MINUTES OF THE
MARCH 22-23, 1995 MEETING OF THE
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
Wednesday, March 22, 1995
Introduction
A quorum being present, the Chairman, Dr. Willis Ware, called the meeting to order at 9:00 a.m.
at the Holiday Inn, Gaithersburg, Maryland. Besides Dr. Ware, the following Board members
were present: Charlie Baggett Jr., Genevieve Burns, Cris Castro, Don Gangemi, Sandra Lambert,
Henry Philcox, Randy Sanovic, Stephen Trodden, Steve Walker, and Bill Whitehurst.
Mr. McNulty informed the Board that he is retiring from government service, effective April 28,
1995. He appointed Mr. Ed Roback Designated Federal Official for the Thursday meeting.
The Board devoted the entire first day of the meeting to a thorough discussion and review of the
assurance component of the process for evaluating security products against criteria. It did so
because the assurance issue has been an extremely troubling dimension of the evaluation process
for many years. The entire meeting was held in open, public session.
Assurance Framework
Dr. Stuart Katzke, Chief, NIST Computer Security Division, discussed a framework for
assurance. Some of the questions about assurance that need to be addressed, for example, are:
What is assurance? Who requires assurance? When are assurance measurements needed/useful?
Dr. Katzke presented a framework that includes dimensions (Factors), assurance levels (ALs),
metrics/values (Dimensions & ALs), and assurance equivalence classes. Factors that contribute to
assurance are: Verification Process (Testing), Development Process, Qualifications, Operational
Track Record of System or Product, and Operational Track Record of Developer on Prior
Systems/Products.
He also discussed values/metrics for measuring various dimensions of assurance. He presented an
example diagram and pointed out that one dimension could be the verification process. He also
offered a diagram of assurance levels in a hierarchical design with low, medium, and high. Dr.
Katzke said that the plan is to develop a framework that involves all stakeholders. Currently,
NIST/NSA plans to engage the IT community in the development of a framework and short term metrics
for assurance. An annual workshop on assurance is also planned, which will be co-sponsored by
NIST. (See Reference #1).
Assurance Components
Mr. Bill Marshall, NSA, addressed the components of an assurance framework from the
perspectives of an information security analyst, the supplier community, and an information
systems security customer. He discussed the reasons someone would look for an information
security solution. He said that a customer may have information that needs protection by value or
by direction, which could be legislative or regulatory. The customer may also have information
that they perceive to be subject to unacceptable risk. Mr. Marshall said that customers would
make informed decisions, as they would when buying any product, by gathering information,
relying on experts, and using accepted metrics.
The customer is generally not aware of the qualification options. Therefore, the customer would
need to use some standards set by either regulatory agencies or the professional community. With
regard to specification, the first thing customers need to do is examine their security policy. They
need to verify that assurance is provided by the vendor and that the product has been time-tested.
Mr. Marshall summarized by saying that the same level of risk reduction can be achieved in
several ways. (See Reference #2).
Canadian Perspective on Achieving Assurance
Mr. Vince Muolo, Manager, Industrial Programs and Initiatives, Communications Security
Establishment (CSE), Canada, briefed the Board on the CSE's perspective on information
technology security product assurance in the context of information security product evaluations.
CSE provides advice and guidance to the federal government of Canada on Information
Technology Security with emphasis on security evaluations of the security aspects of information
technology products and systems. CSE is using third party product evaluations and product
reviews, neither of which has proven successful in achieving the desired levels of timeliness and
assurance simultaneously. As a result, CSE is planning to explore new approaches to
information security product assurance. Mr. Muolo described assurance as a measure of
confidence that the security functionality will perform as claimed. Products gain assurance
through evaluations under the CSE's Trusted Product Evaluation Program (TPEP). A trusted
product allows the end user of the product to make assumptions about the security behavior of
the product and how it can be used to counter threats in the target environment. Currently, CSE
has two processes for adding assurance to products: (1) product review, and (2) evaluation. (See
Reference #3).
UK Perspective on Achieving Assurance
Mr. Allen Borrett, CESG, UK, briefed the Board on approaches to assurance by the UK. The UK ITSEC
scheme should meet the needs of government and industry with respect to cost-effective secure IT
products and systems. The scheme would provide a basis for mutual international recognition and
produce identical evaluation results. Mr. Borrett discussed the following differences between the
US and UK evaluation processes:
- The UK evaluations are not government sponsored, and the sponsor sets the time and money
constraints for the evaluator.
