[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CSSPAB June 1995
URL: http://csrc.ncsl.nist.gov/csspab/minutes.695
[Reformatted for easier reading]
MINUTES OF THE
JUNE 7-8, 1995 MEETING OF THE
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
Wednesday, June 7, 1995
Introduction
A quorum being present, the Chairman, Dr. Willis Ware, called
the meeting to order at 9:00 a.m. at the National Institute of
Standards and Technology (NIST), Gaithersburg, Maryland.
Besides Dr. Ware, the following Board members were present:
Charlie Baggett Jr., Genevieve Burns, Cris Castro, Don
Gangemi, Sandra Lambert, Joseph Leo, Henry Philcox, Randy
Sanovic, Linda Vetter, Steve Walker, and Bill Whitehurst.
Mr. Ed Roback, Board Executive Secretary and newly appointed
Designated Federal Official, discussed some of the handouts
provided to the Board. Most important, was a copy of a draft
House bill referred to as the "Department of Commerce
Dismantling Act." If enacted, part of NIST would be
transferred to the National Science Foundation. The Commerce
Program Resolution Agency (CPRA) would be established and
attempt to sell NIST laboratories (and other specified
elements of the Department of Commerce) to the private sector.
If not sold within 18 months of enactment, CPRA would submit
their recommendations to Congress on the appropriate
disposition of the property and functions of the laboratories.
OMB Circular A-130, Appendix III Update and Review of Comments
and "NII Security: The Federal Role"
Mr. Ed Springer of the Office of Information and Regulatory
Affairs, Office of Management and Budget (OMB), updated the
Board on the recently signed Paperwork Reduction Act of 1995.
(Copies are available for distribution to the Board.) (ACTION
- SECRETARY). Mr. Springer said that security remains a
concern and is supported by strong language in the law
requiring agencies to secure their systems. Mr. Springer
updated the Board on Appendix III to OMB Circular A-130.
Since his briefing to the Board in March, the comment period
for the proposed changes to Appendix III has closed. OMB
received twenty-nine written comments to date. He solicited
Board members for their reactions to the draft proposal. Mr.
Springer was asked how OMB will enforce the requirements of
Appendix III. He said enforcement comes through oversight and
the budget process. There is a sharper focus on where agencies
can go for help. One Board member asked if OMB plans to
develop a standard set of behaviors. Mr. Springer replied
that OMB will not go that far; however, Appendix III addresses
the risks for agencies to use as a guideline for security
considerations. Board members noted that agency visits to
senior management regarding security plans, as was conducted
in the 1989-1990 timeframe, seemed successful. Mr. Springer
said that the Federal Managers Financial Integrity Act
provides oversight of the requirement for agencies to prepare
new plans. Mr. Springer agreed to brief the Board at its
September meeting to further discuss the comments received and
current status. He mentioned that the final document "NII
Security: The Role of Federal Government," would be out soon
and Board members would receive copies. (ACTION - SECRETARY).
Defensive Information Warfare & Unclassified Government and
Private Sector
Mr. Martin Hill, Deputy Director for Information Warfare
Programs, Office of the Assistant Secretary of Defense,
briefed the Board on Information Warfare (IW) from a DoD
perspective. He said that commanders should not depend on
information and information systems that they cannot rely on.
He used the example of Desert Storm, which was a won through
the use of intelligence; Iraq, in effect, lost the war before
it even began. Mr. Hill said that IW is driven by daily
attacks on U.S. computer networks. The national security
construct is changing because DoD utilizes commercial sector
security and shares their vulnerabilities. The DoD
unclassified definition of IW is "Actions taken to achieve
information superiority in support of national military
strategy by affecting adversary information and information
systems while leveraging and protecting our information and
information systems." Some of the areas that need defending
are: leadership; command facilities; integrated air defense
and controls; computers, software, data bases, and displays;
power production sources; and links to media. The U.S. IW
strategy is to:
- Use U.S. technological superiority to provide the right
information to the right place at the right time,
- Aggressively defend against attacks on our information, and
- Use offensive techniques to attain and maintain information
superiority.
Mr. Hill also emphasized the need for and importance of
training. He said they have assembled "Red Teams" made up of
DoD personnel that converge on other DoD systems to determine
their vulnerabilities. When asked how DoD could best
communicate their requirements to the commercial sector, Mr.
