White House retreats on Clipper mandate

Cementing the Clinton administration's retreat from a centrally
imposed encryption policy, a new joint defense-civilian board has pledged to accommodate a
mix of commercial and federal methods for protecting electronic transactions.


"This administration is not going to come out and say you have to use this or that
product" to conduct electronic business with the government, said Deane Erwin, a
co-chairman of the Security Infrastructure Program Management Office (SI-PMO) and director
of materiel and logistics for the Pentagon's Information Management Directorate.


The SI-PMO became an official organization in late April with a seal of approval from
Emmett Paige Jr., assistant secretary of Defense for command, control, communications and
intelligence, and Joe Thompson, commissioner of the General Services Administration's
Information Technology Service.


Thomas Burke, acting deputy ITS commissioner in charge of GSA's Office of Information
Security, is co-chairman with Erwin of the SI-PMO.


Although the SI-PMO has existed on paper since January [GCN, Jan. 23, Page 55], its
mission still is evolving. At a briefing last week, Erwin and several GSA
officials said the SI-PMO will coordinate, monitor, implement and report on the
development of a governmentwide security infrastructure.


"We are not a policy group," Erwin said. Unlike the Security Policy Board,
created by the Clinton administration to define broad security policies, the SI-PMO will
focus on interpreting the technical implications of such policies and coordinating agency
efforts to adopt particular security techniques.


At a minimum, the SI-PMO is intended to support the security requirements generated by
GSA's Electronic Messaging and Electronic Commerce Acquisition PMOs. These organizations
are attempting to coordinate governmentwide implementation of e-mail and electronic data
interchange for procurement.


But "we will also be pulling together the management of a lot of disparate
security efforts with a view to bringing people a standard approach to solving their
security problems," said Richard Kemp, the SI-PMO's acting director.


The goal will be to prevent duplication and encourage governmentwide adoption of
interoperable security systems for the National Information Infrastructure.


Standards will be somewhat flexible, however. "We want to put in an infrastructure
that is not technology-dependent," Kemp said. "We realize that RSA is out
there," he added, referring to the widely used public-key encryption technology sold
by RSA Data Security in Redwood City, Calif. "We're looking at ways of accommodating
the private-sector user that may be using RSA."


Digital signatures and other security capabilities based on RSA's technology have been
proposed by several companies and privacy groups as an alternative to the government's
Clipper chip and Capstone standards for encrypting voice and data communications.


Yet "even in the private sector, you're seeing multiple implementations of
RSA," Erwin said, a fact that underscores the need for flexible security product
standards both in and outside of government. Hence, the SI-PMO will explore technical
solutions such as trusted interfaces that allow different security products to exchange
data, Erwin said.


Acknowledging that the relationship between security product vendors and the government
needs improvement, the GSA officials said the SI-PMO intends to act as a liaison between
the two, in coordination with the National Institute of Standards and Technology.


The SI-PMO also will take over NIST's efforts to launch a public-key infrastructure
(PKI) pilot project. NIST had intended to test the Digital Signature Standard through a
pilot last year, but the project was nixed because of funding problems, creation of the
SI-PMO and a GSA-DOD agreement to include commercial public-key technologies in the pilot.


Kemp said the SI-PMO is working with NIST to finalize a request for proposals for a PKI
pilot that should hit the streets shortly. The SI-PMO also has signed a cooperative
research and development agreement with NIST to develop security interoperability
standards, Kemp said.


The SI-PMO consists of representatives from GSA, DOD, the National Security Agency,
NIST, the Postal Service and the Agriculture, Justice and Treasury departments. Over the
last few weeks, each of these agencies has designated a full-time staff member to work at
the SI-PMO's offices at GSA.


For more information about the SI-PMO, check out its World Wide Web site at http://www.gsa.gov/sipmo.htm

