Uncle Sam gets tough on rule governing info assurance buys

Government agencies that buy computers to handle national security information have a new hurdle to jump beginning next month.

National Security Telecommunications and Information Systems Security Policy No. 11 requires that effective July 1 such systems use only approved information assurance products, said Diana Maurer, a National Security Agency official who worked on the policy.

The rule, set in 2000 by the National Security Telecommunications and Information Systems Security Committee, has since January 2001 demanded only that agencies give preference to approved products. Product evaluations are conducted by the National Institute of Standards and Technology and government-approved testing laboratories.

'The government has asked for evaluations for some period of time. The only thing different in the past is they kept granting waivers on procurements,' said Mary Ann Davidson, chief security officer for Oracle Corp. 'They really mean it now.'

According to the rule, systems that enter, process, store, display or transmit national security information must include information assurance products validated against the Common Criteria for Information Technology Security Evaluation or Federal Information Processing Standard 140-2.

The mandate moves information assurance from being an afterthought in the procurement process to becoming a primary consideration, Maurer said.

The policy has generated a buzz in industry and Defense Department quarters. The message is simple: Contractors can no longer bolt on security measures; they must be built into systems.

'DOD is certainly a proponent of this particular policy,' a Defense spokeswoman said. 'This will ensure that whatever we use is vetted for security.'

NSTISSP 11 has been in the works for several years, but it was brought to the forefront after Sept. 11, when government leaders expected the next wave of terrorist activity to target networks.

For companies like SRA International Inc. of Arlington, Va., the mandate will make a difference in which commercial products it offers to agencies.

Figure it out

'I think people are trying to figure out what impact it's going to have and how broad-based it will be,' said Mary Ellen Condon, director of SRA's information assurance office.

Some fear the policy will mean extra work on systems that don't need high-level security.

Condon said Defense Secretary Donald Rumsfeld has already said there will be no waivers. She considers such a restriction unreasonable. 'From a practical standpoint, there would have to be some,' she said.

Maurer said the affected systems would include those that handle classified information, intelligence or cryptographic activities, command and control of military forces, and weapons.

'The objective of NSTISSP 11 is to ensure that commercial information-assurance-enabled products acquired by the U.S. government in national security systems perform as advertised by their respective manufacturers or satisfy the security requirements of the intended user,' Maurer said.

Oracle's Davidson said the mandate would benefit her company. She said the Oracle9i database has passed 15 security evaluations, more than any other to date.

'We changed our development processes 10 years ago,' Davidson said. 'We figured it was way cheaper to fix it up front than putting in a lot of levels of patches.'