- The UK is more methodology focused, while the US is more principle based.
- The UK evaluators' work, in conjunction with the developer, begins with the
development process and continues through the product implementation phase. They obtain the necessary
documentation and understand product development as it is being done. The US begins the evaluation
process at the end of the product implementation phase.
Mr. Borrett said that the UK uses Certified Licensed Evaluation Facilities (CLEFs) that are
non-government resourced evaluation facilities. The demand for CLEFs is growing. The UK will have
five operational CLEFs soon and a sixth one is expected. He said that overall, the ITSEC
evaluation time and cost required is significantly less than the US process. The primary reason is
that their process is sponsor controlled and flexible. (See Reference #4).
Assurance Economics
Mr. Joel Sachs, the Sachs Groups, presented his company's view on the economics of assurance.
He discussed internal economics, which include: threats to the target enterprise, weaknesses as
they relate to vulnerabilities, and risks such as operational impacts and acceptable/unacceptable
risks. He discussed the need for a viable information security economy that includes some of the
following: (A) Freeing the market to resolve risk, trust, and assurance for enterprise, systems,
and products. (B) Understanding and accommodating multiple business models across and
among the players. (C) Developing assurance framework and metrics, both qualitative and
quantitative, to define and delineate value. (See Reference #5).
Capability Maturity Modeling Project
Mr. David Kitson, Software Engineering Institute (SEI), Carnegie Mellon University, briefed the
Board on the role and significance of the SEI Software Capability Maturity Modeling (CMM) for
software. With regard to the transition of technology, the mission is to provide leadership in
advancing the state-of-the-practice of software engineering to improve the quality of systems that
depend on software. The vision is to bring engineering discipline to the development and
maintenance of software. CMM is a common-sense application, a community-owned guide and a
model for organizational improvement. Some of the benefits of model-based improvement are to:
- Establish a common language;
- Build on a set of processes and practices developed with input from a broad selection of
the software community;
- Provide a framework for prioritizing actions and performing reliable and consistent
appraisals; and
- Support industry-wide comparisons.
The risks of model-based improvements are simplifications of the real world and a lack of
comprehensive scope. Interpretation and tailoring must be aligned to business objectives. Mr.
Kitson discussed the five maturity levels, the CMM's key process areas, and the evolution of the
process capability. He said that broad-scale acceptance of the CMM is based on plausibility of a
common-sense model and experience in other industries. The CMM is a living document, which
will be revised. Contributions are solicited from the community. (See Reference #6).
Security Engineering Capability Maturity Model and Trusted Capability Maturity Model
Mr. John Adams, National Security Agency, briefed the Board on a Trusted Capability Maturity
Model (TCMM). The TCMM will allow organizations to use one reference model and derive
from it the benefits of two models, software process improvement and increased software
assurance. There are two components of the TCMM: (1) A Software Capability Maturity Model
and (2) a Trusted Software Development Methodology.
Mr. Adams also described the Security Engineering Capability Maturity Model (SECMM).
The purpose of the model is to:
- Increase assurance in system trustworthiness;
- Reach a point to transfer assurance from evaluation to development process;
- Provide consistent maturity framework for security engineering development processes;
- Provide security engineering process improvement mechanisms; and
- Provide process-based assurance measurement mechanisms.
The model structure is based on a maturity framework (similar to the SEI model). It tailors
management and organizational processes and adds evolutionary security engineering processes.
Mr. Adams said that to date the SECMM has accomplished a draft model, which includes a
framework for process improvement, independent of specific organizational structure. The draft
model was presented at the NIST/NSA National Computer Security Conference in October
1994. A public workshop was held in January 1995, and the model received overwhelming community
endorsement. Future directions include expanding the scope of the SECMM market. It has
focused only on the NSA/DoD community. As a follow-on to the workshop, there will be three
working groups driven by industry: (1) a steering work group to define the key process, (2) an
authoring work group for overall strategy, and (3) an application work group to define
measurement techniques. (See Reference #7).
