[Federal Register Volume 62, Number 33 (Wednesday, February 19, 1997)]
[Notices]
[Pages 7438-7439]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 97-4032]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary


Proposed Collection; Comment Request

AGENCY: National Security Agency.

ACTION: Notice.

-----------------------------------------------------------------------

    In compliance with Section 3506(c)(2)(A) of the Paperwork Reduction 
Act, the National Security Agency announces a proposal to collect 
information and seeks public comment on the provisions thereof. 
Comments are invited on: (a) whether the proposed collection of 
information is necessary for the proper performance of the functions of 
the Agency, including whether the information shall have practical 
utility; (b) the accuracy of the Agency's estimate of the burden of the 
proposed information collection; (c) ways to enhance the quality, 
utility, and clarity of the information to be collected; and (d) ways 
to minimize the burden of the information collection on respondents, 
including through the use of automated collection techniques or other 
forms and information technology.

DATES: Consideration will be given to all comments received by April 
21, 1997.

ADDRESSES: Written comments and recommendations on the proposed 
information collection should be sent to the Director, National 
Security Agency, Attn: COTS Assistance and Evaluation Division (NCAIP 
Coordinator), 9800 Savage Road STE 6740, Fort George G. Meade, MD 
20755-6740.

FOR FURTHER INFORMATION CONTACT:
To request additional information on this proposed information 
collection or to obtain a copy of the proposal and associated 
collection instruments, please write to the above address, or call the 
NSA Commercial Advice Information Program Coordinator at (410) 859-
4458.
    Title, Associated Form, and OMB Number: NSA Commercial Advice 
Information Program, Provider Response Form, Form Number TBD, OMB 
Number TBD.
    Needs and Uses: The information collection requirement is necessary 
to obtain and record essential contact information and professional 
qualifications of individuals interested in providing technical advice 
to trusted computer product vendors or commercial evaluation facilities 
in support of the NSA Trusted Product Evaluation Program and the Trust 
Technology Assessment Program. The contact and technical capability 
information obtained from prospective providers will be published in 
one or more public venues (e.g., Federal Register, NSA computer systems 
for Internet World Wide Web and Dockmaster access, handbook or 
brochure) to provide maximum exposure to vendors and evaluation 
facilities interested in obtaining advice for commercial providers.
    Affected Public: Any individual in the private sector interested in 
providing technical advice, on a fee-for-service or other paid or 
unpaid basis, to trusted product vendors or commercial evaluation 
facilities.
    Annual Burden Hours: 25.
    Number of Respondents: 100.
    Responses per Respondent: 1.
    Average Burden per Response: 15 minutes.
    Frequency: On occasion.

SUPPLEMENTARY INFORMATION:

