NSC seeking security standard

National Information Assurance Acquisition Policy

The National Security Council wants to develop new, more user-friendly security standards to guide government's procurement of information technology products, according to a top official.

The government is looking at many ways to raise overall information security across agencies, and one such avenue is by requiring a specified level of security in the commercial products bought by agencies, said Richard Clarke, national coordinator for security, infrastructure protection and counterterrorism at the NSC. Clarke spoke Sept. 11 at the E-Gov Information Assurance conference in Washington, D.C.

Immediately after his comments, Clarke left the conference and returned to the White House to address the physical security problems raised by the attacks on the World Trade Center towers in New York City, which occurred during his speech.

The Defense Department standards for procuring secure operating systems and software, known as the "Orange Book," are required for national security organizations. But the standards are often ignored because very few commercial products have gone through the evaluation.

The goal would be to make the new standards more user-friendly than DOD's Trusted Computer System Evaluation Criteria.

The National Institute of Standards and Technology and the National Security Agency are replacing those criteria with an international standard, called the Common Criteria. National security organizations are to use products certified under the Common Criteria Evaluation, and NIST and the Office of Management and Budget are encouraging civilian agencies to do the same. But, again, many agencies are not using CCE-certified products because few products have been certified through the lengthy, in-depth evaluation process.

Now the NSC is looking to work with agencies across government to determine if there are better standards that could be developed that agencies would be able to use right away, Clarke said.

"We need to make it work, and to make it work we need to know from the departments and agencies what works and what doesn't," he said.

With such standards in place, the government—which is the largest single purchaser of commercial technology—can start influencing the vendors that government officials say will not develop more secure products because there are no market forces pushing them to provide such products, he said.

"We need to look again, not give up on the notion of the federal government leading the market just because it didn't work in the past," Clarke said.
