also inside—• Combined Endeavor

• DIAP Update

• Biometrics Technology

Volume 4 Number 1

EditorRobert J. Lamb

Creative DirectorChristina P. McNemar

Information ProcessingRobert F. ScruggsInquiry ServicesPeggy O’Connor

IAnewsletter is published quarterly by theInformation Assurance Technology AnalysisCenter (IATAC). IATAC is a DoD sponsoredInformation Analysis Center, administrative-ly managed by the Defense TechnicalInformation Center (DTIC), DefenseInformation Systems Agency (DISA).

Inquiries about IATAC capabilities, productsand services may be addressed to:

Robert J. LambDirector, IATAC703.289.5454

We welcome your input! To submit yourrelated articles, photos, notices, featureprograms or ideas for future issues, pleasecontact:

IATACATTN: Christina P. McNemar3190 Fairview Park DriveFalls Church, VA 22042Phone 703.289.5454Fax 703.289.5467STU-III 703.289.5462

E-mail: iatac@dtic.milURL: http://iac.dtic.mil/iatac

Cover and newsletter designed byChristina P. McNemar

Distribution Statement A:Approved for public release; distribution is unlimited.

on the coverUSSPACECOMRevising the DoD INFOCON SystemMs. Jill Sarff 3

ia initiatives Combined Endeavor ‘00Mr. Kent Waller 6

DIAP UpdateCAPT J. Katharine Burton, USN 9

CND in a Coalition Environment. Why?Major Mike Purcell 12

67th Intelligence Wing Acquires New MissionColonel James Massaro, USAF 14

Biometrics Technology—From Science Fiction to Science Fact!Mr. Jeff Dunn and Mr. Matt King 16

Information Operations in the Army ReserveMajor Greg Williams, USAR 18

CND at the Army Signal CommandMAJ Mike McNett, USA and LTC Marc Withers, USA 20

FIPS 140-2—The Next GenerationMr. Ray Snouffer 23

in each issueIATAC Chat 25Robert J. Lamb, Director

IATAC Product Order Form 26

Products 27

Calendar Back Cover

IAnewsletter • Volume 4, Number 1 http://iac.dtic.mil/iatac

http://iac.dtic.mil/iatac I A n ews l e t t e r • Vo l ume 4 , Numbe r 1

I n the face of an ever grow-ing and sophisticated threat

to DoD information networks,the Chairman of the JointChiefs of Staff (CJCS) directedthe implementation of the DoDInformation Operations Condi-tion (INFOCON) system(Chairman’s MemorandumCM-510-99, 10 March 1999). Inthe 18 months since the INFO-CON system was established,commanders and network ad-ministrators across DoD haveapplied this new guidance inboth exercise and real-worldenvironments. These applica-tions have generated a numberof recommendations for en-hancing the current INFOCONprocess. This article addressesthe in-work efforts of U.S.Space Command (USSPACE-COM) to formulate lessonslearned into a “new and im-proved” INFOCON system.Specifically, it will briefly de-scribe the current INFOCONsystem, and the activities andprocesses upon which US-SPACECOM has focused.

The DoD INFOCON systemprovides a structured, opera-tional approach to uniformlyheighten or reduce defensiveposture, defend against unau-thorized activity, and mitigatesustained damage to the De-fense Information Infrastruc-ture (DII). The INFOCON sys-tem is somewhat analogous toother DoD alert systems, suchas Defense Condition (DEF-CON) and Threat Condition

(THREATCON). These alertsystems are all comprised ofsystematic processes that en-sure DoD entities are synchro-nized in their defensive efforts.Commanders at various levels,depending on the alert system,have the authority to declarecondition levels that, when im-plemented, significantly en-hance the protection and de-fense of personnel, missionoperations, and equipment.The INFOCON system, by pro-viding an alert framework forinformation networks, sup-ports a commander’s opera-tional requirement to attainand maintain information anddecision superiority.

On 1 October 1999, the Com-mander, USSPACECOM (US-CINCSPACE), assumed com-mand of a brand new missionarea, DoD-Computer NetworkDefense (CND). Also effectivethe same date, the Secretary ofDefense (SECDEF) delegated toUSCINCSPACE the authority todeclare DoD INFOCON levels.Associated with this importantdeclaration authority was theresponsibility, in support of theJoint Staff, to administer thecurrent system and to initiateimprovements to the structureand/or processes. Based onfeedback from elements acrossDoD, USCINCSPACE directed athorough review of the INFO-CON system, with specific di-rection to “standardize and op-erationalize” the currentstructure. In response, US-

3

Revising the DoD System

by Ms. Jill Sarff

I n f o r m a t i o n O p e r a t i o n s C o n d i t i o n

I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 http://iac.dtic.mil/iatac

SPACECOM has initiated thetask of reviewing the currentINFOCON process and devel-oping recommendations toachieve a more comprehensive,standardized, and responsiveINFOCON system.

The current DoD INFOCONsystem is comprised of five lev-els declared in order of increas-ing defensive posture—NOR-MAL, ALPHA, BRAVO,CHARLIE, and DELTA. DoDguidance empowers comman-ders at all levels to declare IN-FOCONs for networks withintheir area of command. Theirdeclared level must remainequal to or higher than DoD’sINFOCON level. In addition,current CJCS guidance pre-sents a list of criteria that char-acterizes each INFOCON level.It also recommends defensivemeasures to be similarly con-sidered. It is each commander’sprerogative to use (or not use)the measures on this list asthey see fit in order to directthe specific implementationmeasures associated with eachchange in INFOCON level.

In an effort to better under-stand and share the processesby which commanders acrossDoD implement the INFOCONsystem, USSPACECOM hosted aworldwide INFOCON confer-ence in Colorado Springs inJune 2000. All Commanders-in-Chief (CINCs) and military Ser-vices, and most DoD Agencieswere represented at the confer-ence. Each participating organi-zation briefed their local imple-mentation procedures, pre-sented concerns over the cur-rent system, and provided rec-ommendations for improve-ments. In addition, theconference attendees dividedinto three focus groups in orderto concentrate on specific IN-

FOCON elements. The threegroups were—• Commanders’ Assessment

Criteria• Directed Actions• Operational Reporting

USSPACECOM has continuedto develop these concepts in itsrevision effort. The followingparagraphs describe each ofthese focus areas in more detail.

Commanders’ Assessment Criteria

The purpose of this focusarea in the revision process isto provide commanders withbroad guidance on determiningan “appropriate” INFOCONlevel given a combination ofoperational, threat, and net-work status factors. As men-tioned, the current INFOCONguidance lists general attribut-es of each INFOCON level.Feedback and operational ob-servations have indicated thatmore focused guidance for de-termining INFOCON levelswould be helpful. The recentLove Bug virus reflected theneed for more refined indica-tors. This worldwide incidentelicited a range of INFOCONresponses across DoD—fromINFOCON NORMAL all theway through INFOCON DELTA(the DoD INFOCON level re-mained at NORMAL). This ob-servation is not meant to implythat all commanders shouldhave necessarily come to thesame INFOCON “conclusion”given a common threat. Com-manders retain the authorityand responsibility to declarethe most appropriate level,given their specific situation.However, it did appear thatunits in generally similar oper-ational environments interpret-ed their position within the IN-FOCON guidance quite

differently. Therefore, in orderto guide commanders toward amore common application ofINFOCON levels, USSPACE-COM has developed a matrixwhich incorporates opera-tional, threat, and network en-vironment factors to help guidecommanders toward an INFO-CON declaration. It must beemphasized that the intentionof this matrix is to provide a de-cision support tool for com-manders. The tool is meant toguide commanders’ decisions,not dictate solutions to them.Only the declaring commanderhas the comprehensive situa-tional awareness to make themost appropriate INFOCON de-termination for their com-mand.

Directed ActionsA sizeable portion of recom-

mendations for improvementfocused on the fact that the cur-rent INFOCON guidance rec-ommends (versus directs) de-fensive measures to beimplemented at each INFO-CON level. While it is true thatlocal commanders must retainthe authority to direct the ac-tivities over the networks with-in their command, the fact thatthere are no required, standardmeasures makes it difficult toestablish or communicate a“minimum baseline” of mea-sures across the DII. Under thecurrent INFOCON guidance,disposition of the networkswithin one commander’s do-main at INFOCON ALPHA maylook entirely different than an-other commander’s who hasalso declared INFOCONALPHA. Commanders maycurrently take all, some, ornone of the actions recom-mended at each INFOCONlevel. The intention of the re-

4

http://iac.dtic.mil/iatac I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 5

vised INFOCON guidance is toestablish a set of mandatorymeasures for implementationat each INFOCON level. Thesemandatory measures will in noway provide all-encompassingguidance for all INFOCON sce-narios. As required, USCINC-SPACE and/or local comman-ders will direct additionalmeasures that are specific tothe current threat/situation.Rather, a standard set of actionsassociated with each INFOCONlevel will ensure a minimumlevel of uniform activity acrossthe DII when an INFOCONlevel change is declared. In ad-dition, a set of standard mea-sures promotes an efficient andcommon understanding acrossDoD of what minimum actionsare being implemented whenanother commander directs achange in INFOCON levels.

Operational Reporting

The INFOCON system is astructure that is declared andimplemented by commanders.This includes operational com-manders, as well as Servicechiefs (or directors, in the caseof DoD agencies) of informa-tion networks. Therefore, themessages declaring changes toINFOCON levels, or reportingthe status of INFOCON-relatedactivities must be reportedthrough command channels.The efforts to standardize andoperationalize the reportingprocess are focusing on defin-ing operational reporting flows,developing message formats,and identifying timelines re-quired for efficiently reportingINFOCON-related informationto the appropriate organiza-tions. The guidance currentlybeing drafted includes the useof operational reports

(OPREPs) to report changes inINFOCON levels, and situationreports (SITREPs) to provideoperational assessments andstatus of networks and activi-ties associated with changes toINFOCON levels.

USSPACECOM has recentlycompleted producing a draftversion of revised INFOCONguidance. A few issues are cur-rently being coordinated withUSCINCSPACE’s operationalarm for CND, the Joint TaskForce for Computer NetworkDefense (JTF-CND). Followingthis, USSPACECOM will forwarda draft version to the Joint Stafffor initial DoD coordination.

