to-People Visit to the USSR
Mr. Wayne Madsen returned to brief the Board on the results of his
recent visit to the USSR. He focused upon concerns the Soviets have in
the computer security area. (See Attachment E.)
Progress Report of Board's Activities
Mr. Roback reviewed a list of accomplishments by the Board since its
inception. These included: issuing a recommendation for computer
security to be a MBO, which was incorporated into the President's
management plan; issuing recommendations on the new OMB circular on
computer security planning; issuing recommendations on NIST's budget
level; and hearing from federal agencies on the development of large
new systems. The Chairman asked the Board to consider whether the
Board is looking at the right issues commensurate with the Computer
Security Act of 1987 and the interests and concerns of the membership.
Comments that members may have should be sent to the Chairman. (ACTION
- ALL MEMBERS)
Mr. Courtney stressed the need for improved communication among Board
members. Other ideas suggested included: the need to look at small
manageable issues one at a time; the need to hear directly from federal
agencies regarding their problems; the need for identifying the
functions of a computer security officer; and the need to examine
practical areas such as computer security awareness. Privacy was also
identified as an area requiring attention. The Chairman suggested that
each issue should have a champion who knew enough about the issue to
develop a short position paper for the Board's consideration before
delving headlong into the issue.
During the discussion, NIST's Dr. Katzke pointed out that the Small
Business Administration had published some material regarding
information security and risk management. He agreed to provide
those documents to the Board. (ACTION - KATZKE) Additionally, the Board
briefly considered whether a quasi-government entity should be created
to handle public/private sector issues relating to security. Mr.
Zeitler volunteered to look into how regulatory agencies were
established for the banking industry, which might provide a model for
the security community. (ACTION - ZEITLER)
September 12, 1990
Mr. Cooper raised his concerns about e-mail privacy and the need for
the Board to examine the issue. It was agreed that the issue would be
considered at the December meeting. (ACTION - SECRETARY)
National Research and Education Network (NREN)
Mr. Michael R. Nelson, Professional Staff Member of the Senate
Committee on Commerce, Science, and Transportation, provided an
overview of the Congressional perspective on NREN. (The views he
presented were his own and not necessarily those of the Committee.) The
High Performance Computing Act, S. 1067, would fund the development of
NREN, which would be an extension of the National Science Foundation
(NSF) network. Computer security responsibilities are specified for
NIST in S. 1067, although no increase in authorization for NIST is
included. However, it is expected that an increase in appropriations
for NIST would occur for the NREN work. Board members emphasized the
need for this additional funding.
Dr. Charles Brownstein, Acting Assistant Director for Computer
Information Science and Engineering, National Science Foundation,
provided an overview of NREN from the NSF's perspective. (See
Attachment F.) An overview of NSFNET and the many definitions of
network were discussed. Also, the architecture of the present Internet
and the types of usage on the NSFNET were briefed. Types of
institutions connected to the network, the Federal Networking Council,
and the genesis of NREN were discussed as well. See the attachment
previously cited for further details.
Professor Lance Hoffman of the George Washington University, provided
the Board with an overview of the security and policy implications of
national and international networks. (See Attachment G.) His
presentation was adapted from an Office of Technology Assessment study
on security and privacy in the design and management of NREN. Topics
covered included: the emergence of a new era in world-wide
communications, the present window of opportunity to provide security
and privacy in NREN from its inception, existing networks and services,
emerging technical, policy and legal issues, the adequacy of existing
policy setting mechanisms, and similar experiences from which NREN may
benefit. Professor Hoffman concluded his remarks with a recommendation
that an eclectic conference gathering people from many disciplines
would be an appropriate way to start to address these issues.
During discussion following the presentations the Chairman summarized
the Board's interest in having periodic briefings on the status of
NREN. However, there was general agreement that it would be premature
for the Board to take any position on the network.
