From: <http://www.xiwt.org/secpros1.htm>

Call for White Papers
Information Technology Security Policy Setting Process
issued by the Cross-Industry Working Team
Thursday, September 28, 1995

Introduction

The Cross-Industry Working Team (XIWT) is seeking inputs from U.S. industry on ways to improve the process by which public policy on information technology systems security is developed. At the invitation of the Information Infrastructure Task Force (IITF) of the U.S. government, XIWT is soliciting ideas broadly from U.S. industry, in the form of White Papers that address this issue. XIWT will, later this year, convene a workshop of industry experts to organize the ideas and suggestions expressed in these White Papers into a report for use by the IITF, and will prepare a report to be made available to the public.

XIWT is a multi-industry coalition of organizations committed to defining the architecture and key technical requirements for a powerful and sustainable national information infrastructure (NII). XIWT aims to foster the understanding, development and application of technologies that cross industry boundaries; facilitate the conversion of the NII vision into real-world implementations; and facilitate a dialogue among representatives of stakeholders in the private and public sectors. Additional information about XIWT can be found on the Internet at: http://www.xiwt.org/homepage.

Information Technology Systems Security

In the developing National Information Infrastructure (NII), information technology will be deployed in a wide range of contexts and systems including communications, computing, software systems, and many different types of applications. The ability of this technology, and of the systems which employ it, to provide the requisite levels of security and protection is of concern to almost everyone.
Issues of central concern include: physical protection of systems and their contents, potential vulnerabilities at various points within the networked environments of these systems, and the ability to provide or even guarantee reliable and/or uninterruptible service. The infrastructure for such capabilities will need to include mechanisms for the protection of networks, computers and other types of equipment, and of systems that employ these elements, as well as methods for analysis, certification and validation of technology and systems, and for facilitating the setting of standards. It is likely that cryptographic capabilities will need to be available throughout for possible use in protection and authentication of information. Issues involving the management of these capabilities will need to be uncovered, discussed and resolved where possible.

At present, the federal government has no formal process in place, in the Congress or in Executive Branch agencies, which adequately involves the private sector in the determination of public policy in this area. Responsibilities for this broad area within the federal government are widely diffused and do not necessarily ensure that all the relevant concerns of the private sector are taken into account. Further, no single process is used by the various parts of the federal government, and a variety of policies, reflected in laws, regulation and practice, usually result. A methodology is required by which private sector interests can be adequately expressed and factored into resulting policies.

The purpose of this call for white papers is to request written inputs from interested and knowledgeable parties on how the formal process for developing information technology systems security policies may be improved, and particularly on how private sector inputs can be most effectively incorporated.
Specifically, industry is requested to identify those areas, domains, and issues that are especially relevant for consideration, and to recommend specific suggestions or approaches by which the policy determination process in these areas may be improved. This may entail, for example, the establishment of one or more bodies dedicated to this purpose, within or across domains; the creation of a broad set of principles for the government or other bodies to employ; the setting of national goals or other specific recommendations for federal action.

Submissions

White papers are specifically solicited from U.S. industry; other individuals who wish to contribute are welcome to do so. Submissions may be made on paper or electronically by sending electronic mail, document files, or via a form located on the XIWT World Wide Web server (addresses below). Submissions made on behalf of companies will be taken to represent the views of the firm; these will be verified if it is not made clear in the submission that the document represents a company position. Individual submissions will not be verified if they do not claim to represent company positions.

Submissions should be:

1) responsive to the primary goal of this call (focused specifically on process improvement and not the presentation of views on policy deficiencies or on desired policies);
2) clear in terms of specific topics, areas or domains of policy;
3) reasonably direct, brief and timely.

Any format may be used for the white paper, and it may be of any length. However, submissions must include the following information, on envelopes or headers to email and web messages, and on the submission document, whatever its form:

1. The name of the individual making the submission;
2. The name of the firm on whose behalf the submission is made;
3. The return address by which the submission may be verified, if necessary.

XIWT will convene a one- or two-day invitational workshop in the Washington DC area in December, 1995, to review submissions and organize the preparation of findings. Papers received by November 15, 1995, will be used in the workshop. The report of this effort is intended to be made available in February, 1996.

Submissions must be made to one of the following addresses:

Conventional Mail:
Security Policy Process
XIWT
1895 Preston White Drive
Suite 100
Reston VA 22091-0913

Electronic Mail: secpros@cnri.reston.va.us
Please place "Security Policy Process" in the "Subject:" field. Please use ASCII text in any attachments.

World Wide Web: suggestions may be contributed via the Internet at: http://www.xiwt.org/response

The content of submissions will be used by XIWT only for the purposes described in this call. No specific attribution to individual companies or individuals will be made in the findings or report.

We look forward to your help in this important national effort.

For additional information, please contact Charles Brownstein or Pam Memmott
Tel: (703) 620-8990
Internet: cbrownst@cnri.reston.va.us
Internet: pmemmott@cnri.reston.va.us

9/22/95; PJM