URL: http://csrc.ncsl.nist.gov/csspab/minutes.695

[Reformatted for easier reading]

MINUTES OF THE JUNE 7-8, 1995 MEETING OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

Wednesday, June 7, 1995

Introduction

A quorum being present, the Chairman, Dr. Willis Ware, called the meeting to order at 9:00 a.m. at the National Institute of Standards and Technology (NIST), Gaithersburg, Maryland. Besides Dr. Ware, the following Board members were present: Charlie Baggett Jr., Genevieve Burns, Cris Castro, Don Gangemi, Sandra Lambert, Joseph Leo, Henry Philcox, Randy Sanovic, Linda Vetter, Steve Walker, and Bill Whitehurst.

Mr. Ed Roback, Board Executive Secretary and newly appointed Designated Federal Official, discussed some of the handouts provided to the Board. Most important was a copy of a draft House bill referred to as the "Department of Commerce Dismantling Act." If enacted, part of NIST would be transferred to the National Science Foundation. The Commerce Program Resolution Agency (CPRA) would be established and attempt to sell NIST laboratories (and other specified elements of the Department of Commerce) to the private sector. If not sold within 18 months of enactment, CPRA would submit their recommendations to Congress on the appropriate disposition of the property and functions of the laboratories.

OMB Circular A-130, Appendix III Update and Review of Comments and "NII Security: The Federal Role"

Mr. Ed Springer of the Office of Information and Regulatory Affairs, Office of Management and Budget (OMB), updated the Board on the recently signed Paperwork Reduction Act of 1995. (Copies are available for distribution to the Board.) (ACTION - SECRETARY). Mr. Springer said that security remains a concern and is supported by strong language in the law requiring agencies to secure their systems.

Mr. Springer updated the Board on Appendix III to OMB Circular A-130. Since his briefing to the Board in March, the comment period for the proposed changes to Appendix III has closed. OMB received twenty-nine written comments to date. He solicited Board members for their reactions to the draft proposal.

Mr. Springer was asked how OMB will enforce the requirements of Appendix III. He said enforcement comes through oversight and the budget process. There is a sharper focus on where agencies can go for help. One Board member asked if OMB plans to develop a standard set of behaviors. Mr. Springer replied that OMB will not go that far; however, Appendix III addresses the risks for agencies to use as a guideline for security considerations. Board members noted that agency visits to senior management regarding security plans, as were conducted in the 1989-1990 timeframe, seemed successful. Mr. Springer said that the Federal Managers Financial Integrity Act provides oversight of the requirement for agencies to prepare new plans.

Mr. Springer agreed to brief the Board at its September meeting to further discuss the comments received and current status. He mentioned that the final document, "NII Security: The Role of Federal Government," would be out soon and Board members would receive copies. (ACTION - SECRETARY).

Defensive Information Warfare & Unclassified Government and Private Sector

Mr. Martin Hill, Deputy Director for Information Warfare Programs, Office of the Assistant Secretary of Defense, briefed the Board on Information Warfare (IW) from a DoD perspective. He said that commanders should not depend on information and information systems that they cannot rely on. He used the example of Desert Storm, which was won through the use of intelligence; Iraq, in effect, lost the war before it even began. Mr. Hill said that IW is driven by daily attacks on U.S. computer networks. The national security construct is changing because DoD utilizes commercial sector security and shares their vulnerabilities.
The DoD unclassified definition of IW is "Actions taken to achieve information superiority in support of national military strategy by affecting adversary information and information systems while leveraging and protecting our information and information systems." Some of the areas that need defending are: leadership; command facilities; integrated air defense and controls; computers, software, data bases, and displays; power production sources; and links to media.

The U.S. IW strategy is to:

- Use U.S. technological superiority to provide the right information to the right place at the right time,
- Aggressively defend against attacks on our information, and
- Use offensive techniques to attain and maintain information superiority.

Mr. Hill also emphasized the need for and importance of training. He said they have assembled "Red Teams" made up of DoD personnel that converge on other DoD systems to determine their vulnerabilities. When asked how DoD could best communicate their requirements to the commercial sector, Mr. Hill said that they conduct seminars and "war games," both of which are attended by industry. (See Reference #1.)

