5 February 2001
Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html

-------------------------------------------------------------------------

[Federal Register: February 5, 2001 (Volume 66, Number 24)]
[Notices]               
[Page 8942-8943]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr05fe01-27]                         

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

 
Announcement of a Government-Industry IT Security Forum To 
Discuss Strategies for the Development of Security Requirements and 
Specifications for Computing and Real-Time Control Systems

AGENCY: National Institute of Standards and Technology, Commerce.

ACTION: Notice of public meeting.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) and 
the National Security Agency (NSA), partners in the National 
Information Assurance Partnership (NIAP), invite interested parties to 
attend a government-industry IT security forum to discuss potential 
public and private sector strategies for the development of security 
requirements and specifications needed for the protection of 
government, business and personal computing and real-time control 
systems.
    The primary purpose of the IT security forum is to bring national 
attention to the concept of security requirements definition and its 
importance in developing a more secure information infrastructure 
within the United States. Leaders from government, industry, and 
academia will have an opportunity to share their views on the role of 
security requirements in the development, testing and acquisition of 
commercial products and systems. There will also be discussion on 
prospective approaches to security requirements development, the 
importance of national and international standards, cost-effective and 
timely testing strategies, and the use of state-of-the-art tools and 
techniques in this area.
    The Government-Industry IT Security Forum will follow the First 
Symposium on Requirements Engineering for Information Security (SREIS) 
hosted by the Purdue University Center for Education and Research in 
Information Assurance and Security (CERIAS) in cooperation with the 
North Carolina State University (NCSU) E-commerce program and the 
Association for Computing Machinery (ACM).

DATES: The IT Security Forum will take place on March 7, 2001 from 9:00 
a.m. until 5:00 p.m.

ADDRESSES: University Place Conference Center and Hotel, IUPUI (Indiana 
University-Purdue University at Indianapolis), 850 West Michigan 
Street, Indianapolis, IN 46202-5198.

FOR FURTHER INFORMATION CONTACT: Forum Coordinator, Dr. Ron Ross, 
Information Technology Laboratory, NIST, 100 Bureau Drive, Mailstop 
8930, Gaithersburg, MD 20899-8930; Telephone: (301) 975-5390; E-mail: 
rross@nist.gov; World wide web: http://niap.nist.gov. Comments and 
suggestions on the proposed forum agenda are welcomed and appreciated.
    Forum Registration: To register for the Government-Industry IT 
Security Forum, visit the NIAP web site at http://niap.nist.gov or the 
Purdue CERIAS web site at http://www.cerias.purdue.edu/sreis.html.
    Registrations must be received by February 24, 2001. For additional 
registration or logistics information, please contact Mr. John Wellman, 
Business Office, Conference Division, Purdue University; Telephone: 
(800) 359-2968 or (765) 494-0243; Fax: (765) 494-0567; E-mail: 
jmw@purdue.edu.

SUPPLEMENTARY INFORMATION: For over a decade, NIST and NSA have worked 
cooperatively with government agencies, industry, and academia on the 
development of testing and evaluation

[[Page 8943]]

programs to assess the security features in commercial information 
technology (IT) products. There have also been extensive efforts, both 
nationally and internationally, to develop IT security evaluation 
criteria to support these assessment programs. During that period, few 
products were tested and there were continuing questions about the cost 
and timeliness of the evaluations. Additionally, due to operational 
considerations, many consumers did not use the products in their 
evaluated configurations.
    With all of the focus on criteria and testing programs, there has 
been very little attention paid to helping consumers define and create 
their IT security requirements. There has also been insufficient effort 
to bring consumers and producers of products and systems together to 
build a better understanding of what customers need in the realm of 
security and what industry is able to deliver in a cost-effective 
manner.
    Consumers of IT products from a variety of public and private 
sector communities of interest, e.g., healthcare, banking and finance, 
defense, national security, insurance, legal, manufacturing, process 
control, telecommunications, etc., continue to express interest in 
obtaining better ways to convey their security requirements to industry 
in an effort to build more secure systems for their respective 
enterprises. New and innovative approaches to developing security 
requirements for commercial products and systems are being explored in 
many venues. One such effort, led by NIST, NSA, and other standards and 
security organizations worldwide, has been the development of the 
Common Criteria for Information Technology Security Evaluation.
    The Common Criteria provides a mechanism for consumers to 
articulate their IT security requirements and a common structure by 
which consumers and producers can exchange perspectives on what 
security features are needed and what security features can be 
provided. The Common Criteria became an international standard (ISO/IEC 
15408) in 1999 and now serves as the foundation for a formal fourteen-
nation arrangement recognizing the results of security evaluations 
conducted in participating nations.
    Consumers and producers of IT products and systems can now use the 
Common Criteria to produce well-defined sets of security requirements 
in many areas such as operating systems, database management systems, 
smart cards, telecommunications and networks devices, and applications. 
There is also an opportunity to address the ``realistic configuration'' 
and ``timeliness of evaluation'' problems by allowing producers and 
consumers of products to agree on a set of security requirements (for 
both features and assurances) that meet the consumer's real needs.
    Without consumer involvement in helping to shape the demand for 
evaluated products through the security requirements definition 
process, the ultimate goal of improving the confidence consumers have 
in the products they purchase, may be more difficult to achieve. 
Greater confidence in the security features of the individual component 
products will facilitate the development of more secure systems for 
Federal agencies and private sector enterprises, and ultimately, result 
in a more secure information infrastructure for the United States.
    The sponsors of the forum hope to obtain answers to the following 
questions:
     What are the important information technology areas for 
general purpose products, e.g. operating systems, database systems, 
firewalls, intrusion detection systems, etc., that could benefit from 
the development of stable sets of security requirements?
     How are the security requirements for general-purpose 
products best developed?
     What specific security requirements are needed to address 
highly reliable, real time systems?
     Are there additional needs for IT security requirements 
tailored to specific consumer communities (e.g., healthcare, banking, 
manufacturing, process control)?
     If so, how should these security requirements be developed 
(process and organization question) and how do they interact with the 
security requirements for general-purpose products (technical 
question)?
     What value do consumers, government security experts, and 
the insurance and audit industries see in third party testing and 
evaluation of commercial products?
     How much value do consumers place on the assurances 
received from IT product testing and evaluation and how much product 
currency are they willing to give up to get it?
     How can the results from component product testing and 
evaluation be used to increase the level of confidence consumers have 
in their systems and networks?
     What role should the U.S. Government play in the 
development of security requirements for key information technology 
areas that affect the U.S. information infrastructure?
     Should the U.S. Government mandate for Federal agencies, 
the use of evaluated and validated information technology products 
built to specific security requirements, e.g., Common Criteria 
Protection Profiles?

Preliminary Agenda

--Introduction and Forum Overview (NIAP Director)
--Keynote Address (U.S. IT Industry CEO)
--Panel 1: Consumer's Perspective (Invited Participants)
--Panel 2: Insurance, Audit, and Testing Industry Perspectives (Invited 
Participants)
--Panel 3: IT Industry's Perspective (Invited Participants)
--Panel 4: Research and Development Activities: A Perspective from 
Academia (Invited Participants)
--Approaches for Developing Requirements: Bringing the Communities 
Together (Invited Participants)
--Summary and Conclusions (NIAP Director)

    Dated: January 29, 2001.
Karen Brown,
Acting Director, NIST.
[FR Doc. 01-2977 Filed 2-2-01; 8:45 am]
BILLING CODE 3510-CN-M