NSA expands Fortezza

The National Security Agency has backed off its hard-line approach and has expanded the Fortezza card program to cover software and smart card applications in hopes that more federal agencies will consider using the technology.

NSA officials who previously had insisted on Fortezza encryption to be used only in hardware began last month to brief the commercial sector on the new design requirements which will allow different levels of security depending on the value of the information.

Fortezza is a credit-card-size security device that authenticates users and encrypts electronic mail. Fortezza-based encryption which is one of the core components of NSA's Multilevel Information Systems Security Initiative eventually will be used to secure e-mail communications for 2 million Defense Department PCs as part of the Defense Message System.

NSA last week declined to comment on its Fortezza strategy.

A spokesman for the Defense Information Systems Agency which is managing the development of DMS said NSA's move is positive because it would expand the variety and flexibility of security products that support DMS. DISA officials will ensure that these new components will be integrated seamlessly with existing DMS components he said.

"Integrating these new security products will help to clarify to the user community that DMS provides a very powerful system with the flexibility to support a variety of security solutions " the spokesman said. "It will demonstrate that DMS can easily be tailored to meet any organization's secure messaging and directory needs."

NSA's decision to expand Fortezza may have been prompted in part by the high cost of the hardware-based Fortezza card which requires a separate card reader for it to work according to Santosh Chokhani president of Cygnacom Solutions Inc. a security consulting firm based in McLean Va. Software implementations although less expensive to use provide much less robust security than Fortezza cards. Smart cards provide more security than software implementations and cost less than Fortezza cards.

"Some of the law enforcement agencies were looking at [Fortezza] very favorably as far as security goes but they weren't able to come up with the funds " he said. "The money is tight. Agencies were finding better uses for the money. It came down to money and [NSA] had to sort of bite the bullet and say `We can't do it.' "

The expansion also may prompt more civilian agencies to buy into the Fortezza solution for secure messaging.

Neil Stillman deputy assistant secretary for information resources management at the Department of Health and Human Services said he had not heard of NSA's decision but he said encryption embedded in software would be a less expensive solution and perhaps more attractive to civilian agencies that needed a level of security below that of the military.

The expansion also reflects a growing tendency of NSA to relax its aversion to the commercial marketplace Chokhani said.

In February DOD announced plans to remove the controversial government key-escrow software from Fortezza cards. Key escrow also designed by NSA provides a built-in mechanism that allows law enforcement officials to access encrypted data without the knowledge of the user. It will most likely be replaced with emerging key-recovery technology which does not have the built-in access feature.