Super-secret NSA transitioning to commercial services model
- By Diane Frank
- Oct 20, 1999
The National Security Agency, the enigmatic signals intelligence arm of the Defense Department, is breaking away from its traditional role of building "black boxes" for encrypting highly classified information in favor of offering security and certification services similar to those in commercial industry.
Mike Jacobs, deputy director of information systems at NSA, said that while the agency "will always have a traditional portion of our business building 'black boxes' . . . we are an organization in transition."
The agency increasingly is offering security assessment, testing, red teams and diagnostics services to other Defense and civilian agencies, Jacobs said Wednesday at the National Information Systems Security Conference. "This is the growth area [and a] burgeoning new business," he said.
Rather than doing all the testing and validation of its own products for itself, NSA will be relying on the National Information Assurance Partnership (NIAP), a joint validation effort between NSA and the National Institute of Standards and Technology.
In the past, NSA endorsed security products and procedures, and encouraged their use by assuring members of the Defense and intelligence community that such products would be "bulletproof" solutions, said Lou Giles, a member of the NIAP from NSA.
Now, instead of products receiving NSA's endorsement, agencies will have to bring their protection profiles—the description of their information environment and security needs—to NSA, which will then certify that process as one that meets certain NSA-approved security standards. NSA also will evaluate and certify proposals from vendors.
"The customer still wants that NSA endorsement, Giles said. "But this is a new philosophical paradigm of evaluation for commercial products that we're moving to."