SECURE SYSTEM COMPOSITION

Forum Moderator: Paul Jardetzky, Network Appliance, Inc.

Paper Presenter: Guy King, Computer Sciences Corporation, Hanover, MD

Speakers: John Stanton, DISA Center for Standards, Reston, VA

Richard McAllister, DISA CISS, Ft. George G. Meade, MD

Robert Oldach, DODIIS Engineering Review Board, Washington, D.C.

Forum Theme

The paper presents an overview of five ongoing initiatives of the Federal Government and its agencies: Application Portability Profile (APP): The U.S. Government's Open System Environment [OSE] Profile, (National Institute of Standards and Technology (NIST)); DoD Goal Security Architecture (DGSA), (Defense Information Systems Agency (DISA), Center for Information System Security (CISS)); DoD Intelligence Information System (DODIIS) Profile of the DoD Technical Reference Model (TRM) for Information Management, (Defense Intelligence Agency (DIA)); the Multilevel Information Systems Security Initiative (MISSI), (National Security Agency (NSA)); and the security profiling being performed by the NSA Center for Security Profiling.

These initiatives provide approaches for solving the problems associated with the composition of secure systems. The NIST APP Guide aids users to achieve an open systems environment by identifying suitable products in seven service areas, one of which is security, and indicating the standards that should be adhered to by such products. The DGSA provides a generic security architecture, identifying security services and general types of components, and guidance for the development of DoD mission-specific system architectures. The DODIIS community has developed a goal configuration for systems using the standards profile in the TRM, identifying core products that implement common application requirements and a transition methodology. The NSA MISSI program addresses the development of security products that should be required for use with all defense information systems, at a minimum. Finally, the NSA security profiling aims to improve the interfaces of security products by describing needed interfaces in the system security profiles and addressing the integration of such products into secure configurations in the product security profiles.

Each of the initiatives, however, is only a partial solution. Difficulties arise for each initiative, including the following issues. There is a lack of standards both in the security area and those that satisfy NIST's assessment criteria. There is a lack of COTS products that satisfy the DGSA. The DODIIS core products only satisfy the application software requirements of the TRM. Most MISSI products are future products. Few security profiles actually have been written.

The panel will discuss these issues, as well as some additional composition issues, from the Government perspective. Other issues may include the following: How can these initiatives work together to solve the composition problem in the future? Will the recommendations of the DODIIS TRM be consistent with the Information Technology Standards Guidance (ITSG), which is based on the NIST APP Guide, and the Adopted Information Technology Standards (AITS)? Will the DGSA transition activities impact the recommended standards identified in the TRM and AITS? Will staying consistent with the DGSA be compatible with the use of MISSI products? Are MISSI products included in the set of identified core products of the DODIIS community? Is the security profiling being undertaken consistent with the DGSA direction and the use of MISSI products? Will the security profiles recommend the same standards as the DODIIS TRM and AITS?

Speakers

Guy King

In his paper, Mr. King provides a snapshot of the various Government programs and expresses composition issues from the contractor point of view.

John Stanton

Mr. Stanton is from the DISA Center for Standards. Mr. Stanton has been involved with the development of the ITSG and AITS. The ITSG was based on the NIST APP OSE major service area model. Mr. Stanton will address composition issues of the APP OSE Guide profile of standards, from the perspective of the ITSG and AITS.

Richard McAllister

Mr. McAllister is one of the primary architects of the DGSA and a major contributor to the DGSA Overall Transition Strategy (DOTS). Mr. McAllister is also conversant on the MISSI program and the NSA security profiling. Mr. McAllister will address issues related to: the DGSA, MISSI, and security profiling.

Robert Oldach

Mr. Oldach is the Navy representative on the DODIIS Engineering Review Board (ERB). Mr. Oldach will address issues related to the DODIIS TRM, transition methodology, and core products.