Hill said that they conduct seminars and "war games" which are
both attended by industry. (See Reference #1.)
X/Open Security Branding Proposal
Mr. Peter Callaway, Senior Security Technologist for IBM,
provided the Board with an update on the X/Open security
branding proposal. Mr. Callaway was speaking from three
perspectives: IBM (a member of X/Open), X/Open, and as a user.
He said that X/Open feels they have the appropriate and proven
experience by setting industry standards and performing
conformance branding. X/Open has the commitment of vendors to
build products to their specifications with regard to
technical plans established with vendor cooperation and
commitment to product follow-through. X/Open Branding is a
certification scheme for conformance verification, not
evaluation. Currently, X/Open branding requires evidence of
successful execution of a test suite where appropriate test
suites are available. It requires a conformance statement
questionnaire and a trademark license agreement to be
completed by the applicant. (See Reference # 2.)
Security Policy Board (SPB) Update
Ms. Vicki LaBarre, Security Policy Board (SPB) Staff, briefed
the Board on the progress of the SPB. Ms. LaBarre reminded
the Board of the role of the SPB as chartered by Presidential
Decision Directive (PDD)-29. The SPB and Security Policy
Forum are jointly chaired by DoD and intelligence community
members, but their members include non-DoD and
non-intelligence community representatives. Ms. LaBarre
relayed that the SPB considers itself an "honest broker" to
identify issues and positions from all parties on key
questions. She said that the fundamental question is whether
the executive branch needs a single, consolidated INFOSEC
policy making mechanism.
If a consolidated INFOSEC policy making mechanism is needed:
Can the existing SPB structure created by PDD-29 meet that
need?
- If yes: how should an information systems security
committee be chartered and constituted?
- If not: how could/should the SPB/SPF be modified to become
an effective INFOSEC policy mechanism? What other existing
entity in the executive branch could act, or be modified to
act as the executive branch's INFOSEC policy making
apparatus? What kind of new entity could be created to
meet this policy making need?
If a consolidated INFOSEC policy making mechanism is not
needed:
- How can the existing INFOSEC policy and advisory boards,
committees, forums, etc., be made to more effectively
identify, prioritize, resource and act on major INFOSEC
issues and vulnerabilities affecting the national interest?
- Are executive branch INFOSEC resources adequate to provide
for acceptable security for government information systems?
- Are existing INFOSEC resources appropriately located and
distributed within the executive branch?
Recently the SPB staff convened a special working group to
draft a resolution to call for compiling a list of major
INFOSEC issues. The matter will be discussed at the Security
Policy Board Forum meeting on June 23. In summary, Ms.
LaBarre emphasized that we must to do a better job of INFOSEC
governmentwide which is doable if everyone works together for
the common good.
Throughout Ms. LaBarre's presentation, some Board members
expressed serious concerns about many aspects of the SPB's
charter, the first SPB staff report and their present stance
on the effort of a single policy making mechanism. Some Board
members expressed the view that the initial report was not
clear with regard to what kind of information would encompass
"national interest." She said that the first report was purely
a "think piece" to stimulate discussion, which it has done.
(See Reference #3.)
Commercial Key Escrow Update
Mr. Steve Walker, President, Trusted Information Systems
(TIS), presented the Board with an update of TIS' Commercial
Key Escrow (CKE) activities. Mr. Walker recently met with
senior management of National Semiconductor Corporation. They
discussed a proposal to use CKE in an escrowing approach
called Commercial Automated Key Escrow (CAKE) in which the CKE
system has been modified to work with National's PersonaCard
cryptographic hardware tokens. Mr. Walker believes that this
approach meets the needs expressed by the Vice President.
CAKE does the following:
1. It removes all very strong cryptography from software.
2. It uses these special CAKE tokens to automatically escrow
an encrypted copy of every message key within the message
envelope itself, in a special Data Recovery Field (DRF)
consisting of the message key and Data Recovery Center
(DRC) and token identifiers, encrypted with the public key
of a Designated DRC.
3. It provides access to DRFs via the private key of the DRCs,
and allow any user to establish their own DRC to safeguard
corporate information.
4. It uses well known cryptographic algorithms such as DES,
triple DES and RSA, instead of algorithms such as Skipjack.
