Figure 3. Example of an FY 1977 Objective Suitable for COMPUTER SECURITY 1. Proposed Objective 2. The computer security objective is to produce one standard, four guidelines, and two reports to reduce threats to the integrity and confidentiality of data in computerized information systems, and assist agencies in complying with the Privacy Act of 1974. This objective, part of NBS' computer security program, will be completed in FY 1977. Justification This MBO addresses specific products of the NBS computer security program which support data confidentiality, data integrity, and privacy-related technical issues. Data confidentiality is an overall concern of the program. Congressional and public concern, coupled with existing and pending privacy legislation, has mandated an increased emphasis on this issue. OMB estimates that, of the 6723 "systems of records" of personal data reported by agencies as required by the Privacy Act, over one half of the records on individuals reside in automated systems. Other data such as proprietary production data in the computers of regulatory agencies must also be kept confidential. Data of national security importance is an obvious concern; in June a conviction was obtained for penetration of an FEA system containing data which were both classified and highly proprietary. Computers Data integrity protection is another part of the program. now process most of the Government's financial transactions and personal data. Destruction or modification of data has lead to expensive recreation or even recollection, overpayment or overordering resulting from fraud or accident, denial of benefits, interruption of services, faulty decisionmaking, misrouting of objects, and even false arrest. Cases have been documented in the press and in GAO reports, and Congressional concern in this area has greatly increased.* In fulfilling this objective, NBS is meeting its charter commitments as the only Federal agency authorized to set Government-wide standards for information processing (Brooks Act and OMB policy guidance), and its specific Privacy Act charge (OMB Circular A-108). Indeed, the milestone dealing with "nonunique identifiers" results directly from the constraints Section 7 of the Act places on agencies, and the milestone dealing with "sensitivity levels" will help the agencies prioritize the application of security safeguards for the protection of personal data. *For example, see "Problems Associated with Computer Technology in Federal Programs and Private Industry: Computer Abuse," Senate Committee on Government Operations print (June 1976). 3. Approach The milestones identified in Section 6 fall into two broad categories within the overall computer security program. The first is the development of information management practices of a procedural nature to assure control over the accuracy, completeness, confidentiality and integrity of data. The work on nonunique identifiers for data retrieval, file handling practices, and determination of sensitivity levels of personal data all fall into this category. The second category is the development of technological measures for data integrity and confidentiality and access control in computer systems and networks. Included are the milestones relating to encryption, development of secure software programs, and the automated identification of persons accessing computer systems and data. In order to define the maximum payoff technological milestones and so focus the program for effectiveness, NBS must be aware of agencies' operational security requirements and the latest developments in industry. As in any scientific organization there is information interchange through professional meetings and press, and in NBS' case, many ad hoc contacts with agencies that come to NBS seeking advice on specific computer security problems. But the computer security program has a far more effective forum for exchange with Government and industry-the Federal Information Processing Standards Task Group 15 on Computer Security, a public advisory committee. This is a dynamic, working group which has excellent representation from many Federal agencies, State and local governments, computer manufacturers, and major users such as banks and insurance companies. The standards and guidelines produced by this program provide agencies with the means for protecting valuable data and other computer assets, and assuring their management, the public and Congress that proper steps are being taken to safeguard individual privacy. Examples of use of these products include HEW, which has incorporated FIPS Publications 31 and 41 into its computer security regulations. The FAA has based its computer security manual on NBS' guidelines. GSA has developed a draft FPR which will incorporate a computer security standard, and has asked NBS to determine the advisability of revising an existing FPMR to include the relevant portions of NBS' physical security guidelines. 4. Resources In 1977, the cost of completing the objective within the overall computer security program will be $397,000, requiring 6 man-years.* 5. Responsible Office Institute for Computer Sciences and Technology, NBS, Dr. Ruth M. Davis, Director. *Several of these milestones represent activities initiated in prior fiscal years. 