[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NSA/ARPA/DISA joint research office Memo of Agreement



[I found this at the ARPA web site while looking up the programs there
that are trying to deploy crypto in the Internet.  You can read it as
plain text, the HTML crud peters out after the first page.  If you
look at it on the web, they have reproduced the signatures from the
signature page in a GIF file.  -- John]

<BASE HREF="http://www.ito.darpa.mil/ResearchAreas/Information_Survivability/MOA.html">

<HTML>
<HEAD>
<TITLE>MOA - Information Systems Security Research Joint Technology
Office</TITLE>
</HEAD>
<BODY>
 


<CENTER>
<H3>Memorandum of Agreement<BR>
Between<BR>
The Advanced Research Projects Agency,<BR>
The Defense Information Systems Agency, and<BR>
The National Security Agency<BR>Concerning<BR>
The Information Systems Security Reseach Joint Technology Office</H3>
</CENTER>

<H3>Purpose</H3>

The Advanced Research Projects Agency (ARPA), the Defense Information
Systems Agency (DISA), and the National Security Agency (NSA) agree to
the establishment of the Information  System Security Research Joint
Technology Office (ISSR-JTO) as a joint activity.  The ISSR-JTO is
being established to coordinate the information systems security
research programs of ARPA and NSA.  The ISSR-JTO will work to optimize
use of the limited research funds available, and strengthen the
responsiveness of the programs to DISA, expediting delivery of
technologies that meet DISA's requirements to safeguard the
confidentiality, integrity, authenticity, and availability of data in
Department of Defense information systems, provide a robust first line
of defense for defensive information warfare, and permit electronic
commerce between the Department of Defense and its contractors.

<H3>Background</H3>

In recent years, exponential growth in government and private sector
use of networked systems to  produce and communicate information has
given rise to a shared interest by NSA and ARPA  in focusing
government R&D on information systems security  technologies.  NSA and
its primary network security customer, DISA, have become increasingly
reliant upon commercial information technologies and services to build
the Defense Information Infrastructure, and the inherent security of
these technologies and services has become a vital concern.  From
ARPA'S perspective, it has become increasingly apparent that security
is critical to the success of key ARPA information technology
initiatives.  ARPA's role in fostering the development of advanced
information technologies now requires close attention to the security
of these technologies.<P>

NSA's security technology plan envisions maximum use of commercial
technology for sensitive but unclassified applications, and, to the
extent possible, for classified applications as well.  A key element
of this plan is the transfer of highly reliable government-developed
technology and techniques to industry for integration into commercial
off-the-shelf products, making quality-tested security components
available not only to DoD but to the full spectrum of government and
private sector users as well.  ARPA is working with its contractor
community to fully integrate security into next generation computing
technologies being developed in all its programs, and working with the
the research community to develop strategic relationships with
industry so that industry will develop modular security technologies
with the capability of exchanging appropriate elements to meet various
levels of  required security.<P>

NSA and ARPA now share a strong  interest in promoting the development
and integration of security technology for advanced information
systems applications.  The challenge at hand is to guide the efforts
of the two agencies in a way that optimizes use of the limited
research funds available and maximizes support to DISA in building the
Defense Information Infrastructure.<P>

NSA acts as the U.S. Government's focal point for cryptography,
telecommunications security, and information systems security for
national security systems.  It conducts, approves, or endorses
research and development of techniques and equipment to secure
national security systems.  NSA reviews and approves all standards,
techniques, systems, and equipment related to the security of national
security systems.  NSA's primary focus is to provide information
systems security products, services, and standards in the near term to
help its customers protect classified and national security-related
sensitive but unclassified information.  It develops and assesses new
security technology in the areas of cryptography, technical security,
and authentication technology; endorses cryptographic systems
protecting national security information; develops infrastructure
support technologies; evaluates and rates trusted computer and network
products; and provides information security standards for DoD.  Much
of the work in these areas is conducted in a classified environment,
and the balancing of national security and law enforcement equities
has been a significant constraint.<P>

ARPA's mission is to perform research and development that helps the 
Department of Defense to maintain U.S. technological superiority over
potential adversaries.  At the core of the ARPA mission is the goal to
develop and demonstrate revolutionary technologies that will
fundamentally enhance the capability of the military.  ARPA's role in
fostering the development of advanced computing and communications
technologies for use by the DoD requires that long term solutions to
increasing the security of these systems be developed.  ARPA is
interested in commercial or dual-use technology, and usually
technology that provides revolutionary rather than evolutionary
enhancements to capabilities. ARPA is working with industry and
academia to develop technologies that will enable industry to provide
system design methodologies and secure computer, operating system, and
networking technologies.  NSA and ARPA research interests have been
converging in these areas, particularly with regard to protocol
development involving key, token, and certificate exchanges and
processes.<P>

One of the key differences between ARPA's work and NSA's is that
ARPA's is performed in unclassified environments, often in university
settings.  This enables ARPA to access talent and pursue research
strategies normally closed to NSA due to security considerations.
Another difference is that while NSA's research is generally built
around developing and using specific cryptographic algorithms, ARPA's
approach is to pursue solutions that are independent of algorithm used
and allow for modularly replaceable cryptography.  ARPA will, to the
greatest extent possible, allow its contractor community to use
cryptography developed at NSA, and needs solutions from NSA on an
expedited basis so as not to hold up its research program.<P>

DISA functions as the Department of Defense's information utility.
Its requirements for information systems security extend beyond
confidentiality to include protection of data from tampering or
destruction and assurance that data exchanges are originated and
received by valid participants.  DISA is the first line of defense for
information warfare, and needs quality technology for detecting and
responding to network penetrations.  The growing vulnerability of the
Defense information Infrastructure to unauthorized access and use,
demonstrated in the penetration of hundreds of DoD computer systems
during 1994, makes delivery of enabling security technologies to DISA
a matter of urgency.