Computer Security Professional Series
Mr. Roback provided the Board with a brief overview of a study for
which NIST has been collecting federal position descriptions (PDs),
which focuses on whether a separate position designation series should
be established for computer security positions. NIST has collected
approximately one hundred PDs from the civilian side of government. No
analysis has been conducted yet. Creating a separate series requires
convincing the Office of Personnel Management that computer security is
a distinct career field and subject matter discipline. It was also
mentioned that a good definition of what a computer security position
entails is required. The Board agreed to discuss this issue in some
detail at the December meeting. (ACTION - SECRETARY)
Formal Approval of Board Letters
The Board reviewed the final text of the letters to the Director of
NIST and the Secretary of Commerce on the Computer Security Guidelines
and ITSEC, respectively. The Board unanimously adopted each letter.
Data Categorization
Data Categorization had been a prior topic of discussion among Board
members who wished to reemphasize their desire to focus on the topic.
After a brief discussion, the Board agreed that it was not able to work
on the topic in detail at this meeting; however, it would be the
subject of study at the December meeting. Board members requested
examples of how agencies categorize unclassified information. Mr.
Cooper volunteered to give an overview of existing schemes at the
December meeting. Dr. Katzke will assist in this effort. (ACTION -
COOPER and KATZKE.)
Miscellaneous
Mr. Burrows informed the Board that there was a topic that would
be useful for the Board to discuss which is classified. He
encouraged all members who did not have active security
clearances to submit their documents or to forward existing
clearances to NIST. Once the majority of Board members have done
so, the classified topic can be discussed. (ACTION - SECRETARY)
On another topic, the Chairman stated for the record that no non-
federal Board members were involved in procurement activities
that fell under the Procurement Integrity Act, which was in
effect for a portion of 1989.
Close
There being no additional business, the Chairman adjourned the
meeting at 2:15 p.m.
Lynn McNulty
Secretary
CERTIFIED as a true and accurate summary of the
meeting
Willis Ware
Chairman
APPENDIX E
Meeting of the
Computer System Security and Privacy Advisory Board
December 11-12, 1990
Holiday Inn Crowne Plaza, Crystal City, Virginia
Tuesday, December 11, 1990
9:00 Meeting Overview
Lynn McNulty
Executive Secretary
9:10 Remarks from the Chair
Willis Ware
Chairman
E-Mail Security and Privacy
9:15 E-Mail Industry Perspectives
Mike Cavanagh
Executive Director, E-Mail Industry Association
and
Gary Levine
Chairman, E-Mail Industry Association Security
Committee
10:00 Break
10:15 Legal and Academic Perspectives
George Trubow
The John Marshall Law School (Chicago, IL)
11:00 Computer Professionals for Social Responsibility on
E-Mail Privacy Marc Rotenberg
Director, Washington Office, CPSR
11:30 Discussion
12:00 Lunch
Computer Security Personnel
1:30 Overview of Issues
Lynn McNulty
Board Secretary
1:40 Federal Agency Panel
James Oberthaler
Patent Trademark Office
U.S. Department of Commerce
Col. Al Kondi
U.S. Army
Steve Smith
Federal Aviation Administration
U.S. Department of Transportation
Information Technology Security Evaluation Criteria & NIST/NSA
Efforts
2:30 James H. Burrows
Director, National Computer Systems Laboratory, NIST
Patrick R. Gallagher
Director, National Computer Security Center, NSA
National Research Council Report
3:30 Computers at Risk - Safe Computing in the Information
Age Marjorie Blumenthal
National Research Council
4:30 Close
Wednesday, December 12, 1990
Data Categorization
8:30 Issue Overview
Roger Cooper
8:45 Federal Agency Panel - Federal Computer Security
Program Managers
John Tressler
U.S. Department of Education
Jules Romagnoli
U.S. Department of State
Dolph Cecula
Bureau of the Census
U.S. Department of Commerce
John Hornung
U.S. Customs Service
10:00 Break
10:15 Agnes Schryer
Treasury Board Secretariat, Administrative Policy
Branch
Government of Canada
10:45 Bruce Bucklin
Acting Chief
Technical Operations Section
Drug Enforcement Administration
11:15 Discussion
12:00 Lunch
Board's 1991 Work Plan
1:30 Subcommittee Report of Draft Prioritized Items for
1991 Agenda
Bill Colvin and Larry Wills
Board Members
2:00 Discussion
2:30 Public Participation (as necessary)
3:00 Close

MINUTES OF THE
DECEMBER 11-12, 1990 MEETING OF THE
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
December 11, 1990
Call to Order
The seventh meeting of the Computer System Security and Privacy
Advisory Board was called to order at 9:00 a.m. by the Chairman,
Dr. Willis Ware. All portions of the meeting were open to the
public. All members were present with the exception of Mr.
