National Information Assurance Partnership Gets Industry Support

To encourage independent testing of information security products, the Commerce Department's National Institute of Standards and Technology, the National Security Agency and several industry supporters today provided more details about the National Information Assurance Partnership. The two federal agencies established the partnership in August as a means of enhancing the quality of information security products and increasing consumer confidence in those products that have been evaluated objectively.

During a special session at the 20th National Information Systems Security Conference at the Baltimore (Md.) Convention Center, government officials and information technology industry executives described the technical challenges involved in developing security test methods, extolled the benefits of independent testing and certification, and encouraged a robust commercial security testing industry to develop quickly.

The NIAP will serve several functions, including:

• developing tests, test methods and other tools that developers and testing laboratories may use to evaluate and improve security products;
• collaborating with industry and others on research and testing programs;
• using the Common Criteria, an emerging international standard for specifying and evaluating information technology security, to develop protection profiles and associated test sets for selected classes of security products and systems;
• cooperating with the NIST National Voluntary Laboratory Accreditation Program to develop a program to accredit private-sector laboratories for the testing of information security products using the Common Criteria; and
• working to establish a formal, international mutual recognition scheme for a Common Criteria-based evaluation.

Two of the major goals of the NIAP are to improve the efficiency of the IT security evaluation process and to transfer methodologies and techniques to private-sector laboratories. NIST and NSA have made a commitment to these goals by registering the NIAP as a National Performance Review Reinvention Lab. The lab was officially registered through the Department of Defense in September.

An agency of the Commerce Department's Technology Administration, NIST promotes economic growth by working with industry to develop and apply technology, measurements and standards. Since 1972, NIST has played a vital role in protecting the security and integrity of information in computer systems in the public and private sectors. The Computer Security Act of 1987 reaffirmed NIST's leadership role in the federal government for the protection of unclassified information. NIST assists industry and government by promoting and supporting better security planning, technology, awareness and training.

The National Security Agency's information systems security or INFOSEC mission provides leadership, products, technical advice, and services to protect classified and unclassified national security systems against exploitation through interception, unauthorized access or related technical intelligence threats.

More information about the National Security Agency and its INFOSEC mission is available on the World Wide Web at http://www.nsa.gov/.

NOTE TO EDITORS: Additional information on the National Information Assurance Partnership is available at http://niap.nist.gov/ and in the quote sheet below from information technology experts in industry.

Quotes from Information Security Experts about the National Information Assurance Partnership

Chris Byrnes
Vice President, Services & Systems Management Strategies
META Group
Reston, Va.
(703) 860-6631, chris.byrnes [at] metagroup.com (chris[dot]byrnes[at]metagroup[dot]com)

"One of the major problems in security today is that some of the security products flat out don't work. Commercial buyers don't have the resources to test every product to ensure that it does what it claims. This program has the potential to improve the quality of security products and the efficiency of the buying process. This is exactly the right role for the government to be playing now."

John Pescatore
Principal Consultant
Trusted Information Systems
Rockville, Md.
(301) 947-7153, johnp [at] tis.com (johnp[at]tis[dot]com)

"In our security consulting work with large and small businesses, Trusted Information Systems has seen a strong need for thorough security testing of software products. The NIAP initiative is an important first step to establishing a reliable, responsive and rigorous method of assuring the security of the technologies that are critical to electronic commerce."

Gail Daniels
Vice President of Marketing
Tivoli Systems
Austin, Texas
Contact Greg Wise, Tivoli Public Relations, (512) 436-8537, greg.wise [at] tivoli.com (greg[dot]wise[at]tivoli[dot]com)

"Tivoli is enthusiastic about supporting and helping to drive the NIAP initiative. We believe this program, which will provide efficient certification of products to common criteria, is an important step to improve the overall commercial security industry."

Fred Henninge, Jr.
MCI Systems Integrity Technical Security
frederick.henninge [at] mci.com (frederick[dot]henninge[at]mci[dot]com)

"MCI recognizes the value of the National Information Assurance Program and is already providing the industry opportunity to use the MCI Developers Lab for such evaluations. We presently offer customers the opportunity to test the interoperability of their hardware, software and applications on a live network."

Edward McLaughlin
Director, Government Services
National Software Testing Laboratories
Conshohocken, Pa.
(610) 941-9600, edm [at] nstl.com (edm[at]nstl[dot]com)

"NSTL is pleased to have been chosen as one of the independent testing laboratories to participate in the Trusted Technology Assessment Program. We look forward to working with NIST and NSA in the National Information Assurance Partnership initiative."

Santosh Chokhani
President and CEO
CygnaCom Solutions, Inc.
McLean, Va.
(703) 848-0883, chokhani [at] cygnacom.com (chokhani[at]cygnacom[dot]com)

"This is a step in the right direction to provide high-quality, cost-effective and timely evaluations that are aligned with the vendor product life-cycle and customer needs. But, more needs to be done to meet the expectations of IT solution providers and IT users."

Ron Knode
Executive Scientist for Information Security
Computer Sciences Corp.
Hanover, Md.
(410) 691-6580, rknode [at] csc.com (rknode[at]csc[dot]com)

"One of the biggest problems our customers face is the need for global interoperability. Many times information security needs are seen as an obstacle to achieving that interoperability. We believe that commercial evaluation programs such as the TTAP here in the U.S. (and eventually the NIAP and the CCTP), in parallel with similar overseas programs like the Australian Information Security Evaluation Programme (AISEP), will speed the deployment of security products that will support interoperability without introducing unnecessary security risks. That's a 'WIN-WIN' situation for everyone involved--the product developer, the end user and the service organization responsible for designing and deploying global, interoperable, secure system architectures. We're delighted to be blazing a trail with NSA and NIST in making this 'WIN-WIN' situation a reality for us."