1995 ANNUAL REPORT OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD (CSSPAB)

MARCH 1996

TABLE OF CONTENTS

Executive Summary
I. Introduction
   Board's Establishment and Mission
   Board Charter
   Membership
II. Major Issues Discussed
   Government-wide Electronic Mail Services
   Adoption of the Common Criteria
   Activities of the Security Policy Board
   Cryptography-related NIST Sponsored Meetings
III. Advisory Board Correspondence
   Exhibits
IV. Conclusions

LIST OF APPENDICES

A - 1995 Board Resolutions
B - Computer Security Act of 1987
C - Charter
D - March Agenda and Minutes
E - June Agenda and Minutes
F - September Agenda and Minutes
G - Federal Register Notice

Executive Summary

This Annual Report documents activities of the Computer System Security and Privacy Advisory Board (CSSPAB) during 1995, its seventh year. The Board, which met three times during the year, was established by Congress through the Computer Security Act of 1987 to identify emerging computer security and privacy issues. Dr. Willis Ware, of RAND, has served as Chairman of the Board since July 1989.

The Board continued to review cryptography-related issues. It heard briefings on escrowing release procedures, escrow program procedures, U.S. export procedures, international cryptography proposals, international corporate key escrow, alternative key escrow approaches, and software-based key escrow encryption.
The General Services Administration briefed the Board twice in 1995 with regard to its Security Infrastructure Program Management Office (SI-PMO). The SI-PMO's goals were to work with individual agencies, design pilots, coordinate implementations across agencies, promote the use of an information security infrastructure within government, and make recommendations to resolve conflicts in the implementation and funding of this information security infrastructure. There was discussion of the near-term goals, including establishing a formal liaison between the SI-PMO and the Canadian Government.

During the year, some of the other major areas of discussion were:

1) government electronic mail services being provided by the General Services Administration Electronic Messaging Program Management Office (E-Mail PMO). The PMO's vision is to produce "business quality" e-mail, intermediate e-mail, and basic e-mail;
2) the state of the Common Criteria (CC), assurance approaches and issues, and whether there might be a need to simplify the CC;
3) the Security Policy Board (SPB) activities. Members of the CSSPAB expressed their concern with regard to the SPB's [setting policy for unclassified sensitive information in addition to classified information] in light of the national security scope of Presidential Decision Directive 29; and
4) the need for additional cryptography-related meetings to correct misunderstandings and ensure the broadest acceptability of a proposal for exportability of 64-bit key escrow encryption.

Because of the importance of the four areas above, the Board passed the following resolutions:

1. Resolution 95-1, which discusses the proliferation of e-mail systems in government and the lack of security and privacy policy and supporting strategy.
2. Resolution 95-2, which discusses the complexity of developing a Common Criteria and the time it has taken, and is expected to take, for adoption and subsequent evaluations to begin.
3. Resolution 95-3, which discusses concerns about the Security Policy Board proposal to "...have authority over all classified and unclassified but sensitive systems."
4. Resolution 95-4, which discusses actions taken by the government to focus its attention on the long-standing issues related to export control of cryptography.

I. Introduction

Board's Establishment and Mission

The passage of the Computer Security Act of 1987 (P.L. 100-235, signed into law on January 8, 1988) established the Computer System Security and Privacy Advisory Board. The Board was created by Congress as a federal public advisory committee in order to identify emerging managerial, technical, administrative, and physical safeguard issues relative to computer systems security and privacy. Appendix A includes the text of the Computer Security Act of 1987, which includes specific provisions regarding the Board. The Act stipulates that the Board:

- advise the National Institute of Standards and Technology (NIST) and the Secretary of Commerce on security and privacy issues pertaining to federal computer systems; and
- report its findings to the Secretary of Commerce, the Director of the Office of Management and Budget (OMB), the Director of the National Security Agency (NSA), and appropriate committees of Congress.

Board Charter

The Board was first chartered on May 31, 1988 and was rechartered for a third time on March 24, 1994 by U.S. Department of Commerce Assistant Secretary for Administration, Thomas Bloom. (See Appendix B for the text of the current charter.) Consistent with the Computer Security Act of 1987, the Board's scope of authority extends only to those issues affecting the security and privacy of unclassified information in federal computer systems or those operated by contractors or state or local governments on behalf of the federal government.
The Board's authority does not extend to private sector systems (except those operated to process information for the federal government), systems which process classified information, or Department of Defense unclassified systems related to military or intelligence missions as covered by the Warner Amendment (10 U.S.C. 2315).

Membership

The Board is composed of twelve computer security experts in addition to the Chairperson. The twelve members are, by statute, drawn from three separate communities:

- four members from outside the Federal Government who are eminent in the computer or telecommunications industry, at least one of whom is representative of small or medium sized companies in such industries;
- four members from outside the Federal Government who are eminent in the fields of computer or telecommunications technology, or related disciplines, but who are not employed by or representative of a producer of computer or telecommunications equipment; and
- four members from the Federal Government who have computer systems management experience, including experience in computer systems security and privacy, at least one of whom shall be from the National Security Agency.

Currently, Dr. Willis H. Ware, a senior researcher of the Corporate Research Staff of RAND, serves as Chairman of the Board. He was appointed in July 1989. As of December 1995, membership of the Board consisted of the following:

- Chairman
  Willis H. Ware, RAND
- Federal Members
  Charlie C. Baggett, Jr., Department of Defense, National Security Agency
  Joseph Leo, Department of Agriculture, Food and Consumer Service
  Gloria Parker, Department of Education
- Non-Federal, Non-Vendor
  Genevieve M. Burns
  Sandra Lambert, Citibank
  Randolph Sanovic, Mobil Corporation
  Rick Weingarten, Computing Research Association
- Non-Federal, Vendor
  Addison Fischer, Fischer International Systems Corp.
  George Spix, Advanced Consumer Technology, Microsoft Corp.
  Linda Vetter, Walker Interactive Systems
  Bill Whitehurst, International Business Machines Corp.

In June, Mr. Henry Philcox, Department of the Treasury, Internal Revenue Service, resigned from the federal government and consequently the Board, leaving a vacancy in the federal member category. That vacancy was filled by Ms. Gloria Parker, Director, Information Resources Group of the Office of Management at the Department of Education. In September, the terms of Messrs. Cris Castro, Don Gangemi, and Steve Walker expired, leaving three vacancies in the Non-Federal, Non-Vendor and Non-Federal, Vendor memberships. Those vacancies were filled by Mr. George Spix, Advanced Consumer Technology; Mr. Rick Weingarten, Computing Research Association; and Mr. Addison Fischer, Fischer International Systems Corp. In December, Mr. Stephen Trodden, Department of Veterans Affairs, resigned from the federal government, leaving a vacancy in the federal member category. That vacancy remains open.

NIST's Associate Director for Computer Security, Mr. Lynn McNulty, served as the Board's Executive Secretary and the Designated Federal Official (DFO) under the Federal Advisory Committee Act from the Board's inception. Mr. McNulty retired from the federal government in April. Mr. Ed Roback was then assigned as the DFO and Executive Secretary. The DFO is responsible for ensuring that the Board operates in accordance with applicable statutes and agency regulations. Additionally, the DFO must approve each meeting and its agenda. Through the Secretariat, NIST provides financial and logistical support to the Board as stipulated by the Computer Security Act of 1987.

II. Major Issues Discussed

The following section summarizes some of the major issues discussed by the Board in 1995. Additionally, the Board accomplishes much informal, non-decisional, background discussion and preparation for meetings by electronic mail between meetings.
The Board's activities complement those of the individual Board members. Note that all 1995 Board resolutions are presented as Appendix A, and the minutes and agendas from the March, June, and September meetings are included as Appendices D through F respectively. The required Federal Register announcement notices for the meetings are presented in Appendix G.

The work of the Board during 1995 was devoted to various topics related to the security of federal unclassified automated information systems. Among the most important were:

- Government-wide Electronic Mail Services;
- Adoption of the Common Criteria;
- Activities of the Security Policy Board; and
- Cryptography-related NIST Sponsored Meetings.

Government-wide Electronic Mail Services

Mr. Jack Finley, Director, Electronic Messaging Program Management Office (E-Mail PMO) at the General Services Administration, briefed the Board on the status of security in E-Mail. He said that the government-wide e-mail vision is to produce "business quality" e-mail, intermediate e-mail, and basic e-mail. He defined "business quality" e-mail as having a level of security sufficient to conduct financial and regulatory business in the unclassified arena. The Board was concerned that security was not being adequately addressed in the PMO effort and suggested that Mr. Finley add security and privacy requirements as a separate focus area and that it be number one on the list. The Board passed Resolution 95-1 recommending that the Office of Management and Budget examine all of the e-mail security and privacy issues and develop an overarching security and privacy policy.

Adoption of the Common Criteria

The Board discussed the state of the Common Criteria (CC) and assurance approaches and issues. The Board is concerned as to when the CC will be widely accepted and used, or whether to adopt the ITSEC and then migrate to the CC. They also questioned whether there might be a need to simplify the CC.
After a lengthy discussion regarding these concerns, the Board passed Resolution 95-2 recommending that federal programs with requirements for evaluated low assurance level systems should be encouraged to use trusted systems evaluated at the U.S. TCSEC C2, European ITSEC E2, or Canadian CTCPEC T3 level. They also suggested that NIST and NSA clarify the equivalence of C2, E2, and T3.

Activities of the Security Policy Board

The Board heard from Mr. Peter Saderholm, Director, Security Policy Board (SPB) Staff, on the proposed activities of the SPB, which was created based on a recommendation of the Joint Security Commission report of February 28, 1994. Presidential Decision Directive (PDD) 29 was signed by the President and articulates the roles and responsibilities of the SPB. Board members were provided a "fact sheet" on PDD 29. The Board expressed its concern with the SPB's activities with regard to [setting policy for unclassified sensitive information in addition to classified information] in light of the national security scope of PDD 29. The Board expressed its concerns in a letter to Mr. John M. Deutch, Deputy Secretary of Defense, along with Resolution 95-3.

The Computer Security Act of 1987 divides the responsibility between NIST and NSA, particularly charging NIST with producing standards and guidance for unclassified, non-intelligence related systems. Through Resolution 95-3, the Board expressed its concern about the SPB proposal to "...have authority over all classified and unclassified but sensitive systems." The Board recommended that the SPB not continue with its plans to control unclassified sensitive systems until broader input on the issues is gathered.
Cryptography-related NIST Sponsored Meetings

After hearing presentations and having discussions about the cryptography-related meetings sponsored by NIST in September, including summaries from two of the Board's members, the Board drafted and passed Resolution 95-4 asking for additional interactions between the government and the private sector. The Board feels that additional meetings would correct misunderstandings and ensure the broadest acceptability of an August proposal for exportability of 64-bit key escrow encryption. The Board said that further discussion is necessary to clarify the proposed export criteria.

III. Advisory Board Correspondence

During 1995, the Board issued five letters to:

1) The Honorable Ronald Brown, Secretary of Commerce, with regard to the insufficient attention paid to security and personal privacy in the plan for government-wide electronic mail services;
2) The Honorable Ronald Brown, Secretary of Commerce, with regard to the progress of the Trusted Computer System Evaluation Criteria document;
3) The Honorable John M. Deutch, Deputy Secretary of Defense, with regard to more extensive and deeper consideration by the Security Policy Board of combining the security responsibility for both the defense and the non-defense environments;
4) The Honorable John M. Deutch, Director of Central Intelligence Agency, with regard to the clarification of Presidential Decision Directive 29; and
5) Dr. Michael Nelson, Co-Chair, Interagency Working Group on Encryption and Telecommunications, with regard to the negative and confused responses to NIST cryptography-related announcements.

Exhibits

The Board's correspondence and replies (when received) are included in the following exhibits:

Exhibit I: Letter dated May 5, 1995, from Chairman Ware to The Honorable Ronald Brown, Secretary of Commerce.
Exhibit II: Answer from Alan P. Balutis, Director for Budget, Planning and Organization, Department of Commerce.
Exhibit III: Letter dated May 5, 1995, from Chairman Ware to The Honorable Ronald Brown, Secretary of Commerce.
Exhibit IV: Answer from Dr. Stuart Katzke, Chief, Computer Security Division, NIST.
Exhibit V: Letter dated May 5, 1995, from Chairman Ware to The Honorable John M. Deutch, Deputy Secretary of Defense.
Exhibit VI: Answer from Keith R. Hall, Central Intelligence Agency.
Exhibit VII: Letter dated June 14, 1995, from Chairman Ware to The Honorable John M. Deutch, Director of Central Intelligence Agency.
Exhibit VIII: Letter dated October 4, 1995, to Dr. Michael Nelson, Co-Chair, Interagency Working Group on Encryption and Telecommunications.
Exhibit IX: Answer from Dr. Michael Nelson, Co-Chair, Interagency Working Group on Encryption and Telecommunications.

Exhibit I

The National Computer System Security and Privacy Advisory Board
Established by the Computer Security Act of 1987

May 5, 1995

The Honorable Ronald Brown
U.S. Department of Commerce
Washington, DC 20230

Dear Mr. Secretary:

The Computer System Security and Privacy Advisory Board (CSSPAB) is directed under the Computer Security Act of 1987 to identify emerging public policy issues related to information, computers and communications technology; and to bring them to the attention of national decision makers for consideration.

The CSSPAB has been briefed three times on the plan for government-wide electronic mail service. It remains our conviction that insufficient attention has yet been paid to the major concerns of system security and personal privacy. To this end, enclosed you will find a copy of resolution 95-1 adopted at our March meeting. The intent of this action is to bring a focus to the twin issues of security and privacy. Our proposal that OMB become involved rests [1] on our belief that the diverse needs of the many federal agencies have not been reflected in the work to date, and [2] that OMB is properly the source of the policy guidance that must be put into place.
It is the intent of the CSSPAB to remain in touch with the problem.

Sincerely,

/s/ Willis H. Ware, Ph.D.
Chairman

Enclosure

CC: Dr. Arati Prabhakar

Identical letters sent to:
Honorable Alice Rivlin, OMB
Mr. Roger W. Johnson, GSA

Executive Secretariat: Computer Systems Laboratory, National Institute of Standards and Technology, Technology Building, Room B154, Gaithersburg, MD 20899, Telephone (301) 975-3240

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION 95-1
March 23-24, 1995

The Board recognizes the proliferation of e-mail systems in government; however, there appears to be a lack of security and privacy policy and supporting strategy. Action must be taken to correct this deficiency. The Board recommends that the Office of Management and Budget examine all of the e-mail security and privacy issues, and develop an overarching security and privacy policy which satisfies the diverse requirements of government.

FOR: Baggett, Castro, Gangemi, Lambert, Philcox, Sanovic, Trodden, Vetter, Walker, and Whitehurst
AGAINST: None
ABSTAIN: None
UNAVAILABLE FOR VOTE: Burns

Exhibit II

June 6, 1995

Dr. Willis H. Ware, Ph.D.
Chairman, National Computer System Security and Privacy Advisory Board

Dear Dr. Ware:

On behalf of the Secretary of Commerce, thank you for sharing the concerns of the Computer System Security and Privacy Advisory Board for government-wide electronic mail security and privacy. I share your concerns and agree that appropriate action satisfying the diverse needs of government agencies is required. A General Services Administration (GSA) program office manages electronic mail service activities government-wide. System security and privacy issues are an important part of the responsibilities of that office. My staff concerned with information technology security will pursue the resolution of these issues with GSA.
I agree that the Office of Management and Budget (OMB) should issue any policy necessary to ensure adequate security and privacy for government electronic mail services. Such action is consistent with OMB's current emphasis on security and privacy for the National Information Infrastructure. I appreciate the Board's continued dedication to the identification of emerging computer security issues and look forward to hearing from you in the future.

Sincerely,

/s/ Alan P. Balutis
Director for Budget, Planning and Organization

Exhibit III

The National Computer System Security and Privacy Advisory Board
Established by the Computer Security Act of 1987

May 5, 1995

The Honorable Ronald Brown
U.S. Department of Commerce
Washington, DC 20230

Dear Mr. Secretary:

The Computer System Security and Privacy Advisory Board (CSSPAB) is directed under the Computer Security Act of 1987 to identify emerging public policy issues related to information, computers and communications technology; and to bring them to the attention of national decision makers for consideration.

Ever since the thought first surfaced in approximately 1989 that a follow-on document to the famed Trusted Computer System Evaluation Criteria (TCSEC, also known as the "Orange Book") must be developed to reflect the information security needs of non-defense government, the CSSPAB has been briefed intermittently by NIST on progress. Initially the effort was called the Minimum Federal Security Requirements; then it became the New Federal Criteria; then it became the Common Criteria. At each stage, no completed document ever emerged until the present prospect of a final draft of the Common Criteria in early 1996. Overall, six or more years will have elapsed without progress of any kind in the United States toward adapting TCSEC concepts to non-defense government.
Whatever emerges in 1996 will probably require a minimum of two years for industry to respond; hence, the government cannot expect products evaluated against the Common Criteria until about 1998. Meanwhile, important new government information systems are being designed and older ones, upgraded. We believe that something can be done promptly for systems which do not require extremely high operational security protection. It is the intent of our resolution 95-2 (copy enclosed) to [1] encourage rapid and continued progress on the Common Criteria, but [2] at the same time exploit what is now in hand and has already been accomplished. The so-called C-2 level of criteria, and the comparable European E-2 and the Canadian T3, can afford substantial security for many systems in federal agencies. Importantly, commercial products exist which have been evaluated against one or more of the criteria noted. No additional technical work needs to be done. Some policy directives and clarifying guidance are needed, but completing such administrative actions could be easily achieved.

Sincerely,

/s/ Willis H. Ware, Ph.D.
Chairman

Enclosure

CC: Dr. Arati Prabhakar

Identical letters were sent to:
Honorable Alice Rivlin, OMB
Vice Admiral J. Michael McConnell, NSA

cc: Mr. Edward Hart, NSA
Mr. John Davis, NSA

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION 95-2
March 23-24, 1995

The Board recognizes the complexity of developing the Common Criteria. However, the time that it has taken, and is expected to take, for adoption and subsequent evaluations to begin is impacting the availability of Low Assurance Level products and the cost to industry to provide those products. The Board strongly recommends the following actions take place:

1. Federal programs with requirements for evaluated low assurance level systems should be encouraged to use trusted systems evaluated at the U.S. TCSEC C2, European ITSEC E2, or Canadian CTCPEC T1 level.
2. NIST and NSA should:
   - publicly clarify the equivalence of C2, E2, and T1;
   - continue work on the Common Criteria with the intention to adopt it as soon as possible; and
   - continue work on other trusted system assurance methodologies such as Capability Maturity Models.

FOR: Baggett, Castro, Gangemi, Lambert, Philcox, Sanovic, Trodden, Walker, and Whitehurst
AGAINST: NONE
ABSTAIN: NONE
NOT AVAILABLE FOR VOTE: Burns

Exhibit IV

May 23, 1995

Dr. Willis Ware
Chairman
Computer System Security and Privacy Advisory Board
The Rand Corporation
1700 Main Street
Santa Monica, CA 90406-2138

Dear Dr. Ware:

On behalf of the Secretary of Commerce, I would like to thank you and the Board for forwarding your recent resolution regarding products evaluated under the U.S., Canadian, and European evaluation schemes. In conjunction with our colleagues at the National Security Agency, we are currently studying your suggestion. I expect to be able to address our reaction to your recommendation at the next Board meeting. I look forward to seeing you in June.

Sincerely,

/s/ Stuart Katzke
Chief, Computer Security Division
Computer Systems Laboratory

Exhibit V

The National Computer System Security and Privacy Advisory Board
Established by the Computer Security Act of 1987

May 5, 1995

The Honorable John M. Deutch
Deputy Secretary of Defense
1010 Defense Pentagon
Washington, DC 20310-1010

Dear Mr. Deputy Secretary:

The Computer System Security and Privacy Advisory Board (CSSPAB) is directed under the Computer Security Act of 1987 to identify emerging public policy issues related to information, computers and communications technology; and to bring them to the attention of national decision makers for consideration.
Enclosed for your information is a copy of resolution 95-3 adopted by the CSSPAB at its meeting of March 23, 1995. Our position stems from several points which we believe collectively make it essential to have much more extensive and deeper consideration of the thought expressed by the Security Policy Board in its document of November 1994, namely, to combine in one organization the security responsibility for both the defense and the non-defense environments.

First, we do understand that the issue of information security is government-wide, and that the broad expertise of the NSA must be applied to reaching cost-effective and cost-acceptable solutions. But we are uneasy about making the viewpoint inherent in defense interests become the dominating guidance for the rest of government, for several reasons.

1. As provided in the Computer Security Act, the responsibility is presently divided between the NSA and the NIST. In particular, NIST is charged with producing standards and guidance for non-defense government.
2. The defense view of the threat against its information assets is properly predicated on decades of experience in dealing with foreign and unfriendly opponents. The threat that the information assets of non-defense face is not the same, and to meet the defense threat model across government would imply unnecessary cost and operational burdens.
3. The defense threat is relatively static, changing only slowly as the interests and motivations of foreign opponents change. In contrast, the non-defense threat can be very dynamic, changing rapidly as penetrators and/or insiders achieve success.
4. The personnel issue is quite different in defense than in non-defense government. Many defense personnel have been cleared, which process establishes confidence in their trustworthiness. Other defense personnel come under military discipline and law. In non-defense government, neither is in general true.
   This affects important dimensions of the threat and of operational procedures.
5. The paradigm in defense for dealing with information security is not applicable to non-defense government. Within defense, cost has historically not been an issue; whatever was necessary to protect information, especially classified material, was done. In non-defense government, cost is significant and some level of risk can be accepted from operating less than fully secure information systems with people whose trustworthiness has not been formally investigated.
6. While the basic safeguards are likely to be generally the same for either situation (e.g., audit trails, logon authenticators, administrative procedures), the installed set to meet the threat is likely to be quite different for the two environments.

Thus, the CSSPAB feels that a proper resolution of handling information security within the federal government will not be achieved by the proposals in the SPB November 1993 report. To this end, the Board will continue its interaction with the Security Policy Board at its June meeting and for as long thereafter as needed.

Sincerely,

/s/ Willis H. Ware, Ph.D.
Chairman

Enclosure

CC: Emmett Paige
Keith Hall

Identical letters were sent to:
Mr. Richard L. Haver, CIA
Mr. George Tenet, National Security Agency

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION 95-3
March 23-24, 1995

The Board is concerned about the Security Policy Board (SPB) proposal of November 27, 1994, to "... have authority over all classified and unclassified but sensitive systems." Therefore, the Board recommends that the SPB not proceed with its plans to control unclassified but sensitive systems until broader input of issues is gathered.
To that end, the Board would like to have the opportunity to be fully involved in working on these issues.

FOR: Castro, Gangemi, Lambert, Philcox, Sanovic, Vetter, Walker and Whitehurst
AGAINST: Trodden
ABSTAIN: Baggett
NOT AVAILABLE FOR VOTE: Burns

Exhibit VI

Executive Director for Intelligence Community Affairs
Washington, D.C. 20505

15 June 1995

Dr. Willis H. Ware
Chairman
The National Computer System Security and Privacy Advisory Board
National Institute of Standards and Technology
Gaithersburg, Maryland 20899

Dear Dr. Ware:

I am responding to your letter of 5 May 1995 to Mr. Haver regarding the role of the Security Policy Board (SPB) in the area of information systems security. I appreciate the concerns of the National Computer System Security and Privacy Board, including its concern about "making the viewpoint inherent in defense interests become the dominating guidance for the rest of government..." I can assure you that is not the intention of the SPB.

The SPB has been concerned about the lack of attention being paid to areas of information systems security issues of common concern to both the Defense/Intelligence and civilian communities. At its April 1995 meeting, the SPB was concerned that current vulnerabilities in information systems could lead to a catastrophic failure, and that it was in the national interest to identify and begin to address critical areas affecting both communities. I am strongly in favor of steps which will bring the two communities together in a manner where the interests of both are fairly represented. If this can be achieved, the nation will be well served and relevant equities protected. Knowing your interest in this endeavor, I would only encourage you to support such an approach as we take on this important issue.

Sincerely,

/s/ Keith R. Hall

CC: Dr. Arati Prabhakar

Identical letters were sent to:
Honorable Alice Rivlin, OMB
Mr. Roger W. Johnson, GSA

Exhibit VII

The National Computer System Security and Privacy Advisory Board
Established by the Computer Security Act of 1987

June 14, 1995

The Honorable John Deutch
Director of Central Intelligence Agency
Co-Chair, Security Policy Board
Washington, DC 20505

Dear Chairman Deutch:

The Computer System Security and Privacy Advisory Board (CSSPAB) is a statutory group created by the Computer Security Act of 1987. Our mission includes identifying problems arising from the interplay of computer and communications technology with government agencies, plus latent privacy impacts of the same technologies. Our obligation is to bring such matters to the attention of proper government officials.

We have just concluded a two-day meeting at which we heard for the second time from the staff of the Security Policy Board (SPB). We are not taking a position, but we do believe that the scope of Presidential Decision Directive 29 (PDD-29) needs to be clarified. Specifically, it is unclear whether it extends to sensitive unclassified systems under the jurisdiction of the Computer Security Act of 1987. It has been suggested this issue is interfering with progress on computer security matters.

Our access to the document PDD-29 is limited to a "fact sheet," but the phrasing seemingly intends that the purview of the SPB be limited to the defense and intelligence communities. In particular, the phrase "national security" is used in the document, rather than some broader phrase such as "national interest." The membership of the SPB and Security Policy Forum reflects a focus upon classified-related activities. As we have listened to presentations from the SPB staff, it appears that the presently planned scope of its interests is broader than PDD-29 intended; namely, to address both classified and unclassified systems. This has led to some confusion among the participants in various meetings, and more importantly, to conflict among them.
Civil agencies see the seemingly expanded thrust of the SPB as an attempt by the defense and intelligence communities to capture the computer security mission for the country. This particular issue is not new, but has existed ever since the debate connected with passage of the Computer Security Act. It is no less an essential and critical issue today.

Because of the tensions, it is proving awkward for the SPB to move forward. It is also difficult for the CSSPAB to contribute useful comments. We urge that the scope of PDD-29 be clarified publicly and unambiguously; and implementation actions taken should be consistent with such clarification.

The CSSPAB is available to discuss this matter further with you or with someone of your designation.

Sincerely,
/s/ Willis H. Ware, Ph.D.
Chairman

cc: Keith Hall
Jeremy C. Clark
Peter Saderholm

bc: Vicki LaBarre

Identical letter sent to:
The Honorable Walter Slocum, Acting Deputy Secretary of Defense

Executive Secretariat: Computer Systems Laboratory, National Institute of Standards and Technology, Technology Building, Room B154, Gaithersburg, MD 20899, Telephone (301) 975-3240

Exhibit VIII

The National Computer System Security and Privacy Advisory Board
Established by the Computer Security Act of 1987

October 4, 1995

Mr. Michael Nelson
Co-Chair, Interagency Working Group on Encryption and Telecommunications
Office of Science and Technology Policy
Washington, DC 20500

Dear Dr. Nelson:

The Computer System Security and Privacy Advisory Board (CSSPAB) is directed under the Computer Security Act of 1987 to identify emerging public policy issues related to information, computers and communications technology; and to bring them to the attention of national decision makers for consideration.

At its recent meeting, the Board received presentations and other discussion about the September 6-7, 1995 cryptography-related meetings sponsored by NIST. This included summaries from two of our own members who attended.
The response to earlier NIST cryptography-related announcements that appeared in the Federal Register (e.g., the Escrowed Encryption Standard) proved to have been negative and confused; repeating such an event cannot be risked in regard to the present cryptography initiative announced on August 17. The Board is convinced that the two days of discussion did not begin to reach consensus or adequate understanding of the proposal, and it may have raised more questions than it resolved. We cannot be comfortable with the proposal to put a formal announcement in the Federal Register in the next month or so.

Because we are convinced that additional discussion is essential before proceeding to the public comment phase, the Board passed the attached resolution. In brief, it calls for additional meetings between the government and the private sector to resolve details not now mutually understood, and to work toward wider acceptance of the proposal by industry. Unless this is done, the Board feels that the government is taking an unnecessary risk that the present proposal will not get public and corporate acceptance and thus, introduce yet more delay and impediments to progress on resolution of the cryptographic export issue.

We would welcome your reaction to our resolution.

Sincerely,
/s/ Willis H. Ware
Chairman

Attachment

cc: Ray Kammer, Clinton Brooks, Geoff Grieveldinger, Edward Allen, Bruce McConnell, Martha Harris, Randolph Williams
Original letter also sent to Edward Appel

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION 95-4
September 13-14, 1995

The Board is encouraged by the recent actions that the government has taken to focus its attention on the long-standing issues related to export control of cryptography.
We believe additional interactions between the government and the private sector are necessary to correct misunderstandings and to ensure broadest acceptability of the August 17, 1995 proposal. Specifically we believe it is necessary to develop a strategy which includes significant private sector input to reach mutual consensus on the direction to be taken regarding this critical business issue. To that end, we believe additional joint government-private sector meetings are vital to success. The goal of these efforts should be to facilitate the adoption of policy to control the exportability for commercially-viable cryptography.

FOR: Baggett, Burns, Castro, Gangemi, Lambert, Leo, Parker, Sanovic, Trodden, Vetter, Walker, and Whitehurst
AGAINST: None
ABSTAIN: None
Motion Unanimously Approved

Exhibit IX

NATIONAL SECURITY COUNCIL
WASHINGTON, D.C. 20506

October 30, 1995

Dear Mr. Ware:

Thank you for providing the resolution of the Computer System Security and Privacy Advisory Board regarding the Administration's encryption initiative. Some possible misconceptions deserve a few words.

Besides the public meetings at NIST in September, we plan follow-up publication of criteria for exportable key-escrow software in the Federal Register for additional public comment and another public meeting. Since this past summer, we have had a series of meetings with industry, both companies individually and through groups representing interested segments, such as software manufacturers. We have responded to many calls, and the Interagency Working Group on encryption has spent many hours listening to the views of hundreds of parties. We have been able to clarify and simplify the draft criteria through this dialogue. We have heard the interests of the hardware encryption manufacturers, software encryption manufacturers, academics, government, user groups, privacy advocates and a host of other interested individuals and organizations.
We continue to process what we are learning, and to participate in many fora to gather additional input. Unfortunately, it is difficult to balance the interests and needs of the U.S. Government, public and industry. There is clearly a wide range of opinions: Some still oppose key escrow encryption, some wish no or few controls placed on encryption by the government and some are pressing to sell products which provide strong encryption, with private key escrow systems acceptable to the government.

We intend to proceed with all due haste to facilitate export of strong key escrow encryption (both software and hardware) that meets our standards; and to incorporate such encryption into a Federal Information Processing Standard. We will make every effort we can to perfect the criteria applied. However, as time passes and technology changes, we know that the criteria will be revisited. Thus, we should not slow the process any more in the vain hope of producing criteria acceptable to everyone.

Marketplace acceptance of key escrow encryption is a vital facet of our encryption policy initiative. We believe that key escrow encryption is the most responsible method currently available to balance the need for privacy with the need for government's court-authorized access to intercepts or seized records.

We invite your participation in the upcoming public meetings and comment period on this initiative. Please do not hesitate to continue our dialogue on this important topic in any way you see fit.

Sincerely,
/s/ Edward J. Appel
/s/ Michael Nelson
Co-Chairmen, Interagency Working Group on Encryption

IV. Conclusions

During 1995, the Computer System Security and Privacy Advisory Board held three meetings to look at important security issues involved with federal computer systems, and in particular, security in government-wide electronic mail services, adoption of the common criteria, and the activities of the Security Policy Board.
The Board also followed cryptographic-related NIST sponsored meetings. The Board expressed its concern with regard to the negative and confused responses to NIST cryptography announcements. Each of the above issues is reflected in resolutions in this document. The Board will continue to follow key escrow and other cryptographic developments in 1996 as well as new issues as necessary.

APPENDIX A
Resolutions 95-1 through 95-4

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION 95-1
March 23-24, 1995

The Board recognizes the proliferation of e-mail systems in government; however, there appears to be a lack of security and privacy policy and supporting strategy. Action must be taken to correct this deficiency. The Board recommends that the Office of Management and Budget examine all of the e-mail security and privacy issues, and develop an overarching security and privacy policy which satisfies the diverse requirements of government.

FOR: Baggett, Castro, Gangemi, Lambert, Philcox, Sanovic, Trodden, Vetter, Walker, and Whitehurst
AGAINST: None
ABSTAIN: None
UNAVAILABLE FOR VOTE: Burns

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION 95-2
MARCH 23-24, 1995

The Board recognizes the complexity of developing the Common Criteria. However, the time that it has taken, and is expected to take, for adoption and subsequent evaluations to begin is impacting the availability of Low Assurance Level products and the cost to industry to provide those products. The Board strongly recommends the following actions take place:

1. Federal programs with requirements for evaluated low assurance level systems should be encouraged to use trusted systems evaluated at U.S. TCSEC C2, European ITSEC E2, or Canadian CTCPEC T1 level.

2. NIST and NSA should:
- publicly clarify the equivalence of C2, E2, and T1;
- continue work on the Common Criteria with the intention to adopt it as soon as possible; and
- continue work on other trusted system assurance methodologies such as Capability Maturity Models.

FOR: Baggett, Castro, Gangemi, Lambert, Philcox, Sanovic, Trodden, Walker, and Whitehurst
AGAINST: NONE
ABSTAIN: NONE
NOT AVAILABLE FOR VOTE: Burns

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION 95-3
March 23-24, 1995

The Board is concerned about the Security Policy Board (SPB) proposal of November 27, 1994, to "...have authority over all classified and unclassified but sensitive systems." Therefore, the Board recommends that the SPB not proceed with its plans to control unclassified but sensitive systems until broader input of issues is gathered. To that end, the Board would like to have the opportunity to be fully involved in working on these issues.

FOR: Castro, Gangemi, Lambert, Philcox, Sanovic, Vetter, Walker and Whitehurst
AGAINST: Trodden
ABSTAIN: Baggett
NOT AVAILABLE FOR VOTE: Burns

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION 95-4
September 13-14, 1995

The Board is encouraged by the recent actions that the government has taken to focus its attention on the long-standing issues related to export control of cryptography. We believe additional interactions between the government and the private sector are necessary to correct misunderstandings and to ensure broadest acceptability of the August 17, 1995 proposal. Specifically we believe it is necessary to develop a strategy which includes significant private sector input to reach mutual consensus on the direction to be taken regarding this critical business issue. To that end, we believe additional joint government-private sector meetings are vital to success. The goal of these efforts should be to facilitate the adoption of policy to control the exportability for commercially-viable cryptography.
FOR: Baggett, Burns, Castro, Gangemi, Lambert, Leo, Parker, Sanovic, Trodden, Vetter, Walker, and Whitehurst
AGAINST: None
ABSTAIN: None
Motion Unanimously Approved

APPENDIX B
Computer Security Act of 1987
See separate text on the Computer Security Resource Clearinghouse

APPENDIX C
Charter
See separate text on the Computer Security Resource Clearinghouse

APPENDIX D
March Agenda and Minutes

Meeting of the Computer System Security and Privacy Advisory Board
March 22-23, 1995
Holiday Inn
Gaithersburg, Maryland

WEDNESDAY, MARCH 22, 1995

I. INTRODUCTION
9:00 Welcome -- Lynn McNulty, Board Secretary
9:10 Opening Remarks -- Willis Ware, Chairman

II. ASSURANCE APPROACHES AND ISSUES
9:15 Assurance Framework -- Stu Katzke, NIST
9:45 Assurance Components -- Bill Marshall, NSA
10:15 BREAK
10:30 Canadian Perspective on Achieving Assurance -- Deitra Kimpton, CSE, Canada
11:00 UK Perspective on Achieving Assurance -- Allan Borrett, CESG, UK (Assigned to NSA)
11:30 Assurance Economics -- Joel Sachs, The Sachs Groups
12:00 LUNCH
1:30 Capability Maturity Modeling Project -- David H. Kitson, Software Engineering Institute
2:00 Security Engineering Capability Maturity Model and Trusted Capability Maturity Model -- John J. Adams, NSA
2:30 BREAK
3:15 Update on X/Open Branding Project -- Bill Whitehurst, IBM
3:45 Vendor Perspective -- Linda Vetter, Oracle
4:15 Wrap-up and Restatement of Issues -- Stu Katzke, NIST
4:30 Discussion
5:00 RECESS

THURSDAY, MARCH 23, 1995

III. BOARD DISCUSSION
9:00 Chairman's Time
10:15 Role-based Access Control -- Time Permitting -- Dave Ferraiolo, Janet Cugini, NIST
10:30 BREAK

IV. SECURITY IN GOVERNMENT-WIDE E-MAIL
10:45 GSA Perspective -- Al Williams, GSA
12:00 LUNCH

V. SECURITY POLICY BOARD
1:30 Security Policy Board Briefing -- Pete Saderholm, Director of Security Policy Board Staff
Federal Computer Security Program Managers' Forum Opinion -- Sadie Pitcher, Forum Co-Chair

VI. KEY ESCROW UPDATE
2:15 Status of Key Escrow Initiative -- Steve Walker, TIS
2:45 BREAK

VII. OMB ACTIVITIES
3:00 OMB Circular A-130, Appendix III Revision and Reauthorization of the Paperwork Reduction Act -- Ed Springer, OMB

VIII. PUBLIC COMMENT PERIOD and BOARD DISCUSSION
4:00 Public Comment: (max. 5 min. per speaker - sign up in advance with secretary)
4:30 ADJOURN

-------------------------

Next Meeting
June 7-8, 1995
NIST Lecture Room E
Gaithersburg, Maryland

MINUTES OF THE MARCH 22-23, 1995 MEETING OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

Wednesday, March 22, 1995

Introduction

A quorum being present, the Chairman, Dr. Willis Ware, called the meeting to order at 9:00 a.m. at the Holiday Inn, Gaithersburg, Maryland. Besides Dr. Ware, the following Board members were present: Charlie Baggett Jr., Genevieve Burns, Cris Castro, Don Gangemi, Sandra Lambert, Henry Philcox, Randy Sanovic, Stephen Trodden, Steve Walker, and Bill Whitehurst.

Mr. McNulty informed the Board that he is retiring from government service, effective April 28, 1995. He appointed Mr. Ed Roback Designated Federal Official for the Thursday meeting.

The Board devoted the entire first day of the meeting to a thorough discussion and review of the assurance component of the process for evaluating security products against a criteria. It did so because the assurance issue has been an extremely troubling dimension of the evaluation process for many years. The entire meeting was held in open, public session.

Assurance Framework

Dr. Stuart Katzke, Chief, NIST Computer Security Division, discussed a framework for assurance. Some of the questions about assurance that need to be addressed, for example, are: What is assurance? Who requires assurance? When are assurance measurements needed/useful? Dr. Katzke presented a framework that includes dimensions (Factors), assurance levels (ALs), metrics/values (Dimensions & ALs), and assurance equivalence classes.
Factors that contribute to assurance are: Verification Process (Testing), Development Process, Qualifications, Operational Track Record of System or Product, and Operational Track Record of Developer on Prior Systems/Products. He also discussed values/metrics for measuring various dimensions of assurance. He presented an example diagram and pointed out that one dimension could be the verification process. He also offered a diagram of assurance levels in a hierarchical design with low, medium, and high.

Dr. Katzke said that the plan is to develop a framework that involves all stakeholders. Currently, NIST/NSA plans to engage the IT community in the development of a framework and short term metrics for assurance. An annual workshop on assurance is also planned, which will be co-sponsored by NIST. (See Reference #1).

Assurance Components

Mr. Bill Marshall, NSA, addressed the components of an assurance framework from the perspectives of an information security analyst, the supplier community, and an information systems security customer. He discussed the reasons someone would look for an information security solution. He said that a customer may have information that needs protection by value or by direction, which could be legislative or regulatory. The customer may also have information that they perceive to be subject to unacceptable risk.

Mr. Marshall said that customers would make informed decisions, as they would when buying any product, by gathering information, relying on experts, and using accepted metrics. The customer is generally not aware of the qualification options. Therefore, the customer would need to use some standards set by either regulatory agencies or the professional community. With regard to specification, the first thing customers need to do is examine their security policy. The customer needs to verify that assurance is provided by the vendor and that the product has been time-tested. Mr. Marshall summarized by saying that the same level of risk reduction can be achieved in several ways. (See Reference #2).

Canadian Perspective on Achieving Assurance

Mr. Vince Muolo, Manager, Industrial Programs and Initiatives, Communications Security Establishment (CSE), Canada, briefed the Board on the CSE's perspective on information technology security product assurance in the context of information security product evaluations. CSE provides advice and guidance to the federal government of Canada on Information Technology Security with emphasis on security evaluations of the security aspects of information technology products and systems. CSE is using third party product evaluations and product reviews, neither of which has proven successful in achieving the levels of timeliness and assurance desired simultaneously. As a result, CSE is planning to explore new approaches to information security product assurance.

Mr. Muolo described assurance as a measure of confidence that the security functionality will perform as claimed. Products gain assurance through evaluations under the CSE's Trusted Product Evaluation Program (TPEP). A trusted product allows the end user of the product to make assumptions about the security behavior of the product and how it can be used to counter threats in the target environment. Currently, CSE has two processes for adding assurance to products: (1) product review, and (2) evaluation. (See Reference #3).

UK Perspective on Achieving Assurance

Mr. Allen Borrett, CESG, UK, briefed the Board on approaches to assurance by the UK. The UK ITSEC scheme should meet the needs of government and industry with respect to cost-effective secure IT products and systems. The scheme would provide a basis for mutual international recognition and produce identical evaluation results. Mr. Borrett discussed the following differences between the US/UK evaluation process:
- The UK evaluations are not government sponsored, and the sponsor sets the time and money constraints to the evaluator.
- The UK is more methodology focused, while the US is more principle based.
- The UK evaluators' work, in conjunction with the developer, begins with the development process and runs through the product implementation phase. They obtain the necessary documentation and understand product development as it is being done. The US begins the evaluation process at the end of the product implementation phase.

Mr. Borrett said that the UK uses Certified Licensed Evaluation Facilities (CLEFs) that are non-government resourced evaluation facilities. The demand for CLEFs is growing. The UK will have five operational CLEFs soon and a sixth one is expected. He said that overall, the ITSEC evaluation time and cost required is significantly less than the US process. The primary reason is because their process is sponsor controlled and flexible. (See Reference #4).

Assurance Economics

Mr. Joel Sachs, the Sachs Groups, presented his company's view on the economics of assurance. He discussed internal economics, which include: threats to the target enterprise, weaknesses as they relate to vulnerabilities, and risks such as operational impacts and acceptable/unacceptable risks. He discussed the need for a viable information security economy that includes some of the following:
(A) Freeing the market to resolve risk, trust, and assurance for enterprise, systems, and products.
(B) Understanding and accommodating multiple business models across and among the players.
(C) Developing assurance framework and metrics, both qualitative and quantitative, to define and delineate value.
(See Reference #5).

Capability Maturity Modeling Project

Mr. David Kitson, Software Engineering Institute (SEI), Carnegie Mellon University, briefed the Board on the role and significance of the SEI Software Capability Maturity Modeling (CMM) for software. With regard to the transition of technology, the mission is to provide leadership in advancing the state-of-the-practice of software engineering to improve the quality of systems that depend on software. The vision is to bring engineering discipline to the development and maintenance of software. CMM is a common-sense application, a community-owned guide and a model for organizational improvement. Some of the benefits of model-based improvement are to:
- Establish a common language;
- Build on a set of processes and practices developed with input from a broad selection of the software community;
- Provide a framework for prioritizing actions and performing reliable and consistent appraisals; and
- Support industry-wide comparisons.

The risks of model-based improvements are simplifications of the real world and a lack of comprehensive scope. Interpretation and tailoring must be aligned to business objectives. Mr. Kitson discussed the five maturity levels, the CMM's key process areas, and the evolution of the process capability. He said that broad-scale acceptance of the CMM is based on plausibility of a common-sense model and experience in other industries. The CMM is a living document, which will be revised. Contributions are solicited from the community. (See Reference #6).

Security Engineering Capability Maturity Model and Trusted Capability Maturity Model

Mr. John Adams, National Security Agency, briefed the Board on a Trusted Capability Maturity Model (TCMM). The TCMM will allow organizations to use one reference model and derive from it the benefits of two models, software process improvement and increased software assurance. There are two components of the TCMM: (1) a Software Capability Maturity Model and (2) a Trusted Software Development Methodology.

Mr. Adams also described the Security Engineering Capability Maturity Model (SECMM). The purpose of the model is to:
- Increase assurance in system trustworthiness;
- Reach a point to transfer assurance from evaluation to development process;
- Provide consistent maturity framework for security engineering development processes;
- Provide security engineering process improvement mechanisms; and
- Provide process-based assurance measurement mechanisms.

The model structure is based on a maturity framework (similar to the SEI model). It tailors management and organizational processes and adds evolutionary security engineering processes. Mr. Adams said that to date the SECMM has accomplished a draft model, which includes a framework for process improvement, independent of specific organizational structure. The draft model was presented at the NIST/NSA National Computer Security Conference in October 1994. There was a public workshop in January 1995, which received overwhelming community endorsement. Future directions include expanding the scope of the SECMM market. It has focused only on the NSA/DoD community. As a follow-on to the workshop, there will be three working groups driven by industry: (1) a steering work group to define the key process, (2) an authoring work group for overall strategy, and (3) an application work group to define measurement techniques. (See Reference #7).

Update on X/Open Branding Project

Mr. Bill Whitehurst, IBM, gave a brief update of the activities of the X/Open Branding Project. Two major components exist within their branding concept: (1) the ability to implement functionality based on a minimum set of assurance functionality requirements (MSFR), and (2) the confidence in the development process for achieving the functionality. He said that the workgroup meeting, hosted by Hewlett Packard, was held early in March.
The group plans to re-write their document to include some type of evaluation process prior to the vendor product getting branded. X/Open plans to have a public review of the changes this summer.

Vendor Perspective

Ms. Linda Vetter, Oracle Corporation, presented Oracle's views of security assurance. She discussed three types of assurance issues: (1) government evaluation and certification; (2) third party evaluation and certification (government and business sponsored); and (3) vendor claims.

Ms. Vetter explained Oracle's evaluation experience for two DBMS server products, Oracle7 and Trusted Oracle7, in both the US and the UK. Oracle used the US TCSEC TPEP evaluation for B1 and C2 systems. They also used the UK ITSEC evaluation for E3 systems (which is the equivalent for US B1 and C2 systems). The UK process took significantly less time and cost less money for an identical product. Ms. Vetter suggested that NIST/NSA look into developing equivalent/comparable trust levels between the two different evaluation criteria methods as well as those for other countries. This would minimize the need to have different evaluations performed (one for each country) for the same product. Oracle has on-going work in other areas (e.g., RAMP, CMM, ISO, and Audits) as well as multiple CLEFs with the UK, Sweden, France and Germany.

Ms. Vetter explained the differences in criteria between the TCSEC and the ITSEC. She said that the ITSEC requirements for the content of evaluation deliverables formed a superset of the corresponding TCSEC requirements for the evaluations. However, the TCSEC creates a framework for the presentation of these requirements and there can be little deviation from this. Oracle would like to see more concentration on low-end assurance requirements and processes. This would enable various sectors like health care, banking, and financial industries to have protection for unclassified to sensitive data.

Ms. Vetter encouraged NSA to continue its efforts in modeling (Common Assurance Framework, TCMM, and SE CMM) and would discourage any more efforts in product profiling. The modeling efforts encourage vendor quality improvement, promote flexibility in meeting assurance objectives, and are transferable to other private sector domains besides DoD. (See Reference #8).

Wrap-up and Restatement of Issues

Dr. Katzke summarized the discussion of assurance by saying that opportunities exist to look at alternatives. He is not sure what the government's role is or which areas to concentrate on with respect to cost. He said that he could continue with the same level of effort that is going on now with community involvement. He is open to suggestions with regard to the assurance process.

Discussion

After a lengthy discussion on the state of the Common Criteria (CC) and assurance approaches and issues, some of the major points from individual Board members included:
- Concern as to when the CC will be widely accepted and used;
- Whether to adopt the ITSEC now and migrate to CC;
- The need to simplify the CC;
- Building assurance and quality into the new assurance framework;
- Clearly define assurance needs to be universally understood;
- Conduct more C2 and below evaluations in the US;
- Concentrate on low-end assurance; and
- Bring key industry players into the process.

The meeting recessed at 5:45 p.m.

Thursday, March 23, 1995

Chairman's Time

Dr. Ware introduced Mr. Joseph Leo, Deputy Administrator for Management, Food and Consumer Service, U.S. Department of Agriculture. Mr. Leo is a member designate to fill a government position on the Board. After minor changes from Mr. Whitehurst, Board members voted on and unanimously approved the minutes of the December 1994 meeting. During this time, Board members continued their discussion of criteria and assurance from the previous day.
Some of the major points of the discussion from Board members included the need:
- for OMB to state the need for C2 level evaluation compliance for various government product purchases;
- for NSA to make a statement about equivalency among all existing non-US trust levels;
- to begin using components of the Common Criteria and gradually migrate to it;
- to continue a wide range of assurance framework options and procedures; and
- to focus on low-end assurance methods and encourage C2 level evaluation along the following Canadian AL-1 evaluation.

Security In Government-wide E-Mail

Mr. Jack Finley, Director, Electronic Messaging Program Management Office (E-Mail PMO) at the General Services Administration (GSA), briefed the Board on the status of security in E-Mail. He said the E-Mail PMO has three focus areas: (1) functional requirements, (2) management requirements, and (3) technical requirements. Mr. Finley said that security is an element in each one of the three focus areas. There are five PMO program functions: (1) program management to develop a two-year plan, (2) directory service support for registration services, and directory synchronization etc., (3) value added services for a centralized e-mail help desk, electronic support services, and a model service center, (4) cross cutting initiatives to implement guidance and training, gateway specifications etc., and (5) common system components for standards convergence, requirements definition and X.400 address simplification.

The PMO strategic plan will promote and support electronic messaging business process, increase operational quality, productivity and effectiveness of government-wide messaging, and provide professional help desk services. The government-wide e-mail vision is to produce business quality e-mail, intermediate e-mail, and basic e-mail. Mr. Finley defined business quality e-mail as having a level of security to conduct financial and regulatory business for the unclassified arena.
The Board continues to be concerned about security not being adequately addressed in the PMO effort. The Board suggested that Mr. Finley add security and privacy requirements as a separate focus area and that it be number one on the list. The Board also noted that there was no mention of security policy documentation or an implementation strategy. Mr. Finley said that security policy efforts are being undertaken by the NIST Public Key Infrastructure (PKI) Steering Committee and other security infrastructure issues are addressed through the Security Infrastructure Program Management Office (SI-PMO). (See Reference #9). Mr. Al Williams, Director, Federal Information Security Infrastructure Program Management Office (SI-PMO) at GSA, gave the Board an update on the progress of the SI-PMO. The PMO is Co-chaired by GSA and DoD. The charter is due to be signed by DoD and the Government Information Technology Services (GITS) Working Group by May 1, 1995. A Program Action Plan is expected to be completed by April. The primary role of the PMO is to provide government-wide support and coordination of federal activities necessary to implement an information security infrastructure for the use of the federal government. A more specific goal is that the SI-PMO, working with individual agencies, will design pilots, coordinate implementations across agencies, promote the use of an information security infrastructure within government, and make recommendations to resolve conflicts in implementation and funding of this information security infrastructure. The PMO is not chartered, staffed, or funded to manage specific product developments, or to manage the development programs of individual government agencies. The total SI-PMO is composed of DoD, civilian agencies, financial institutions, medical/health care, and technical elements. The PMO security objectives show support for multiple technologies that include: RSA, DSS with DES encryption, FORTEZZA, and other X.509 variants. 
(See Reference #10.)

Security Policy Board

Mr. Peter Saderholm, Director, Security Policy Board (SPB) Staff, briefed the Board on the proposed activities of the SPB. He said the creation of the SPB was based on a recommendation by the Joint Security Commission report of February 28, 1994. Presidential Decision Directive (PDD) 29, signed by the President on September 10, 1994, articulates the roles and responsibilities for the SPB, the Security Policy Advisory Board, and the Security Policy Forum. Board members were provided a "fact sheet" on PDD29. Some Board members expressed concern with the SPB's activities with regard to [setting policy for unclassified sensitive information in addition to classified information] in light of the national security scope of PDD29. Mr. Saderholm mentioned the need for the Board and the SPB to work together regarding privacy and security policy issues for unclassified sensitive information. He expressed his desire to continue dialogue with the Board and to build cooperative arrangements with industry representation when dealing with the protection of unclassified information. He said that the SPB is abiding by the Computer Security Act of 1987 and therefore will not be responsible for policy surrounding unclassified information. However, he noted that the SPB will need to facilitate cross-sharing of information with those responsible for setting unclassified information protection policy. (See Reference #11.)

Federal Computer Security Program Managers Forum Opinion

Ms. Sadie Pitcher, Department of Commerce and Forum Co-Chair, presented the views of the Forum regarding the SPB report's proposal to form an Information Systems Security Committee (ISSC). The Forum represents 75 federal government agencies. The Steering Committee of the Forum drafted a position paper to Ms. Sally Katzen of the Office of Management and Budget on January 11, 1995.
The position paper articulated the following concerns:
- Establishment of a national security dominated ISSC is contrary to the Computer Security Act and inconsistent with the authority of PDD-29;
- It would undercut the effort for open government;
- National security related information will be viewed as imposing new government restrictions on access to information;
- The proposal may serve to increase public concerns over the government's intentions in the field of ISS;
- It is inappropriate for the national security/intelligence communities to participate in selecting security measures for unclassified systems at civil agencies;
- The unclassified security focus is on cost-effectiveness, integrity and availability, not primarily confidentiality, which is the traditional primary concern of the classified sector; and
- Concern that the SPB report is being misrepresented as Administration policy.
Ms. Pitcher said that OMB was asked to restrict the SPB report implementation to only classified systems. (See Reference #12.)

Status of Key Escrow Initiative

Mr. Steve Walker, Trusted Information Systems (TIS), briefed the Board on the status of Commercial Key Escrow (CKE). He said that, with regard to application vendors, TIS is actively seeking the participation of commercial software vendors in widespread implementation of CKE-enabled software products. TIS has installed a Data Recovery Center (DRC) on the Internet and is prepared to distribute sample DRC application software packages to any interested software application developer. TIS is seeking approval of the US government for export of application programs using encryption algorithms such as the Data Encryption Standard (DES) when properly bound with CKE. Mr. Walker said the advantage of CKE for government interests is that if the TIS CKE system were to become widely used throughout the private sector and government communities, law enforcement, national security and private sector interests would all be preserved. Mr.
Walker said that TIS has filed for patent protection for its Software Key Escrow (Clipper equivalent) and CKE systems, including the DRC and application software approaches. TIS is prepared to license its CKE system and software applications technology to any software or hardware vendor under very favorable licensing terms. TIS is also prepared to license its DRC system and technology to qualified DRC operators and vendors under similarly favorable licensing terms. (See Reference #13.)

OMB Circular A-130, Appendix III Revision and Reauthorization of the Paperwork Reduction Act

Mr. Ed Springer, Office of Management and Budget (OMB), briefed the Board on the proposed revision of Appendix III of Circular A-130. Mr. Springer said that the proposal is intended to guide agencies in securing information as they increasingly rely on an open and interconnected National Information Infrastructure. It stresses management controls such as individual responsibility, awareness and training, and accountability, rather than technical controls. The Appendix proposes to re-orient the federal computer security program to better respond to a rapidly changing technological environment. It establishes government-wide responsibilities for federal computer security and requires federal agencies to adopt a minimum set of management controls. As in the previous Appendix III, agencies are still required to establish controls to assure adequate security for all information processed, transmitted, or stored in federal automated information systems. This proposal emphasizes management controls affecting individual uses of information technology. The Appendix requires that these management controls be applied in two areas of management responsibility: general support systems and major applications. The Federal Register announcement of the Appendix provides supplementary discussion to aid reviewers in understanding the changes in emphasis proposed. Mr.
Springer said that agencies will phase into implementing the security requirements articulated in Appendix III. (See Reference #14.)

Public Comment

During the public comment period, Ms. Sadie Pitcher advised the Board of an effort in progress by the Federal Information Systems Security Educators Association, a subgroup of the Federal Computer Security Program Managers' Forum, to revise NIST Special Pub 500-172, Training Guidelines. This effort is in line with OMB's recommendation to the Department of Commerce, in Appendix III, to review and update guidelines for training in computer security awareness and accepted computer security practice.

Board Discussion

After discussion, deliberation, and debate, the Board passed three resolutions. (See Attachments 1-3.) The meeting adjourned at 6:00 p.m.

Attachments
#1 - Resolution 95-1
#2 - Resolution 95-2
#3 - Resolution 95-3

References
#1 - Katzke slides
#2 - Marshall slides
#3 - Muolo slides
#4 - Borrett slides
#5 - Sachs slides
#6 - Kitson slides
#7 - Adams slides
#8 - Vetter slides
#9 - Finley slides
#10 - Williams slides
#11 - Saderholm slides
#12 - Pitcher slides
#13 - Walker slides
#14 - Springer paper

Edward Roback, Secretary  /s/

CERTIFIED as a true and accurate summary of the meeting
Willis Ware, Chairman  /s/

APPENDIX E
June Agenda and Minutes

Meeting of the Computer System Security and Privacy Advisory Board
June 7-8, 1995
National Institute of Standards and Technology
Administration Building 101, Lecture Room E
Gaithersburg, MD

AGENDA

WEDNESDAY, JUNE 7, 1995
9:00 Welcome - Ed Roback, Board Secretary
9:10 Opening Remarks - Dr.
Willis Ware, Chairman
9:15 OMB Circular A-130, Appendix III Update and Review of Comments and The Federal Role in NII Security - Ed Springer, OMB
9:45 Discussion
10:00 BREAK
10:15 Defensive Information Warfare & Unclassified Government and Private Sector - Martin Hill, DoD
11:30 Discussion
12:00 LUNCH
1:30 X/Open Security Branding Proposal - Peter Callaway, IBM
2:30 Security Policy Board (SPB) Update - Vicki LaBarre, SPB Staff
3:00 BREAK
3:15 Discussion
4:00 Commercial Key Escrow Update - Steve Walker, TIS
4:30 Discussion
5:00 RECESS

THURSDAY, JUNE 8, 1995
9:00 SI-PMO Action Plan Briefing - Al Williams, GSA
9:45 Discussion
10:00 BREAK
10:15 Common Criteria Update - Dr. Stu Katzke, NIST
10:45 Discussion
11:00 Privacy Update - Robert Gellman, Privacy & Information Consultant
11:20 Discussion
12:00 LUNCH
1:30 PKI Steering Committee Activities - Robert Rosenthal, NIST
2:00 DISA/ARPA/NSA MOU Briefing - John Davis, NSA
2:30 Discussion
3:00 BREAK
3:15 Public Participation (5 min. max, please sign-up with secretary in advance)
3:45 Discussion of topics for next meeting
4:00 ADJOURN

Next Meeting: September 13-14, 1995, National Institute of Standards and Technology

MINUTES OF THE JUNE 7-8, 1995 MEETING OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

Wednesday, June 7, 1995

Introduction

A quorum being present, the Chairman, Dr. Willis Ware, called the meeting to order at 9:00 a.m. at the National Institute of Standards and Technology (NIST), Gaithersburg, Maryland. Besides Dr. Ware, the following Board members were present: Charlie Baggett Jr., Genevieve Burns, Cris Castro, Don Gangemi, Sandra Lambert, Joseph Leo, Henry Philcox, Randy Sanovic, Linda Vetter, Steve Walker, and Bill Whitehurst. Mr. Ed Roback, Board Executive Secretary and newly appointed Designated Federal Official, discussed some of the handouts provided to the Board. Most important was a copy of a draft House bill referred to as the "Department of Commerce Dismantling Act."
If enacted, part of NIST would be transferred to the National Science Foundation. The Commerce Program Resolution Agency (CPRA) would be established and would attempt to sell NIST laboratories (and other specified elements of the Department of Commerce) to the private sector. If not sold within 18 months of enactment, CPRA would submit its recommendations to Congress on the appropriate disposition of the property and functions of the laboratories.

OMB Circular A-130, Appendix III Update and Review of Comments and "NII Security: The Federal Role"

Mr. Ed Springer of the Office of Information and Regulatory Affairs, Office of Management and Budget (OMB), updated the Board on the recently signed Paperwork Reduction Act of 1995. (Copies are available for distribution to the Board.) (ACTION - SECRETARY.) Mr. Springer said that security remains a concern and is supported by strong language in the law requiring agencies to secure their systems. Mr. Springer updated the Board on Appendix III to OMB Circular A-130. Since his briefing to the Board in March, the comment period for the proposed changes to Appendix III has closed. OMB has received twenty-nine written comments to date. He solicited Board members for their reactions to the draft proposal. Mr. Springer was asked how OMB will enforce the requirements of Appendix III. He said enforcement comes through oversight and the budget process. There is a sharper focus on where agencies can go for help. One Board member asked if OMB plans to develop a standard set of behaviors. Mr. Springer replied that OMB will not go that far; however, Appendix III addresses the risks for agencies to use as a guideline for security considerations. Board members noted that agency visits to senior management regarding security plans, as were conducted in the 1989-1990 timeframe, seemed successful. Mr. Springer said that the Federal Managers Financial Integrity Act provides oversight of the requirement for agencies to prepare new plans. Mr.
Springer agreed to brief the Board at its September meeting to further discuss the comments received and the current status. He mentioned that the final document, "NII Security: The Role of Federal Government," would be out soon and that Board members would receive copies. (ACTION - SECRETARY.)

Defensive Information Warfare & Unclassified Government and Private Sector

Mr. Martin Hill, Deputy Director for Information Warfare Programs, Office of the Assistant Secretary of Defense, briefed the Board on Information Warfare (IW) from a DoD perspective. He said that commanders should not depend on information and information systems that they cannot rely on. He used the example of Desert Storm, which was won through the use of intelligence; Iraq, in effect, lost the war before it even began. Mr. Hill said that IW is driven by daily attacks on U.S. computer networks. The national security construct is changing because DoD utilizes commercial sector security and shares its vulnerabilities. The DoD unclassified definition of IW is "Actions taken to achieve information superiority in support of national military strategy by affecting adversary information and information systems while leveraging and protecting our information and information systems." Some of the areas that need defending are: leadership; command facilities; integrated air defense and controls; computers, software, data bases, and displays; power production sources; and links to media. The U.S. IW strategy is to:
- Use U.S. technological superiority to provide the right information to the right place at the right time,
- Aggressively defend against attacks on our information, and
- Use offensive techniques to attain and maintain information superiority.
Mr. Hill also emphasized the need for and importance of training. He said they have assembled "Red Teams" made up of DoD personnel that converge on other DoD systems to determine their vulnerabilities.
When asked how DoD could best communicate its requirements to the commercial sector, Mr. Hill said that they conduct seminars and "war games," both of which are attended by industry. (See Reference #1.)

X/Open Security Branding Proposal

Mr. Peter Callaway, Senior Security Technologist for IBM, provided the Board with an update on the X/Open security branding proposal. Mr. Callaway was speaking from three perspectives: IBM (a member of X/Open), X/Open, and as a user. He said that X/Open feels it has the appropriate and proven experience, from setting industry standards and performing conformance branding. X/Open has the commitment of vendors to build products to its specifications, with regard to technical plans established with vendor cooperation and commitment to product follow-through. X/Open Branding is a certification scheme for conformance verification, not evaluation. Currently, X/Open branding requires evidence of successful execution of a test suite where appropriate test suites are available. It requires a conformance statement questionnaire and a trademark license agreement to be completed by the applicant. (See Reference #2.)

Security Policy Board (SPB) Update

Ms. Vicki LaBarre, Security Policy Board (SPB) Staff, briefed the Board on the progress of the SPB. Ms. LaBarre reminded the Board of the role of the SPB as chartered by Presidential Decision Directive (PDD)-29. The SPB and Security Policy Forum are jointly chaired by DoD and intelligence community members, but their membership includes non-DoD and non-intelligence community representatives. Ms. LaBarre relayed that the SPB considers itself an "honest broker" to identify issues and positions from all parties on key questions. She said that the fundamental question is whether the executive branch needs a single, consolidated INFOSEC policy making mechanism.
If a consolidated INFOSEC policy making mechanism is needed:
- Can the existing SPB structure created by PDD-29 meet that need?
- If yes: how should an information systems security committee be chartered and constituted?
- If not: how could/should the SPB/SPF be modified to become an effective INFOSEC policy mechanism?
- What other existing entity in the executive branch could act, or be modified to act, as the executive branch's INFOSEC policy making apparatus?
- What kind of new entity could be created to meet this policy making need?
If a consolidated INFOSEC policy making mechanism is not needed:
- How can the existing INFOSEC policy and advisory boards, committees, forums, etc., be made to more effectively identify, prioritize, resource and act on major INFOSEC issues and vulnerabilities affecting the national interest?
- Are executive branch INFOSEC resources adequate to provide for acceptable security for government information systems?
- Are existing INFOSEC resources appropriately located and distributed within the executive branch?
Recently the SPB staff convened a special working group to draft a resolution calling for the compilation of a list of major INFOSEC issues. The matter will be discussed at the Security Policy Board Forum meeting on June 23. In summary, Ms. LaBarre emphasized that we must do a better job of INFOSEC government-wide, which is possible if everyone works together for the common good. Throughout Ms. LaBarre's presentation, some Board members expressed serious concerns about many aspects of the SPB's charter, the first SPB staff report, and its present stance on the effort toward a single policy making mechanism. Some Board members expressed the view that the initial report was not clear with regard to what kind of information would be encompassed by "national interest." Ms. LaBarre said that the first report was purely a "think piece" to stimulate discussion, which it has done. (See Reference #3.)

Commercial Key Escrow Update

Mr. Steve Walker, President, Trusted Information Systems (TIS), presented the Board with an update on TIS' Commercial Key Escrow (CKE) activities. Mr.
Walker recently met with senior management of National Semiconductor Corporation. They discussed a proposal to use CKE in an escrowing approach called Commercial Automated Key Escrow (CAKE), in which the CKE system has been modified to work with National's PersonaCard cryptographic hardware tokens. Mr. Walker believes that this approach meets the needs expressed by the Vice President. CAKE does the following:
1. It removes all very strong cryptography from software.
2. It uses these special CAKE tokens to automatically escrow an encrypted copy of every message key within the message envelope itself, in a special Data Recovery Field (DRF) consisting of the message key and the Data Recovery Center (DRC) and token identifiers, encrypted with the public key of a designated DRC.
3. It provides access to DRFs via the private keys of the DRCs, and allows any user to establish their own DRC to safeguard corporate information.
4. It uses well known cryptographic algorithms such as DES, triple DES and RSA, instead of algorithms such as Skipjack.
5. Finally, it gives American computer and communications industries the ability to easily export strong and very strong encryption as part of their information highway products.
Mr. Walker briefly discussed the software binding issue, which has been put off by the implementation in the PCMCIA card; it still needs to be tried, and a software vendor is being sought to do so. The card implementation is aimed at files and e-mail, not telephony. There is initial concern with regard to cost; however, the card is tamper-proof and cannot be distributed over the Internet. Mr. Walker said they are seeking export approval with DES and CKE and hopes for a positive resolution in the near future. (See Reference #4.) The meeting recessed at 5:20 p.m.

Thursday, June 8, 1995

SI-PMO Action Plan Briefing

Mr.
Al Williams, Acting Director of the Security Infrastructure Program Management Office (SI-PMO) at GSA, updated the Board on the activities and progress of the SI-PMO. He discussed some of the near term goals: identifying and resolving critical policy issues related to supporting multiple technologies, developing a security architecture, defining user-to-user and user-to-SI specifications, and establishing a formal liaison between the SI-PMO and the Canadian Government. Board members asked about milestones. Mr. Williams directed members to the summary of the near-term actions and milestones in the Action Plan appendix. When asked who has received the Action Plan, Mr. Williams replied that it was distributed to the Government Information Technology Services Group, the National Information Infrastructure Security Issues Forum, the Electronic Commerce Acquisition Program Management Office, the E-Mail Program Management Office, NSA, NIST, and the PKI Steering Committee. The Board commended Mr. Williams for working an issue with a real time frame. Mr. Williams was invited to come back and update the Board as he feels appropriate. (See Reference #5.)

Common Criteria Update

Dr. Stu Katzke, Chief, NIST Computer Security Division, updated the Board on the Common Criteria (CC) effort. He discussed the Common Criteria for Information Technology Security Evaluation workshop on May 11-12 in Ottawa, Canada. Approximately 40 people from Europe, Canada, the U.S., and Japan participated in the workshop. The workshop served to allow the CC Editorial Board to:
- provide general information on the comments received and the planned changes to the document based on these comments; and
- receive added clarifications on the reviewers' comments on the document so they can update the document to reflect the expert opinions.
The number of assurance levels and where they fall were discussed; however, that issue is not as high on the list as the six key global issues below: 1.
Document Organization - understandability and usefulness;
2. Extensibility of Requirements - support of ITSEC is unclear;
3. Extensibility of CC - how to maintain the CC;
4. Protection Profile - relationship unclear;
5. Protection Profile - selection of requirements; and
6. Dependencies and Binding - completeness/correctness.
Dr. Katzke said that the NCSC plans to perform evaluation trials by January of 1996. (See Reference #6.) Mr. Charlie Baggett volunteered to brief the Board in September on trial evaluations. (ACTION - SECRETARY AND MR. BAGGETT.)

The discussion then turned to the Board's March resolution (95-2), which recommended to NIST and NSA that a statement be made regarding the equivalence of C2-level evaluated products. Mr. Lou Giles of NSA briefed the Board on NIST and NSA's response to that recommendation. In July, NIST and NSA will publicly clarify the relationship between the TCSEC C2, ITSEC E2, and CTCPEC T1 levels to encourage federal programs with requirements for evaluated low assurance level products to use trusted products evaluated at these levels. NIST and NSA will publish a Bulletin in July 1995 which will describe a structure for the selection and acceptability of these products. The Bulletin will include an appendix listing the products evaluated and in evaluation under each criteria. (See Reference #7.) Mr. Giles used the phrase "selection preferences for C2 requirements." Some Board members said that the word preference takes away from equivalency, and they are concerned that the list of requirements is a preference list rather than a menu. Selection preferences for C2 requirements are as follows:
- C2 products on the U.S. EPL;
- Products under U.S. TCSEC evaluation (C2);
- FPC2/T1 products on the Canadian EPL or FC2/E2 products on the European EPL; and
- Products under CTCPEC (FPC2/T1) or ITSEC (FC2/E2) evaluation.
Some Board members are concerned that the list suggests that U.S.
products be used first, thereby implying that they are better than other products. In discussion, most Board members recommended ordering the products by completed versus non-completed evaluations. Mr. Giles gave an update on TTAP accomplishments. To date the work group has:
- Drafted an SOW for TTAP Developmental Commercial Evaluation (Feb. 95);
- Annotated an outline for a document on what it takes to be accredited under NVLAP (Mar. 95);
- Drafted the first suggested evaluator actions for TCSEC Class C2, provided to NVLAP for review (Apr. 95);
- Drafted the second suggested evaluator actions for TCSEC Class C2 (May 95); and
- Drafted the first Technical Review Board expectations of a team (May 95).
Future activities for TTAP include:
- Contract for TTAP Developmental Commercial Evaluation (Jun/Jul 95);
- Start TTAP Developmental Commercial Evaluation (Aug. 95);
- Conduct lessons learned from the contracted effort (May 96); and
- Expect NVLAP to accredit several labs (NLT Aug. 96).
(See Reference #8.)

Privacy Update

Mr. Robert Gellman, a Privacy and Information Consultant, briefed the Board on legislative activities with regard to privacy. He said that there is little proposed privacy legislation at present, except for HR 1271, the Family Privacy Act, which would restrict government agencies from conducting surveys of minors. Other issues involve child support enforcement: newly hired males are reported so that they can be checked against fathers who have neglected their child support payments. Mr. Gellman said the Administration, under the National Information Infrastructure (NII), has a working group on privacy. There are three efforts in progress: one by the NII at a high level, an Information Infrastructure Task Force privacy guideline, and a related effort by the National Telecommunications and Information Administration.

Discussion

During discussion time, Board members voted on and unanimously approved the minutes of the March 1995 meeting.
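Returning to Mr. Walker's June 7 description of CAKE above: the Data Recovery Field is easier to reason about in code. The Go program below is an added illustration, not TIS or National Semiconductor code; the 8-byte identifier widths, the field order inside the DRF, triple DES in CTR mode and RSA-OAEP are assumptions of this example, chosen because Go's standard library supplies them.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const idLen = 8   // width of DRC and token identifiers (an assumption of this example)
const keyLen = 24 // three-key triple DES message key

// ID is a fixed-width DRC or token identifier; MakeID pads or truncates a label into one.
type ID [idLen]byte

func MakeID(label string) ID {
	var id ID
	copy(id[:], label)
	return id
}

// Envelope is the constructed message format: the DRF rides with the ciphertext.
type Envelope struct {
	DRF        []byte // RSA-OAEP(DRC public key, messageKey || drcID || tokenID)
	IV         []byte
	Ciphertext []byte // triple-DES-CTR(messageKey, plaintext); no integrity tag, as in the 1995 description
}

// DRC models a Data Recovery Center; whoever runs one holds its private key.
type DRC struct {
	ID   ID
	Pub  *rsa.PublicKey // what tokens are provisioned with to build DRFs for this DRC
	priv *rsa.PrivateKey
}

// NewDRC creates a DRC with a fresh RSA key pair (any organisation can run its own).
func NewDRC(label string) (*DRC, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &DRC{ID: MakeID(label), Pub: &priv.PublicKey, priv: priv}, nil
}

// Seal is the token side: fresh message key, encrypt, and escrow the key in a DRF for the designated DRC.
func Seal(drcPub *rsa.PublicKey, drcID, tokenID ID, plaintext []byte) (*Envelope, error) {
	buf := make([]byte, keyLen+des.BlockSize) // message key followed by the CTR IV
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	mk, iv := buf[:keyLen], buf[keyLen:]
	block, err := des.NewTripleDESCipher(mk)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	// DRF plaintext: message key, then the DRC and token identifiers.
	drfPlain := append(append(append([]byte{}, mk...), drcID[:]...), tokenID[:]...)
	drf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, drcPub, drfPlain, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{DRF: drf, IV: iv, Ciphertext: ct}, nil
}

// Recover is the DRC side: open the DRF, check it names this DRC, decrypt. Any other DRC's key fails at OAEP.
func (d *DRC) Recover(env *Envelope) (plaintext []byte, tokenID ID, err error) {
	drfPlain, err := rsa.DecryptOAEP(sha256.New(), nil, d.priv, env.DRF, nil)
	if err != nil {
		return nil, tokenID, fmt.Errorf("DRF not addressed to this DRC: %w", err)
	}
	if len(drfPlain) != keyLen+2*idLen || !bytes.Equal(drfPlain[keyLen:keyLen+idLen], d.ID[:]) {
		return nil, tokenID, errors.New("DRF is malformed or names a different DRC")
	}
	copy(tokenID[:], drfPlain[keyLen+idLen:])
	block, err := des.NewTripleDESCipher(drfPlain[:keyLen])
	if err != nil {
		return nil, tokenID, err
	}
	plaintext = make([]byte, len(env.Ciphertext))
	cipher.NewCTR(block, env.IV).XORKeyStream(plaintext, env.Ciphertext)
	return plaintext, tokenID, nil
}

func main() {
	corp, err := NewDRC("CORP-DRC")
	if err != nil {
		panic(err)
	}
	env, err := Seal(corp.Pub, corp.ID, MakeID("TOKEN-42"), []byte("constructed sample message"))
	if err != nil {
		panic(err)
	}
	msg, tok, err := corp.Recover(env)
	fmt.Printf("recovered %q from token %q (err=%v)\n", msg, bytes.TrimRight(tok[:], "\x00"), err)
}
```

Recover also covers the two failure paths the description implies: a DRF opened with a DRC key other than the designated one, and a DRF that names a different DRC than the key that opened it.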
The Board engaged in a lengthy discussion concerning PDD-29 and the intent of the charter of the SPB. Board members debated the idea of a single policy focal point. They also debated the phrase "National Security" in PDD-29. One Board member reminded the Board of a Government Computer News article stating that PDD-29 appears to be clouded as to whether the PDD intended to include sensitive unclassified information in addition to national security (i.e., classified/Warner Amendment) information. A motion was moved and seconded directing the Chairman to draft a letter to the Co-Chairs of the SPB and the SPF articulating the need for clarification of PDD-29 and the SPB charter. (ACTION - CHAIRMAN AND SECRETARY.) Dr. Ware presented Mr. Henry Philcox with a certificate of appreciation for his four years of service on the Board. Mr. Philcox is retiring from federal service in July.

PKI Steering Committee Activities

Mr. Robert Rosenthal, Manager, NIST Protocol Security Group, briefed the Board on the activities of the Public Key Infrastructure (PKI) Steering Committee. Three working groups reside under the Committee: technical (chaired by IRS), business and legal (chaired by Treasury), and users (chaired by the SI-PMO). The Steering Committee continues to liaise with the Canadian and Swedish governments, the Internet community, the American Bankers and American Bar Associations and the U.S. Council for International Business. The Steering Committee is exploring the establishment of a Cooperative Research and Development Agreement (CRDA) with industry organizations to:
- Research and develop a PKI Interoperability Test Plan and a NIST PKI Test Facility;
- Publish test procedures and lessons learned; and
- Develop and demonstrate interoperable certificate services on a wide variety of internetworked communications facilities.
Mr.
Rosenthal said there are workshops and special projects slated for the future, including a tri-sponsored PKI Invitational Workshop Series by NIST, the Security Infrastructure Program Management Office and MITRE. Also planned are some interdivision projects such as PKI, time and attendance, travel, procurement, and others that will be available on the "NISTNET." NISTNET is a campus-wide local area network for NIST. (See Reference #9.)

DISA/ARPA/NSA Memorandum of Understanding Briefing

Mr. John Davis, Director, NSA's National Computer Security Center, briefed the Board on the Memorandum Of Understanding (MOU) between the Defense Information Systems Agency (DISA), the Advanced Research Projects Agency (ARPA), and the National Security Agency (NSA). He said that ARPA and NSA run the major INFOSEC research programs in government and that the major user of INFOSEC is DISA. The Information Systems Security Research Joint Technology Office was established by a Memorandum Of Agreement (MOA) in March of 1995, signed by the Directors of ARPA/DISA/NSA, to coordinate security research efforts with a heavy reliance upon commercial technology. The following nine items were called out in the agreement: 1) Strategic Planning, 2) Review and Coordinate, 3) Evaluate Proposals, 4) Metrics, 5) Prototypes, 6) COTS, 7) Standards, 8) Crypto and 9) Public. Mr. Davis said this is work in progress and they are looking for useful results. Vendors will show their products at the NIST/NCSC National Information Systems Security Conference (NISSC) in Baltimore in October. Mr. Davis stated that the intent is not to focus only on DoD. A Defense-only solution would be costly; therefore, commercial products with built-in security are needed. (See Reference #10.)

Public Comment

During the public comment period, Mr. Keith Weinberger, KPMG Peat Marwick, said he is disappointed with the lack of progress of the SPB. He would like the Board to continue to push secure networks, not individual systems. Dr.
Sarah Comley, of North American Biolegal Information, noted that only two people showed up at the recent NAS public meeting on cryptography. She also stated her concerns about the emerging privacy issues prominent in information. Mr. Wilson Baxter, Lockheed Martin, had two comments: 1) with regard to OMB A-130, he would like implementation details left to be determined at the field office level, and 2) X/Open testing may not be robust enough to know whether a product does not do what it is not supposed to do; determining this is impossible in a UNIX environment. The meeting adjourned at 2:50 p.m.

Attachments
Letter to the Co-Chairs of the Security Policy Board (SPB) and Security Policy Forum (SPF) requesting clarification of PDD-29 and the SPB charter.

References
#1 - Hill slides
#2 - Callaway slides
#3 - LaBarre slides
#4 - Walker slides
#5 - Williams slides
#6 - Katzke slides
#7 - Giles handout
#8 - Giles slides
#9 - Rosenthal slides
#10 - Davis slides

Edward Roback, Secretary  /s/

CERTIFIED as a true and accurate summary of the meeting
Willis H. Ware, PhD, Chairman  /s/

APPENDIX F
September Agenda and Minutes

Meeting of the Computer System Security and Privacy Advisory Board
September 13-14, 1995
7900 Westpark Drive
McLean, Virginia

AGENDA

WEDNESDAY, SEPTEMBER 13, 1995
9:00 Welcome - Ed Roback, Board Secretary
9:10 Opening Remarks and Passing of June Minutes - Dr. Willis Ware, Chairman
9:15 Issues Update: IT Laboratory, Budget, and Key Escrow - Raymond G.
Kammer, Deputy Director, NIST
9:35 Questions
10:00 BREAK
10:15 Discussion
11:00 Security Policy Board (SPB) Update & DOEDODCID (Combined Policy) - Vicki LaBarre, SPB Staff
11:40 Discussion
12:00 LUNCH
1:30 OMB Circular A-130, Appendix III - Resolution of Comments/Current Status and Coordination of How Rules/NIST Handbook/Policy Fit Together - Ed Springer, OMB
1:40 Discussion
2:00 Computer Security: Lessons Learned from GAO Financial Audits - Greg Holloway, GAO
2:45 Discussion
3:00 BREAK
3:15 Update on Bankers Trust Proposed Key Escrow Approach - Nanette Di Tosto, Bankers Trust
4:00 Discussion
4:30 European Union Data Protection - Bill Whitehurst, IBM (Board member)
4:45 Discussion
5:00 RECESS

THURSDAY, SEPTEMBER 14, 1995
9:00 Discussion
10:00 BREAK
10:15 NIST's Plans to Implement A-130, Appendix III - Tim Grance, NIST
11:00 Discussion
11:15 Government Information Technology Services (GITS) Update - Patty Edfors, DoJ
11:45 Chairman's Time: Recognition of Member's Service
12:00 LUNCH
1:30 Issue Update On: Information Security & Privacy in Network Environments - Joan Winston, OTA
2:15 Discussion
2:30 Update on Trial Evaluations - Charlie Baggett, NSA (Board member)
3:00 BREAK
3:15 Public Participation (5 min. max, please sign-up with secretary in advance)
3:45 Discussion of Topics for Next Meeting
4:00 ADJOURN

Next Meeting: December 6-7, 1995, NIST Lecture Room E, Gaithersburg, Maryland

MINUTES OF THE SEPTEMBER 13-14, 1995 MEETING OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

Wednesday, September 13, 1995

Introduction

A quorum being present, the Chairman, Dr. Willis Ware, called the meeting to order at 9:00 a.m. at Wang Federal, Inc., McLean, Virginia. Besides Dr. Ware, the following Board members were present: Charlie Baggett Jr., Genevieve Burns, Cris Castro, Don Gangemi, Sandra Lambert, Joseph Leo, Gloria Parker, Randy Sanovic, Stephen Trodden, Linda Vetter, Steve Walker, and Bill Whitehurst.
Through the efforts of Board member Don Gangemi, Wang provided use of its facility at no cost to the U.S. government. Mr. Ed Roback, Board Executive Secretary, discussed the agenda and some of the handouts provided to the Board. He introduced a new Board member, Ms. Gloria Parker, Director, Information Resources Group of the Office of Management at the Department of Education. Ms. Parker fills the recent government vacancy. As of this meeting, three members' terms have expired. Mr. Roback expressed his hope to have three replacement members by the December meeting. Dr. Ware told the Board he hopes to have Mr. Keith Hall, Executive Director for Intelligence Community Affairs, at the December meeting to discuss the role of the Security Policy Board.

Issues Update: IT Laboratory, Budget, and Key Escrow
Mr. Raymond Kammer, Deputy Director of NIST, briefed the Board on the vision and mission of the proposed NIST Information Technology Laboratory (ITL). ITL will result from the merger of the current Computer Systems Laboratory (CSL) and the Computer and Applied Mathematics Laboratory (CAML). Board members remarked that there is no mention of security or privacy in either the vision or mission statements. Mr. Kammer said he would see that the statement(s) are changed to reflect security and privacy. He said that the technology cycle in CAML is short and the standards cycle in CSL is long; therefore, the ITL would be an enabler to ease the use of information services. Some areas where other agencies would like more support from NIST are: 1) advanced networks and security, 2) user interface and information access, 3) applied math and statistics, and 4) technology integration and use.

With regard to NIST's FY96 budget, Mr. Kammer said that funding is expected to be reduced. If this happens, he would not object to a 10% reduction in force across NIST. He mentioned that the House bill does not want NIST to do anything with regard to pollution, the NII, or international standards.
He said that the President strongly supports what NIST does and will most likely veto any bill under which NIST programs and funding would be severely reduced or cut. Mr. Kammer said that, for now, NIST will proceed as usual.

Mr. Kammer discussed the September 6-7, 1995 meeting on Key Escrow. One principal objective was to understand industry's reaction to the draft export criteria. He said that, based upon industry's comments, it is likely that some requirements can be consolidated. A revised draft list of criteria is expected to be published in the Federal Register for public comment. Proceedings from the meetings are being prepared for publication sometime in mid-November, and copies will be sent to the Board. (ACTION-SECRETARY) Mr. Kammer also discussed the tentative agenda for the upcoming exploratory workshop, on September 15, 1995, on developing a FIPS for key escrow encryption. The goal is to initiate a process to develop a FIPS for key escrow encryption that is implementable in software. (See Reference #1.)

During the discussion period, the Board continued to address the outcome of the September 6-7, 1995 meetings. Some of the Board members were present at those meetings, which included discussion to clarify the proposed export criteria. Mr. Steve Walker commented on discussion that focused on Data Recovery Centers and said that users will be able to buy third-party trusted systems. Details need to be worked out, as discussed in the September 6-7, 1995 meetings. He said that each country needs to decide who would hold the escrowed keys, the U.S. or each country. Mr. Walker said that an interim agreement with a few countries should be forthcoming by the end of 1995.

Security Policy Board (SPB) Update & DOEDODCID (Combined Policy)
Ms. Vicki LaBarre, Security Policy Board (SPB) Staff, updated the Board on the activities of the SPB.
She said there was a series of meetings between July 20 and August 17, 1995 with discussions on a statement of the problem and security issues in general. Congress is concerned with how the Executive Branch plans to deal with information security; therefore, it has requested a comprehensive plan addressing its concerns by March 1, 1996. Ms. LaBarre brought some extensive wall charts used to document who is doing what in security, how various activities fit together, and whether there are any benefits to the private sector. The charts show who the players are, which organizations have lead responsibilities in information security and policy, what the overlap is, associations and societies with information security activities, etc. Ms. LaBarre said she would send a slide that lists industry participation to pass on to the Board. (ACTION-Ms. LABARRE and SECRETARY) (See Reference #2.) With regard to the DOEDODCID (combined policy) initiative, Ms. LaBarre reported that only the policy is on track.

After lunch, the Board unanimously approved the minutes of the June meeting. There was some discussion as to whether the Board should take action with regard to changes to the export criteria and whether it would be too late for the Board to respond by its December meeting.

OMB Circular A-130, Appendix III - Resolution of Comments/Current Status, Coordination of How Rules/NIST Handbook/Policy Fit Together, and the Proposed Cohen Bill
Mr. Ed Springer, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB), discussed the comments to and current status of A-130, Appendix III since his update to the Board at its June meeting. He said there is not much to report. There were no major concerns raised except for the renewed focus on training and awareness. Mr. Springer discussed the relationship of rules to policy. He said that the NIST handbook addresses operations policy, which is the same as rules of behavior in A-130.
The distinction is that the handbook addresses security people, whereas the A-130 rules of behavior address everyone. Mr. Whitehurst asked if the differences would be clear to readers. Mr. Springer responded that the clarity would be in the preamble to A-130.

Mr. Springer remarked that the Cohen bill is currently attached to the DoD Authorization Act. The intent of the bill is to reform today's complex acquisition process. To start, Congress wants to revise the Brooks Act, which is the underlying base authority for the Computer Security Act of 1987 and for the Department of Commerce to address standards. The Administration is working with Congress on the bill; however, the entire bill is under a veto threat. Ms. Lambert asked Mr. Springer the status of the Grassley Bill. He said that it is inactive, but to continue seeking updates on it. He conveyed the need for a coherent paper on security technology and a strategic way to approach this widespread problem.

During discussion time, Chairman Ware asked Mr. Springer if he could give the Board his opinion of the September 6-7, 1995 meeting. Mr. Springer said that he thought the meeting was generally successful; however, he heard three different viewpoints: 1) some understood the concerns of the Administration, 2) some were new to the issue and were confused because the meeting had no background information, and 3) some philosophically disagreed with the proposal.

Computer Security: Lessons Learned from GAO Financial Audits
Mr. Greg Holloway, Director of Civil Audits Oversight at the General Accounting Office (GAO), discussed some of the security lessons learned while conducting GAO audits of systems. GAO not only looks at computer security in individual agencies, but also across the entire government. During his audits, he has discovered two overriding points: 1) failure to plan for security when developing a system, and 2) denial of any problem, which leaves a false sense of security that no one can break into a system.
Most agencies consider security after system development, and none audits vulnerabilities to a system. GAO uses penetration testing, which was accomplished every time. Mr. Holloway stated that he has not seen anyplace where security was integrated. In fact, security gets deferred in most cases. He cited the Minnesota State Sales Tax System as a good example of a program which integrated security at all stages of the development.

Update on Bankers Trust Proposed Key Escrow Approach
Ms. Nanette Di Tosto, Bankers Trust, briefed the Board on their approach to key escrow. Ms. Di Tosto emphasized that key escrow is critical to the Government Information Infrastructure and that businesses need to protect and secure their communications and electronic records. She explained that encryption is becoming increasingly risky: individuals would not be able to decrypt if keys are lost, and corporations, fearing this, want assurances of access to employee keys. Ms. Di Tosto said that private key escrow is a solution and also would help meet the needs of law enforcement. She believes Bankers Trust's solution of a private key escrow system will address the interests of individuals, corporations, and government. It also enables authorized access by owners, employers, and law enforcement with proper authorization. She went on to describe the main features of the private key system: it includes a hardware solution, user options and protections, an authorized access model, and international viability. (See Reference #3.)

During the discussion period, Mr. Steve Walker stated that during the August 17, 1995 key escrow workshop, briefing slides addressing legislation were presented with regard to the ten criteria and current requirements. Mr. Walker noted that it is not necessary to have legislation to activate a system like Trusted Information Systems' (TIS) or Bankers Trust's. (See Reference #4.)

European Union Data Protection
Mr. Bill Whitehurst briefed the Board on the renewed focus on privacy and data protection as announced by the European Union (EU) Data Protection Council. He presented some legislative history, by other countries and the U.S., from the early 1970s to the present. The most recent document issued is the EU Data Protection directive proposal, which was passed this year. He discussed many aspects of the directive, from the parties involved to the impact of the directive. (See Reference #5.)

The meeting recessed at 5:00 p.m.

Thursday, September 14, 1995

During the discussion time, Ms. Sandra Lambert presented the Board with a draft resolution encouraging the government to have additional interaction with the private sector. After several modifications to the draft document, the Board unanimously passed Resolution 95-4. (See Attachment #1.)

NIST's Plans to Implement A-130, Appendix III
Ms. Barbara Guttman, Computer Specialist with NIST's Computer Security Division, briefed the Board on NIST's plans to implement the requirements of A-130, Appendix III. Ms. Guttman reviewed A-130 assignments and responsibilities for NIST in six areas. Implementation plans for each are as follows:

1. Develop and issue appropriate standards and guidance for the security of sensitive information in federal computer systems, as mandated by the Computer Security Act of 1987. Several Computer Systems Laboratory (CSL) Bulletins have been issued to date.

2. Review and update guidelines for training in computer security awareness and accepted computer security practice, with assistance from OPM. NIST has developed several documents relating to training and awareness, and developed a general computer security class. These efforts are currently being updated.

3. Provide agencies guidance for security planning to assist in their development of application and security plans. Agencies currently use OMB Bulletin 90-08 for security planning. However, that Bulletin is designated to be re-written.
NIST has an A-130 security working plan in house for internal systems. A publication on planning is proposed.

4. Provide guidance and assistance, as appropriate, to agencies concerning effective controls when interconnecting with other systems. Several documents have been produced relating to interconnecting with other systems, as well as a training course on Internet security. Other publications are being developed or updated, and there is a continuing effort to offer more Internet security courses.

5. Coordinate agency incident response activities to promote sharing of incident response information and related vulnerabilities. Spec. Pub. 800-3, Establishing a Computer Security Incident Response Capability, was developed in 1991. NIST is the secretariat and a founding member of the Forum of Incident Response and Security Teams (FIRST), and runs a Computer Security Clearinghouse. Work in progress includes, but is not limited to, updating and maintaining the Clearinghouse, and preparing a course on setting up a center for incident response.

6. Evaluate new information technologies to assess their security vulnerabilities, with technical assistance from the Department of Defense, and apprise federal agencies of such vulnerabilities as soon as they are known. NIST continues to evaluate new information and technologies in order to bring federal agencies up-to-date information concerning all security issues. (See Reference #6.)

Government Information Technology Services (GITS) Update
Ms. Patricia Edfors, Director, Computer and Telecommunications Security Staff at the Department of Justice, presented the Board with an overview of the Government Information Technology Services (GITS) Working Group's IT10 initiatives. The GITS Working Group was created and endorsed by Vice President Gore as part of the National Performance Review (NPR).
The Working Group's mission is to promote the improvement of agency performance through the use of information technology, among other things. The Working Group is also responsible for implementation of the recommendations in the NPR Accompanying Report, titled Reengineering Through Information Technology. Ms. Edfors said that the GITS Working Group is comprised of senior managers from several government agencies, selected based on the value they can contribute. IT10 is designed to develop systems and mechanisms to ensure privacy and security. There are eleven initiatives, each having a champion and an office of primary responsibility identified. Mr. Bruce McConnell, OMB, is the champion for IT10.01, which was designed to establish a privacy organization. A Privacy Working Group has been organized and a set of privacy principles established. Mr. John Cavallini, DOE, is the champion for IT10.10, to develop a comprehensive Internet security plan. Ms. Edfors said that a copy of the Internet security plan draft report is available to the Board. (ACTION-SECRETARY) The Board asked Ms. Edfors if she or Mr. McConnell could update them at either the December 1995 or March 1996 meeting. (See Reference #7.)

Issue Update On: Information Security & Privacy in Network Environments
Ms. Joan Winston, Office of Technology Assessment (OTA), briefed the Board on their latest document, Information Security and Privacy in Network Environments. Ms. Winston announced that "the views expressed herein are not necessarily those of the Technology Assessment Board or the Congress." She reviewed the three sets of policy issues that were addressed in the September 1994 OTA report. The three policy issues are: 1) national cryptography policy, including federal information processing standards and export control; 2) guidance on safeguarding unclassified information in federal agencies; and 3) legal issues and information security, including electronic commerce, privacy, and intellectual property.
Senators Roth and Glenn, of the Governmental Affairs Committee, requested that the report be updated. The motivation for the update is the increasing importance of information security and privacy in the public and private sectors. Other motivations were prompted by cryptography activities, developments in federal security guidance for information technology (IT) management, and preparations for hearings and legislation on information security and IT management. One overarching issue that needs to be resolved by Congress is where federal authority for safeguarding unclassified information in civilian agencies should reside. The question remains what needs to be done concerning the substance and implementation of P.L. 100-235, the Computer Security Act of 1987. She said that there are plans to take another look at security in this Congress. Ms. Winston went on to say that many questions regarding escrowed encryption and export control initiatives still remain. (See Reference #8.)

During the Chairman's time, Dr. Ware presented certificates of appreciation for years of service on the Board to Messrs. Steve Walker, Cris Castro, and Don Gangemi. Each of their four-year terms has expired. They all urged the Board to continue its good efforts.

Update on Trial Evaluations
Mr. Charlie Baggett, National Security Agency, introduced Mr. Tom Anderson, of his staff, to present an update on trial evaluations. Mr. Anderson is co-chair of the Trust Technology Assessment Program (TTAP) Working Group with Ms. Pat Toth of NIST. Mr. Anderson discussed additional accomplishments since the June Board meeting. A product was accepted from Hewlett-Packard for evaluation in July 1995. In August 1995, a TTAP proof-of-concept evaluation contract was awarded; it is expected to be completed in May/June 1996. A draft of the DVT for C2 was finalized, and Hewlett-Packard provided a technical assessment. NVLAP coordination meetings were held in September 1995.
Some future activities have been planned to develop NVLAP documents for overall policy for TTAP and to begin NVLAP accreditation of labs in the fourth quarter of calendar year 1996. Mr. Anderson noted that in Resolution 95-2 of March 1995, "T3" needs to be changed to "T1." (ACTION-SECRETARY) He discussed a joint NIST/NSA draft guidance publication, to be issued as a Computer Systems Laboratory (CSL) bulletin, describing a structure for the selection and acceptability of products. The bulletin will include an appendix listing the products evaluated. (See Reference #9.)

Public Participation
During the public comment time, Mr. Michael Papillo, of Houston Associates, Inc., in support of ARPA, briefed the Board on the activities of the Technology Policy Working Group (TPWG) of the IITF (Information Infrastructure Task Force). The TPWG's task is to review technology policy for the NII (National Information Infrastructure) to ensure support for cooperative federal-industry approaches in the development of security technology. Mr. Papillo wanted to bring to the Board's attention that a call for white papers was sent out in September 1995, seeking inputs from U.S. industry on ways to improve the process by which public policy on information technology and systems security is developed. A workshop is planned for December 1995. Mr. Whitehurst noted that September 19, 1995 is the closing date for comments on the Office of Management and Budget's NII security paper; therefore, Mr. Papillo's conference may be premature. (See Reference #10.)

The meeting adjourned at 3:00 p.m.

Attachments
#1 - Resolution 95-4

References
#1 - Kammer slides
#2 - LaBarre slides
#3 - Di Tosto slides
#4 - Walker handout
#5 - Whitehurst handout
#6 - Guttman slides
#7 - Edfors slides
#8 - Winston slides
#9 - Anderson slides
#10 - Papillo handout

/s/
Edward Roback
Executive Secretary

CERTIFIED as a true and accurate summary of the meeting

/s/
Willis H. Ware, Ph.D.
Chairman

APPENDIX G
Federal Register Notices

See separate text on the Computer Security Resource Clearinghouse.