NSC seeking security standard

National Information Assurance Acquisition Policy

The National Security Council wants to develop new, more user-friendly security standards to guide government's procurement of information technology products, according to a top official.

The government is looking at many ways to raise overall information security across agencies, and one such avenue is by requiring a specified level of security in the commercial products bought by agencies, said Richard Clarke, national coordinator for security, infrastructure protection and counterterrorism at the NSC. Clarke spoke Sept. 11 at the E-Gov Information Assurance conference in Washington, D.C.

Immediately after his comments, Clarke left the conference and returned to the White House to address the physical security problems raised by the attacks on the World Trade Center towers in New York City, which occurred during his speech.

The Defense Department standards for procuring secure operating systems and software, known as the "Orange Book," are required for national security organizations. But the standards are often ignored because very few commercial products have gone through the evaluation.

The goal would be to make the new standards more user-friendly than DOD's Trusted Computer System Evaluation Criteria.

The National Institute of Standards and Technology and the National Security Agency are replacing that criteria with an international standard, called the Common Criteria. National security organizations are to use products certified under the Common Criteria Evaluation, and NIST and the Office of Management and Budget are encouraging civilian agencies to do the same. But, again, many agencies are not using CCE-certified products because there are few available that have been certified in the lengthy, in-depth evaluation process.

Now the NSC is looking to work with agencies across government to determine if there are better standards that could be developed that agencies would be able to use right away, Clarke said.

"We need to make it work, and to make it work we need to know from the departments and agencies what works and what doesn't," he said.

With such standards in place, the government—which is the largest single purchaser of commercial technology—can start influencing the vendors that government officials say will not develop more secure products because there are no market forces pushing them to provide such products, he said.

"We need to look again, not give up on the notion of the federal government leading the market just because it didn't work in the past," Clarke said.