5. Finally, it gives American computer and communications
industries the ability to easily export strong and very
strong encryption as part of their information highway
products.
Mr. Walker briefly discussed the software binding issue which
have been put off by implementation into the PCMCIA card but,
it still needs to be tried and a software vendor is being
sought to do so. The card implementation is aimed at files
and e-mail, not telephony. There is initial concern with
regard to cost, however, it is tamper proof and cannot be
distributed over the Internet. Mr. Walker said they are
seeking export approval with DES and CKE and hopes for a
position resolution in the near future. (See Reference #4.)
The meeting recessed at 5:20 pm.
Thursday, June 8, 1995
SI-PMO Action Plan Briefing
Mr. Al Williams, Acting Director of the Security
Infrastructure Program Management Office (SI-PMO) at GSA,
updated the Board on the activities and progress of the
SI-PMO. He discussed some of the near term goals: identifying
and resolving critical policy issues related to support
multiple technologies, developing a security architecture,
defining user-to-user and user-to SI specifications, and
establishing a formal liaison between the SI-PMO and the
Canadian Government. Board members asked about milestones.
Mr. Williams directed members to the summary of the near-term
actions and milestones in the Action Plan appendix. When
asked who has received the Action Plan, Mr. Williams replied
that it was distributed to the Government Information
Technology Services Group, the National Information
Infrastructure Security Issues Forum, the Electronic Commerce
Acquisition Program Management Office, the E-Mail Program
Management Office, NSA, NIST, and the PKI Steering Committee.
The Board commended Mr. Williams for working an issue with a
real time frame. Mr. Williams was invited to come back and
update the Board as he feels appropriate. (See Reference #5.)
Common Criteria Update
Dr. Stu Katzke, Chief, NIST Computer Security Division,
updated the Board on the Common Criteria (CC) effort. He
discussed the Common Criteria for Information Technology
Security Evaluation workshop on May 11-12 in Ottawa, Canada.
Approximately 40 people from Europe, Canada, the U.S., and
Japan participated in the workshop. The workshop served to
allow the CC Editorial Board to:
- provide general information on the comments received and
the planned changes to the document based on these
comments; and
- receive added clarifications on the reviewers' comments on
the document so they can update the document to reflect the
expert opinions.
The number of assurance levels and where they are were
discussed; however, that issue is not as high on the list as
the six key global issues below:
1. Document Organization - understandability and usefulness;
2. Extensibility of Requirements - support of ITSEC is
unclear;
3. Extensibility of CC - how to maintain the CC;
4. Protection Profile - relationship unclear;
5. Protection Profile - selection of requirements; and
6. Dependencies and Binding - completeness/correctness.
Dr. Katzke said that the NCSC plans to perform evaluation
trials by January of 1996. (See Reference #6.) Mr. Charlie
Baggett volunteered to brief the Board in September on trial
evaluations. (ACTION - SECRETARY AND MR. BAGGETT.)
The discussion then turned to the Board's March resolution
(95-2) which recommended to NIST and NSA that a statement be
made regarding the equivalence of C2-level evaluated products.
Mr. Lou Giles of NSA briefed the Board on NIST and NSA's
response to that recommendation. In July, NIST and NSA will
publicly clarify the relationship between TCSEC C2, ITS EC E2,
and CTCPEC T1 levels to encourage federal programs with
requirements for evaluated low assurance level products to use
trusted products evaluated at these levels. NIST and NSA
will publish a Bulletin in July 1995, which will describe a
structure for the selection and acceptability of these
products. The Bulletin will include an appendix listing the
products evaluated and in evaluation under each criteria.
(See Reference #7.)
Mr. Giles used the phrase "selection preferences for C2
requirements." Some Board members said that the word
preference takes away from equivalency and they are concerned
that the list of requirements is a preference list rather than
a menu. Selection preferences for C2 requirement are
as follows:
- C2 products on U.S. EPL;
- Products under U.S. TCSEC Evaluation (C2);
- FPC2/T1 products on Canadian EPL or
FC2/E2 products on European EPL; and
- Products under CTCPEC (FPC2/T1) or ITSEC (FC2/E2)
Evaluation.
Some Board members are concerned that the list suggests that
U.S. products be used first, thereby implying that they are
better than other products. In discussion, most Board members
recommended they order the products in rank of completed vs
non-completed.
