[Federal Register Volume 62, Number 33 (Wednesday, February 19, 1997)]
[Notices]
[Pages 7438-7439]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 97-4032]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

Proposed Collection; Comment Request

AGENCY: National Security Agency.

ACTION: Notice.

-----------------------------------------------------------------------

In compliance with Section 3506(c)(2)(A) of the Paperwork Reduction Act, the National Security Agency announces a proposal to collect information and seeks public comment on the provisions thereof. Comments are invited on: (a) whether the proposed collection of information is necessary for the proper performance of the functions of the Agency, including whether the information shall have practical utility; (b) the accuracy of the Agency's estimate of the burden of the proposed information collection; (c) ways to enhance the quality, utility, and clarity of the information to be collected; and (d) ways to minimize the burden of the information collection on respondents, including through the use of automated collection techniques or other forms and information technology.

DATES: Consideration will be given to all comments received by April 21, 1997.

ADDRESSES: Written comments and recommendations on the proposed information collection should be sent to the Director, National Security Agency, Attn: COTS Assistance and Evaluation Division (NCAIP Coordinator), 9800 Savage Road STE 6740, Fort George G. Meade, MD 20755-6740.

FOR FURTHER INFORMATION CONTACT: To request additional information on this proposed information collection or to obtain a copy of the proposal and associated collection instruments, please write to the above address, or call the NSA Commercial Advice Information Program Coordinator at (410) 859-4458.
Title, Associated Form, and OMB Number: NSA Commercial Advice Information Program, Provider Response Form, Form Number TBD, OMB Number TBD.

Needs and Uses: The information collection requirement is necessary to obtain and record essential contact information and professional qualifications of individuals interested in providing technical advice to trusted computer product vendors or commercial evaluation facilities in support of the NSA Trusted Product Evaluation Program and the Trust Technology Assessment Program. The contact and technical capability information obtained from prospective providers will be published in one or more public venues (e.g., Federal Register, NSA computer systems for Internet World Wide Web and Dockmaster access, handbook or brochure) to provide maximum exposure to vendors and evaluation facilities interested in obtaining advice from commercial providers.

Affected Public: Any individual in the private sector interested in providing technical advice, on a fee-for-service or other paid or unpaid basis, to trusted product vendors or commercial evaluation facilities.

Annual Burden Hours: 25.
Number of Respondents: 100.
Responses per Respondent: 1.
Average Burden per Response: 15 minutes.
Frequency: On occasion.

SUPPLEMENTARY INFORMATION:

Summary of Information Collection

The National Security Agency (NSA) plans to implement a commercial advice information program in support of its Trusted Product Evaluation Program (TPEP). The objective of the NSA Commercial Advice Information Program (NCAIP) is to provide a timely source of information to vendors on how to obtain technical advice for trusted product evaluations from commercial providers. NCAIP is a service that is intended to promote more timely and cost-effective trusted product evaluations by further decentralizing the advice process and offering commercial alternatives to vendors.
A commercial advice capability exists today within the private sector and NCAIP intends to facilitate and promote this existing industry. A successful commercial advice information program will result in a cost savings for NSA and will give private industry greater ownership and involvement in trusted product evaluations.

NSA has been evaluating the security features and assurances of commercially produced computer products (e.g., operating systems, networks, network components, and database management systems) against the Trusted Computer System Evaluation Criteria (TCSEC) for over a decade as part of TPEP. TPEP was created to facilitate the widespread availability of commercial off-the-shelf trusted products for use by the U.S. Government, to advance the state of the art in information systems security, and to provide for the transfer of trust technology to private industry.

TPEP is unique in terms of industry and government cooperation. This cooperation places demands on both parties in terms of resource expenditures. Vendors use their own resources to develop trusted products, to establish required engineering processes, and to provide supporting evidence of product development. NSA commits government resources to review and assess product proposals, to provide technical advice during a pre-evaluation phase, to evaluate the resulting vendor products, and to staff a Technical Review Board (TRB) to maintain consistency and quality of evaluations. Upon successful evaluation, the product is awarded a trust rating and placed on a nationally recognized list of evaluated products, the Evaluated Products List (EPL). This partnership has resulted in the successful development of many trusted computer products over the past decade and in a significant transfer of trust technology to the private sector.

