GAK Advisory Board
Minutes of the March 22-23, 1995 Meeting of the Computer System Security and Privacy Advisory Board

Wednesday, March 22, 1995

Introduction

A quorum being present, the Chairman, Dr. Willis Ware, called the meeting to order at 9:00 a.m. at the Holiday Inn, Gaithersburg, Maryland. Besides Dr. Ware, the following Board members were present: Charlie Baggett Jr., Genevieve Burns, Cris Castro, Don Gangemi, Sandra Lambert, Henry Philcox, Randy Sanovic, Stephen Trodden, Steve Walker [TIS], and Bill Whitehurst [IBM].

[Snip long section on security assurance standards and methods in US, Canada and UK.]

Update on X/Open Branding Project

Mr. Bill Whitehurst, IBM, gave a brief update of the activities of the X/Open Branding Project. Two major components exist within their branding concept: (1) the ability to implement functionality based on a minimum set of assurance functionality requirements (MSFR), and (2) the confidence in the development process for achieving the functionality. He said that the workgroup meeting, hosted by Hewlett Packard, was held early in March. The group plans to re-write their document to include some type of evaluation process prior to the vendor product getting branded. X/Open plans to have a public review of the changes this summer.

Vendor Perspective

Ms. Linda Vetter, Oracle Corporation, presented Oracle's views of security assurance. She discussed three types of assurance issues: (1) government evaluation and certification; (2) third party evaluation and certification (government and business sponsored); and (3) vendor claims. Ms. Vetter explained Oracle's evaluation experience for two DBMS server products, Oracle7 and Trusted Oracle7, in both the US and the UK. Oracle used the US TCSEC TPEP evaluation for B1 and C2 systems. They also used the UK ITSEC evaluation for E3 systems (which is the equivalent for US B1 and C2 systems). The UK process took significantly less time and cost less money for an identical product. Ms. Vetter suggested that NIST/NSA look into developing equivalent/comparable trust levels between the two different evaluation criteria methods as well as those for other countries. This would minimize the need to have different evaluations performed (one for each country) for the same product. Oracle has on-going work in other areas (e.g., RAMP, CMM, ISO, and Audits) as well as multiple CLEFS with the UK, Sweden, France and Germany.

Ms. Vetter explained the differences in criteria between the TCSEC and the ITSEC. She said that the ITSEC requirements for the content of evaluation deliverables formed a superset of the corresponding TCSEC requirements for the evaluations. However, the TCSEC creates a framework for the presentation of these requirements and there can be little deviation from this. Oracle would like to see more concentration on low-end assurance requirements and processes. This would enable various sectors like health care, banking, and financial industries to have protection for unclassified to sensitive data. Ms. Vetter encouraged NSA to continue its efforts in modeling (Common Assurance Framework, TCMM, and SE CMM) and would discourage any more efforts in product profiling. The modeling efforts encourage vendor quality improvement, promote flexibility in meeting assurance objectives, and are transferable to other private sector domains besides DoD. (See Reference #8).

Wrap-up and Restatement of Issues

Dr. Katzke summarized the discussion of assurance by saying that opportunities exist to look at alternatives. He is not sure what the government's role is or which areas to concentrate on with respect to cost. He said that he could continue with the same level of effort that is going on now with community involvement. He is open to suggestions with regard to the assurance process.

Discussion

After a lengthy discussion on the state of the Common Criteria (CC) and assurance approaches and issues, some of the major points from individual Board members included:

- Concern as to when the CC will be widely accepted and used;
- Whether to adopt the ITSEC now and migrate to CC;
- The need to simplify the CC;
- Building assurance and quality into the new assurance framework;
- Clearly define assurance needs to be universally understood;
- Conduct more C2 and below evaluations in the US;
- Concentrate on low-end assurance; and
- Bring key industry players into the process.