<H3>The Information Systems Security Research Joint Technology
Office</H3>

This MOA authorizes the ISSR-JTO as a joint undertaking of ARPA, DISA,
and NSA.  It will perform those functions jointly agreed to by these
agencies.  Each agency shall delegate to the ISSO-JTO such authority
and responsibility as is necessary to carry out its agreed functions.
Participation in the joint program does not relieve ARPA, DISA, or NSA
of their respective individual charter responsibilities, or diminish
their respective authorities.<P>

A Joint Management Plan will be developed to provide a detailed
definition of the focus, objectives, operation, and costs of the Joint
Technology Office.  The ISSR-JTO will be jointly staffed by ARPA,
DISA, and NSA, with respective staffing levels to be agreed upon by
the three parties.  Employees assigned to the JTO will remain on the
billets of their respective agency.  Personnel support for employees
assigned to the JTO will be provided by their home organization.  The
ISSR-JTO will be housed within both ARPA and NSA, except as agreed
otherwise by the three parties.  To the greatest extent possible, it
will function as a virtual office, using electronic connectivity to
minimize the need for constant physical co-location.  Physical
security support will be provided by the party responsible for the
specific facilities occupied.  Assignment of the ISSR-JTO Director,
Deputy Director, and management of other office elements will be made
by mutual agreement among the Directors of ARPA, DISA, and NSA upon
recommendation of their staffs.<P>

<H3>Functions</H3>

By mutual agreement of ARPA, DISA, and NSA, the ISSR-JTO will perform
the following joint functions:
<OL>
<LI>Review and coordinate all Information System Security Research
programs at ARPA and NSA to ensure that there is no unnecessary
duplication, that the programs are technically sound, that they are
focused on customer requirements where available, and that long term
research is aimed at revolutionary increases in DoD security
capabilities.

<LI>Support ARPA and NSA in evaluating proposals and managing projects
arising from their information systems security efforts, and maintain
a channel for the exchange of technical expertise to support their
information systems security research programs.

<LI>Provide long range strategic planning for information systems
security research.  Provide concepts of future architectures which
include security as an integral component and a road map for the
products that need to be developed to fit the architectures, taking
into account anticipated DoD information systems security research
needs for command and control, intelligence, support functions, and
electronic commerce.  The long range security program will explore
technologies which extend security research boundaries.

<LI>Develop measures of the effectiveness of the information systems
security research programs in reducing vulnerabilities.

<LI>Work with DISA, other defense organizations, academic, and
industrial organizations to take new information systems security
research concepts and apply them to selected prototype systems and
testbed projects.

<LI>Encourage the U.S. industrial base to develop commercial products
with built-in security to be used in DoD systems.  Develop alliances
with industry to raise the level of security in all U.S. systems.
Bring together private sector leaders in information systems security
research to advise the JTO and build consensus for the resulting
programs.

<LI>Identify areas for which standards need to be developed for
information systems security.

<LI>Facilitate the availability and use of NSA certified cryptography
within information systems security research programs.

<LI>Proactively provide a coherent, integrated joint vision of the
program in internal and public communications.
</OL>
<H3>Program Oversight and Revisions</H3>

The Director, ISSR-JTO, has a joint reporting responsibility to the
Directors of ARPA, DISA, and NSA.  The Director, ISSR-JTO, will
conduct a formal Program Status Review for the Directors of ARPA,
DISA, and NSA on an annual basis, and will submit mid-year progress
reports between formal reviews.  Specific reporting procedures and
practices of the JTO to ARPA, DISA, and NSA will be detailed in the
Joint Technology Management Plan.  This MOA will be reviewed at least
annually, and may be revised at any time, based on the mutual consent
of ARPA, DISA, and NSA, to assure the effective execution of the joint
initiative.  Any of the parties may withdraw from participation in the
MOA upon six months written notice.  The MOA is effective 2 April,
1995.<P>


<IMG
SRC="http://www.ito.darpa.mil/ResearchAreas/Information_Survivability/sigs4.gif"
ALT="Signatures of Dr. Gary L. Denman, Director ARPA; LtGen Albert J.
Edmonds, Director, DISA; VADM John M. McConnell, Director, NSA; Dr.
Anita K. Jones, Director, DDR&E; Emmett Paige, Jr., Assistant
Secretary of Defense for Command, Control, Communications and Intelligence"><P>

<P>

<address>
<HR>
<A
HREF="http://www.ito.darpa.mil/ResearchAreas/Information_Survivability.html">Return
to Information Survivability Page</A> <BR>
Direct comments concerning this WWW site to: <A
HREF="mailto:[email protected]">[email protected]</A></address>
</BODY>
</HTML>