National security plan calls for security standards

Federal agencies planning information technology procurements will need to incorporate information assurance products, systems and services into major purchases, according to a new national computer security plan announced by President Clinton.

The National Plan for Information Systems Protection calls for incorporating information assurance products into pending procurements while a triad of agencies works to revise procurement regulations to require incorporation of standard cyberprotection products and services. The plan, released on Jan. 12, calls for the General Services Administration, the Defense Department and the Office of Management and Budget — working in conjunction with the National Institute of Standards and the National Security Agency — to develop the information assurance standards and regulations.

NIST and the NSA have already created a framework for these standards with their National Information Assurance Partnership (NIAP). NIAP also has started to accredit commercial laboratories to conduct security evaluations and validations of existing commercial products and systems.

The plan also said the government would adopt a "practical, phased-in approach" to new security products and systems. All government agencies must adopt information assurance standards and practices in their procurements by January 2001.