Hancock, who was unable to attend.
Opening remarks were delivered by Mr. Lynn McNulty, Executive
Secretary. He expressed the Board's welcome to Mr. Steve Walker,
of Trusted Information Systems, who has been nominated for
membership and was in attendance. Mr. Gallagher, the designated
representative from the National Security Agency, asked whether
he and Mr. Walker would be receiving formal appointments to the
Board. Mr. McNulty responded that the appointments were still at
the Department of Commerce for clearance. It was also announced
that the third nominee for membership is Mr. Charles McQuade of
SIAC, Corp.
E-Mail Security and Privacy
Mike Cavanagh, Executive Director of the E-Mail Industry
Association (EIA) and Mr. Gary Levine, Chairman of EIA's Security
Committee provided the Board with EIA's perspectives on e-mail
security and privacy issues. Mr. Cavanagh delivered a prepared
statement (Attachment A). EIA has identified the following four
key recommendations: 1) the need for a digital signature based on
public key cryptography; 2) the need to waive export restrictions
on RSA and DES and to develop unlimited export licenses; 3) the
need to foster greater use of security and authentication in
government networks; and 4) the need for Congress to establish a
task force to enable legal recognition of digital signatures.
Professor George Trubow of the John Marshall Law School gave an
overview of the various legal issues surrounding privacy,
confidentiality and security. There are three legal areas of
privacy: 1) tort law; 2) Constitutional law; and 3) informational
privacy. Tort law deals with civil wrongs, including the tort of
"intrusion in the seclusion" of an individual. Publication of a
private fact is one example. Constitutional law mostly deals
with autonomy of individuals making choices about themselves. The
only Constitutional reference to informational privacy is found
in the 4th Amendment (Search and Seizure). It is important to
bear in mind however, that the Constitution is a constraint on
the actions of government, not private organizations.
Informational privacy essentially deals with laws and regulations
regarding the protection of information (e.g., Freedom of
Information Act and the Privacy Act of 1974). The Electronic
Communications Privacy Act (ECPA) of 1988 is significant and
provides protection in three ways: 1) makes it illegal to
intercept communications, 2) protects against disclosure of
intercepts, and 3) prohibits use of intercepted information. ECPA
becomes important as it authorizes interception during the
"normal course of business use." Current law has loopholes and
leaves employees in the private sector unprotected. What is
needed is something to cast a better balance between
"permissible" private activities and privacy concerns. If the
Board accepts that work is needed, it should bring the issue to
the attention of anyone it can. The Chairman asked how the Board
could get at the problem. Professor Trubow replied that ECPA
could be modified by Congress.
Mr. Marc Rotenberg, Director of the Washington Office of Computer
Professionals for Social Responsibility presented his personal
views regarding e-mail privacy. (See Attachment B.)
Computer Security Personnel
Mr. McNulty introduced the discussion on federal agency
recruitment and staffing of computer security positions. NIST
has been collecting position descriptions for federal agency
full-time computer security positions. While a full report is
not yet available, preliminary analysis shows that there is a
clear lack of consistency across agency boundaries regarding the
personnel series in which these positions are assigned. Members
of the panel included the following computer security program
managers: Mr. Steve Smith, Federal Aviation Administration, Col.
