Federal Government Compliance and Directives

DITSCAP

The DoD Information Technology Security Certification and Accreditation Process (DITSCAP) requires Interoperability Certification and Information Assurance (IA) accreditation of all telecommunications products connected to the Defense Switched Network (DSN).

NSTISSP #11

National Security Telecommunications and Information Systems Security Policy No. 11 (http://niap.nist.gov/cc-scheme/nstissp-faqs.html) is a national information assurance acquisition policy. It requires that systems which enter, process, store, display or transmit national security information use only information assurance products that have been validated against the International Common Criteria for Information Technology Security Evaluation under the NIAP Common Criteria scheme (http://www.niap.nist.gov/cc-scheme/in_evaluation.html#f) and/or against Federal Information Processing Standard (FIPS) 140-2 (http://csrc.nist.gov/cryptval/140-1/1401vend.htm).

CNSS Policy # 15

U.S. Government departments or agencies that wish to use security products implementing AES to protect national security systems and/or information (i.e., to provide confidentiality, authentication, non-repudiation or integrity, or to ensure system availability), or other mission-critical information related to national security, must have the AES implementation in those products reviewed and certified by the National Security Agency (NSA) before acquisition and use; the underlying cryptographic module is validated under Federal Information Processing Standard (FIPS) 140-2. http://csrc.nist.gov/cryptval/CNSS15FS.pdf

NCES

The Net-Centric Enterprise Services program will provide a secure, collaborative information-sharing environment that enables systems to deliver the right information to the right person at the right time. http://www.disa.mil/main/nces.html

EGA

(E-Government Act) The E-Government Act of 2002 and the Federal Information Security Management Act (FISMA) permanently establish the guidelines set forth in the original Government Information Security Reform Act (GISRA), assign significant privacy and security responsibilities to federal information technology system operators, and provide the framework for securing the Federal government's information technology. http://www.whitehouse.gov/omb/egov/b-1-information.html

FISMA

Under the Federal Information Security Management Act of 2002 (FISMA, Title III of the E-Government Act), all applications and content must be protected against unauthorized access, use, disclosure, disruption, modification or destruction of information collected or maintained by the agency. Federal agencies have until December 2006 to apply the requirements to their existing systems. A recent survey of about 70 federal chief information security officers found that only about 40 percent of them had begun the now-mandatory process of categorizing their major applications and general support systems according to the impact that a serious breach in those systems could have on their agencies' ability to operate. (Federal Computer Week, March 2005)

NSTISSP #11

NSTISSP #11 is a national security community policy governing the acquisition of information assurance (IA) and IA-enabled information technology products. The policy was issued by the Chairman of the National Security Telecommunications and Information Systems Security Committee (NSTISSC) on 2/1/00. Effective 1 July 2002, it mandates that departments and agencies within the Executive Branch acquire, for use on national security systems, only those COTS products or cryptographic modules that have been validated in accordance with the International Common Criteria for Information Technology Security Evaluation under the National Information Assurance Partnership's (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), or by the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Cryptographic Module Validation Program (CMVP). Additionally, subject to policy and guidance for non-national security systems, NSTISSP #11 notes that departments and agencies may wish to consider acquiring validated COTS products for use in information systems associated with the operation of critical infrastructures, as defined in the Presidential Decision Directive on Critical Infrastructure Protection (PDD-63).