Summary of Information Collection

    The National Security Agency (NSA) plans to implement a commercial 
advice information program in support of its Trusted Product Evaluation 
Program (TPEP). The objective of the NSA Commercial Advice Information 
Program (NCAIP) is to provide a timely source of information to vendors 
on how to obtain technical advice for
trusted product evaluations from commercial providers. NCAIP is a 
service that is intended to promote more timely and cost-effective 
trusted product evaluations by further decentralizing the advice 
process and offering commercial alternatives to vendors. A commercial 
advice capability exists today within the private sector and NCAIP 
intends to facilitate and promote this existing industry. A successful 
commercial advice information program will result in a cost savings for 
NSA and will give private industry greater ownership and involvement in 
trusted product evaluations.
    NSA has been evaluating the security features and assurances of 
commercially produced computer products (e.g., operating systems, 
networks, network components, and database management systems) against 
the Trusted Computer System Evaluation Criteria (TCSEC) for over a 
decade as part of TPEP. TPEP was created to facilitate the widespread 
availability of commercial off-the-shelf trusted products for use by 
the U.S. Government, to advance the state of the art in information 
systems security, and to provide for the transfer of trust technology 
to private industry.
    TPEP is unique in terms of industry and government cooperation. 
This cooperation places demands on both parties in terms of resource 
expenditures. Vendors use their own resources to develop trusted 
products, to establish required engineering processes, and to provide 
supporting evidence of product development. NSA commits government 
resources to review and assess product proposals, to provide technical 
advice during a pre-evaluation phase, to evaluate the resulting vendor 
products, and to staff a Technical Review Board (TRB) to maintain 
consistency and quality of evaluations. Upon successful evaluation, the 
product is awarded a trust rating and placed on a nationally recognized 
list of evaluated products, the Evaluated Products List (EPL). This 
partnership has resulted in the successful development of many trusted 
computer products over the past decade and in a significant transfer of 
trust technology to the private sector.
    TPEP is currently organized into three phases: pre-evaluation, 
evaluation, and rating maintenance. The pre-evaluation phase consists 
of four principal activities that must be performed in preparation for 
an evaluation of a trusted product: proposal review, technical 
assessment, advice, and an intensive preliminary technical review. 
These activities are conducted to ensure that a product and its 
associated documentation evidence are ready for evaluation. The 
evaluation phase consists of comprehensive system-level training for 
the evaluation team, an in-depth analysis of the system design, 
detailed security testing, presentations before a TRB, and the 
production of a Final Evaluation Report (FER). The rating maintenance 
phase is a continuation of the original evaluation that provides a 
mechanism for a vendor to maintain the rating of the product throughout 
its life-cycle.
    The pre-evaluation phase begins with a review of a vendor's 
proposal to determine if the product has a high probability of meeting 
the appropriate TCSEC requirements, has the potential for broad market 
appeal, and is sufficiently mature in its design. As a result of the 
proposal review, a product may become a candidate for evaluation. A 
candidate product next goes through a technical assessment, where the 
vendor must show that the product design and the supporting 
documentation (i.e., evaluation evidence) are complete and presented in 
sufficient detail. The technical assessment can result in a 
recommendation to: (1) Schedule an Intensive Preliminary Technical 
Review (IPTR), (2) terminate the proposed effort due to technical 
deficiencies in the product, or (3) seek additional assistance in the 
form of advice.
    The specific activity in the pre-evaluation phase, called advice, 
occurs when a small number of evaluators (the TPEP advice team) are 
assigned to the vendor until the vendor is ready for evaluation. The 
advice team usually includes at least one senior evaluator. In the 
event that NSA resources are unavailable or the proposed product does 
not meet the established criteria for TPEP advice (i.e., unique or new 
technology, high priority for DoD, or substantial market impact), the 
vendor will be asked to seek commercial alternatives. Some of the 
specific areas covered under the current advice-giving process are the 
TPEP process, the TCSEC requirements, product design, modeling, design 
and test documentation, ratings maintenance requirements, 
implementation questions relative to product design, and user 
documentation coverage.
    Many activities are underway, nationally and internationally, to 
develop the next generation security evaluation criteria and associated 
evaluation methodologies (e.g., the Common Criteria and Common 
Evaluation Methodology). There are also ongoing efforts to develop and 
implement additional evaluation programs to populate the EPL (e.g., the 
Trust Technology Assessment Program) that involve greater participation 
by the private sector. These changes are designed to bring greater 
efficiencies to the evaluation process by placing more responsibility 
on vendors to increase their state of readiness in preparation for 
entering a formal evaluation. There is also interest in exploring ways 
to reduce government expenditures for evaluations by identifying 
aspects of the current TPEP process that could be accomplished by the 
private sector on a fee-for-service basis.
    The first activity in which the private sector has been 
participating is the rendering of technical advice to trusted product 
vendors. NSA has begun transferring the responsibility for providing 
pre-evaluation advice to private sector individuals, resulting in the 
need for this commercial advice information program. Commercial advice 
providers can be used by vendors to participate in a variety of 
activities such as security analyses, modeling, assessment of a 
product's ability to meet evaluation criteria requirements, preparation 
for technical reviews, test development, team training, security 
mechanism development, and preparation of design and test 
documentation. Commercial advice providers can also provide information 
concerning criteria interpretations, ratings maintenance program 
actions, and the evaluation process, in general. Currently, NSA has no 
method for providing interested vendors with information about 
commercial advice providers.
    Prospective commercial advice providers will be asked to submit 
both contact information and information regarding their technical 
capability to the NCAIP Coordinator. Contact information includes 
provider name, company affiliation (optional), address, telephone 
number, facsimile number, and electronic mail address. A comment 
section will provide the opportunity to list any additional information 
deemed important with respect to technical capability. This information 
may include provider education, training, previous experience and 
specialized expertise.

    Dated: February 12, 1997.
L.M. Bynum,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 97-4032 Filed 2-18-97; 8:45 am]
BILLING CODE 5000-04-M