TPEP is currently organized into three phases: pre-evaluation, evaluation, and rating maintenance.
The pre-evaluation phase consists of four principal activities that must be performed in preparation for an evaluation of a trusted product: proposal review, technical assessment, advice, and an intensive preliminary technical review. These activities are conducted to ensure that a product and its associated documentation evidence are ready for evaluation. The evaluation phase consists of comprehensive system-level training for the evaluation team, an in-depth analysis of the system design, detailed security testing, presentations before a TRB, and the production of a Final Evaluation Report (FER). The rating maintenance phase is a continuation of the original evaluation that provides a mechanism for a vendor to maintain the rating of the product throughout its life-cycle.

The pre-evaluation phase begins with a review of a vendor's proposal to determine if the product has a high probability of meeting the appropriate TCSEC requirements, has the potential for broad market appeal, and is sufficiently mature in its design. As a result of the proposal review, a product may become a candidate for evaluation. A candidate product next goes through a technical assessment, where the vendor must show that the product design and the supporting documentation (i.e., evaluation evidence) are complete and presented in sufficient detail. The technical assessment can result in a recommendation to: (1) schedule an Intensive Preliminary Technical Review (IPTR), (2) terminate the proposed effort due to technical deficiencies in the product, or (3) seek additional assistance in the form of advice. The specific activity in the pre-evaluation phase, called advice, occurs when a small number of evaluators (the TPEP advice team) are assigned to the vendor until the vendor is ready for evaluation. The advice team usually includes at least one senior evaluator.
In the event that NSA resources are unavailable or the proposed product does not meet the established criteria for TPEP advice (i.e., unique or new technology, high priority for DoD, or substantial market impact), the vendor will be asked to seek commercial alternatives. Some of the specific areas covered under the current advice-giving process are the TPEP process, the TCSEC requirements, product design, modeling, design and test documentation, ratings maintenance requirements, implementation questions relative to product design, and user documentation coverage.

Many activities are underway, nationally and internationally, to develop the next generation security evaluation criteria and associated evaluation methodologies (e.g., the Common Criteria and Common Evaluation Methodology). There are also ongoing efforts to develop and implement additional evaluation programs to populate the EPL (e.g., the Trust Technology Assessment Program) that involve greater participation by the private sector. These changes are designed to bring greater efficiencies to the evaluation process by placing more responsibility on vendors to increase their state of readiness in preparation for entering a formal evaluation. There is also interest in exploring ways to reduce government expenditures for evaluations by identifying aspects of the current TPEP process that could be accomplished by the private sector on a fee-for-service basis. The first activity in which the private sector has been participating is the rendering of technical advice to trusted product vendors. NSA has begun transferring the responsibility for providing pre-evaluation advice to private sector individuals, resulting in the need for this commercial advice information program.
Commercial advice providers can be used by vendors to participate in a variety of activities such as security analyses, modeling, assessment of a product's ability to meet evaluation criteria requirements, preparation for technical reviews, test development, team training, security mechanism development, and preparation of design and test documentation. Commercial advice providers can also provide information concerning criteria interpretations, ratings maintenance program actions, and the evaluation process in general. Currently, NSA has no method for providing interested vendors with information about commercial advice providers.

Prospective commercial advice providers will be asked to submit both contact information and information regarding their technical capability to the NCAIP Coordinator. Contact information includes provider name, company affiliation (optional), address, telephone number, facsimile number, and electronic mail address. A comment section will provide the opportunity to list any additional information deemed important with respect to technical capability. This information may include provider education, training, previous experience and specialized expertise.

Dated: February 12, 1997.

L.M. Bynum,
Alternate OSD Federal Register Liaison Officer, Department of Defense.

[FR Doc. 97-4032 Filed 2-18-97; 8:45 am]
BILLING CODE 5000-04-M