Al Kondi, U.S. Army, and Mr. James Oberthaler, Patent and
Trademark Office (PTO), U.S. Department of Commerce.
Each speaker provided a brief overview of their agency and its
computer security program. Mr. Smith has personnel in various
series, including the 334, 080, 3091 and 1801 series. (See
Attachment C.) Col. Kondi has a staff of 22 people in both the
080 and 334 series. Across the Army there are about 300 full
time INFOSEC personnel (approximately 150 in COMPUSEC and 150 in
COMSEC). Mr. Oberthaler has recently set up a new program at
PTO. His office has a staff of five, all in the 334 series. He
views the 334 series as a broad category and, consequently, did
not agonize over the choice of series. One major issue PTO had
to confront was how to gain the necessary visibility for a
program to be successful. In the ensuing discussions, Mr.
McNulty said that NIST would have a draft of the personnel issues
paper at an upcoming Board meeting. (ACTION - Mr. McNulty) It
was also mentioned that in the next issue of Access, the
International Information System Security Certification
Consortium would announce its certification program for security
professionals, which ties into the issue before the Board.
Information Technology Security Evaluation Criteria & NIST/NSA
Efforts
Mr. James Burrows opened the discussion of the draft European
Information Technology Security Evaluation Criteria (ITSEC) and
NIST's current efforts in this area. A summary of the September
1990 meeting in Brussels was presented. Most comments received
by the Europeans emphasized that although the ITSEC described
features which would look useful to a user, the features were not
adequately linked together. Also, the European Community appears
to want to gain at least two years experience with a draft
criteria document before adopting it in final. Mr. Burrows also
emphasized that the Europeans do not have to invite the U.S. in
to participate. However, it may be to their advantage to do so
if the U.S. had something to offer, such as the experiences of
users of trusted systems, which NIST is working to obtain. Dr.
Katzke announced that this topic would be discussed at the next
Board meeting when NIST's work plan is presented. (ACTION - NIST)
NIST utilized the Board meeting to present a press release,
announcing the joint intention of NIST and the National Security
Agency (NSA) to develop a federal criteria document. Messrs.
Burrows and Gallagher jointly announced their plans. (See
Attachment D.) They will be co-chairing a conference in February
to look at experiences with trusted systems. Mr. Burrows also
stressed that it was not NIST's intention to simply add to the
Orange Book, but that a wholesale re-examination of federal
requirements would be undertaken. Dr. Ware summed up the Board's
comments as collectively expressing a sense of urgency and
volunteered that the Board would do whatever it could to assist
the effort.
National Research Council Report
Ms. Marjorie Blumenthal of the National Research Council (NRC)
and Staff Director of the System Security Study Committee
presented an overview of the recent NRC report Computers at
Risk - Safe Computing in the Information Age. The report was
sponsored by the Defense Advanced Research Projects Agency. Of
particular interest to the Board in the report were:
- concerns with export controls on cryptography and
high assurance level trusted systems;
- the recommendation for the founding of an Information
Security Foundation; and
- the recommendation to promulgate a comprehensive set
of Generally Accepted System Security Principles to
provide a clear articulation of essential security
features, assurances, and practices.
As the report was released just prior to the Board's meeting,
members had not had sufficient time to fully review the study.
Therefore, it was agreed that the Board would defer taking a
position.
Wednesday, December 12, 1990
Data Categorization
Mr. Cooper introduced the discussion of data categorization by
noting the importance of establishing a sound intellectual
underpinning for categorization and that agencies were developing
categorization schemes with or without guidance from NIST. This
results in many uncoordinated and incompatible systems. Five
agency representatives were invited to the meeting to share their
thoughts and agency's experiences with categorization.