X/Open Security Branding Proposal

Mr. Peter Callaway, Senior Security Technologist for IBM, provided the Board with an update on the X/Open security branding proposal. Mr. Callaway was speaking from three perspectives: IBM (a member of X/Open), X/Open, and as a user. He said that X/Open feels they have the appropriate and proven experience by setting industry standards and performing conformance branding. X/Open has the commitment of vendors to build products to their specifications with regard to technical plans established with vendor cooperation and commitment to product follow-through.

X/Open Branding is a certification scheme for conformance verification, not evaluation. Currently, X/Open branding requires evidence of successful execution of a test suite where appropriate test suites are available. It requires a conformance statement questionnaire and a trademark license agreement to be completed by the applicant. (See Reference #2.)

Security Policy Board (SPB) Update

Ms. Vicki LaBarre, Security Policy Board (SPB) Staff, briefed the Board on the progress of the SPB. Ms. LaBarre reminded the Board of the role of the SPB as chartered by Presidential Decision Directive (PDD)-29. The SPB and Security Policy Forum are jointly chaired by DoD and intelligence community members, but their members include non-DoD and non-intelligence community representatives.

Ms. LaBarre relayed that the SPB considers itself an "honest broker" to identify issues and positions from all parties on key questions. She said that the fundamental question is whether the executive branch needs a single, consolidated INFOSEC policy making mechanism.

If a consolidated INFOSEC policy making mechanism is needed:

Can the existing SPB structure created by PDD-29 meet that need?

- If yes: how should an information systems security committee be chartered and constituted?
- If not: how could/should the SPB/SPF be modified to become an effective INFOSEC policy mechanism?

What other existing entity in the executive branch could act, or be modified to act, as the executive branch's INFOSEC policy making apparatus?

What kind of new entity could be created to meet this policy making need?

If a consolidated INFOSEC policy making mechanism is not needed:

- How can the existing INFOSEC policy and advisory boards, committees, forums, etc., be made to more effectively identify, prioritize, resource and act on major INFOSEC issues and vulnerabilities affecting the national interest?
- Are executive branch INFOSEC resources adequate to provide for acceptable security for government information systems?
- Are existing INFOSEC resources appropriately located and distributed within the executive branch?
Recently the SPB staff convened a special working group to draft a resolution to call for compiling a list of major INFOSEC issues. The matter will be discussed at the Security Policy Board Forum meeting on June 23.

In summary, Ms. LaBarre emphasized that we must do a better job of INFOSEC governmentwide, which is doable if everyone works together for the common good.

Throughout Ms. LaBarre's presentation, some Board members expressed serious concerns about many aspects of the SPB's charter, the first SPB staff report and their present stance on the effort of a single policy making mechanism. Some Board members expressed the view that the initial report was not clear with regard to what kind of information would encompass "national interest." She said that the first report was purely a "think piece" to stimulate discussion, which it has done. (See Reference #3.)

Commercial Key Escrow Update

Mr. Steve Walker, President, Trusted Information Systems (TIS), presented the Board with an update of TIS' Commercial Key Escrow (CKE) activities. Mr. Walker recently met with senior management of National Semiconductor Corporation. They discussed a proposal to use CKE in an escrowing approach called Commercial Automated Key Escrow (CAKE), in which the CKE system has been modified to work with National's PersonaCard cryptographic hardware tokens. Mr. Walker believes that this approach meets the needs expressed by the Vice President.

CAKE does the following:

1. It removes all very strong cryptography from software.
2. It uses these special CAKE tokens to automatically escrow an encrypted copy of every message key within the message envelope itself, in a special Data Recovery Field (DRF) consisting of the message key and Data Recovery Center (DRC) and token identifiers, encrypted with the public key of a Designated DRC.
3. It provides access to DRFs via the private key of the DRCs, and allows any user to establish their own DRC to safeguard corporate information.
4. It uses well known cryptographic algorithms such as DES, triple DES and RSA, instead of algorithms such as Skipjack.
5. Finally, it gives American computer and communications industries the ability to easily export strong and very strong encryption as part of their information highway products.