Mr. Giles updated TTAP accomplishments. To date the work
group has performed the following:
- Drafted an SOW for TTAP Developmental Commercial Evaluation
(Feb. 95);
- Annotated outline for document on what it takes to be
accredited under NVLAP (Mar. 95);
- Drafted first suggested evaluator actions for TCSEC Class
C2 provided to NVLAP for review (Apr. 95);
- Drafted second suggested evaluator actions for TCSEC Class
C2 (May 95); and
- Drafted first Technical Review Board expectations of a team
(May 95).
Future activities for TTAP include:
- Contract for TTAP Developmental Commercial Evaluation
(Jun/Jul 95);
- Start TTAP Developmental Commercial Evaluation (Aug. 95);
- Conduct lessons learned from contracted effort (May 96);
and
- Expect NVLAP to accredit several Labs (NLT Aug. 96). (See
Reference #8.)
Privacy Update [Statement by Mr. Robert Gellman omitted]
Discussion
During discussion time, Board members voted on and unanimously
approved the minutes of the March, 1995 meeting.
The Board engaged in a lengthy discussion concerning PDD-29
and the intent of the charter of the SPB. Board members
debated the idea of a single policy focal point. They also
debated the phrase in PDD-29 "National Security." One Board
member reminded the Board of a Government Computer News
article that PDD-29 appears to be clouded as to whether the
PDD intended to include sensitive unclassified information in
addition to national security (i.e., classified/Warner
Amendment) information. A motion was moved and seconded
directing the chairman to draft a letter to the Co-Chairs of
the SPB and the SPF, articulating the need for clarification
of PDD-29 and the SPB charter. (ACTION-CHAIRMAN AND
SECRETARY.)
PKI Steering Committee Activities
Mr. Robert Rosenthal, Manager, NIST Protocol Security Group,
briefed the Board on the activities of the Public Key
Infrastructure (PKI) Steering Committee. Three working groups
reside under the Committee: technical (chaired by IRS),
business and legal (chaired by Treasury), and users (chaired
by the SI-PMO). The Steering Committee continues to liaise
with the Canadian and Swedish governments, the Internet
community, the American Bankers and American Bar Associations
and the U. S. Council for International Business. The
Steering Committee is exploring the establishment of a
Cooperative Research and Development Agreement (CRDA) with
industry organizations to:
- Research and Develop a PKI Interoperability Test Plan and
a NIST PKI Test Facility;
- Publish test procedures and lessons learned; and
- Develop and Demonstrate Interoperable Certificate Services
on a wide variety of Internetworked Communications
Facilities.
Mr. Rosenthal said there are workshops and special projects
slated for the future to include a tri-sponsored PKI
Invitational Workshop Series by NIST, the Security
Infrastructure Program Management Office and MITRE. Also
planned, are some interdivision projects such as: PKI, time
and attendance, travel, procurement, and others that will be
available on the "NISTNET." NISTNET is a campus-wide local
area network for NIST. (See Reference #9.)
DISA/ARPA/NSA Memorandum Of Understanding Briefing
Mr. John Davis, Director, NSA's National Computer Security
Center, briefed the Board on the Memorandum Of Understanding
(MOU) between the Defense Information Systems Agency (DISA),
the Advanced Research Projects Agency (ARPA), and the National
Security Agency (NSA). He said that ARPA and NSA are the
major INFOSEC research programs in government and the major
user of INFOSEC is DISA. The Information Systems Security
Research Joint Technology Office was established by a
Memorandum Of Agreement (MOA) in March of 1995 and signed by
the Directors of ARPA/DISA/NSA to coordinate security research
efforts with a heavy reliance upon commercial technology. The
following nine items were called out in the agreement: 1)
Strategic Planning, 2) Review and Coordinate, 3) Evaluate
Proposals, 4) Metrics, 5) Prototypes, 6) COTS, 7) Standards,
8) Crypto and 9) Public. Mr. Davis said this is work in
progress and they are looking for useful results. Vendors
will show their products at the NIST/NCSC National Information
Systems Security Conference (NISSC) in Baltimore in
October. Mr. Davis stated that the intent is not to focus
only on DoD. A Defense solution would be costly, therefore,
commercial products with built in security are needed. (See
Reference #10.)
Public Comment [Omitted]