[Federal Register Volume 62, Number 33 (Wednesday, February 19, 1997)]
[Notices]
[Pages 7438-7439]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 97-4032]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Office of the Secretary
Proposed Collection; Comment Request
AGENCY: National Security Agency.
ACTION: Notice.
-----------------------------------------------------------------------
In compliance with Section 3506(c)(2)(A) of the Paperwork Reduction
Act, the National Security Agency announces a proposal to collect
information and seeks public comment on the provisions thereof.
Comments are invited on: (a) whether the proposed collection of
information is necessary for the proper performance of the functions of
the Agency, including whether the information shall have practical
utility; (b) the accuracy of the Agency's estimate of the burden of the
proposed information collection; (c) ways to enhance the quality,
utility, and clarity of the information to be collected; and (d) ways
to minimize the burden of the information collection on respondents,
including through the use of automated collection techniques or other
forms and information technology.
DATES: Consideration will be given to all comments received by April
21, 1997.
ADDRESSES: Written comments and recommendations on the proposed
information collection should be sent to the Director, National
Security Agency, Attn: COTS Assistance and Evaluation Division (NCAIP
Coordinator), 9800 Savage Road STE 6740, Fort George G. Meade, MD
20755-6740.
FOR FURTHER INFORMATION CONTACT:
To request additional information on this proposed information
collection or to obtain a copy of the proposal and associated
collection instruments, please write to the above address, or call the
NSA Commercial Advice Information Program Coordinator at (410) 859-
4458.
Title, Associated Form, and OMB Number: NSA Commercial Advice
Information Program, Provider Response Form, Form Number TBD, OMB
Number TBD.
Needs and Uses: The information collection requirement is necessary
to obtain and record essential contact information and professional
qualifications of individuals interested in providing technical advice
to trusted computer product vendors or commercial evaluation facilities
in support of the NSA Trusted Product Evaluation Program and the Trust
Technology Assessment Program. The contact and technical capability
information obtained from prospective providers will be published in
one or more public venues (e.g., Federal Register, NSA computer systems
for Internet World Wide Web and Dockmaster access, handbook or
brochure) to provide maximum exposure to vendors and evaluation
facilities interested in obtaining advice from commercial providers.
Affected Public: Any individual in the private sector interested in
providing technical advice, on a fee-for-service or other paid or
unpaid basis, to trusted product vendors or commercial evaluation
facilities.
Annual Burden Hours: 25.
Number of Respondents: 100.
Responses per Respondent: 1.
Average Burden per Response: 15 minutes.
Frequency: On occasion.
SUPPLEMENTARY INFORMATION:
Summary of Information Collection
The National Security Agency (NSA) plans to implement a commercial
advice information program in support of its Trusted Product Evaluation
Program (TPEP). The objective of the NSA Commercial Advice Information
Program (NCAIP) is to provide a timely source of information to vendors
on how to obtain technical advice for
[[Page 7439]]
trusted product evaluations from commercial providers. NCAIP is a
service that is intended to promote more timely and cost-effective
trusted product evaluations by further decentralizing the advice
process and offering commercial alternatives to vendors. A commercial
advice capability exists today within the private sector and NCAIP
intends to facilitate and promote this existing industry. A successful
commercial advice information program will result in a cost savings for
NSA and will give private industry greater ownership and involvement in
trusted product evaluations.
NSA has been evaluating the security features and assurances of
commercially produced computer products (e.g., operating systems,
networks, network components, and database management systems) against
the Trusted Computer System Evaluation Criteria (TCSEC) for over a
decade as part of TPEP. TPEP was created to facilitate the widespread
availability of commercial off-the-shelf trusted products for use by
the U.S. Government, to advance the state of the art in information
systems security, and to provide for the transfer of trust technology
to private industry.
TPEP is unique in terms of industry and government cooperation.
This cooperation places demands on both parties in terms of resource
expenditures. Vendors use their own resources to develop trusted
products, to establish required engineering processes, and to provide
supporting evidence of product development. NSA commits government
resources to review and assess product proposals, to provide technical
advice during a pre-evaluation phase, to evaluate the resulting vendor
products, and to staff a Technical Review Board (TRB) to maintain
consistency and quality of evaluations. Upon successful evaluation, the
product is awarded a trust rating and placed on a nationally recognized
list of evaluated products, the Evaluated Products List (EPL). This
partnership has resulted in the successful development of many trusted
computer products over the past decade and in a significant transfer of
trust technology to the private sector.