Update on X/Open Branding Project
Mr. Bill Whitehurst, IBM, gave a brief update of the activities of the X/Open Branding Project.
Two major components exist within their branding concept: (1) the ability to implement
functionality based on a minimum set of assurance functionality requirements (MSFR), and (2) the
confidence in the development process for achieving the functionality.
He said that the workgroup meeting, hosted by Hewlett Packard, was held early in March. The
group plans to re-write their document to include some type of evaluation process prior to the
vendor product getting branded. X/Open plans to have a public review of the changes this
summer.
Vendor Perspective
Ms. Linda Vetter, Oracle Corporation, presented Oracle's views of security assurance. She
discussed three types of assurance issues: (1) government evaluation and certification; (2) third
party evaluation and certification (government and business sponsored); and (3) vendor claims.
Ms. Vetter explained Oracle's evaluation experience for two DBMS server products, Oracle7 and
Trusted Oracle7, in both the US and the UK. Oracle used the US TCSEC TPEP evaluation for
B1 and C2 systems. They also used the UK ITSEC evaluation for E3 systems (which is the
equivalent for US B1 and C2 systems). The UK process took significantly less time and cost less
money for an identical product. Ms. Vetter suggested that NIST/NSA look into developing
equivalent/comparable trust levels between the two different evaluation criteria methods as well as
those for other countries. This would minimize the need to have different evaluations performed
(one for each country) for the same product.
Oracle has on-going work in other areas (e.g., RAMP, CMM, ISO, and Audits) as well as
multiple CLEFs with the UK, Sweden, France and Germany. Ms. Vetter explained the
differences in criteria between the TCSEC and the ITSEC. She said that the ITSEC requirements
for the content of evaluation deliverables formed a superset of the corresponding TCSEC
requirements for the evaluations. However, the TCSEC creates a framework for the presentation
of these requirements and there can be little deviation from this.
Oracle would like to see more concentration on low-end assurance requirements and processes.
This would enable various sectors like health care, banking, and financial industries to have
protection for unclassified to sensitive data. Ms. Vetter encouraged NSA to continue its efforts in
modeling (Common Assurance Framework, TCMM, and SE CMM) and would discourage any
more efforts in product profiling. The modeling efforts encourage vendor quality improvement,
promote flexibility in meeting assurance objectives, and are transferable to other private sector
domains besides DoD. (See Reference #8).
Wrap-up and Restatement of Issues
Dr. Katzke summarized the discussion of assurance by saying that opportunities exist to look at
alternatives. He is not sure what the government's role is or which areas to concentrate on with
respect to cost. He said that he could continue with the same level of effort that is going on now
with community involvement. He is open to suggestions with regard to the assurance process.
Discussion
After a lengthy discussion on the state of the Common Criteria (CC) and assurance approaches
and issues, some of the major points from individual Board members included:
- Concern as to when the CC will be widely accepted and used;
- Whether to adopt the ITSEC now and migrate to CC;
- The need to simplify the CC;
- Building assurance and quality into the new assurance framework;
- Clearly define assurance so that it is universally understood;
- Conduct more C2 and below evaluations in the US;
- Concentrate on low-end assurance; and
- Bring key industry players into the process.
The meeting recessed at 5:45 pm.
Thursday, March 23, 1995
Chairman's Time
Dr. Ware introduced Mr. Joseph Leo, Deputy Administrator for Management, Food and
Consumer Service, U.S. Department of Agriculture. Mr. Leo is a member designate to fill a
government position on the Board.
After minor changes from Mr. Whitehurst, Board members voted on and unanimously approved
the minutes of the December 1994 meeting.
During this time, Board members continued their discussion of criteria and assurance from the
previous day. Some of the major points of the discussion from Board members included the need:
- for OMB to state the need for C2 level evaluation compliance for various
government product purchases;
- for NSA to make a statement about equivalency among all existing non-US trust
levels;
- to begin using components of the Common Criteria and gradually migrate to it;
- to continue a wide range of assurance framework options and procedures; and
- to focus on low-end assurance methods and encourage C2 level evaluation along the
lines of the Canadian AL-1 evaluation.
Security In Governmentwide E-Mail
Mr. Jack Finley, Director, Electronic Messaging Program Management Office (E-Mail PMO) at
the General Services Administration (GSA), briefed the Board on the status of security in E-Mail.
