In September 1990, the Computer System Security and Privacy Advisory Board established under the Computer Security Act of 1987 proposed that NIST issue guidelines on civilian agency computer security analogous to the Rainbow Series and published as Federal Information Processing Standards. However, it is not clear how or by whom such a document would be developed, in part because NIST lacks relevant funding (Danca, 1990e).


Ironically, it was a similar recognition that led to the launch of the NCSC in the first place.


Note that the federal government already has a number of vehicles for action that do not involve direct administration by federal employees, such as nonprofit federally funded research and development centers (FFRDCs), government-owned/contractor-operated (GOCO) industrial plants, and specially chartered quasi-public organizations such as federally sponsored financing agencies that conduct activities formerly conducted by the private sector. Comsat is perhaps the most widely recognized example; it was specially chartered by Congress, but it is profit making and is funded by selling shares. More relevant is the FFRDC concept, also involving congressional charters, which in general does not, however, permit the flexibility in funding or in mission envisioned for the ISF (Musolf, 1983).


Another source of funds might eventually be sales of publications. Such sales provide about $10 million in revenue for FASB, for example (FASB, 1990).


The emergence of DES in the 1970s, its promotion by the then Institute for Computer Sciences and Technology (ICST) of the then National Bureau of Standards (NBS), and the role of the NSA in that evolution, have been well publicized (OTA, 1987b).


The MOU states that NIST will "recognize the NSA-certified rating of evaluated trusted systems under the Trusted Computer Security Evaluation Criteria Program without requiring additional evaluation," and it also makes many references to coordination with NSA to avoid duplication of effort or conflict with existing technical standards aimed at protecting classified information.


The nominal losses in a specific case are misleading: they signal a potential for much greater loss through repetitions of the same abuse that go undetected.


Note that the movement toward certification among security practitioners contrasts with the ongoing heated debate among systems developers and software engineers over certification.

The National Academies of Sciences, Engineering, and Medicine

Copyright © National Academy of Sciences. All rights reserved.