Forum Moderator: Paul Jardetzky, Network Appliance, Inc.
Paper Presenter: Guy King, Computer Sciences Corporation, Hanover, MD
Speakers: John Stanton, DISA Center for Standards, Reston, VA
Richard McAllister, DISA CISS, Ft. George G. Meade, MD
Robert Oldach, DODIIS Engineering Review Board,

The paper presents an overview of five ongoing initiatives
of the Federal Government and its agencies: the Application Portability
Profile (APP): The U.S. Government's Open System Environment
[OSE] Profile (National Institute of Standards and
Technology (NIST)); the DoD Goal Security Architecture (DGSA)
(Defense Information Systems Agency (DISA), Center for Information
System Security (CISS)); the DoD Intelligence Information System (DODIIS)
Profile of the DoD Technical Reference Model (TRM) for Information
Management (Defense Intelligence Agency (DIA)); the Multilevel
Information Systems Security Initiative (MISSI) (National Security
Agency (NSA)); and the security profiling being performed by the
NSA Center for Security Profiling.

These initiatives provide approaches for solving
the problems associated with the composition of secure systems.
The NIST APP Guide helps users achieve an open systems environment
by identifying suitable products in seven service areas, one of
which is security, and indicating the standards that should be
adhered to by such products. The DGSA provides a generic security
architecture, identifying security services and general types
of components, and guidance for the development of DoD mission-specific
system architectures. The DODIIS community has developed a goal
configuration for systems using the standards profile in the TRM,
identifying core products that implement common application requirements
and a transition methodology. The NSA MISSI program addresses
the development of security products that should be required for
use with all defense information systems, at a minimum. Finally,
the NSA security profiling aims to improve the interfaces of security
products by describing needed interfaces in the system security
profiles and addressing the integration of such products into
secure configurations in the product security profiles.

Each of the initiatives, however, is only a partial
solution. Difficulties arise for each initiative, including the
following issues. There is a lack of standards in the security
area, and of standards that satisfy NIST's assessment criteria. There
is a lack of COTS products that satisfy the DGSA. The DODIIS
core products only satisfy the application software requirements
of the TRM. Most MISSI products are future products. Few security
profiles have actually been written.

The panel will discuss these issues, as well as some
additional composition issues, from the Government perspective.
Other issues may include the following: How can these initiatives
work together to solve the composition problem in the future?
Will the recommendations of the DODIIS TRM be consistent with
the Information Technology Standards Guidance (ITSG), which is
based on the NIST APP Guide, and the Adopted Information Technology
Standards (AITS)? Will the DGSA transition activities impact
the recommended standards identified in the TRM and AITS? Will
staying consistent with the DGSA be compatible with the use of
MISSI products? Are MISSI products included in the set of identified
core products of the DODIIS community? Is the security profiling
being undertaken consistent with the DGSA direction and the use
of MISSI products? Will the security profiles recommend the same
standards as the DODIIS TRM and AITS?

In his paper, Mr. King provides a snapshot of the
various Government programs and expresses composition issues from
the contractor point of view.

Mr. Stanton is from the DISA Center for Standards.
Mr. Stanton has been involved with the development of the ITSG
and AITS. The ITSG was based on the NIST APP OSE major service
area model. Mr. Stanton will address composition issues of the
APP OSE Guide profile of standards, from the perspective of the
ITSG and AITS.

Mr. McAllister is one of the primary architects of
the DGSA and a major contributor to the DGSA Overall Transition
Strategy (DOTS). Mr. McAllister is also conversant with the MISSI
program and the NSA security profiling. Mr. McAllister will address
issues related to the DGSA, MISSI, and security profiling.

Mr. Oldach is the Navy representative on the DODIIS
Engineering Review Board (ERB). Mr. Oldach will address issues
related to the DODIIS TRM, transition methodology, and core products.