Mr. John Tressler of the U.S. Department of Education indicated
that his department had a High/Medium/Low categorization scheme
used to remind users of their responsibilities for the protection
of information. This system is primarily based upon statutory
requirements for confidentiality protection. It would, however,
be useful to add integrity and availability to the definition.
(See Attachments E (1) & (2).)
Mr. Jules Romagnoli of the U.S. Department of State's Office of
Information Systems Security began by discussing the difficulty
with working with the definition of "sensitive unclassified"
information. At the Department, a formalized category of
sensitive unclassified information, "Limited Official Use,"
exists. However, discrepancies exist between protection of
printed information and that stored on magnetic media. The
Department has studied the aggregation of unclassified
information and found it to be sensitive in the aggregate.
Mr. Dolph Cecula, Director of Security at the Census Bureau, U.S.
Department of Commerce, said that specific legislation protects
census data. Employees take a non-disclosure oath every six
months. Information is designated "Census Confidential." A
study was conducted in 1973 which looked at categorizing personal
information - and failed due to its complexity. Today,
functional managers do not understand the definition of sensitive
information in OMB Circular A-130. However, in the Census Bureau
all employees understand that Title 13 data requires protection.
Census systems are treated as though they contain Title 13.
Mr. John Hornung of the U.S. Customs Service, said that basic
Treasury Department directives provide requirements for the
protection of information. Some systems have Limited Official
Use information as well as law enforcement information. Other
Treasury agencies have additional categories. For example, the
IRS has tax information as a separate category. Mr. Cooper noted
that while he was at Treasury, it was determined that data
categorization was not possible.
The panel was asked if a government-wide policy would be useful.
Mr. Romagnoli said that there is a need for some standardization,
particularly for sharing information. Mr. Cecula agreed that
standard categories are needed. There was significant
disagreement among Board members as to whether standard
categorization is desirable or achievable.
Next, Ms. Agnes Schryer of the Administrative Policy Branch,
Treasury Board Secretariat of the Government of Canada presented
an overview of Canada's unclassified data categories. Theirs is
a model based upon appropriate levels of protection. Their
sensitive information is "designated" as requiring protection and
is marked "PROTECTED." The bulk of this information is personal.
Designated information is further delineated with A/B/C markings.
(See Attachment F for further information on Canada's scheme.)
Employee discipline standards are linked to the protection of
designated information. Approximately 60-70% of the government's
employees are subject to an "enhanced reliability status"
background check. Her advice offered to the Board was to aim for
a legislative basis, as was accomplished in Canada, for the
categorization scheme. Overall, categorization has proven useful
for the Canadians.
Mr. Bruce Bucklin, Acting Chief of the Technical Operations
Section at the Drug Enforcement Administration presented a
strawman approach to data categorization. He emphasized that the
material presented was already under revision and viewed this as
an ongoing process, which only began in June of 1990. The
tentative conclusion they have reached is that four categories is
too many while one is not enough. Mr. McNulty asked what the
current status was. Mr. Bucklin replied that two categories may
be adequate. Their effort is expected to be completed by May
1991 and is currently utilizing a staff of eight to ten full-time
people.
The Board agreed that it may wish to take action with regard to
data categorization. However, at this time the Board did not
have a clear direction in which to proceed. It was therefore
agreed that Messrs. Lipner and Zeitler would meet to discuss the
issue and prepare a recommended course of action. (ACTION -
Messrs. Lipner and Zeitler.)
Board's 1991 Work Plan
Mr. Colvin provided an overview of the Board's proposed work plan
for 1991 that he and Mr. Wills had developed. (See Attachment
H.) Mr. Wills stressed that members should bear in mind that
major privacy legislation may be passed within the next year. In
reviewing the document it was agreed that the "Implementation of
the Computer Security Act of 1987" should be the highest
priority.
The meeting was adjourned at 2:30 p.m.
Lynn McNulty
Secretary
CERTIFIED as a true and accurate statement of the meeting
Willis Ware
Chairman