JOINT NIST/NSA STATEMENT
SCOPE OF THE FEDERAL CRITERIA PROJECT
January 13, 1992

FACTORS DRIVING THE NIST-NSA FEDERAL CRITERIA PROJECT

The following four factors motivated the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to establish a joint project to develop a new Federal Criteria for Trusted Systems Technology.

INTERNATIONAL COMPUTER PRODUCT MARKET TRENDS

The international marketplace requires that vendors economize by developing and selling the smallest number of product versions to the largest single market. Since a growing part of the IT market will be in Europe, the new Federal Criteria must ensure the availability of products meeting U.S. Government and private sector needs which are consistent with international marketplace demands.

MUTUAL RECOGNITION OF SECURITY EVALUATION RESULTS

The interests of users and vendors will be served best if there are harmonized, internationally accepted security criteria and an associated evaluation process that permits mutual recognition of ratings regardless of where the evaluations are performed. When vendors only have to put products through one evaluation, the savings in documentation, test development, and evaluation costs can be passed on to users through lower purchase prices or additional features.

ENHANCEMENT OF EXISTING CRITERIA

The TCSEC for operating systems needs to be enhanced and stabilized as a U.S. Federal Criteria which will be useful to the majority of U.S. government and private sector multi-user computer systems. The Federal Criteria effort will restate and clarify some of the existing TCSEC requirements and will address new user requirements in the areas of access control, integrity, and availability. In addition, the Federal Criteria should be proposed as a set of security targets under the ITSEC framework.
SECURITY CRITERIA FOR OPEN DISTRIBUTED COMPUTING ENVIRONMENTS

New security criteria must respond to the challenges of securing the open, distributed computing environments of the 90's by advancing the development, specification, and assessment of security requirements for such systems. Such environments will require criteria that can address trusted distributed applications, heterogeneous trusted networks, porting of security-related software across multi-vendor platforms, flexible access control options, use of cryptography within information systems, and resolution of composability issues. Major research efforts will be required because there is a lack of solutions and guidance in these areas. As a long-term effort, NIST and NSA will work together on the investigation and development of criteria that respond to the above challenges.

PHASING AND OBJECTIVES

PHASED MULTI-YEAR PROJECT APPROACH

The goal of this multi-year effort is to develop a series of related Federal Information Processing Standards (FIPS) specifying new Federal Criteria (FC) for trusted systems technology. The first set of FIPS will be an enhancement and modernization of the current TCSEC coupled with an expansion of the existing product evaluation process. Subsequent FIPS will be developed over the next few years as time and knowledge permit us to deal with the more complex issues.

FEDERAL CRITERIA -- VERSION 1 (NEAR-TERM OBJECTIVES)

Version 1 of the FC, targeted for completion in draft by Fall 1992, is intended as an evolutionary modernization of the existing TCSEC.
Version 1 and its supporting documents will:

-- stabilize operating system security criteria as a first step; defer new criteria for other elements (e.g., networks, databases, applications) to subsequent versions;

-- provide a vehicle for expressing Federal Criteria requirements classes as ITSEC-style security targets with appropriate assurance levels, to support compatibility with ITSEC and emerging ISO standards;

-- remove ambiguity in the current TCSEC classes by clarifying requirements and stating more precisely what is actually required;

-- enhance the C2 requirements class, to include additional data integrity requirements (and possibly some availability requirements if feasible);

-- revise B1 through A1 requirements classes to incorporate changes made in C2, along with a moderate degree of updating as required.

EXPANSION OF EXISTING PRODUCT EVALUATION PROCESS

NIST and NSA are developing a Federal Government strategy for administering an updated product evaluation process directly aimed at increasing the availability of trusted products in the U.S. and achieving mutual recognition with EC nations consistent with U.S. national security interests. This approach is intended to encompass:

-- a method for using NIST's National Voluntary Laboratory Accreditation Program (NVLAP) to permit approved testing laboratories to evaluate trusted products under appropriate government oversight and quality control. Laboratories could be operated by manufacturers, commercial enterprises or Federal agencies. NSA would continue to evaluate products intended for use in protecting national security information, or in response to specific customer request.

-- a transition plan that allows the Federal Government to evolve into a cooperative NIST-NSA program addressing methods for handling new evaluations, evaluations in progress, and previously evaluated products.

-- streamlined ratings maintenance of evaluated products.
FEDERAL CRITERIA (LONGER-TERM OBJECTIVES)

Subsequent versions of the FC will be issued as we are better able to address the security needs of open distributed information systems. Currently, we expect a new release in the 1994-95 time frame. Development of these later versions is to be based on a coordinated NIST/NSA program of focused R&D, consensus-building of users and manufacturers, work with EC authors on evolving the ITSEC, and work with the international community on developing ISO standards for security functionality and assurance. The intent is to address the more complex emerging IT security issues of the 90's including:

-- the complexities of the Distributed Computing and Management Environments (DCE/DME);

-- "systems" and composability issues;

-- trusted applications development and evaluation methods, including high-integrity/availability systems;

-- a wider range of access control options;

-- sponsor-defined security targets that can be used in lieu of or to augment predefined functionality classes for product evaluation purposes; and

-- integration of cryptographic mechanisms with COMPUSEC in trusted product criteria (e.g., for confidentiality, integrity and digital signature services).