The National Security Telecommunications and Information Systems Security Committee (NSTISSC) has issued new guidance for acquisition of commercially available security products for national security systems across the U.S. government. Commercial off-the-shelf products for information assurance (IA) will now have to meet internationally recognized evaluation standards.
The new guidance will be phased in over the next two years. Initially, effective Jan. 1, 2001, departments and agencies are encouraged to give preference to evaluated commercial IA products for use on national security systems. Effective July 1, 2002, however, only those commercial IA products evaluated by accredited national laboratories in accordance with internationally recognized assurance standards may be purchased. While not mandated, evaluated products are also preferred on other governmental information systems.
This evaluation requirement results from the proliferation of commercial IA products as well as the increasing sophistication of cyber threats. Consequently, commercial security products on the most sensitive information systems must be subject to a standardized evaluation process to ensure they work as advertised. The new phased-in approach will ease the transition to this standardized evaluation process.
The National Security Telecommunications and Information Systems Security Committee is an intergovernmental organization representing 21 agencies. It establishes policy on the security of national security information systems. Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) Arthur L. Money approved this new policy in his capacity as committee chairman.
A fact sheet, detailing the "National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products" (NSTISSP No. 11), is available on the NSTISSC website at http://www.nstissc.gov in the "library" section. [Link no longer available]
Additional questions on this matter may be directed to committee representatives via (301) 688-6524.