Mr. Walker briefly discussed the software binding issue, which has been put off by implementation into the PCMCIA card, but it still needs to be tried and a software vendor is being sought to do so. The card implementation is aimed at files and e-mail, not telephony. There is initial concern with regard to cost; however, it is tamper proof and cannot be distributed over the Internet. Mr. Walker said they are seeking export approval with DES and CKE and hopes for a position resolution in the near future. (See Reference #4.)

The meeting recessed at 5:20 pm.

Thursday, June 8, 1995

SI-PMO Action Plan Briefing

Mr. Al Williams, Acting Director of the Security Infrastructure Program Management Office (SI-PMO) at GSA, updated the Board on the activities and progress of the SI-PMO. He discussed some of the near term goals: identifying and resolving critical policy issues related to support of multiple technologies, developing a security architecture, defining user-to-user and user-to-SI specifications, and establishing a formal liaison between the SI-PMO and the Canadian Government.

Board members asked about milestones. Mr. Williams directed members to the summary of the near-term actions and milestones in the Action Plan appendix. When asked who has received the Action Plan, Mr. Williams replied that it was distributed to the Government Information Technology Services Group, the National Information Infrastructure Security Issues Forum, the Electronic Commerce Acquisition Program Management Office, the E-Mail Program Management Office, NSA, NIST, and the PKI Steering Committee.

The Board commended Mr. Williams for working an issue with a real time frame. Mr. Williams was invited to come back and update the Board as he feels appropriate. (See Reference #5.)

Common Criteria Update

Dr. Stu Katzke, Chief, NIST Computer Security Division, updated the Board on the Common Criteria (CC) effort. He discussed the Common Criteria for Information Technology Security Evaluation workshop on May 11-12 in Ottawa, Canada. Approximately 40 people from Europe, Canada, the U.S., and Japan participated in the workshop. The workshop served to allow the CC Editorial Board to:

- provide general information on the comments received and the planned changes to the document based on these comments; and
- receive added clarifications on the reviewers' comments on the document so they can update the document to reflect the expert opinions.

The number of assurance levels and where they are were discussed; however, that issue is not as high on the list as the six key global issues below:

1. Document Organization - understandability and usefulness;
2. Extensibility of Requirements - support of ITSEC is unclear;
3. Extensibility of CC - how to maintain the CC;
4. Protection Profile - relationship unclear;
5. Protection Profile - selection of requirements; and
6. Dependencies and Binding - completeness/correctness.

Dr. Katzke said that the NCSC plans to perform evaluation trials by January of 1996. (See Reference #6.) Mr. Charlie Baggett volunteered to brief the Board in September on trial evaluations. (ACTION - SECRETARY AND MR. BAGGETT.)

The discussion then turned to the Board's March resolution (95-2), which recommended to NIST and NSA that a statement be made regarding the equivalence of C2-level evaluated products. Mr. Lou Giles of NSA briefed the Board on NIST and NSA's response to that recommendation.
In July, NIST and NSA will publicly clarify the relationship between TCSEC C2, ITSEC E2, and CTCPEC T1 levels to encourage federal programs with requirements for evaluated low assurance level products to use trusted products evaluated at these levels. NIST and NSA will publish a Bulletin in July 1995, which will describe a structure for the selection and acceptability of these products. The Bulletin will include an appendix listing the products evaluated and in evaluation under each criteria. (See Reference #7.)

Mr. Giles used the phrase "selection preferences for C2 requirements." Some Board members said that the word "preference" takes away from equivalency, and they are concerned that the list of requirements is a preference list rather than a menu.

Selection preferences for C2 requirements are as follows:

- C2 products on U.S. EPL;
- Products under U.S. TCSEC Evaluation (C2);
- FPC2/T1 products on Canadian EPL or FC2/E2 products on European EPL; and
- Products under CTCPEC (FPC2/T1) or ITSEC (FC2/E2) Evaluation.

Some Board members are concerned that the list suggests that U.S. products be used first, thereby implying that they are better than other products. In discussion, most Board members recommended they order the products in rank of completed vs non-completed.

