New federal security policy on the way
- By Dan Verton
- Mar 01, 2000
Commercial information security products designed to protect information
systems from cyberattacks next year will have to meet strict international
standards before government agencies can purchase them.
The new National Information Assurance Acquisition Policy, approved
last month by the National Security Telecommunications and Information Systems
Security Committee, will be phased in on Jan. 1, 2001, when all government
agencies will be "encouraged" to purchase only those products that meet
the standards. By Jan. 1, 2002, however, agencies will only be allowed to
purchase commercial information assurance products evaluated by accredited
national laboratories and that meet internationally recognized assurance
"Information assurance (IA) shall be considered as a requirement for
all systems used to enter, process, store, display, or transmit national
security information," the policy states. "Effective 1 January 2001, preference
shall be given to the acquisition of COTS IA and IA-enabled IT products
which have been evaluated and validated."
The standards cited by the new policy include:
* The International Common Criteria for Information Security Technology
Evaluation Mutual Recognition Arrangement.
* The National Security Agency/National Institute of Standards and
(NIST) National Information Assurance Partnership Evaluation and Validation
* The NIST Federal Information Processing Standard validation program.
The National Security Telecommunications and Information Systems Security
Committee is an intergovernmental organization representing 21 agencies.
It establishes policy on the security of national security information systems
and is chaired by Arthur Money, assistant secretary of Defense for command,
control, communications, and intelligence.