He said the E-Mail PMO has three focus areas: (1) functional requirements, (2) management
requirements, and (3) technical requirements. Mr. Finley said that security is an element in each
one of the three focus areas.
There are five PMO program functions: (1) program management to develop a two-year plan,
(2) directory service support for registration services, and directory synchronization etc., (3)
value added services for a centralized e-mail help desk, electronic support services, and a model
service center, (4) cross cutting initiatives to implement guidance and training, gateway
specifications etc., and (5) common system components for standards convergence, requirements
definition and X.400 address simplification.
The PMO strategic plan will promote and support electronic messaging business process, increase
operational quality, productivity and effectiveness of governmentwide messaging, and provide
professional help desk services. The governmentwide e-mail vision is to produce business quality
e-mail, intermediate e-mail, and basic e-mail. Mr. Finley defined business quality e-mail as having
a level of security to conduct financial and regulatory business for the unclassified arena.
The Board continues to be concerned about security not being adequately addressed in the PMO
effort. The Board suggested that Mr. Finley add security and privacy requirements as a separate
focus area and that it be number one on the list. The Board also noted that there was no mention
of security policy documentation or an implementation strategy. Mr. Finley said that security
policy efforts are being undertaken by the NIST Public Key Infrastructure (PKI) Steering
Committee and other security infrastructure issues are addressed through the Security
Infrastructure Program Management Office (SI-PMO).
(See Reference #9).
Mr. Al Williams, Director, Federal Information Security Infrastructure Program Management
Office (SI-PMO) at GSA, gave the Board an update on the progress of the SI-PMO. The PMO is
Co-chaired by GSA and DoD. The charter is due to be signed by DoD and the Government
Information Technology Services (GITS) Working Group by May 1, 1995. A Program Action
Plan is expected to be completed by April. The primary role of the PMO is to provide
governmentwide support and coordination of federal activities necessary to implement an
information security infrastructure for the use of the federal government. A more specific goal is
that the SI-PMO, working with individual agencies, will design pilots, coordinate implementations
across agencies, promote the use of an information security infrastructure within government, and
make recommendations to resolve conflicts in implementation and funding of this information
security infrastructure. The PMO is not chartered, staffed, or funded to manage specific product
developments, or to manage the development programs of individual government agencies. The
total SI-PMO is composed of DoD, civilian agencies, financial institutions, medical/health care,
and technical elements. The PMO security objectives show support for multiple technologies that
include: RSA, DSS with DES encryption, FORTEZZA, and other X.509 variants. (See
Reference #10).
Security Policy Board
Mr. Peter Saderholm, Director, Security Policy Board (SPB) Staff, briefed the Board on the
proposed activities of the SPB. He said the creation of the SPB was based on a recommendation
by the Joint Security Commission report of February 28, 1994. Presidential Decision Directive
(PDD) 29, signed by the President on September 10, 1994, articulates the roles and
responsibilities for the SPB, the Security Policy Advisory Board, and the Security Policy Forum.
Board members were provided a "fact sheet" on PDD29. Some Board members expressed
concern with the SPB's activities with regard to [setting policy for unclassified sensitive
information in addition to classified information] in light of the national security scope of PDD29.
Mr. Saderholm mentioned the need for the Board and the SPB to work together regarding
privacy and security policy issues for unclassified sensitive information. He expressed his desire
to continue dialogue with the Board and to build cooperative arrangements with industry
representation when dealing with the protection of unclassified information. He said that the SPB
is abiding by the Computer Security Act of 1987 and therefore, will not be responsible for policy
surrounding unclassified information. However, he noted that the SPB will need to facilitate
cross-sharing of information with those responsible for setting unclassified information protection
policy. (See Reference #11).