6. Milestones 1. Publish Guideline on the use of names and other nonunique identifiers for accessing files, allowing agencies to continue providing services to persons without violating Section 7 of the Privacy Act or incurring excessive costs (Oct. 1976). 2. Establish a Federal Standard Data Encryption Algorithm, to be made commercially available as a low cost hardware device to protect the data of civilian agencies (Nov. 1976). Note: This milestone was originally scheduled for May 1976. However, the Justice Department has expressed concerns over the antitrust aspects of licensing for foreign production of the device by United States companies, and requested a rewording of patent releases. The schedule change is reflected above. 3. Report on software engineering methods for the development of secure programs (Feb. 1977). 4. 5. Publish interim guidelines on good information management practices for file handling (May 1977). Publish guidelines on determination of sensitivity levels of personal data in computer files, for assessing required levels of security (May 1977). 6. Publish comprehensive guidelines on personal identification techniques for controlling access to computer systems, networks and data (Sept. 1977). 7. Joint NBS/Privacy Protection Study Commission report on the problems of privacy and data confidentiality in personnel recordkeeping (Sept. 1977). F. Program Review and Evaluation The reviews of technical programs are divided into two parts. Review of overhead activities will be arranged at a later time by the Associate Director for Administration. Part I - Base Program Review (March 1, 2, and 3) (See schedule, Figure 4). Base programs will be reviewed by Subcategory. The purpose is for the Director and Executive Board to assess strengths and weaknesses in Bureau programs. The time for each subcategory review corresponds to a time allotment of 30 minutes per subelement presentation (including 10 minutes for questions). Time allotments for individual subelements will be negotiated with the Program Office and will vary with the number and seriousness of issues involved. The total time per subcategory will be as indicated on the schedule. The Subcategory Manager will organize and conduct his reviews; he is responsible for presenting all subelements covered in his budget and for delegating the presentation on topics, Location and arrangement of facilities will be provided by the Program Office for both review parts. These will be reviewed in groups associated with individual Principal Programmatic Objectives (PPOs). The purpose is for the Executive Board to assess the relevance of the proposed work to the national needs, its suitability for the PPO package, and its fit to the Bureau mission. The time allowed for these reviews is based on a 30-minute presentation per initiative (including 10 minutes for questions). Final scheduling after selection of Bureau-wide objectives (PPOs) will be negotiated with the PPO leader, the involved Subcategory Managers, and the Program Office. The PPO leader will coordinate organization and conduct of the Reviews with appropriate Subcategory Managers. (See Figure 4.) Program Evaluation Objective: The formal program evaluation process is to provide guidance to the Director and to Bureau management and to serve as a uniform record of Executive Board perceptions of technical programs and initiatives. Program Evaluation is intended to bring out concise, effective presentations of NBS programs; to assure that program strong points are not underemphasized; and to focus the attention of the Executive Board on those characteristics that help sell the program (especially in the case of initiatives). As you see, the thrust of the checklist is to supplement emphasis on the high technical quality of your programs (usually taken for granted by reviewers of NBS) with emphasis on the character of the external demand and on the quality of the program plan. These features are key to acceptance of our programs by external reviewers. Evaluation Criteria: The evaluation criteria which were distributed for comments on September 3 to Section and Division chiefs (Program Description Outline) are the basis for FY 79 program and initiative evaluations. The criteria are defined in detail in Appendix A and abbreviated definitions are included on the individual evaluation checklists (Figure 5, Figure 6). Procedures for Use of Evaluation Forms Before Reviews: • Evaluation checklist forms will be provided for base programs (Figure 5) and for program initiative/expansions (Figure 6), The Director's Office (Program Office, Budget and M&O divisions) will prepare forms for all subelements and send them to appropriate Managers by December 17, 1976, together with blank forms for submission of program initiative/expansions. ° On the base program review forms, three resource items are to be supplied by Subcategory Managers, These are: estimated reimbursable man-years (direct) for FY 1977, requested STRS dollars for FY 1978, and requested STRS positions for FY 1979. • On the program initiative/expansion forms, the Subcategory Manager will provide information on required dollars, positions, and GPE dollars for FY 1979, the estimated totals through FY 1983, and the highest expected annual level. |