Report: Feds snub NIST's standards

Fourteen civilian agencies are using a commercial security technology that is not allowed under federal standards for encryption and digital signatures, according to a report released last week by the company that designed the technology.

The agencies are using cryptographic and digital signature products from RSA Data Security Inc., a supplier of software components widely used in the private sector. Commercial products available today that employ RSA encryption include Netscape Communications Corp.'s Navigator browser, Microsoft Corp.'s Internet Explorer browser, Lotus Development Corp.'s Notes and Oracle Corp.'s SecureSQL.

However, two National Institute of Standards and Technology standards require agencies to use approved encryption and digital signature technology. These standards do not apply to Defense Department agencies.

According to the report, the civilian agencies using RSA technology for encryption or digital signatures include the departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Justice, Labor, Transportation and the Treasury as well as NASA, the CIA, the Environmental Protection Agency, the Small Business Administration and the U.S. Postal Service.

Jim Bidzos, president of RSA, described the agencies as "victims of a senseless policy" who have tried to find products that meet the government standards but have not been able to because of a lack of commercial acceptance.

"What the government has been trying to do is move everybody to a key-escrow or key-recovery technology," Bidzos said. "The real victims of the encryption policies are the ones who are trying to do their jobs better and can't."

Miles Smid, manager of the security technology group at NIST, said the agencies may not be obtaining waivers to use RSA technology because they are not aware of the standards or because they are unable to get management approval for a waiver. He also noted that agencies participating in key-recovery pilots do not need to obtain waivers to use RSA technology.

"We're not an enforcement agency," Smid said. "The heads of agencies are responsible for what measures they are using to protect their data."

Officials at NIST are planning to approve the use of RSA technology for digital signatures but are waiting for a national standards body to vote on an RSA standard, he said.

Only four agencies have received a waiver from using the digital Federal Information Processing Standard (FIPS). Last week the Social Security Administration announced that it had been granted a waiver to use RSA encryption technology products for secure Internet transactions with the public. In granting the waiver, John Dryer, chief information officer at SSA, noted that 93 percent of the world's browser products do not meet federal standards.

Donald Heffernan, the deputy CIO of the General Services Administration last week issued a waiver for GSA to acquire and use any commercial off-the-shelf software product that meets internal requirements for information technology security.

Heffernan said GSA requires secure electronic communication with private-sector vendors to perform its day-to-day functions.

"The limited availability of products employing FIPS-compliant security technologies produced many incompatibilities with the vendor community," Heffernan said.

In April 1997 the CIO of the EPA issued a waiver that allowed the agency to use RSA's cryptography features.

That same month, the USDA's marketing service issued a similar waiver that will allow the service to use RSA's digital signature technology. Both agencies cited unnecessary costs associated with purchasing hardware and software products that support the federal government standards as a primary reason for obtaining waivers.

Patricia Edfors, former champion for security and privacy with the Government Information Technology Services Board, said the inconsistencies between the federal standards and commercial technology impaired her ability to implement security in agencies. Many agencies are reluctant to ask for a waiver for fear of funding repercussions from legislators, she said.

"It's unfortunate that these people have to be exposed in some ways because they have been closet users," Edfors said. "Most federal agencies are adverse to letting the Hill know— especially appropriations committees— that they've chosen not to do something. When you notify the Hill, the domino effect occurs, and the [General Accounting Office] comes to visit the inspector general. The threat of audit is the time when most agencies consider a waiver. The reality is federal agencies have decided [complying with federal standards] just doesn't make any sense."