Report: Agencies ignore security standard, go commercial

Fourteen civilian agencies are using a commercial security technology that is not allowed under federal standards for encryption and digital signatures, according to a report released today by the company that designed the technology.

The agencies are using cryptographic and digital signature products from RSA Data Security Inc., a supplier of software components widely used in the private sector. Available commercial products that employ RSA encryption include Netscape Communication Corp.'s Navigator browser, Microsoft Corp.'s Internet Explorer browser, Lotus Development Corp.'s Notes and Oracle Corp.'s SecureSQL.

However, two National Institute of Standards and Technology standards require agencies to use approved encryption and digital signature technology. These standards do not apply to Defense Department agencies.

According to the report, the civilian agencies using RSA technology for encryption or digital signatures include the departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Justice, Labor, Transportation and the Treasury as well as NASA, the CIA, the Environmental Protection Agency, the Small Business Administration and the U.S. Postal Service.

Jim Bidzos, president of RSA, described the agencies as "victims of a senseless policy" that have tried to find products that meet the government standard but have not been successful because of a lack of commercial acceptance.

"What the government has been trying to do is move everybody to a key-escrow or key-recovery technology," Bidzos said. "The real victims of the encryption policies are the ones who are trying to do their jobs better and can't."

Miles Smid, manager of the security technology group at NIST, said the agencies may not be obtaining waivers to use RSA technology because they are not aware of the standard or because they are unable to get management approval for a waiver. He also noted that agencies participating in key-recovery pilots do not need to obtain waivers to use RSA technology.

"We're not an enforcement agency," Smid said. "The heads of agencies are responsible for what measures they are using to protect their data."

Officials at NIST are planning to approve the use of RSA technology for digital signatures but are waiting for a national standards body to vote on an RSA standard, he said.

Only four agencies have received a waiver from the digital federal information processing standard (FIPS). Don Heffernan, the deputy chief information officer of the General Services Administration, on June 10 issued a waiver for GSA to acquire and use any commercial off-the-shelf software that meets internal requirements for information technology security.

In issuing the waiver, Heffernan noted that GSA requires secure electronic communication with private-sector vendors to perform its day-to-day functions. "The limited availability of products employing FIPS-compliant security technologies produced many incompatibilities with the vendor community," Heffernan said.

Last week the Social Security Administration announced that it had been granted a waiver to use RSA encryption technology products for secure Internet transactions with the public. In granting the waiver, John Dryer, chief information officer at the Social Security Administration, noted that 93 percent of the world's browser products do not meet federal standards.