NSA emerges from the shadows

For many years, the National Security Agency has specialized in developing security solutions with ultra-secret requirements for its users, far removed from the services required by the vast majority of government applications.

But that is beginning to change. With commercial products and services drawing heightened interest from federal agencies, NSA is stepping out of the shadows to take a major role in helping those agencies understand their security requirements and evaluate the available commercial solutions.

NSA will continue to supply the ultra-secret encryption "black boxes" to the Defense Department for classified information, agency officials say. But the agency will augment that business by offering system security assessment, testing and diagnostics to defense and civilian agencies. NSA has been offering these services for several years in different capacities, but now the services are becoming one of the organization's largest lines of business. Although NSA still will set aside money for research and development of encryption products - such as the award given last month to General Dynamics Communications Systems (formerly GTE Government Systems) for a new, faster encryptor - the security services possibly could take up more of the agency's budget than the encryption products, officials said.

"We are an organization in transition," said Mike Jacobs, deputy director of information systems at NSA. "We will always have a traditional portion of our business building black boxes, but there is the burgeoning new business."

NSA's new offerings include "red team" exercises, in which NSA users attempt to hack agency systems. The agency has partnered several times with the General Accounting Office to test the system security at agencies such as the State Department and NASA.

As part of those changes, NSA no longer will spend time certifying and endorsing high-security products, even though this service still is in demand. NSA will provide such services for some specific products and services, but largely will hand off the certification business to the National Information Assurance Partnership (NIAP), a joint effort with the National Institute of Standards and Technology.

"The customer still wants that NSA endorsement," said Lou Giles, a member of NIAP from NSA. "But this is a new philosophical paradigm of evaluation for commercial products that we're moving to."

Under this new paradigm, NSA will be using NIAP to test commercial products for federal use instead of using government-built products. But the change goes even further because NIAP government employees are not doing any testing. All of the testing is done by commercial labs that have undergone NIST accreditation. NIAP's role in the evaluation process is to review the test results and make sure they are correct, Giles said.

NSA also is taking the lead on several security-related policy initiatives at DOD that likely will have lasting effects on the entire government. For example, the Pentagon has tapped NSA to oversee its use of public-key infrastructure technology to secure e-mail and other Internet-based transactions.

PKI uses digital certificates, encryption and other technologies to secure those transactions. By the end of 2001, DOD expects to issue digital certificates to more than 3 million employees. And NSA is working more closely than ever to make it happen, said Mike Green, director of the DOD PKI program management office.

For DOD, the challenge with PKI is not the technology for securing transactions but the policy defining the different levels of assurance the Pentagon requires. The Pentagon expects to sign off on that policy by Nov. 10, Green said.

DOD is working closely with civilian agencies that are developing PKI strategies, including the Federal PKI Steering Committee headed by Richard Guida from the Treasury Department. The cooperation will ensure that PKI programs across government will work together, helping agencies avoid populating the Internet with the kind of stovepipe systems they have developed in the past, Green said.

NSA also is heading up a DOD-wide project known as the Information Assurance Technology Framework, which will provide the department with the tools to analyze Internet-based attacks on DOD systems. The IATF Forum, which is putting this initiative together, is made up of more than 2,000 representatives from government and industry.