The task of continuing toevolve the DoD INFOCON sys-tem is a major challenge, giventhe enormous variety of mis-sions that DoD informationnetworks support, as well asthe variety of users, data, andequipment that comprise theinformation networks. Becauseof the rapidly changing envi-ronment in which these net-works operate, the INFOCONsystem must continue toevolve to effectively respond tothreats against DoD networks.USSPACECOM is working tomeet this challenge by produc-ing improved guidance for allcommanders across DoD andthe networks they commandand control.The statements in this document describework in progress within U.S. SpaceCommand/J39, and do not necessarilyrepresent the official policy of U.S. SpaceCommand, or of the Commander, U.S.Space Command.

Jill Sarff supports the ComputerNetwork Defense mission for U.S. SpaceCommand (USSPACECOM)/J39 as aSystems Engineer. She may be reached atsarffj@usspace.cas.spacecom.af.mil or719.556.889.

bellowed one of the interna-tional senior delegates. My re-action was as subdued and ca-sual as I could make it, as I hadanticipated that the subject ofinformation assurance (IA)might not go over all that well.I was addressing the Chief Del-egates from 35 nations at theCombined Endeavor 2000 (CE2000) Initial Planning Confer-ence in Tblisi—the capital cityof the former Soviet Republic ofGeorgia. My topic happened tobe the first briefing on IA thatmost of these delegates hadever heard. Speaking in a delib-erately slow and steady tonefor the interpreters, I figuredthat at least one of the dele-gates would understandenough to feel a little insecureabout U.S. representatives con-ducting vulnerability assess-ments on their networks. Thedelegate’s retort sparked a live-ly debate, and I had to retreat tomy fallback position—a menuof voluntary self evaluations,training, and demonstrations.

Despite this somewhat roughinitial briefing, I was thrilled tobe there. Combined Endeavor,after all, is the world’s largestmultinational tactical commu-nications exercise. This annualexercise is sponsored and coor-dinated by Headquarters Unit-ed States European Command’sCommand, Control, and Com-munication (C3) Directorate(ECJ6). More than 650 militarypersonnel from 35 nations par-

ticipated in Combined Endeav-or 2000 held in Lager Aulen-bach, Germany May 11-25,2000.

Participating countries in-cluded Albania, Austria, Bel-gium, Bulgaria, Canada, CzechRepublic, Denmark, Estonia,Finland, France, Georgia, Ger-many, Greece, Hungary, Ire-land, Italy, Kazakhstan, Kyr-gyzstan, Latvia, Lithuania,Macedonia (FYROM), Moldova,Norway, Poland, Romania, Slo-vak Republic, Slovenia, Spain,Sweden, Switzerland, Nether-lands, Ukraine, United King-dom, United States and Uzbek-istan. NATO also participated.

My goal during this exercisewas to educate our potential fu-ture partners about the impor-tance of IA. Additionally, Ihoped to collect data to per-form a very simplified IA eval-uation of the “coalition” net-work that we would build in theCE 2000 Information Systemstestbed. I felt this informationcould be useful to our new part-ners in understanding the im-portance of IA and to our coali-tion commanders inunderstanding what types ofvulnerabilities we might en-counter in coalition IA.

Clearly, one of the first hur-dles was the issue of trustamong the participatingnations. During that first meet-ing in Tblisi, I was looked atwith quite a bit of suspicion—regarded as though I must have

IAnews le t ter • Vo lume 4 , Numbe r 1 http://iac.dtic.mil/iatac6

“I will not allow you to access our networks!”

CombinedEndeavor ‘00

by Mr. Kent Waller

http://iac.dtic.mil/iatac I A n ews l e t t e r • Vo l ume 4 , Numbe r 1

some hidden agenda. But mybriefings became more palat-able and I became more familiarto the delegates throughout thecourse of three planning confer-ences. By the time the exercisefinally began, many of the dele-gation chiefs were completelyfocused on the importance of IAin coalition networks. I was nolonger “the lecturer”—instead, Iwas kept busy answering ques-tions from interested individu-als. In response to these queries,and since this was primarily acommunications interoperabili-ty exercise, I kept pitching anunderlying theme—that failureto communicate, for whateverreason, is failure to interoperate,and lack of basic system protec-tion mechanisms can lead to afailure to communicate. Ofcourse, another importantaspect of gaining trust occursoutside of the conference room.Informal discussions and afriendly handshake can do asmuch to alleviate fear and mis-trust as any good briefing.

Within the Information Sys-tems (IS) test cell area of theexercise, I was able to workclosely with the subject of IAwhile witnessing the testing ofour coalition’s ability to ex-change and conduct simplecommand and control orientedE-mails, formal message traffic,file transfer protocol (FTP)transactions, and Hyper TextTransfer Protocol (HTTP) Webtransactions. I also used thetestbed as a forum for technicalpresentations and demonstra-tions on subjects such as fire-walls, public key infrastructure(PKI), intrusion detection,viruses, and hackers.

Within this test cell we had afascinating array of partici-pants. There were severalcountries with high-end com-

mand and control sys-tems. Some countriescame with truckmounted or deploy-able tactical net-works. One countryhad workstations con-nected remotely overa secure high fre-quency (HF) link.And one country par-ticipated in the IS testcell with a singleyoung officer whocould barely speakEnglish, having onlya laptop, a networkinterface card (NIC)and an eagerness tointeroperate.

Most of the nationsin the IS test cellagreed to help in theIA evaluation by hav-ing an IA officer com-plete two self evalua-tion forms (one forworkstations and onefor servers) which Ihad put together ear-lier. The forms werevery simple in natureand were kept com-pletely anonymousso that no one coun-try would feel thatthe U.S. IA guy (thatwould be me) wasevaluating their net-works for intelligencepurposes. The resultsof these evaluationswere used to com-plete a very simpli-fied risk analysis. Iput this analysis to-gether primarily todemonstrate how asimple risk analysiscould be accom-plished, but also to help allplayers gain a limited under-standing of where our coalition

IA shortcomings may be. Theresults are provided in Tables 1and 2.

7

High

Med

ium

Low

Threat Countermeasure (CM) Planned % of WS using CM

Viruses Antivirus Software 85%

Hacker Secure Logon 87%

No Internet Access 95%

Power Disruption UPS 77%

HVAC Failure Backup Procedures 28%

Hardened System 49%

Insider Data Access Control 49%

Sabotage Screensaver Password 92%

Data Compromise Secure Logon 87%

(electronic) Access Control 49%

Hardware Backup Procedures 28%

Failure UPS 77%

Software Failure Backup Procedures 28%

Theft Restricted Access 100%

System Inventory 69%

Data Compromise Restricted Access 100%

(non-electronic) Trained Personnel 85%

Attack/Bomb Posted Procedures 41%

Fire or Smoke Posted Procedures 41%

Other Disasters Posted Procedures 41%

Table 1. Information Systems Test Cell Risk Analysison 39 Workstations (WS).

High

Med

ium

Low

Threat Countermeasure (CM) Planned % Systems using CM

Viruses Antivirus Software 71%

Hacker Secure Logon 100%

No Internet Access 100%

Power Disruption UPS 79%

HVAC Failure Backup Procedures 57%

Hardened System 57%

Insider Data Access Control 86%

Sabotage Screensaver Password 86%

Auditing Engaged 86%

Audits Reviewed 43%

Data Compromise Secure Logon 100%

(electronic) Access Control 86%

Hardware Backup Procedures 57%

Failure UPS 79%

Software Failure Backup Procedures 57%

Theft Restricted Access 100%

System Inventory 93%

Data Compromise Restricted Access 100%

(non-electronic) Trained Personnel 100%

Attack/Bomb Posted Procedures 60%

Fire or Smoke Posted Procedures 60%

Other Disasters Posted Procedures 60%

Table 2. Information Systems Test Cell Risk Analysison 14 Servers.

High Threat: ≤ 85%, 86% – 99%, =100%Medium Threat: ≤ 50%, 51%–85%, ≥86%Low Threat: ≤ 25%, 26%–50%, ≥51%

I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 http://iac.dtic.mil/iatac

Two of the statistics which Ifound striking were that only79 percent of servers had anuninterrupted power supply(UPS) in operation and only 57percent of servers utilized databackup and recovery systems.Additionally, only 77 percent ofworkstations had UPS and only28 percent of workstations haddata backup and recovery sys-tems. In deployed environ-ments such simple oversightscan have critical mission im-pact!

These results were passed tothe participating nations in theIS test cell for their own infor-mational purposes. Before theexercise concluded one foreignofficer told me that he had al-ready provided the report to hissenior commander and theywere acting to improve their IA

posture. I received another in-dicator of successful delivery ofthe IA message at the closingceremony, where German RearAdmiral Klaus-Peter Hirtzmade strong statements regard-ing the importance of IA incoalition operations.

Given this, I believe that incoming years Combined En-deavor will provide us withcontinuing opportunities to testand evaluate new IA conceptsin coalition networks. We needto continue to educate and as-sess our current capabilities,but we also need to work to-wards a common internationalsolution set for coalition net-works oriented towards han-dling a more sensitive level ofcommand and control. ColonelTreece, USA, in the Spring 1999IAnewsletter, discussed a

“Coalition Secret” level networkthat all partners could share.We need to use future Com-bined Endeavors as a stagingplatform to address the associ-ated issues of encryption, au-thentication, and verificationthat should accompany such anetwork. This initial CombinedEndeavor 2000 IA effort hassuccessfully laid a strong foun-dation for these types of futureactivities by establishing abaseline level of understandingand trust.

Mr. Kent Waller is an informationassurance program manager for HQUnited States European Command. Heearned his B.S. in engineering from theUniversity of Oklahoma in 1986 and hisMaster of Public Administration from theUniversity of Oklahoma in 1990. He maybe reached at wallerkl@eucom.mil.

8

http://iac.dtic.mil/iatac I A n ews l e t t e r • Vo l ume 4 , Numbe r 1

T he Defense-wide Informa-tion Assurance Program

(DIAP), established in 1998 bythe Deputy Secretary of De-fense, has continued to maturein executing its responsibilitiesas the organization responsiblefor coordinating, integrating andensuring a consistent and co-herent Information Assurance(IA) program across DoD. Sinceits inception, the staff of theDIAP has made considerableprogress in not only document-ing what the CINCs/Services/Agencies are doing in IA, butalso in providing advocacy forthese programs both within andwithout the Department. Theorganizational structure has un-dergone a few changes also, re-flecting a more in-depth under-standing of how to execute themission with minimal re-sources. Figure 1 illustrates thecurrent organizational structureof the DIAP.