[Snip]

Board members continued their discussion of criteria and assurance from the previous day. Some of the major points of the discussion from Board members included the need:

- for OMB to state the need for C2 level evaluation compliance for various government product purchases;
- for NSA to make a statement about equivalency among all existing non-US trust levels;
- to begin using components of the Common Criteria and gradually migrate to it;
- to continue a wide range of assurance framework options and procedures; and
- to focus on low-end assurance methods and encourage C2 level evaluation along the following Canadian AL-1 evaluation.

[Snip]

Status of Key Escrow Initiative

Mr. Steve Walker, Trusted Information Systems (TIS), briefed the Board on the status of Commercial Key Escrow (CKE). He said, with regard to application vendors, TIS is actively seeking the participation of commercial software vendors in widespread implementation of CKE enabled software products. TIS has installed a Data Recovery Center (DRC) on the Internet and is prepared to distribute sample DRC application software packages to any interested software application developer. TIS is seeking approval of the US government for export of application programs using encryption algorithms such as the Data Encryption Standard (DES) when properly bound with CKE.

Mr. Walker said the advantage of CKE for government interests is that if the TIS CKE system were to become widely used throughout the private sector and government communities, law enforcement, national security and private sector interests would be preserved. Mr. Walker said that TIS has filed for patent protection for its Software Key Escrow (Clipper equivalent) and CKE systems including the DRC and application software approaches. TIS is prepared to license its CKE system and software applications technology to any software or hardware vendor under very favorable licensing terms. TIS is also prepared to license its DRC system and technology to qualified DRC operators and vendors under similarly favorable licensing terms. (See Reference #13).

[Snip]

----------
National Computer System Security and Privacy Advisory Board

Identifying Emerging Computer Security Issues

What is the Computer System Security and Privacy Advisory Board (CSSPAB)?

Congress established the CSSPAB as a public advisory board in the Computer Security Act of 1987. The Board is composed of twelve members, in addition to the Chairperson, who are recognized experts in the fields of computer and telecommunications systems security and technology.

What is the Board's purpose?

The Computer Security Act specifies that the Board's mission is to identify emerging managerial, technical, administrative, and physical safeguard issues relative to computer systems security and privacy.

What is the scope of the Board's authority?

The Board examines those issues affecting the security and privacy of sensitive unclassified information in federal computer and telecommunications systems. The Board's authority does not extend to private-sector systems or federal systems which process classified information.

What are the Board's advisory and reporting functions?

The Board advises the Secretary of Commerce and the Director of the National Institute of Standards and Technology (NIST) on computer security and privacy issues pertaining to sensitive unclassified information stored or processed by federal computer systems. The Board reports its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency, and appropriate committees of Congress.

How often and where does the Board meet?

The Board holds its two-day meetings twice per year; however, additional meetings may be called at the Chairperson's discretion. Board meetings are held in the Washington, DC metropolitan area as well as other areas in which there is significant federal computer security interest and activity.

Are Board meetings open to the public?

In accordance with the Federal Advisory Committee and Government in Sunshine acts, Board meetings are announced in the Federal Register and are normally open to the public. The Board accepts written statements from the public (see address on reverse).

How is CSSPAB membership determined?

The Director of NIST of the Department of Commerce appoints Board members for four-year terms. By law, the membership of the Board is distributed as follows:

- Four experts from outside of federal government, one of whom is representative of a small- or medium-size firm;
- Four non-government employees who are not employed by or a representative of a producer of computer or telecommunications equipment; and
- Four members from the federal government, including one from the National Security Agency of the Department of Defense.

Nominations to fill vacancies on the Board may be submitted to the Director of NIST. NIST personnel serve as the Board's Secretariat. Other federal agency personnel may also assist the Board's activities as specified in the Computer Security Act of 1987.

Are Board members paid for their service?

Board members do not receive a salary or stipend; however, authorized travel expenses are reimbursed as specified by Congress.

*******************************************************

For further information, please contact:

Computer System Security and Privacy Advisory Board
Executive Secretariat
National Computer Systems Laboratory
Technology Building, Room B-154
National Institute of Standards and Technology
Gaithersburg, MD 20899