[ISN] DOD tightening security buys

From: InfoSec News (isnat_private)
Date: Fri May 17 2002 - 02:48:53 PDT


    http://www.fcw.com/fcw/articles/2002/0513/web-niap-05-16-02.asp
    
    By Christopher J. Dorobek 
    May 16, 2002
    
    In an effort to improve the security of the commercial software it
    buys, the Defense Department beginning in July will restrict its
    purchase of information assurance products to those certified by the
    National Information Assurance Partnership.
    
    The initiative is essential as DOD increasingly uses commercial
    software for mission-critical functions, said Eustace King, the
    technology team lead for the Defense-wide Information Assurance
    Program, speaking May 14 during a presentation at the Navy's
    Connecting Technology conference in Virginia Beach, Va.
    
    But the effort is even more critical as DOD moves toward
    network-centricity, where data is stored on networks and is available
    to those who need it, King said. Network-centric operations mean that
    networks are mission-critical, and it becomes fundamental that data is
    secure, he said.
    
    Under the National Information Assurance Acquisition Policy, the
    military services have been giving preference to information assurance
    products that have NIAP certification. But beginning in July, services
    will be required to buy NIAP-certified products, King said.
    
    The DOD policy has received little attention despite the broad
    ramifications it could have on information technology buys.
    
    Furthermore, it is not directed just at information assurance
    products, such as firewalls or intrusion-detection systems. The policy
    also requires that DOD organizations buying "information
    assurance-enabled products" purchase products that NIAP has certified.  
    Such products could include Web browsers, operating systems and
    databases.
    
    The DOD policy requires that all systems be assessed on how
    mission-critical their data is. That assessment then determines the
    commensurate level of security robustness required of the products: high,
    medium or basic, King said.
    
    Products purchased before July will be exempt from the policy, King
    said, although any significant upgrade to an exempt product will
    trigger the certification requirement.
    
    Capt. Sheila McCoy, part of the Navy Department chief information
    officer's information assurance team, said the hope is that vendors
    will see the certification as an opportunity to obtain a competitive
    advantage.
    
    The National Security Agency has published the requirements for
    several product categories, including firewalls and operating systems.  
    Other requirements are in the works, including those for Web security,
    intrusion-detection systems, virtual private networks and biometrics.
    
    NIAP has certified about two dozen products, and others are under
    evaluation, King said.
    
    NIAP is a joint initiative of NSA and the National Institute of Standards
    and Technology, and its efforts are designed to meet the security
    testing, evaluation and assessment needs of IT vendors and buyers.
     
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    