There are a number of areaswhere significant progress in ad-dressing DoD IA issues havebeen made. In this article, fourof these areas will be addressed.In future articles, additionalareas will be discussed. The fourareas are: Human Resource De-velopment, Readiness Assess-ment, DoD Public Key Infra-structure (PKI) Program, andCounterintelligence/Law En-forcement.

Human Resource DevelopmentThe Human Resource Devel-

opment functional area of theDIAP was established to developways to improve the recruit-ment and retention of adequate-

ly trained IA personnel re-sources required to carry outthe Department’s defensive in-formation operations (DIO),and to provide oversight of im-plementation plans towards thatend. The Department conduct-ed an IA and information tech-nology (IT) Human ResourcesIntegrated Process Team (IPT)study for six months. The IPTanalysis produced major find-ings which, when implemented,will greatly improve how theDepartment manages IA/IT bil-lets and personnel. Generally, itwas found there is no Depart-ment-wide recognition of thevery real and growing threat toour warfighting capability as ev-idenced by inadequate priority,funding, training, and focus oninformation assurance. Themost significant finding wasthat IA and IT Management per-sonnel readiness is more prob-lematic than simply providingtraining opportunities and fi-nancial/career incentives to ITprofessionals. The IPT final re-

port produced 19 recommenda-tions to be implemented over afive-year period with a cost fac-tor of approximately $64 mil-lion. A memorandum to imple-ment these recommendationswas signed by the Deputy Secre-tary of Defense (DEPSECDEF)on 14 July 2000 and the imple-mentation planning process hasbegun.

Once implementation planshave been developed and pro-mulgated, members of the DoDHuman Resource DevelopmentWorking Group will provideguidance and oversight withintheir respective DoD organiza-tions. This group is composed ofIA representatives selectedunder the auspices of the Mili-tary Communications Electron-ics Board’s (MCEB) InformationAssurance Panel (MCEB ischaired by Joint Staff J6).

Future plans for the DIAPHuman Resource Developmentfunctional area include lookingat other IA professional trainingand certification requirements

9

Program DevelopmentIntegration Team

DIAP Staff Director

Deputy StaffDirector

Functional EvaluationIntegration Team

• Readiness• Human Resources• Operational Environment• Research & Technology• Security Management• Policy Integration• Architecture• Acquisition

Information AssurancePanel

Liasons

• Law EnforcementCounterintelligence

• Reserve Components• Services• Joint Staff• Intelligence Community• Agencies

DIAP Updateby CAPT J. Katharine Burton, USN

I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 http://iac.dtic.mil/iatac

not covered in the recently con-cluded IPT. Additional emphasiswill be placed on developing IAtraining for all DoD and theidentifying appropriate meth-ods of distributing that training.

Readiness AssessmentThe Readiness Assessment

Functional Area of the DIAP hascreated a team that has begundeveloping a capability to assessthe IA Readiness status of theDoD IT systems. When fully de-veloped and deployed, this ca-pability will allow the DoD tomeasure and observe their ef-fectiveness in applying IA re-sources and respective practicesand procedures to protect, de-fend and operate the Depart-ment’s vast IT resources and ca-pabilities throughout all phasesof conflict.

As conceptualized, the assess-ment capability will consist ofhigh-level, indexed metrics thatwill present a “big picture”viewof the DoD IA Readiness status.The indexed metrics will consistof aggregated lower-level met-rics, some of which will consistof lesser-level metrics. This hi-erarchical approach to metricswill provide the DoD with a ca-pability to “drill down” to levelsof detail appropriate for actionby respective levels of manage-ment. The metrics will be de-veloped collectively by IA per-sonnel, with inputs fromoperational mission owners af-fected by the metrics.

To accelerate development ofthe metrics segment of the IAReadiness assessment capabili-ty, the DIAP, in conjunctionwith the Information AssurancePanel, recently established anIA Readiness Metrics WorkingGroup. Membership and activeparticipation in the workinggroup is encouraged of all DoDComponents.

As part of its overall effort todevelop a comprehensive IAReadiness Assessment capabili-ty, the Readiness AssessmentFunctional area will identifyprocesses and methodologiesfor collecting, submitting, aggre-gating, reporting, and analyzingapplicable metrics data. In itsend-state, the IA Readiness As-sessment capability will be insti-tutionalized through DoD policyas an integrated process, andwill be iteratively reviewed andmodified as required.

The IA Readiness Assess-ment team has been busy visit-ing and briefing Components toencourage all Components toparticipate in the workinggroup, and is now expanding itsefforts to include informingother government agenciesthrough briefings, conferencesand workshops. Informationand contact information for theIA Readiness Metrics WorkingGroup is readily available fromthe DIAP.

PKI ActivityThere are a number of activi-

ties occurring in the DoD PKIprogram. This article will give aquick run-through of some ofthe most significant activities.The DoD PKI recently transi-tioned successfully to the Class3.0 Release 2 infrastructure. Al-though the process for obtaininga Release 2.0 certificate is thesame as that of Release 1.0 (alsoknown as DoD Medium Assur-ance PKI Pilot certificates), Re-lease 1.0 certificates may con-tinue to be issued until 31December 2000 to support anyongoing operational needs. If aRelease 1.0 certificate is mis-placed after 31 December 2000,it must be replaced with a Re-lease 2.0 certificate. However, auser of DoD PKI Release 1.0should be aware of a few issues

(listed below) when planning atransition to Release 2.0. Re-lease 1.0 certificates will bevalid until they expire, 3 yearsafter issue. The Release 1.0 in-frastructure will stay in placeuntil 31 December 2003 only formaintenance of Release 1.0 cer-tificates created prior to 31 De-cember 2000.

A Front End Assessment(FEA) of the DEERS/RAPIDS/Common Access Card/PKI inte-gration has been completed.The FEA permitted the DoDPKI PMO to establish revisedmilestones for DoD PKI fielding.These new milestones havebeen incorporated into a revisedDoD PKI Policy Memorandumdated 12 August 2000.

The DoD Class 3 Interoper-ability Test Facility has been re-cently established at the JointInteroperability Test Command(JITC) in Fort Huachuca, Ari-zona. The facility has been de-signed to test PKI applicationsto insure their interoperabilitywith the DoD PKI. In concertwith this activity, the NationalInstitute of Standards and Tech-nology (NIST) is developing ageneric set of test procedures totest the certificate path valida-tion process. These generic pro-cedures will be posted on aNIST web site and be madeavailable to all communities.JITC will tailor the generic pro-cedures to the specific applica-tion and perform the interoper-ability test.

The DoD PKI PMO conduct-ed a DoD PKI Users' Forum on12-13 September 2000 in LasVegas, Nevada. The forumreached a capacity of 600 plusattendees, including featuredkeynote speaker, the HonorableMr. Art Money. Presentationsincluded a DoD Smart Card In-formation Briefing, Interoper-ability Testing, DoD Target Class

10

http://iac.dtic.mil/iatac I A n ews l e t t e r • Vo l ume 4 , Numbe r 1

4 Briefing, Intelligence Commu-nity PKI, and PKI applications.A technical panel also led a dis-cussion about commercial appli-cations (Netscape and Outlook)currently being used in the DoDPKI.

Law Enforcement and CI Support to IA

The Law Enforcement (LE)and Counterintelligence (CI)communities provide criticalsupport to the Department’s IADefense-in-Depth strategy. TheLE/CI community is usuallygoing to be the first respondersto any criminal, terrorist orcounterintelligence attack onour DoD systems. Before seniordecision-makers can decide onthe appropriate response to anincident, attribution for the at-tack must be established. Be-cause attacks are usually routedthrough U.S. systems, law en-forcement is critical to the col-lecting of information, workingbackwards to the origin of theattack. Using search warrants,subpoenas, consensual andlegal non-consensual wiretaps,witness interviews and sources(informants), law enforcementand the counterintelligencecommunities gather informa-tion that lead back to the originof the attack. Once attributionfor an attack has been estab-lished, a course of action canthen be determined.

The information gatheredduring the intrusion investiga-tion must be gathered legally aswell as in a manner that willproperly maintain chain of cus-tody to preserve the integrity ofthe evidence, because in theoverwhelming majority ofcases, the subject of the attack,when identified, will be prose-cuted. Active and aggressive lawenforcement can also deter at-tacks by making it too risky for

the perpetrators. The DoD LawEnforcement and Counterintel-ligence communities havetaken several significant steps inFY 2000 to better provide thiscritical support for IA.

Law Enforcement & CI Center for CND

DoD Directive 8530-aa, whichis currently in coordination, cre-ated the Defense Criminal In-vestigative Organizations LawEnforcement and Counterintel-ligence Center (DCIO LE & CICenter). This organization coor-dinates LE and CI investigationsand operations supporting Com-puter Network Defense (CND)and is staffed by all DefenseCriminal Investigative andCounterintelligence Organiza-tions (DCIO). DoD Directive8530-aa formalizes and institu-tionalizes the LE/CI Cell that iscurrently co-located with theJoint Task Force for ComputerNetwork Defense (JTF-CND).

The LE and CI Center servesas the primary interface be-tween DoD and the Federal Bu-reau of Investigation’s (FBI) Na-tional Infrastructure ProtectionCenter (NIPC) for CND-relatedlaw enforcement and counterin-telligence issues. They receiveoperational direction from theDCIOs and respond to the infor-mation requirements of the U.S.Space Command and Compo-nents. They coordinate CND in-vestigations and operationsamong the DCIOs, providing an-alytical services to support CNDinvestigations and operationsand the Common Operating Pic-ture (COP). The DCIO LE andCI Center supports operationaldecision making by coordinat-ing CND related investigationsand operations that cross DoDComponent or Federal Depart-ment/ Agency bounds, and con-tributing law enforcement and

counterintelligence generatedinformation to a CND COP. Allthe DCIOs exchange CND relat-ed information with the LE & CICenter. The LE & CI Center willmaintain an information systemproviding coordinated informa-tion input to the CND COP andto support the operational needsof the DCIOs.

CND–Law Enforcement–Opera-tions Chiefs Working Group

To provide standardized di-rection, guidance, investigativetools and training among theDefense Criminal and Counter-intelligence components wehave recently established theComputer Network Defense-Operations Chiefs WorkingGroup (OCWG) composed of se-nior representatives from eachof the Department of DefenseCriminal Investigative andCounterintelligence organiza-tions. The OCWG serves to pro-vide this direction, guidanceand support to the Joint LawEnforcement and Counterintel-ligence Center at the JTF-CND.