TPEP is currently organized into three phases: pre-evaluation,
evaluation, and rating maintenance. The pre-evaluation phase consists
of four principal activities that must be performed in preparation for
an evaluation of a trusted product: proposal review, technical
assessment, advice, and an intensive preliminary technical review.
These activities are conducted to ensure that a product and its
associated documentation evidence are ready for evaluation. The
evaluation phase consists of comprehensive system-level training for
the evaluation team, an in-depth analysis of the system design,
detailed security testing, presentations before a TRB, and the
production of a Final Evaluation Report (FER). The rating maintenance
phase is a continuation of the original evaluation that provides a
mechanism for a vendor to maintain the rating of the product throughout
its life-cycle.
The pre-evaluation phase begins with a review of a vendor's
proposal to determine if the product has a high probability of meeting
the appropriate TCSEC requirements, has the potential for broad market
appeal, and is sufficiently mature in its design. As a result of the
proposal review, a product may become a candidate for evaluation. A
candidate product next goes through a technical assessment, where the
vendor must show that the product design and the supporting
documentation (i.e., evaluation evidence) are complete and presented in
sufficient detail. The technical assessment can result in a
recommendation to: (1) Schedule an Intensive Preliminary Technical
Review (IPTR), (2) terminate the proposed effort due to technical
deficiencies in the product, or (3) seek additional assistance in the
form of advice.
The specific activity in the pre-evaluation phase, called advice,
occurs when a small number of evaluators (the TPEP advice team) are
assigned to the vendor until the vendor is ready for evaluation. The
advice team usually includes at least one senior evaluator. In the
event that NSA resources are unavailable or the proposed product does
not meet the established criteria for TPEP advice (i.e., unique or new
technology, high priority for DoD, or substantial market impact), the
vendor will be asked to seek commercial alternatives. Some of the
specific areas covered under the current advice-giving process are the
TPEP process, the TCSEC requirements, product design, modeling, design
and test documentation, ratings maintenance requirements,
implementation questions relative to product design, and user
documentation coverage.
Many activities are underway, nationally and internationally, to
develop the next generation security evaluation criteria and associated
evaluation methodologies (e.g., the Common Criteria and Common
Evaluation Methodology). There are also ongoing efforts to develop and
implement additional evaluation programs to populate the EPL (e.g., the
Trust Technology Assessment Program) that involve greater participation
by the private sector. These changes are designed to bring greater
efficiencies to the evaluation process by placing more responsibility
on vendors to increase their state of readiness in preparation for
entering a formal evaluation. There is also interest in exploring ways
to reduce government expenditures for evaluations by identifying
aspects of the current TPEP process that could be accomplished by the
private sector on a fee-for-service basis.
The first activity in which the private sector has been
participating is the rendering of technical advice to trusted product
vendors. NSA has begun transferring the responsibility for providing
pre-evaluation advice to private sector individuals resulting in the
need for this commercial advice information program. Commercial advice
providers can be used by vendors to participate in a variety of
activities such as security analyses, modeling, assessment of a
product's ability to meet evaluation criteria requirements, preparation
for technical reviews, test development, team training, security
mechanism development, and preparation of design and test
documentation. Commercial advice providers can also provide information
concerning criteria interpretations, ratings maintenance program
actions, and the evaluation process in general. Currently, NSA has no
method for providing interested vendors with information about
commercial advice providers.
Prospective commercial advice providers will be asked to submit
both contact information and information regarding their technical
capability to the NCAIP Coordinator. Contact information includes
provider name, company affiliation (optional), address, telephone
number, facsimile number, and electronic mail address. A comment
section will provide the opportunity to list any additional information
deemed important with respect to technical capability. This information
may include provider education, training, previous experience and
specialized expertise.
Dated: February 12, 1997.
L.M. Bynum,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 97-4032 Filed 2-18-97; 8:45 am]
BILLING CODE 5000-04-M