AGENCY:

National Institute of Standards and Technology, Commerce.

ACTION:

Notice of public meeting.

SUMMARY:

The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA), partners in the National Information Assurance Partnership (NIAP), invite interested parties to attend a government-industry IT security forum to discuss potential public and private sector strategies for the development of security requirements and specifications needed for the protection of government, business and personal computing and real-time control systems.

The primary purpose of the IT security forum is to bring national attention to the concept of security requirements definition and its importance in developing a more secure information infrastructure within the United States. Leaders from government, industry, and academia will have an opportunity to share their views on the role of security requirements in the development, testing and acquisition of commercial products and systems. There will also be discussion on prospective approaches to security requirements development, the importance of national and international standards, cost-effective and timely testing strategies, and the use of state-of-the-art tools and techniques in this area.

The Government-Industry IT Security Forum will follow the First Symposium on Requirements Engineering for Information Security (SREIS) hosted by the Purdue University Center for Education and Research in Information Assurance and Security (CERIAS) in cooperation with the North Carolina State University (NCSU) E-commerce program and the Association for Computing Machinery (ACM).

DATES:

The IT Security Forum will take place on March 7, 2001 from 9:00 a.m. until 5:00 p.m.

ADDRESSES:

University Place Conference Center and Hotel, IUPUI (Indiana University-Purdue University at Indianapolis), 850 West Michigan Street, Indianapolis, IN 46202-5198.

FOR FURTHER INFORMATION CONTACT:

Forum Coordinator, Dr. Ron Ross, Information Technology Laboratory, NIST, 100 Bureau Drive, Mailstop 8930, Gaithersburg, MD 20899-8930; Telephone: (301) 975-5390; E-mail: rross@nist.gov; World wide web: http://niap.nist.gov. Comments and suggestions on the proposed forum agenda are welcomed and appreciated.

Forum Registration: To register for the Government-Industry IT Security Forum, visit the NIAP web site at http://niap.nist.gov or the Purdue CERIAS web site at http://www.cerias.purdue.edu/​sreis.html.

Registrations must be received by February 24, 2001. For additional registration or logistics information, please contact Mr. John Wellman, Business Office, Conference Division, Purdue University; Telephone: (800) 359-2968 or (765) 494-0243; Fax: (765) 494-0567; E-mail: jmw@purdue.edu.

SUPPLEMENTARY INFORMATION:

For over a decade, NIST and NSA have worked cooperatively with government agencies, industry, and academia on the development of testing and evaluation Start Printed Page 8943programs to assess the security features in commercial information technology (IT) products. There have also been extensive efforts, both nationally and internationally, to develop IT security evaluation criteria to support these assessment programs. During that period, few products were tested and there were continuing questions about the cost and timeliness of the evaluations. Additionally, due to operational considerations, many consumers did not use the products in their evaluated configurations.

With all of the focus on criteria and testing programs, there has been very little attention paid to helping consumers define and create their IT security requirements. There has also been insufficient effort to bring consumers and producers of products and systems together to build a better understanding of what customers need in the realm of security and what industry is able to deliver in a cost-effective manner.

Consumers of IT products from a variety of public and private sector communities of interest, e.g., healthcare, banking and finance, defense, national security, insurance, legal, manufacturing, process control, telecommunications, etc., continue to express interest in obtaining better ways to convey their security requirements to industry in an effort to build more secure systems for their respective enterprises. New and innovative approaches to developing security requirements for commercial products and systems are being explored in many venues. One such effort, led by NIST, NSA, and other standards and security organizations worldwide, has been the development of the Common Criteria for Information Technology Security Evaluation.

The Common Criteria provides a mechanism for consumers to articulate their IT security requirements and a common structure by which consumers and producers can exchange perspectives on what security features are needed and what security features can be provided. The Common Criteria became an international standard (ISO/IEC 15408) in 1999 and now serves as the foundation for a formal fourteen-nation arrangement recognizing the results of security evaluations conducted in participating nations.

Consumers and producers of IT products and systems can now use the Common Criteria to produce well-defined sets of security requirements in many areas such as operating systems, database management systems, smart cards, telecommunications and networks devices, and applications. There is also an opportunity to address the “realistic configuration” and “timeliness of evaluation” problems by allowing producers and consumers of products to agree on a set of security requirements (for both features and assurances) that meet the consumer's real needs.

Without consumer involvement in helping to shape the demand for evaluated products through the security requirements definition process, the ultimate goal of improving the confidence consumers have in the products they purchase, may be more difficult to achieve. Greater confidence in the security features of the individual component products will facilitate the development of more secure systems for Federal agencies and private sector enterprises, and ultimately, result in a more secure information infrastructure for the United States.

The sponsors of the forum hope to obtain answers to the following questions:

• What are the important information technology areas for general purpose products, e.g. operating systems, database systems, firewalls, intrusion detection systems, etc., that could benefit from the development of stable sets of security requirements?
• How are the security requirements for general-purpose products best developed?
• What specific security requirements are needed to address highly reliable, real time systems?
• Are there additional needs for IT security requirements tailored to specific consumer communities (e.g., healthcare, banking, manufacturing, process control)?
• If so, how should these security requirements be developed (process and organization question) and how do they interact with the security requirements for general-purpose products (technical question)?
• What value do consumers, government security experts, and the insurance and audit industries see in third party testing and evaluation of commercial products?
• How much value do consumers place on the assurances received from IT product testing and evaluation and how much product currency are they willing to give up to get it?
• How can the results from component product testing and evaluation be used to increase the level of confidence consumers have in their systems and networks?
• What role should the U.S. Government play in the development of security requirements for key information technology areas that affect the U.S. information infrastructure?
• Should the U.S. Government mandate for Federal agencies, the use of evaluated and validated information technology products built to specific security requirements, e.g., Common Criteria Protection Profiles?

Preliminary Agenda

—Introduction and Forum Overview (NIAP Director)

—Keynote Address (U.S. IT Industry CEO)

—Panel 1: Consumer's Perspective (Invited Participants)

—Panel 2: Insurance, Audit, and Testing Industry Perspectives (Invited Participants)

—Panel 3: IT Industry's Perspective (Invited Participants)

—Panel 4: Research and Development Activities: A Perspective from Academia (Invited Participants)

—Approaches for Developing Requirements: Bringing the Communities Together (Invited Participants)

—Summary and Conclusions (NIAP Director)