The OCWG consists of themost senior program/policymanager or representative re-sponsible for the computer in-vestigations and operations pro-gram within each of the DCIOs(AFOSI, DCIS, NCIS, USACIDC,ODCSINT):• Air Force Office of Special

Investigations (AFOSI)• Defense Criminal Investi-

gative Service (DCIS)• Naval Criminal Investigative

Service (NCIS)• U.S. Army Criminal Investi-

gation Command (USACIDC)• U.S. Army Office of the

Deputy Chief of Staff forIntelligence (ODCSINT)Associate membership of the

OCWG will include, but not belimited to, the organizations

11

continued on page 15

CND in a Coalition Environment...

IAnewsletter • Volume 4, Number 1 http://iac.dtic.mil/iatac12

That is the simple questionasked by some regarding

the conduct of Computer Net-work Defense (CND) in a coali-tion environment. Do the risksof exposing vulnerabilities notoutweigh the potential return?To a large extent, the answer tothese questions lies in the factthat, to varying degrees, mostallies of the U.S. already sharevulnerabilities through the pro-gressively increasing homo-geneity of software and hard-ware used on modernnetworks. Although the num-ber of networks currently inuse by the U.S. and its allies isstaggering. There are remark-able similarities among them.Many use similar technologies(if not identical products) toprovide intrusion detection,routing, anti-virus protectionand application layer services.Most importantly however,there is considerable common-ality between operating sys-tems. This has been recognizedin the larger governmental andcorporate networking worldthrough the establishment in1990 of the Forum of IncidentResponse and Security Teams(FIRST, www.first.org). FIRSTis an international organizationchartered to foster cooperationamong its members in theareas of prevention, detection,and recovery from security in-cidents. It also provides anopen forum for discussing cur-rent threats and sharing securi-ty related information, toolsand techniques. It is this typeof cooperation that is being

pursued between the U.S. De-partment of Defense (DoD)and the Canadian Departmentof Defence (DND).

The operational case for co-operation in the realm of CNDis strengthened by the recenthistory of coalition operations.In the past decade alone, U.S.forces have participated in alarge number of coalition oper-ations including the PersianGulf 1990-91, Provide Comfort1991, Restore Hope 1992-93,NATO Stabilization Force Koso-vo 1995-present, DeterminedForce 1998, Eagle Eye 1998, De-termined Guarantor 1999, Al-lied Force 1999, and KosovoPeacekeeping Force 1999–pre-sent. This is not a complete list;it only covers coalition opera-tions that include Canada, theUnited Kingdom and or Aus-tralia. In the context of ongoingcoalition operations with Cana-da, NORAD must also be in-cluded. Here is an example ofan integrated command withsome integrated networks thatspan international boundaries.This is clearly a case for theconduct of coalition CND.

Within the context of CND,there are different areas for co-ordination and cooperation—information sharing, doctrine,vulnerability assessments,warning, research and develop-ment, and tactics techniques,and procedures. Existing agree-ments that either need no mod-ification or need to be amendedto include the sharing of CNDinformation, already coversome of these areas. The issue

in this case is the develop-ment—by both partners—of ef-ficient mechanisms for therapid production and dissemi-nation of CND-related informa-tion.

Another area in which thereis considerable commonality isin Information Conditions (IN-FOCON). Briefly, INFOCONsare a means by which the cur-rent threat to DoD or CanadianDND information systems canbe categorized and in whichguidance on how to counter thethreat is provided. Althoughthe system is currently only inuse in the DND and DoD, asimilar system is in use in theUK. Sharing of INFOCONs willbe one of the first concrete ex-amples of information sharingbetween Canada and the U.S.This cooperation is critical—es-pecially in the NORAD theatre.As much as possible, informa-tion concerning the reasons forchanges in INFOCON levelswill be passed, however, theremay well be times where thisinformation may not be shared,depending on its source, or theimplication of it.

The formal development ofDND/DoD cooperation startedin 1999 with a Statement of In-tent between Mr. Art Money,the DoD Assistant Secretary ofDefense for Command, Con-trol, Communications and In-telligence [OASD(C3I)] and hiscounterpart in Ottawa, Mr. H.Dixon. The parties agreed inprinciple that work shouldbegin on a formal CNDarrangement between Canada

Why?by Major Mike Purcell

http://iac.dtic.mil/iatac I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 13

and the U.S. Shortly after thisletter was signed, a Canadianexchange officer was posted tothe Joint Task Force for Com-puter Network Defense (JTF-CND) in Arlington, Virginia.His counterpart, a USAF Major,had been on station in Ottawafor about one year. Since thattime, work has been progress-ing at a rapid pace. A draftMemorandum of Understand-ing is already under develop-ment. Concurrent with thiswork is the development of de-tailed Standard Operating Pro-cedures (SOP), which will de-fine exactly how DND and DoDintend to perform coalitionCND. At the fall meeting of theInformation Operations Work-ing Group (the working groupassigned by the Military Coop-eration Committee to studythis issue in detail) the draftSOP was developed to the pointthat it should be finalized byearly in 2001. The primary goalof all of these documents is toshare information between thetwo countries for the purposeof enhancing the CND effortsof both. It is expected thatsome level of initial operationswill be reached by the end ofthe year. As with all interna-tional agreements, this CNDagreement will deal with onlycertain items, all of which willbe explicitly delineated.

Depending on the degree ofsuccess achieved with thisagreement, it is likely that theconcept will be extended toother partners. Interestingly,despite the commonality ofhardware and software men-tioned earlier, the threats to theDefense Information Infra-structure (DII) of each poten-tial partner vary greatly. Thisdifference is directly related tothe implementation of the net-

works and the networks’ expo-sure to the Internet. The impli-cations of this are that eachparticipating nation must havea thorough understanding ofeach other’s structure if theyare to be effective in providingearly warning. A good exampleof this is the recent I Love You(ILY) virus. Any nation in-volved in a CND alliance musthave a good understanding ofthe vulnerabilities of its sys-tems. In the case of ILY therewere a number of nationswhose DII was virtually unaf-fected. In such a case, those un-affected countries would havehad to know that ILY couldcause significant damage toone or more of its partners andtaken steps to report appropri-ately (especially if that nationwas the first to be hit).

Mr. Timothy Bloechl has ledthis effort to date on behalf ofJTF-CND. CDR Chuck Peirsallfrom USSPACECOM, and Mr.Robert Simmerly, [OASD(C3I)]have the lead for their respec-tive organizations. In Canada,the staff in the J6 InformationOperations Group in NationalDefence Headquarters, Ottawahas also been of considerableassistance.

While there is a great deal ofwork left to be done, greatstrides have already beentaken. As with the creation ofany international agreementthere is a considerable amountof consensus building and staffwork to be done.

Major Mike Purcell is a CanadianArmy Communications Officer onexchange duty with the JTF-CND. Hehas completed 1 year of a three year tour.He may be reached atpurcellm@jtfcnd.ia.mil.

I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 http://iac.dtic.mil/iatac14

On 1 March 2000, the AirIntelligence Agency

[(AIA) an Air Force Field Oper-ating Agency headquartered atKelly Air Force Base, Texas]mandated the transfer of select-ed Air Force Information War-fare Center (AFIWC) (an AIAsubordinate unit also headquar-tered on Kelly Air Force Base)elements to other parts of AIA.

One of the elements thattransferred is the Air ForceComputer Emergency Re-sponse Team (AFCERT). TheAFCERT is the single point ofcontact for the reporting andhandling of all computer secu-rity incidents and vulnerabili-ties in the Air Force. TheAFCERT, along with other in-formation operations elements,transferred to the 67th Informa-tion Operations Wing (a co-lo-cated unit also headquarteredon Kelly Air Force Base) onMarch 1.

The AIA realignment calledfor operationalizing theAFCERT’s Computer NetworkDefense (CND) mission bycombining it with other infor-mation operations capabilitiesinto a squadron. Thus, the 33rdInformation OperationsSquadron (33IOS) was formedreporting to the 67th Informa-tion Operations Wing’s 67th In-formation Operations Group,67th Information OperationsWing.

Initially, the AFCERT and of-fensive information operationswere combined into a unit, De-tachment 10, 67th IntelligenceGroup. This detachment sup-

ports defensive and offensiveinformation operations to AirForce, Joint and Allied forcesby providing trained personnel,technical assistance and opera-tional support.

Detachment 10’s AFCERTfunction is a key component ofthe Joint Task Force for Com-puter Network Defense(JTF–CND). The JTF-CND,headquartered at Defense In-formation Systems Agency(DISA), is responsible for de-fending the DoD’s computernetworks. AFCERT is the CNDfocal point for the Air Force.

As the CND focal point, theAFCERT plans, coordinates,and conducts operations to pro-tect Air Force systems fromnetwork exploitation and de-nial-of-service activities. It de-ters or prevents an adversaryfrom exploiting or denying au-thorized users access to AirForce networks and automatedinformation systems. TheAFCERT also detects, identi-fies, and responds to suspiciousactivities and incidents thatmay impact Air Force opera-tions and capabilities. Finally,it accesses and reports on theimpact of adverse network ac-tivity in time for operationalcommanders to assess andcounter intrusions in their op-erations (see “JTF–CND andAFCERT: Allies in the Informa-tion War,” IAnewsletter, Vol. 3,No. 2, page 13).

Detachment 10 is structuredsimilarly to that of othersquadrons. It has a Comman-der, Command Section, First

Sergeant, Mission Support andOperations functions.

Although the mission didn’tchange when Detachment 10became the 33IOS, there aresome new initiatives, includ-ing—

• A virus cell for the AFCERT,• Joint Web Risk Assessment

Cell for reporting Web policycompliances,

• Educating the field about theAF Information OperationsCondition (a threat conditionfor information systems),

• Establishing an Air Forcelevel Network Operations,Security Center (NOSC),

• Implementing CommonIntrusion Detection Director(CIDD) 3.0 implementationto Major Command NOSCs.

Virus CellDue to the threat of viruses

and other forms of maliciouslogic to the security of AirForce networks, the AFCERTincorporated virus support intoits daily operations.

The virus cell is the first lineof defense for the customer.The cell coordinates counter-measures to contain virusesand restore operational capabil-ity to Air Force networks, dis-seminates virus activity andhoax information, and servesas the Air Force liaison to anti-virus commercial vendors andDISA.

