Merged standard could allow governmentwide secure e-mail

In a move that could extend Defense Message System capabilities to civilian agencies at lower costs and allow governmentwide secure e-mail interoperability, the National Security Agency has committed to merging its secure messaging protocol with the de facto commercial standard.

NSA officials have tasked Bethesda, Md.-based J.G. Van Dyke & Associates Inc., the developers of the NSA-designed Message Security Protocol, to merge many of the MSP features needed to shroud top-secret e-mail communications with the S/MIME standard. S/MIME is widely used by civilian agencies and in the commercial world, but it is not compatible with MSP.

The decision to combine the two may be one of the first times the government has moved to join one of its proprietary, internal standards with a commercial standard, said Gary Van Dyke, president of J.G. Van Dyke.

"It does mean that there is one security protocol to solve commercial and military requirements...that hasn't happened before," Van Dyke said. "It takes something that is the de facto standard of the Internet world and strengthens it to meet the military requirements. DMS has always had as its objective having commercial off-the-shelf software. The real objective is to have an ease with which you can communicate with any party and not have security inhibit that."

Because the two standards are not compatible at present, if a DOD user sends a message to someone outside DOD, the message must first go through a gateway that interprets the message and strips it of security mechanisms before it can be read by the other user.

In the prototype being created by Van Dyke, MSP's ability to allow data to be labeled according to its level of sensitivity will be added to the S/MIME standard. In addition, the new standard would support various encryption algorithms, including DOD's customized algorithm or those more commonly used in the commercial world. Work on the prototype is expected to take three to four months.

These specific enhancements integrated into secure e-mail products are vital to offering civilian agencies the ability to protect sensitive documents, while retaining flexibility in choosing specific encryption mechanisms, as they move toward wholeheartedly embracing electronic commerce, said Jack Finley, director of the General Services Administration's E-Mail Program Management Office.

Offering Security at a Lower Cost

In addition, by combining some of the more robust security features of the military standard with the commonly used commercial version, the security mechanisms that are core to DMS can be offered to civilian agencies at a lower cost, Van Dyke said. That is because commercial vendors traditionally are more apt to incorporate standards into products that will appeal to several markets instead of only one segment of the federal government.

John Nagengast, chief of the Network Security Group at NSA, said in a statement that Van Dyke's work to merge the two standards will allow the agency to "migrate to a more robust version of S/MIME that will achieve our goal of convergence to a common government/industry capability for secure messaging."

The move signals a major shift in the DMS program, Finley said. "They're developing a flexible architecture which parallels our [governmentwide e-mail] architecture. They are beginning to signal the acceptance of the Internet community as a business line."