Regs set for security

Commercial information security products designed to protect information

systems from cyberattacks next year will have to meet strict international

standards before government agencies can purchase them.

The new National Information Assurance Acquisition Policy will be phased

in on Jan. 1, 2001, when all agencies will be encouraged to purchase only

those products that meet the standards. The National Security Telecommunications

and Information Systems Security Committee, which establishes policy on

the security of national security information systems, approved the policy

last month.

After Jan. 1, 2002, agencies will be allowed to purchase only commercial

information assurance products evaluated by accredited national laboratories

and that meet internationally recognized assurance standards.

The policy document suggests agencies that operate non-national security

systems may want to purchase only accredited products in the future as a

means to comply with Presidential Decision Directive 63, which requires

agencies to protect critical computer systems.

Government and commercial information assurance products purchased before

the effective dates are exempt. Requests for waivers must be made through

the National Security Agency.

The standards cited by the new policy include:

* The International Common Criteria for Information Security TechnologyEvaluation

Mutual Recognition Arrangement.

* The National Security Agency/National Institute of Standards andTechnology

(NIST) National Information Assurance Partnership Evaluation and Validation

Program.

* The NIST Federal Information Processing Standard validation program.