67th Intelligence Wing Acquires New Mission

Colonel James Massaro, USAF

and disciplines listed in Tables1 and 2.

As a result of overwhelmingfeedback, it was decided thatthe DoD-wide Computer CrimeWorkshop should be an annualevent. The next ComputerCrime Workshop is tentativelyscheduled for late April or earlyMay 2001. Over the next year,the DIAP will provide updateson these and other programsthat are on-going and affect theentire Department. Individualswith questions are encouragedto call or E-mail.

CAPT Burton earned her B.A. inEnglish Literature from the University ofOklahoma and a M.S. in NationalSecurity Strategy with a certificate fromthe Information Strategies ConcentrationProgram at the National War College. Shealso holds a M.A. in ManagementInformation Systems from GeorgeWashington University and is a 1986graduate of the Armed Forces StaffCollege. She is the Staff Director, Defense-Wide Information Assurance Program(DIAP), in the Information AssuranceDirectorate of [OASD(C3I)]. She may bereached via E-mail atKatharine.Burton@osd.pentagon.mil.

Army 51

Navy 26

Marines 6

Air Force 141

Joint/DoD Agency 65

Others 21

Total 310

Component Number

IA Professionals 127

Criminal Investigators 103

Attorneys 80

Total 310

Discipline Number

Table 1. Summary of disciplines repre-sented at the workshop.

Table 2. Summary of components repre-sented at the workshop.

http://iac.dtic.mil/iatac I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 15

Joint Web RiskAssessment Cell Reporting

The AFCERT is working tostreamline the reporting andcompliance process concerningJoint Web Risk Assessment CellOperational Security findingson Air Force Web sites. (TheJWRAC is a Reserve compo-nent team that monitors andevaluates DoD Web sites to en-sure they do not reveal sensi-tive defense information.) Thiswill involve working in con-junction with Air Force PublicAffairs, the Air Force Commu-nications and Information Cen-ter, and the Air Force Directorof Intelligence, Surveillance,and Reconnaissance to formal-ize procedures establishing theAFCERT as the sole Air Forcepoint of contact. Draft proce-dures are currently under coor-dination at the Action Officerlevel for eventual release as AirForce policy.

The AFCERT fosters close re-lations with Air Force PublicAffairs and Air Force Informa-tion Warfare OPSEC experts.These relationships ensureWeb sites contain useful publicinformation that does not com-promise the Air Force mission.

Information Operations Condi-tion (INFOCON) Education

Air Force Headquarters re-leased an INFOCON imple-mentation policy message inJune 1999 outlining the rolesand responsibilities of the AirForce Information Assuranceand CND communities.

Recommendations andlessons learned have beengathered and included in thedrafting of an Air Force INFO-CON instruction. The instruc-tion has been sent out for fur-ther review and comment.

Steps are being taken to en-sure the field understands theINFOCON process. TheAFCERT will work closely withUSSPACECOM, JTF-CND, andthe other services to refine theDoD INFOCON process in thecoming months.

Establishment of an Air Force Level NOSC

The Air Force is currentlylooking into establishing an AirForce-level NOSC. The purposeof the Air Force NOSC would beto provide one-stop support forall CND and IA issues for theAir Force. This will also pro-vide an improved network situ-ational awareness picture forAir Force senior leaders.

Implementing CIDDS 3.0/CDSIn the upcoming months, Air

Force Major Command NOSCswill receive CIDDS 3.0/Com-puter Security Assessment Pro-gram (CSAP) Database System(CDS). These new tools willallow major commands (MAJ-COMs) to provide real timemonitoring of their networkareas of responsibility. This inturn, will free AFCERT re-sources to concentrate onevent correlation and com-mand and control issues. Rulesof Engagement for this new re-lationship are currently underdevelopment.

The new 33IOS will continueto remain on the cutting edgeof technology as the informa-tion age unfolds. Like its prede-cessor organizations, it will belooked to for leadership andguidance in information opera-tions for years to come.

Colonel James Massoro. USAF is theCommander of the 67th InformationOperations Wing.

DIAP Update continued from page 11

I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 http://iac.dtic.mil/iatac16

You sit down in front ofyour computer and the

screen saver instantly unlocks.You touch your laptop and youare instantly logged on. Youwalk up to an ATM machine,and when you are at armslength it greets you by nameand says, “Please select thetransaction of your choice.” Youcall a toll free number to placean order and recite your ac-count number, the system ap-proves your purchase, chargesyour credit card and deliversthe product to your home ad-dress.

Does this sound like ScienceFiction? Well, all of these sce-narios are true science fact andare happening today, thanks tothe use of biometric technolo-gy.

What are biometrics?Biometrics, in the context of

automated access control, areautomated methods of recog-nizing a person based on physi-ological or behavioral charac-teristics. Examples of humantraits used for biometric recog-nition include fingerprints,speech, face, retina, iris, hand-written signature, hand geome-try, wrist veins, and others.

Most biometric systems havethree main modes of operation:enrollment mode, identifica-tion mode, or verificationmode. Every biometric systemmust have an enrollment modeand, while some biometric sys-tems support both identifica-tion and verification modes,others may only support one ofthese modes. During the En-rollment mode, a sample of thebiometric trait is captured,processed by a computer, andstored for later comparison.Biometric recognition can beused in the Identificationmode, where the biometric sys-tem identifies a person fromthe entire enrolled populationby searching a database for amatch. For example, an entiredatabase may be searched toverify that a person has not ap-plied for entitlement benefitsunder two different names.This is sometimes called “one-to-many” matching.

A system can also be used inVerification mode, where thebiometric system authenticatesa person’s claimed identityfrom their previously enrolledpattern. This is also called“one-to-one” matching.

In most computer access ornetwork access environments,verification mode would beused. A user enters an accountnumber, user name, or inserts atoken such as a smart card, butinstead of entering a password,a simple touch with a finger ora glance at a camera is enoughto authenticate the user.

Why use biometrics?Using biometrics for identi-

fying human beings offerssome unique advantages. Onlybiometrics can identify you asyou. Tokens, such as smartcards, magnetic stripe cards,photo ID cards, physical keys,and so forth, can be lost, stolen,duplicated, or left at home.Passwords can be forgotten,shared, or observed. Moreover,today's fast-paced electronicworld means people are askedto remember dozens anddozens of passwords and per-sonal identification numbers(PINs) for computer accounts,bank ATMs, E-mail accounts,wireless phones, Web sites, andso forth. Biometrics hold thepromise of fast, easy-to-use, ac-curate, reliable, and less expen-sive authentication for a vari-ety of applications.

There is no one “perfect” bio-metric that fits all needs. Allbiometric systems have theirown advantages and disadvan-tages. There are, however,some common characteristicsneeded to make a biometricsystem usable. First, the bio-metric must be based upon adistinguishable trait. For exam-ple, law enforcement has usedfingerprints to identify peoplefor nearly a century. There is agreat deal of scientific data sup-porting the idea that “no twofingerprints are alike.” Tech-nologies such as hand geome-try have been used for manyyears and technologies such asface or iris recognition havealso come into widespread use.Some newer biometric meth-

Biometrics TechnologyFrom Science Fiction to Science Fact!

by Mr. Jeff Dunn and Mr. Matt King

ods may be just as accurate, butmay require more research toestablish their uniqueness.

Another key aspect is “user-friendliness” of a system. Theprocess should be quick andeasy, such as having a picturetaken by a video camera,speaking into a microphone, ortouching a fingerprint scanner.Low cost is important, but mostimplementers understand thatit is not only the initial cost ofthe sensor or the matching soft-ware that is involved. Often,the life-cycle support cost ofproviding system administra-tion and an enrollment opera-tor can overtake the initial costof the biometric hardware.

The advantage biometric au-thentication provides is theability to require more in-stances of authentication insuch a quick and easy mannerthat users are not bothered bythe additional requirements. Asbiometric technologies matureand come into wide-scale com-mercial use, dealing with multi-ple levels or instances of au-thentication will become less ofa burden for users.

What about standards?An indication of the biomet-

ric industry’s substantialgrowth and maturity is theemergence of biometric indus-try standards and related activ-ities. Industry standards ensurethe availability of multiplesources for comparable andcompetitive products in themarketplace. A number of orga-nizations are currently in-volved in developing standardsfor biometrics. See the Biomet-ric Consortium Web site athttp://www.biometrics.org/for more information aboutthese organizations and activi-ties.

What is the Biometric Consortium?

The Biometric Consortiumwas chartered as a WorkingGroup “to serve as a Govern-ment focal point for research,development, test, evaluation,and application of biometric-based personal identification/authentication technology.”

The Biometric Consortiumnow has over 800 membersfrom government, industry,and academia including oversixty different federal agencies.The main benefit of the organi-zation is to share informationabout biometric technologyamong the members.

What do I do now?Today's biometric solutions

provide a means to achievefast, user-friendly authentica-tion with a high level of accura-cy and cost savings. Areas thatwill benefit from biometrictechnologies include networksecurity infrastructures, gov-ernment IDs, secure electronicbanking, investing and finan-cial transactions, wireless com-munications, retail, health ser-vices, and social services. Inaddition, highly secure andtrustworthy electronic com-merce, for example, will be es-sential to the healthy growth ofthe global economy. Manytechnology providers are al-ready delivering biometric au-thentication for a variety ofWeb-based and client/serverbased applications to meetthese and other needs. Whilebiometric authentication is nota magical solution that solvesall authentication concerns, itis now science fact, not sciencefiction. Biometric authentica-tion technology is an easier,less expensive, and more se-cure mechanism for accesscontrol that is now a viable so-

lution for a wide variety of ap-plications.

Jeff Dunn is Chief of the Identificationand Authentication Research Branch atthe National Security Agency. He Co-Chairs the Biometric Consortium. Mr.Dunn frequently provides technicaladvice to government policy makers andhas testified as an expert witness beforeCongressional hearings.

Matt King provides security engineer-ing support for Jeff Dunn’s work at theNational Security Agency and is the liai-son between the National SecurityAgency and the Biometric ManagementOffice and the United Kingdom’sBiometric Working Group.

