Information Security News mailing list archives

DOD tightening security buys

From: InfoSec News <isn () c4i org>
Date: Fri, 17 May 2002 04:48:53 -0500 (CDT)

http://www.fcw.com/fcw/articles/2002/0513/web-niap-05-16-02.asp

By Christopher J. Dorobek
May 16, 2002

In an effort to improve the security of the commercial software it
buys, the Defense Department beginning in July will restrict its
purchase of information assurance products to those certified by the
National Information Assurance Partnership.

The initiative is essential as DOD increasingly uses commercial
software for mission-critical functions, said Eustace King, the
technology team lead for the Defense-wide Information Assurance
Program, speaking May 14 during a presentation at the Navy's
Connecting Technology conference in Virginia Beach, Va.

But the effort is even more critical as DOD moves toward
network-centricity, where data is stored on networks and is available
to those who need it, King said. Network-centric operations mean that
networks are mission-critical, and it becomes fundamental that data is
secure, he said.

Under the National Information Assurance Acquisition Policy, the
military services have been giving preference to information assurance
products that have NIAP certification. But beginning in July, services
will be required to buy NIAP-certified products, King said.

The DOD policy has received little attention despite the broad
ramifications it could have on information technology buys.

Furthermore, it is not directed just at information assurance
products, such as firewalls or intrusion-detection systems. The policy
also requires that DOD organizations buying "information
assurance-enabled products" purchase products that NIAP has certified.
Such products could include Web browsers, operating systems and
databases.

The DOD policy requires that all systems be assessed on how
mission-critical the data is. That data will then determine the
commensurate level of security robustness — high, medium or basic,
King said.

Products purchased before July will be exempt from the policy, King
said, although any significant upgrade to an exempt product will
trigger the certification requirement.

Capt. Sheila McCoy, part of the Navy Department chief information
officer's information assurance team, said the hope is that vendors
will see the certification as an opportunity to obtain a competitive
advantage.

The National Security Agency has published the requirements for
several product categories, including firewalls and operating systems.
Other requirements are in the works, including those for Web security,
intrusion-detection systems, virtual private networks and biometrics.

NIAP has certified about two dozen products, and others are in
process, King said.

NIAP is an initiative of NSA and the National Institute of Standards
and Technology, and its efforts are designed to meet the security
testing, evaluation and assessment needs of IT vendors and buyers.
-
ISN is currently hosted by Attrition.org