Federal Computer Security Program Managers Forum Opinion
Ms. Sadie Pitcher, Department of Commerce and Forum Co-Chair, presented the views of the
Forum regarding the SPB report's proposal to form an Information Systems Security Committee
(ISSC). The Forum represents 75 federal government agencies. The Steering Committee of the
Forum drafted a position paper to Ms. Sally Katzen of the Office of Management and Budget on
January 11, 1995. The position paper articulated the following concerns:
- Establishment of a national security dominated ISSC is contrary to the Computer
Security Act and inconsistent with the authority of PDD-29;
- Would undercut the effort for open government;
- National security related information will be viewed as imposing new government
restrictions on access to information;
- The proposal may serve to increase public concerns over the government's
intentions in the field of ISS;
- It is inappropriate for the national security/intelligence communities to
participate in selecting security measures for unclassified systems at civil
agencies;
- The unclassified security focus is on cost-effectiveness, integrity and
availability, not primarily confidentiality, which is the traditional primary concern
of the classified sector; and
- Concern that the SPB report is being misrepresented as Administration policy.
Ms. Pitcher said that OMB was asked to restrict the SPB report implementation to only classified
systems. (See Reference #12).
Status of Key Escrow Initiative
Mr. Steve Walker, Trusted Information Systems (TIS), briefed the Board on the status of
Commercial Key Escrow (CKE). He said, with regard to application vendors, TIS is actively
seeking the participation of commercial software vendors in widespread implementation of CKE
enabled software products. TIS has installed a Data Recovery Center (DRC) on the Internet and
is prepared to distribute sample DRC application software packages to any interested software
application developer. TIS is seeking approval of the US government for export of application
programs using encryption algorithms such as the Data Encryption Standard (DES) when
properly bound with CKE.
Mr. Walker said the advantage of CKE for government interests is that if the TIS CKE system
were to become widely used throughout the private sector and government communities, law
enforcement, national security and private sector interests would be preserved.
Mr. Walker said that TIS has filed for patent protection for its Software Key Escrow (Clipper
equivalent) and CKE systems including the DRC and application software approaches. TIS is
prepared to license its CKE system and software applications technology to any software or
hardware vendor under very favorable licensing terms. TIS is also prepared to license its DRC
system and technology to qualified DRC operators and vendors under similarly favorable licensing
terms. (See Reference #13).
OMB Circular A-130, Appendix III Revision and Reauthorization of the Paperwork Reduction Act
Mr. Ed Springer, Office of Management and Budget (OMB), briefed the Board on the proposed
revision of Appendix III of Circular A-130. Mr. Springer said that the proposal is intended to
guide agencies in securing information as they increasingly rely on an open and interconnected
National Information Infrastructure. It stresses management controls such as individual
responsibility, awareness and training, and accountability, rather than technical controls. The
Appendix proposes to re-orient the federal computer security program to better respond to a
rapidly changing technological environment. It establishes governmentwide responsibilities for
federal computer security and requires federal agencies to adopt a minimum set of management
controls.
As in the previous Appendix III, agencies are still required to establish controls to assure adequate
security for all information processed, transmitted, or stored in federal automated information
systems. This proposal emphasizes management controls affecting individual uses of information
technology. The Appendix requires that these management controls be applied in two areas of
management responsibility, general support systems and major applications. The Federal Register
announcement of the Appendix provides supplementary discussion to aid reviewers in
understanding the changes in emphasis proposed. Mr. Springer said that agencies will phase into
implementing security requirements articulated in Appendix III. (See Reference #14).
Public Comment
During the public comment period, Ms. Sadie Pitcher advised the Board of an effort in progress
by the Federal Information Systems Security Educators Association, a subgroup of the Federal
Computer Security Program Managers' Forum, to revise NIST Special Pub 500-172, Training
Guidelines. This effort is in line with OMB's recommendation to the Department of Commerce,
in Appendix III, to review and update guidelines for training in computer security awareness and
accepted computer security practice.
Board Discussion
After discussion, deliberation, and debate, the Board passed three resolutions. (See Attachments
1-3.)
The meeting adjourned at 6:00 pm.
Attachments
#1 - Resolution 95-1
#2 - Resolution 95-2
#3 - Resolution 95-3
References
#1 - Katzke slides
#2 - Marshall slides
#3 - Muolo slides
#4 - Borrett slides
#5 - Sachs slides
#6 - Kitson slides
#7 - Adams slides
#8 - Vetter slides
#9 - Finley slides
#10 - Williams slides
#11 - Saderholm slides
#12 - Pitcher slides
#13 - Walker slides
#14 - Springer paper

/s/
Edward Roback
Secretary

CERTIFIED as a true and accurate summary of the meeting

/s/
Willis Ware
Chairman