ReferencesAAMVAnet, Inc. Standards

Development Web site: http://www.aamva.org/aamvanet/indexStandards.html

ANSI/NIST-CSL 1-1993, Data Formatfor the Interchange of FingerprintInformation, http://www.itl.nist.gov/iaui/894.03/fing/stand1.html

ANSI/NIST ITL 1-1999 (Draft), DataFormat for the Interchange ofFingerprint, Facial, & Scar, Mark &Tattoo (SMT) Information,http://www.itl.nist.gov/iaui/894.03/fing/stand2.html

ANSI X9, http://www.x9.orgBioAPI Consortium Web site:

http://www.bioapi.orgBiometric Consortium Web site:

http://www.biometrics.orgBreitenberg, M.A., Office of Standards

Code and Information, NIST, TheAbc's Of Standards-Related ActivitiesIn The United States, NBSIR 87-3576,May 1987.

Common Biometric Exchange FileFormat Web site: http://www.nist.gov/cbeff

International Biometric IndustryAssociation (IBIA) Web site:http://www.ibia.org

Open Group CDSA Web site:http://www.opengroup.org/securi-ty

Teletrust http://www. teletrust.deToth, Robert B., Ed., NIST, Profiles of

National Standards-Related Activities,NIST SP 912.

http://iac.dtic.mil/iatac I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 17

I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 http://iac.dtic.mil/iatac18

Army Reservists who workin the information tech-

nology (IT) industry with theircivilian employers are beingsought to become the nation’snew 21st Century informationwarriors.

The Department of Defenseand the Army are asking theArmy Reserves (USAR) to sup-port information operations(IO) at all levels on an ever-in-creasing basis. Army Reservesoldiers possessing many of the“high tech” skills associated withIO are being actively recruitedto fill newly-formed units andpositions.

These new units, based atmultiple locations throughoutthe United States, will drawfrom the entire IT-skilled USARpopulation, regardless of a sol-

dier's current military occupa-tional specialty.

To identify reservists with ITexperience, the civilian acquiredskills database is used. The data-

base can be accessed by any sol-dier at http://www. citizen-sol-dier-skills.com. First, reservistscomplete a resume and assesstheir individual skills. Second,the record created by the re-servist is added to a searchabledatabase that is used to identifysoldiers with needed skills.

Information Operations Defined

Information operations areused to defend our computersystems and to affect an adver-sary’s information systems.The overall objective is to gaininformation superiority. A pri-mary function of USAR IOunits is to protect and defendinformation and informationsystems by ensuring theiravailability, integrity, authen-ticity, confidentiality, and non-repudiation.

Information operations arenot limited to automated sys-tems. They include specialtiessuch as psychological opera-tions, military intelligence, sig-nal, civil affairs, and public af-fairs. Functions include allforms of operational security,electronic warfare, and com-puter network defense.

With effective IO our leadershave the information theyneed, when they need it, in aform they can use to win thefight. This allows commandersto understand complex battle-

fields, control communicationsand computers, as well as influ-ence people’s attitudes.

They can also interrupt,limit, or confuse the enemyleader’s information, affectingthe enemy’s ability to makesmart or timely decisions.

The U.S. Army has long un-derstood the importance of IO.Units with the ability to collectand analyze information aboutthe battlefield and influencethe attitudes and will of the op-position have been in the Armyand Army Reserve structuresfor a long time. The Army Re-serve provides many of theunits and soldiers that accom-plish these missions for theArmy such as Civil Affairs, Psy-chological Operations, PublicAffairs, Military Intelligence,and Signal. In fact, almost halfthe Army’s public affairs unitsare in the USAR and the bulk ofthe Army's Civil Affairs andPsychological Operations areUSAR units.

Recognition of ArmyReserve Capabilities

This recognition and newusage of Army Reserve capabil-ities has brought an ever-in-creasing number of new re-quests, requirements, andcustomers. The list of thesecustomers is growing and in-cludes—the Army’s Land Infor-mation Warfare Activity(LIWA), Office of the Directorof Information Systems for

Information Operationsin the Army Reserve

by Major Greg Williams, USARThe USAR needs soldiers with“high tech” skills to fill units andpositions nationwide.

Public Affairs Unit.

http://iac.dtic.mil/iatac I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 19

Command, Control, Communi-cations, and Computers, ArmySpace Command, Army Re-search Laboratory (ARL), ArmyCommunications–ElectronicsCommand, the NationalGround Intelligence Center,National Security Agency(NSA), Defense InformationSystems Agency (DISA), De-fense Intelligence Agency(DIA), U.S. Space Command(USSPACECOM), and the JointReserve Intelligence Program.These commands and agenciesare now utilizing USAR units,facilities, and personnel for IO.

The Army recognized thesenew requirements and has es-tablished new organizations toexploit or counter an oppo-nent’s ability to use this newtechnology. The focal point forthe Army's IO effort is LIWA.LIWA's mission is to provide IOand Information Warfare (IW)support to land component andseparate Army commands,both active and Reserve, and tofacilitate planning and execu-tion of IO.

The USAR is building addi-tional capability to reinforceArmy IO and LIWA operations.When complete, USAR soldierswill play an important role sup-porting LIWA’s critical mission.The USAR Land InformationWarfare Enhancement Center(LIWEC) has been establishedto directly support and expandLIWA capabilities. Primary ele-ments of the LIWEC includetwo computer emergency re-sponse teams, two informationoperations vulnerability assess-ment and detection teams(CERTs), two field supportteams, and two operations sup-port sections to LIWA.

The Army Reserve has alsocreated the Reserve Informa-tion Operations Structure. Acti-

vated to providesupport to theArmy’s computernetwork defenseand IA efforts, theReserve Informa-tion Operations Co-ordination Centerwill have five Infor-mation OperationCenters (IOCs) con-taining CERT Sup-port Groups thatwill identify and re-spond to virusesand intruders inArmy computernetworks. Informa-tion InfrastructureDefense AssistanceTeams will aid incorrecting weak-nesses in our net-works and ensurethe execution ofcorrective actions.The IOCs will alsohave Technical Re-search Teams to assist in infra-structure research. Currently,USAR IOCs are forming in theNational capital region, Massa-chusetts, Texas, California, andPennsylvania.

The Challenge of Re-cruiting for New IOUnits and Positions

Recruiting for these new IOunits is challenging. Army Re-serve soldiers who hold civil-ian-acquired skills in IT willplay a leading role in establish-ing this new capability. Regard-less of what military occupa-tional specialty a soldier has,that soldier can fill one of thegrowing number of technologi-cally-based IO positions in theUSAR. Commuting distance toan IO unit is also not a limita-tion, as virtual training rela-tionships will allow any quali-

fied soldier to conduct drillsand annual training at USAR in-telligence support centers orany other suitable facility.

One of the greatest resourcesin the USAR is the skill soldiershave developed in their civiliantraining and occupations. TheIO units hope to tap into theseskills and continue to meet thechallenges of warfare in the21st Century.

Major Williams, USAR is a MilitaryIntelligence Operations Officer,Department of the Army, Office of theChief of the Army Reserve, OperationsDivision. He earned his B.A. in Historyfrom West Georgia University in 1980and his M.A. in European History in1982. He may be reached atgreg.williams@ocar.army.pentagon.mil.

A Captain from the 315th Tactical PsychologicalOperations (PYSOPS) Company out of Upland, CA handlescrowd control as Humanitarian Aid (HA) items arepassed out, August 6, 2000, Koretiste, Kosovo. U.S.Army photo by Sgt. Jason Heisch.

I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 http://iac.dtic.mil/iatac20

Imagine an analytical capabili-ty and a system that would

allow proactive measures to betaken against informationthreats, rapidly react to new sit-uations, ensure the highest levelof network availability to cus-tomers, and reduce the vulnera-bilities that could be exploitedby malicious users. Striving tomeet these goals today, as wellas fulfilling the DoD's Joint Vi-sion 2020 premise of informa-tion superiority, is exactlywhere the U.S. Army SignalCommand’s (USASC) Network,Systems and Security Opera-tions Center (ANSSOC) at FortHuachuca, Arizona is moving inclose cooperation with severalother organizations. Buildingupon an impressive base, the ef-forts underway in theANSSOC—along with the effortsin USASC’s other Theater Net-work Systems Security Opera-tions Centers—provide theArmy with a program that willensure the highest levels of in-formation assurance (IA)throughout the world, while si-multaneously providing highquality service to Army cus-tomers.

The ANSSOC is composed ofa variety of highly skilled sol-diers, civilians, and contractorswho are leaders in the field ofinformation technology (IT)and IA. The center provides avariety of network and comput-er protection services to theArmy in the continental UnitedStates and worldwide 24x7—managing the Army’s DomainName Service system, providing

direct support to key StandardArmy Management InformationSystems projects, monitoringand protecting the Army’s Con-tinental/Contiguous UnitedStates (CONUS) information in-frastructure above the installa-tion level, managing the Army’sdial-in services, and now actingas the public-key infrastructure(PKI) registration authority forprivate Army Web servers anddevices.

The ANSSOC has a day-to-dayoperational mission of monitor-ing, managing, and protectingthe Army’s portion of theCONUS Defense InformationInfrastructure (DII). TheANSSOC has successfullyteamed with several differentorganizations to leverage theirskills, experience, expertise, anddata. Some of these includeUSASC’s other Theater Net-work, Systems and Security Op-eration Centers, the Army Com-puter Emergency ResponseTeam, Defense Information Sys-tems Agency (DISA) and eventhe Federal Bureau of Investiga-

tion (FBI). However, the prima-ry partner of the ANSSOC for IAis the Regional Computer Emer-gency Response Team-CONUS(RCERT-C).

In addition to close relation-ships with these organizations,the ANSSOC has ensured suc-cess by intertwining networkoperations with network andsystems security and protec-tion. The integration of thesetwo areas has ensured that theANSSOC is proactive and quickto respond to any threats to theArmy infrastructure. Thisprocess is enhanced by the co-location of the RCERT-C withthe ANSSOC. This allows eachorganization to leverage off ofthe other’s expertise on a con-tinual basis and has resulted ina partnership that not only en-sures a high availability of in-formation to our customers, buthas also led to integration of se-curity into all operations (Fig-ure 1).

