NCSL BULLETIN
Advising users on computer systems technology
July 1990

NCSL Bulletins are published by the National Computer Systems Laboratory (NCSL) of the National Institute of Standards and Technology (NIST). Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis and are available from NCSL Publications, National Institute of Standards and Technology, B151, Technology Building, Gaithersburg, MD 20899, telephone (301) 975-2821 or FTS 879-2821.

The following bulletins are available: Data Encryption Standard, June 1990

GUIDANCE TO FEDERAL AGENCIES ON THE USE OF TRUSTED SYSTEMS TECHNOLOGY

INTRODUCTION

Purpose.
The purpose of this document is to provide initial guidance to federal departments and agencies on the use of trusted systems technology in computer systems which handle unclassified sensitive information.

Background.
The National Institute of Standards and Technology (NIST) has received many inquiries from federal agencies regarding the applicability of Department of Defense (DoD) Standard 5200.28-STD, DoD Trusted Computer Systems Evaluation Criteria (TCSEC), and National Telecommunications and Information Systems Security Policy (NTISSP) Number 200, National Policy on Controlled Access Protection, to computer systems which are used to process unclassified sensitive information and which are covered by the Computer Security Act of 1987 (Public Law 100-235). The TCSEC, often called the "Orange Book," was developed by the National Computer Security Center (NCSC) of the National Security Agency (NSA). NTISSP 200 was published under authority of National Security Decision Directive (NSDD) 145 prior to the passage of the Computer Security Act, which established new federal authorities and policy on protection of unclassified computer systems.

Authority -- NIST Responsibilities under Computer Security Act.
The Computer Security Act of 1987 assigns NIST the responsibility for developing security standards and guidelines for federal computer systems, with the exception of classified and a specified category of Department of Defense unclassified systems (referred to as "Warner Amendment" systems). NIST is therefore responsible for advising all federal agencies on the use of trusted systems technology in most unclassified computer systems.

Objectives.
Specific objectives of this document are to:
o provide guidance to federal agencies on the use of trusted systems technology;
o clarify the applicability of the TCSEC and NTISSP Number 200; and
o describe NIST's long-range plans for the development of additional policy, guidance, and technical recommendations on the use of trusted system technology.

Definition.
Trusted Systems Technology - The technical methods and mechanisms that are used to develop trusted systems, are used to assure the enforcement of a security policy in such systems, and are contained within the trusted systems. Examples of trusted systems are trusted operating systems, trusted networks, trusted databases, and trusted applications. Examples of methods are modeling, software engineering, and automated evaluation. Examples of mechanisms include identification, authentication, auditing, and access control.

Applicability.
This guidance applies to those federal computer systems defined in the Computer Security Act of 1987.

POLICY GUIDANCE

Use of Trusted Systems Technology.
Each agency should select computer security controls, including trusted systems technology, for its systems which are commensurate with the estimated risk and magnitude of potential loss of confidentiality, integrity or availability. The selection should be based upon an analysis of the security risks for each system within its particular environment.
Trusted systems technology can be particularly useful for agencies with significant requirements for confidentiality of computer-based information. It can also provide basic access control protection to help meet information integrity requirements.

Applicability of NTISSP Number 200.
There is no binding national policy on the applicability and use of trusted systems technology in federal computer systems which process unclassified information. In particular, NTISSP Number 200 does not apply to unclassified systems covered by the Computer Security Act of 1987.

USE OF TRUSTED SYSTEMS TECHNOLOGY

Value of Trusted Systems.
NIST recommends the use of trusted systems technology when such technology satisfies requirements for adequate and cost-effective access control protection. Such requirements exist when there is a need for safeguarding the confidentiality and integrity of information. In addition, the assurance process which is a part of trusted systems technology can help support system availability requirements. All these requirements should be planned for and validated by a formal risk management procedure.

As an integral part of the planning process required by the Computer Security Act, the first step in risk management is the conduct of a thorough risk analysis. The second step in risk management is selection of appropriate security controls based on the analysis of the security risks for the environment involved. This risk management process should balance security and performance requirements and provide for cost-effective security and privacy of sensitive information in the system. Effective use of trusted systems technology, like any other security control, should substantially increase the protection relative to the additional acquisition, operating and maintenance costs of the security mechanisms obtained.

Computer Security Planning and Protection Strategy.
A security protection strategy consists of a mix of physical, administrative, and technical safeguards, including trusted systems technology. The use of trusted system technology can be an effective part of a larger computer security protection strategy for satisfying confidentiality, integrity, and availability requirements. As with other types of protection mechanisms, the benefits attainable from trusted systems technology can only be realized if these mechanisms are used properly in a complementary fashion.

Use of Evaluated Products.
Agencies with a need for systems with trusted technology features should select those systems from NSA's Evaluated Products List (EPL). If EPL products are not available, then agencies may select or design systems that best meet their security requirements using the TCSEC as a guide. NSA's Information Systems Security Products and Services Catalog contains the EPL, which lists evaluated products, those systems that are currently undergoing evaluation, and the current status of such evaluations.

Use of Class "C2" Systems.
Systems designed to meet "C2" or higher classes of the TCSEC should first be considered when acquiring multi-user computer systems with a requirement to control user access to information according to "need to know" and authorization. The "C2" and other TCSEC criteria were designed to achieve confidentiality through improved access control. The same access control mechanisms can also be beneficial for helping to maintain information integrity. While it should be recognized that access controls are a necessary part of achieving integrity and availability, there are other requirements for integrity and availability not covered by the TCSEC. NIST recommends that federal departments and agencies consider using "C2" functionality as a minimum to help protect their multi-user systems having confidentiality or integrity control requirements.

Use of Division "B" Systems.
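As an added illustration of the contrast between the discretionary, need-to-know checking of a "C2" system and the mandatory, label-based checking of the "B" division discussed in this section (example code written for this page, not part of the bulletin or of any evaluated product): the level names, users and files are constructed, and the lattice rules shown are the TCSEC's confidentiality rules, so the integrity and availability categories the bulletin mentions are not modelled here.

```python
from dataclasses import dataclass

# Constructed hierarchy for the illustration; a real system uses its own levels.
LEVELS = {"UNCLASSIFIED": 0, "SENSITIVE": 1, "RESTRICTED": 2}


@dataclass(frozen=True)
class Label:
    """A TCSEC-style sensitivity label: a hierarchical level plus a set of categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice dominance: level at least as high and categories a superset.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def dac_permits(acl: dict, user: str, mode: str) -> bool:
    """C2-style discretionary control: an explicit per-user authorisation list."""
    return mode in acl.get(user, set())


def mac_permits(subject: Label, obj: Label, mode: str) -> bool:
    """Mandatory control as required of B-division systems (Bell-LaPadula rules):
    reading needs the subject's label to dominate the object's; writing needs the
    reverse, so information cannot flow to a lower or differently-compartmented label."""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    return False


def access_allowed(user: str, subject: Label, obj: Label, acl: dict, mode: str) -> bool:
    """B-division systems grant access only when both checks pass; a C2 system
    would apply the discretionary check alone."""
    return mac_permits(subject, obj, mode) and dac_permits(acl, user, mode)


def demo() -> dict:
    """Constructed scenario: a personnel file, a public notice and three users."""
    personnel_file = Label("SENSITIVE", frozenset({"PERSONNEL"}))
    personnel_acl = {"alice": {"read", "write"}, "bob": {"read"}}  # need-to-know list
    public_notice = Label("UNCLASSIFIED")
    notice_acl = {"alice": {"read", "write"}}
    alice = Label("SENSITIVE", frozenset({"PERSONNEL"}))
    bob = Label("SENSITIVE")  # cleared to the level but not to the PERSONNEL category
    carol = Label("RESTRICTED", frozenset({"PERSONNEL"}))
    return {
        "alice_reads_file": access_allowed("alice", alice, personnel_file, personnel_acl, "read"),
        "bob_reads_file": access_allowed("bob", bob, personnel_file, personnel_acl, "read"),
        "carol_reads_file": access_allowed("carol", carol, personnel_file, personnel_acl, "read"),
        "alice_writes_notice": access_allowed("alice", alice, public_notice, notice_acl, "write"),
    }
```

In the scenario only alice's read succeeds: bob is on the access list but lacks the category, carol's label dominates the file but she has no need-to-know entry, and alice's write to the unclassified notice is refused by the mandatory rule even though her access list entry would permit it.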
When acquiring multi-user computer systems with a requirement for mandatory separation of sensitive information and for which security labels can be established, systems designed to meet the criteria of the "B" division of the TCSEC can be useful. Systems in that division are designed to enforce a mandatory access control or multi-level security policy. However, the cost benefit considerations discussed earlier are of particular importance when considering the use of "B" division level systems.

In the context of this guidance document, the term "security label" is used to denote confidentiality, integrity, or availability categories established pursuant to a larger organizational information security policy. Security labels are a generalization of the "sensitivity labels" used in the TCSEC.

NIST PLANS FOR DEVELOPMENT OF TRUSTED SYSTEMS GUIDANCE

NIST recognizes that federal agencies in their unclassified computer security programs will require additional guidance on the use of trusted systems technology as it evolves. NIST has an active program to develop such guidance. This section describes some of the current activities designed to provide this guidance over the next few years.

National Evaluation Criteria.
NIST plans to publish guidance on information and system integrity, focusing first on technical methods of achieving effective integrity controls in computer and telecommunications systems. NIST recognizes the benefits of TCSEC evaluated products and will work closely with NSA and other private and public sector organizations to create a set of national evaluation criteria that will emphasize integrity and availability to complement the TCSEC. NIST will work with NSA to extend NSA's evaluation program to incorporate these methods into trusted systems.

Security Criteria for Distributed Systems.
NIST and NSA are studying the need for security criteria in distributed computer systems to address integrity, availability and confidentiality of unclassified information.

Security Labels.
NIST also plans to work with government organizations and industry in developing suggested standard categories of data to which security labels, which would control the handling of that data, can be applied. The labels can be applied to categories of unclassified government and commercial information that require protection for confidentiality, integrity and availability purposes. These labels can then be used with "B" division trusted systems. Note that any security labeling scheme should complement an organization's information protection policy.

Guide to Use of Trusted Systems Technology.
NIST is preparing additional guidance to assist federal agencies in deciding how to use trusted systems technology to protect computer systems containing unclassified sensitive information. This guide will include more detailed information on the extent to which that technology provides system-level confidentiality, integrity and availability protection for unclassified systems. The guide will stress the key point that the risk analysis-based process of identifying valid information protection requirements is an essential prerequisite for determining the full set of protection mechanisms (trusted systems included) to be effectively applied to computer systems. This guide can be viewed as complementing the NSA's "Yellow Book" (CSC-STD-004-85, Guidance for Applying the DoD Trusted Computer System Evaluation Criteria in Specific Environments, June 25, 1985), which addresses the use of trusted technology in systems processing classified information.

International Evaluation Criteria.
NIST is participating in international computer security standards activities that are specifying a wide range of security services and mechanisms in information technology.
NIST recognizes the efforts and contributions of numerous international organizations presently developing security architectures, profiles, and criteria. Specifically, NIST is reviewing the Information Technology Security Evaluation Criteria (ITSEC) that have been proposed for European Community use and is preparing comments on their utility for U.S. Government unclassified applications.

REFERENCE DOCUMENTS

Computer Security Act.
The Computer Security Act of 1987 was signed into law on January 8, 1988, thereby superseding NTISSP Number 200 for systems processing sensitive unclassified information. It established NIST's authority to develop uniform technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems, except those systems processing classified or Warner Amendment information. The Act also prescribed a process whereby agencies are required to prepare plans for the security and privacy of federal computer systems containing sensitive information.

NSDD-145.
National Security Decision Directive (NSDD) 145, National Policy on Telecommunications and Automated Information Systems Security, was issued on September 17, 1984. NSDD-145 required federal agencies to establish policies, procedures, and practices to protect national security related information in computer systems. NSDD-145 established the National Telecommunications and Information Systems Security Committee (NTISSC) to develop and issue national system security operating policies.

NTISSP Number 200.
The NTISSC issued NTISSP Number 200 on July 15, 1987. NTISSP 200 required multi-user computer systems containing classified or unclassified sensitive information operated by federal agencies and their contractors to have "controlled access protection" as a minimum level of security protection. Controlled access protection is technically defined in the TCSEC as the "C2" class of trust.
Further, NTISSP 200 required federal agencies and contractors to provide this controlled access protection in automated information systems containing sensitive information within five years (hence the well-known phrase "C2 by '92").

NIST'S COMPUTER SECURITY PROGRAM

For further information regarding other aspects of NIST's computer security program, including NIST's federal agency assistance program, please contact:

Computer Security Division
National Computer Systems Laboratory
Building 225, Room A216
National Institute of Standards and Technology
Gaithersburg, MD 20899
Telephone (301) 975-2934