Regs set for security
- By Dan Verton
- Mar 05, 2000
Commercial information security products designed to protect information
systems from cyberattacks next year will have to meet strict international
standards before government agencies can purchase them.
The new National Information Assurance Acquisition Policy will be phased
in on Jan. 1, 2001, when all agencies will be encouraged to purchase only
those products that meet the standards. The National Security Telecommunications
and Information Systems Security Committee, which establishes policy on
the security of national security information systems, approved the policy.
After Jan. 1, 2002, agencies will be allowed to purchase only commercial
information assurance products evaluated by accredited national laboratories
and that meet internationally recognized assurance standards.
The policy document suggests agencies that operate non-national security
systems may want to purchase only accredited products in the future as a
means to comply with Presidential Decision Directive 63, which requires
agencies to protect critical computer systems.
Government and commercial information assurance products purchased before
the effective dates are exempt. Requests for waivers must be made through
the National Security Agency.
The standards cited by the new policy include:
* The International Common Criteria for Information Security Technology Evaluation
Mutual Recognition Arrangement.
* The National Security Agency/National Institute of Standards and Technology
(NIST) National Information Assurance Partnership Evaluation and Validation.
* The NIST Federal Information Processing Standard validation program.