As part of the Network Secu-rity Improvement Program De-fense in Depth strategy that is

Computer NetworkDefense at the ArmySignal Command by MAJ Mike McNett, USA

and LTC Marc Withers, USA

PROTECT RCERT-CANSSOC

Army SignalCommand

Land InformationWarfare Activity

Integrated management of CONUS infrastructure

• Wide area network management• Domain name service• Systems administration• Database administration• 24 hour network & system monitoring

• Network blocks• Incident handling• Bulletins/alerts• Trends correlation• Remote vulnerability assessment• On-site customer support

Figure 1. Command and Control Protect Partnership

http://iac.dtic.mil/iatac I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 21

spearheaded by the Director ofInformation Systems for Com-mand, Control, Communica-tions, and Computers, theANSSOC’s role in IA is fulfilledprimarily above the installa-tion’s infrastructure in which liethe demilitarized zones and theinstallation top level architec-ture (TLA). The perimeter secu-rity of Army installations in-cludes Army security routers(ASR) that route all traffic intoand out of each location. TheseASRs are centrally managed andmonitored at the ANSSOC to en-sure both network availabilityand network protection of theArmy’s part of the DII at alltimes.

The next two levels of de-fense-in-depth are the network-based and host-based intrusiondetection systems that theANSSOC also centrally managesand monitors. This, combinedwith the ASR status, allows onefacility to obtain a common op-erational view of the entireCONUS DII for the Army’s net-works and critical servers.These levels are closely tied toand coordinated with theRCERT-C and other agencies.

This defense-in-depth strate-gy has created a very close rela-tionship between network oper-ations and network and systemssecurity. One example of thisclose relationship is router logmanagement. Traditionally,routers have been considerednetwork management deviceswith little attention paid to theirrole in network security andprotection. However, the ASRslocated at each installation aredual purpose—they ensureproper routing of traffic and areconfigured to be “firewall-like”devices. ANSSOC routinely ana-lyzes the logs from these routersto find both network anomalies

and potential security events.This results in both highly reli-able and secure networks.

In fact, approximately 25 per-cent of the network securityblocks issued are the direct re-sult of router log analysis. Theseblocks represent malicious ac-tivities that occur as low-levelattacks, that do not necessarilymeet the detection thresholdsfor the network intrusion detec-tion systems (IDS). If therouters were only viewed withrespect to network availabilityproblems, the Army would loseits fight against malicious userssince much of this low-level ac-tivity would be missed.

Another example of the syn-ergy resulting from integratednetwork operations and securityoccurs during distributed denialof service attacks against Armysystems. During such an attack,the network operations portionwould see degradation of thenetwork and monitored sys-tems, while the security side ofnetwork operations would sim-ply see a large number of eventsbeing triggered on the securitymonitoring devices. By havingan integrated network and secu-rity operation, the Army obtainsa very rapid response to activi-ties such as this by leveragingeveryone’s skills and abilities.

The structure set up to pro-tect the Army’s networks, al-though successful, is best char-acterized as a “hasty defense.”The Army can now defend itselfagainst frontal attacks (e.g.,from “script kiddies”). We canalso defend our flanks throughexisting security mechanisms,policies, procedures, the Infor-mation Assurance VulnerabilityAssessment (IAVA) process, etc.

However, we are still vulnera-ble to two types of attacks— therear battle (backdoors) and the

snipers and stealthy individualfoot soldiers with lots of camou-flage and expertise who arealong our perimeter (e.g., so-phisticated hackers). They arewilling to wait long periods oftime to conduct reconnaissancein order to find our exploitablevulnerabilities. To protectagainst these folks we must ex-pand our defense-in-depth andestablish a “deliberate de-fense”—a more robust top levelarchitecture that has better toolsand a more sophisticated archi-tecture able to detect the enemyby looking at all data sources ina coordinated fashion.

This coordination is requiredbecause of the multiple sensordevices and information thatcomes into the ANSSOC—host-based IDS logs for Army criticalservers, server logs, firewalllogs, network managementdata, external reports, network-based IDS logs, and router logs.While all of these data sourcesare valuable when viewed inde-pendently, we have found that agreat deal of synergy can begained when we look at thisdata as a whole. This informa-tion would do us little good if wedid not have highly qualifiedand skilled analysts, system ad-ministrators, and network man-agers. However, even the besthuman cannot correlate allevents from all these systems.We need the systems to usetheir “intelligence” and to helpthe human.

Event correlation is the tech-nique we are starting to use forthis purpose. The ability to cor-relate between events withinone data source is greatly en-hanced when you can cross cor-relate between different typesof data sources such as routerlogs, IDS logs, incident reports,etc. The ANSSOC is currently

I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 http://iac.dtic.mil/iatac22

correlating data from variousdata sources to determine whenmultiple sites are being at-tacked from the same or multi-ple sources. This correlation ca-pability has already resulted inan increase in protection acrossthe Army’s portion of the DII.

Impressive gains have beenmade by the ANSSOC (andmany other Army organiza-tions) in improving the Army’sIA posture and providing secu-rity to Army networks. Whathas been done, however, is justthe beginning. We are nowmoving past the “hasty defense”and making initial changes toimplement a “deliberate de-fense” that takes advantage bothof new technologies and newprocedures learned over the lastfew years. The threat continuesto evolve, and so must ourcountermeasures. The ANSSOCis deploying an impressivearray of systems to stay at theforefront of the IA battle and in-tegrating network operationswith network security. All theArmy must strive to do thesame.

Major Mike McNett is the director ofthe Army Network Systems and SecurityOperation Center for the U.S. ArmySignal Command at Fort Huachuca,Ariz. He holds a B.S. in Computer Sciencefrom Illinois State University and a M.S.in Computer Science from the Universityof Illinois. He may be reached atmcnettm@hqasc.army.mil.

LTC Marc Withers is chief of theNetwork, Systems and SecurityManagement Division for the U.S. ArmySignal Command at Fort Huachuca,Ariz. He holds a B.A. in Mathematicsand History from the Virginia MilitaryInstitute and a M.S. in Computer Sciencefrom the Georgia Institute of Technology.He may be reached at withersj@hqasc.army.mil.

http://iac.dtic.mil/iatac I A n ews l e t t e r • Vo l ume 4 , Numbe r 1

F ederal agencies, industry,and the public now rely

on cryptography to protect in-formation and communicationsused in critical infrastructures,electronic commerce, andother application areas. Crypto-graphic modules are imple-mented in these products andsystems to provide such ser-vices as confidentiality, integri-ty, non-repudiation and identi-fication and authentication.Adequate testing and validationof the cryptographic moduleagainst established standards isessential for information assur-ance (IA). Both Federal agen-cies and the public benefit fromthe use of tested and validatedproducts. Without adequatetesting, weaknesses such aspoor design, weak algorithms,or incorrect implementation ofthe cryptographic modulecould result in insecure prod-ucts.

On July 17, 1995, NIST es-tablished the CryptographicModule Validation Program(CMVP) that validates crypto-graphic modules to Federal In-formation Processing StandardFIPS 140-1 (Security Require-ments for Cryptographic Mod-ules), and other FIPS cryptogra-phy based standards. TheCMVP is a joint effort betweenNIST and the CommunicationsSecurity Establishment (CSE)of the Government of Canada.Products validated as conform-ing to FIPS 140-1 are acceptedby the Federal agencies of bothcountries for the protection ofsensitive information. Vendors

of cryptographic modules useindependent, accredited testinglaboratories to test their mod-ules. NIST’s Computer SecurityDivision and CSE jointly serveas the validation authorities forthe program, validating the testresults. Currently, there arefour National Voluntary Labora-tory Accreditation Program(NVLAP) accredited laborato-ries that perform FIPS 140-1compliance testing; three inthe U.S. and one in Canada. ByAugust 2000 over 100 crypto-graphic modules from morethan forty separate vendorswere validated through the pro-gram. The number of validatedmodules has nearly doubledeach year of the program’s exis-tence.

The underlying philosophyof the CMVP is that the usercommunity needs strong inde-pendently tested and commer-cially available cryptographicproducts. The CMVP must alsowork with the commercial sec-tor and the cryptographic com-munity to achieve security, in-teroperability and assurance.Directly associated with thisphilosophy is CMVP’s goal ofpromoting the use of validatedproducts and providing Federalagencies with a security metricto use in procuring crypto-graphic modules. The testingperformed by accredited labo-ratories provides this metric.Federal agencies, industry, andthe public can choose productsfrom the CMVP Validated Mod-ules List and can have confi-dence that the products meet

the claimed level of security.The program validates a widevariety of modules includinggeneral encryption products,secure radios, virtual privatenetwork (VPN) devices, Inter-net browsers, cryptographic to-kens and modules that supportpublic key infrastructure (PKI).Currently, validation servicesare provided for FIPS 140-1 & 2,the Data Encryption Standard(DES and Triple DES), the Digi-tal Signature Standard, the Se-cure Hash Standard, and theSkipjack Algorithm.

The CMVP offers a docu-mented methodology for con-formance testing through a de-fined set of securityrequirements in FIPS 140-1 & 2and other cryptographic stan-dards. NIST developed the stan-dard and an associated metric(the Derived Test Require-ments for FIPS 140-1) to ensurerepeatability of tests and equiv-alency in results across thetesting laboratories. The fourcommercial laboratories pro-vide vendors of cryptographicmodules a choice of testing fa-cilities and promotes healthycompetition. (Note, there is nolimit to the number of testinglaboratories, and additionaltesting laboratories may beadded to the program.)

A government and industryworking group composed ofboth users and vendors devel-oped FIPS 140-1. The workinggroup identified 11 areas of se-curity requirements with fourincreasing levels of security forcryptographic modules. The se-

23

FIPS 140-2The Next GenerationThe Cryptographic Module Validation Program

by Mr. Ray Snouffer

I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 http://iac.dtic.mil/iatac

curity levels allow for a widespectrum of data sensitivity(e.g., low value administrativedata, million dollar funds trans-fers, and health data), and a di-versity of application environ-ments (e.g., a guarded facility,an office, and a completely un-protected location). Each secu-rity level offers an increase insecurity over the precedinglevel. These four security lev-els allow cost-effective solu-tions that are appropriate fordifferent degrees of data sensi-tivity and different applicationenvironments. This structurealso allows great flexibilitywhen specifying or identifyingusers needs. Modules maymeet different levels in the se-curity requirements areas (e.g.,a module meets level 2 overall,level 3 physical security withadditional level 4 require-ments). The Validated ModulesList now contains modules rep-resenting all four security lev-els.