Mr. Giles updated TTAP accomplishments. To date the work group has performed the following:

- Drafted an SOW for TTAP Developmental Commercial Evaluation (Feb. 95);
- Annotated outline for document on what it takes to be accredited under NVLAP (Mar. 95);
- Drafted first suggested evaluator actions for TCSEC Class C2 provided to NVLAP for review (Apr. 95);
- Drafted second suggested evaluator actions for TCSEC Class C2 (May 95); and
- Drafted first Technical Review Board expectations of a team (May 95).

Future activities for TTAP include:

- Contract for TTAP Developmental Commercial Evaluation (Jun/Jul 95);
- Start TTAP Developmental Commercial Evaluation (Aug. 95);
- Conduct lessons learned from contracted effort (May 96); and
- Expect NVLAP to accredit several Labs (NLT Aug. 96).

(See Reference #8.)

Privacy Update

[Statement by Mr. Robert Gellman omitted]

Discussion

During discussion time, Board members voted on and unanimously approved the minutes of the March, 1995 meeting.

The Board engaged in a lengthy discussion concerning PDD-29 and the intent of the charter of the SPB. Board members debated the idea of a single policy focal point. They also debated the phrase in PDD-29 "National Security." One Board member reminded the Board of a Government Computer News article that PDD-29 appears to be clouded as to whether the PDD intended to include sensitive unclassified information in addition to national security (i.e., classified/Warner Amendment) information. A motion was moved and seconded directing the chairman to draft a letter to the Co-Chairs of the SPB and the SPF, articulating the need for clarification of PDD-29 and the SPB charter. (ACTION - CHAIRMAN AND SECRETARY.)

PKI Steering Committee Activities

Mr. Robert Rosenthal, Manager, NIST Protocol Security Group, briefed the Board on the activities of the Public Key Infrastructure (PKI) Steering Committee. Three working groups reside under the Committee: technical (chaired by IRS), business and legal (chaired by Treasury), and users (chaired by the SI-PMO). The Steering Committee continues to liaise with the Canadian and Swedish governments, the Internet community, the American Bankers and American Bar Associations and the U.S. Council for International Business.

The Steering Committee is exploring the establishment of a Cooperative Research and Development Agreement (CRDA) with industry organizations to:

- Research and Develop a PKI Interoperability Test Plan and a NIST PKI Test Facility;
- Publish test procedures and lessons learned; and
- Develop and Demonstrate Interoperable Certificate Services on a wide variety of Internetworked Communications Facilities.

Mr. Rosenthal said there are workshops and special projects slated for the future, to include a tri-sponsored PKI Invitational Workshop Series by NIST, the Security Infrastructure Program Management Office and MITRE. Also planned are some interdivision projects such as: PKI, time and attendance, travel, procurement, and others that will be available on the "NISTNET." NISTNET is a campus-wide local area network for NIST. (See Reference #9.)

DISA/ARPA/NSA Memorandum Of Understanding Briefing

Mr. John Davis, Director, NSA's National Computer Security Center, briefed the Board on the Memorandum Of Understanding (MOU) between the Defense Information Systems Agency (DISA), the Advanced Research Projects Agency (ARPA), and the National Security Agency (NSA). He said that ARPA and NSA are the major INFOSEC research programs in government and the major user of INFOSEC is DISA. The Information Systems Security Research Joint Technology Office was established by a Memorandum Of Agreement (MOA) in March of 1995 and signed by the Directors of ARPA/DISA/NSA to coordinate security research efforts with a heavy reliance upon commercial technology.

The following nine items were called out in the agreement: 1) Strategic Planning, 2) Review and Coordinate, 3) Evaluate Proposals, 4) Metrics, 5) Prototypes, 6) COTS, 7) Standards, 8) Crypto and 9) Public.

Mr. Davis said this is work in progress and they are looking for useful results. Vendors will show their products at the NIST/NCSC National Information Systems Security Conference (NISSC) in Baltimore in October. Mr. Davis stated that the intent is not to focus only on DoD. A Defense solution would be costly; therefore, commercial products with built in security are needed. (See Reference #10.)

Public Comment

[Omitted]