FIPS 140-1 &2 define aframework and methodologyfor NIST's current and futurecryptographic standards. Thestandard provides users with: • a specification of security

features that are required ateach of four security levels

• flexibility in choosing securi-ty requirements

• a guide to ensuring the cryp-tographic modules incorpo-rate necessary security fea-tures

• the assurance that the mod-ules are compliant with cryp-tography based standards

The Secretary of Commercehas made FIPS 140-1 mandato-ry and binding for U.S. Federalagencies and organizations.The standard is specifically ap-plicable when a Federal agency

determines that cryptographyis necessary for protecting sen-sitive information. This protec-tion involves situations whereproducts containing a crypto-graphic module are used whendesigning, acquiring, and im-plementing cryptographic-based security systems. FIPS140-1 is applicable if the mod-ule is incorporated in a prod-uct, application or functions asa standalone device. The Na-tional Security Telecommuni-cations and Information Sys-tems Security Committee(NSTISSC) recently releasedboth an NSTISS Policy and anNSTISS Advisory Memorandumrelated to FIPS 140-1. NSTISSP11: National Policy Governingthe Acquisition of InformationAssurance (IA) and IA-EnabledInformation Technology (IT)Products, dated January 2000establishes a schedule for im-plementing evaluated and vali-dated IA-enabled IT productsused in national security sys-tems. FIPS 140-1 validation isspecified as one of the three ac-cepted methods for evaluationand validation. NSTISSAM IN-FOSEC/1-00: Advisory Memo-randum For the Use of the Fed-eral Information ProcessingStandards (FIPS) 140-1 Validat-ed Cryptographic Modules inProtecting Unclassified Nation-al Security Systems, dated Feb-ruary 2000 further discussesthe use of FIPS 140-1 validatedmodules. The advisory statesthat, “While NSA [National Se-curity Agency] recommendsthe acquisition of securityproducts which have been eval-uated to determine the robust-ness of their complete securityfunctionality (preferablyagainst NSA or NIST sponsoredCommon Criteria (CC) Protec-tion Profiles), products which

contain FIPS 140-1 validatedencryption modules may beused for the cryptographic pro-tection of unclassified informa-tion in national security sys-tems.” Additional informationon these two documents maybe obtained from the NSTISSCSecretariat at NSA.

From the beginning, theCMVP has been dynamic—con-stantly reexamining the under-lying standard, test methodolo-gy, reporting structure, andassociated documentation. Inaddition, questions from thevendor and user communitieshave provided valuable inputand an implementation per-spective. NIST and CSE havecontinually kept pace with newsecurity methods, changes intechnology, and required inter-pretations of the standard by is-suing official ImplementationGuidance and Policy for FIPS140-1 and associated DerivedTest Requirements. The Imple-mentation Guidance coversprogram policy, technical ques-tions, and general guidanceneeded for module validation.

In addition to constant reex-amination, the standard is offi-cially reexamined and reaf-firmed every five yearsbeginning in the Fall of 1998.

For more information onFIPS 140-2 visit our Web site athttp://csrc.nist.gov/cryptval.

Mr. Snouffer earned his B.A. in math-ematics from Western Maryland Collegein 1986. Since January 1997, he hasserved as the Program Manager for theCryptographic Module ValidationProgram and now also serves as thesupervisor of the Cryptographic SecurityTesting Program Area of NIST’sComputer Security Division. He may bereached by E-mail at ray.snouffer@nist.gov.

24

http://iac.dtic.mil/iatac I A n ews l e t t e r • Vo l ume 4 , Numbe r 1

Robert P. ThompsonDuring the past quarter

IATAC has undergone a changein directorship. Bob Thompsonhas assumed new responsibili-ties overseeing the 80+ IATACTechnical Area Tasks (TATs)currently in operation and es-tablishing the first IATAC Satel-lite Office in Tampa, Florida.His additional responsibilitieswill include representingSURVIAC and HSIAC in provid-ing scientific and technical sup-port to the warfighter.

I’d like to publicly thank Bobfor his outstanding leadershipas the Director over the pasttwo and a half years. He hasbeen the guiding force in build-ing IATAC from its very founda-tion as a “virtual InformationAnalysis Center (IAC)” to its po-sition today as a major contrib-utor to the IA community.

Among his many contribu-tions are this publication. It hasbecome a first class forum forpresenting topics of interest tothe entire IA community—fromthe foxhole to OSD. Similarly,our many Critical Review Tech-nology Assessments (CR/TA)and State of the Art Reports(SOAR) have proven timely andwell received by IA profession-als and leaders, system admin-istrators and commanders alike.

One of Bob’s many initiativeshas been the IATAC Satellite Of-fice and it is with great pleasurethat IATAC announces theopening of its first Satellite Of-fice in Tampa, Florida on 15 No-vember 2000. Working closelywith the DISA Field Office, thisfirst IATAC Satellite Office will

support Special OperationsCommand (SOCOM) and Cen-tral Command (CENTCOM). Itwill provide liaison support forIATAC and IAC program initia-tives and is an extension ofIATAC core operations. As such,the Satellite Office will serve asthe initial point-of-contact forlocally generated inquiries(technical and bibliographic),maintain and distribute IATACand IAC products, promote cur-rent awareness activities, andprovide management and over-sight of local IATAC TAT execu-tion.

Steering Committee This past June, IATAC held

its annual Steering CommitteeMeeting. The Steering Commit-tee consists of IA professionalsfrom across the community andis chartered to review IATAC ac-tivities and provide advice andguidance on future IATAC oper-ations. The Steering Committeeidentified four critical subjectareas for this year’s reports.

The Malicious Code SOARwill update the previous SOARof the same name, providing abackground on the nature ofthe malicious software problemand the threat that it poses toDoD systems. The goal for thisreport is to address the problemof malicious code detectionfrom a pragmatic perspective.

The Information Assurance(IA) Modeling and Simulation(M&S) SOAR (jointly writtenwith MSIAC) will provide a fullrepresentation of IA M&S toolssupporting today's warfighter tomeet the challenges described

in Joint Vision 2020 (JV2020).This includes tools used forbudgetary tradeoff analyses(availability of proper systems),systems acquisition designanalyses (designed to meettheir intended requirements),and training and exercise sup-port (so the warfighter knowshow to employ them properly).

The Configuration Manage-ment Compliance CR/TA willexamine compliance with Infor-mation Assurance VulnerabilityAlerts (IAVA) and the toolsavailable for ensuring compli-ance.

The final CR/TA will summa-rize Applied IA DevelopmentInitiatives in DoD Labs and ex-amine those efforts, which areeither being conducted or fund-ed by DoD.

SPACECOM PKI SeminarFinally I would like to men-

tion that IATAC will be sponsor-ing a one day Public Key Infra-structure (PKI) seminar on 20February 2001 in conjunctionwith and preceding the SPACE-COM 2001 Conference to beheld in Colorado Springs, Col-orado 20–23 February 2001.This one-day seminar will ad-dress the current state of PKItechnology, the complexities ofimplementing and managingPKI, future directions, and therelevance of PKI to DoD SpacePrograms.

For more information on thisseminar or IATAC’s upcomingCR/TAs and SOARs, contactIATAC at 703.289.5454 or via E-mail at iatac@dtic.mil.

25

by Robert J. Lamb, IATAC Director

I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 http://iac.dtic.mil/iatac26

oorrddeerr ffoorrmmIMPORTANT NOTE: All IATAC Products are distributed through DTIC. If you are NOT a registered DTIC user,you must do so PRIOR to ordering any IATAC products (unless you are DoD or Government personnel). TO REGISTER ON-LINE: http://www.dtic.mil/dtic/regprocess.html.

Name _______________________________________________________DTIC User Code ________________________

Organization ______________________________________________________Ofc. Symbol ________________________

Address ________________________________________ Phone _________________________________________

______________________________________________ E-mail _________________________________________

______________________________________________ Fax ___________________________________________

LIMITED DISTRIBUTIONIA Collection Acquisitions CD-ROM

❏ June 2000

Critical Review and Technology Assessment (CR/TA) Reports❏ Biometrics ❏ Computer Forensics* ❏ Defense in Depth ❏ Data Mining❏ IA Metrics ❏ Modeling & Simulation*

IA Tools Report❏ Firewalls (2nd Ed.) ❏ Intrusion Detection ( 2nd Ed.) ❏ Vulnerability Analysis (2nd Ed.)

State-of-the-Art Reports (SOARs)❏ Data Embedding for Information Assurance ❏ IO/IA Visualization Technologies

❏ Malicious Code Detection* [ ❏ TOP SECRET ❏ SECRET]

Security POC Security Phone

* You MUST supply your DTIC user code before these reports will be shipped to you.

UNLIMITED DISTRIBUTION

Newsletters (Limited number of back issues available)

❏ Vol. 1, No. 1 ❏ Vol. 1, No. 2 ❏ Vol. 1, No. 3

❏ Vol. 2, No. 1 ❏ Vol. 2, No. 2 (soft copy only) ❏ Vol. 2, No. 3 ❏ Vol. 2, No. 4

❏ Vol. 3, No. 1 ❏ Vol. 3, No. 2 ❏ Vol. 3, No. 3 ❏ Vol. 3, No. 4

❏ Vol. 4, No. 1

Please list the Government Program(s)/Project(s) that the product(s) will be used to support: _________________________

___________________________________________________________________________________________________

Once completed, fax to IATAC at 703.289.5467

http://iac.dtic.mil/iatac I A n ews l e t t e r • Vo l ume 4 , Numbe r 1 27

IO/IA VisualizationTechnologiesState-of-the-ArtReport (SOAR)

This report provides a synop-sis of the information visualiza-tion industry, the industry’s as-sociated technologies, andvisualization methodologies. Itis written for a broad audience,principally for those unfamiliarwith this technology, new tothe industry, or seeking visual-ization capabilities for the firsttime. This report is written forsystem users. Visualization is,by nature, user-centric. Visual-ization technologies, for exam-ple, allow users to interact withinformation systems. There-fore, users must first under-stand what visualization is,what its capabilities and restric-tions are, and what ideas factorinto its use.

This SOAR should help read-ers decide whether visualiza-tion is appropriate to theirneeds, determine what types ofvisualization technologies areavailable and relevant, and for-mulate possible strategies forimplementing a visualizationsolution.

BiometricsFingerprint Identifica-tion Systems

Focuses on fingerprint bio-metric systems used in the veri-fication mode. Such systems,often used to control physical ac-cess to secure areas, also allowsystem administrators accesscontrol to computer resourcesand applications. Informationprovided in this document is ofvalue to anyone desiring to learnabout biometric systems. Thecontents are primarily intendedto assist individuals responsiblefor effectively integrating finger-print identification products intotheir network environments tosupport the existing securitypolicies of their respective orga-nizations.

pprroodduuccttssproductsFirewalls 2nd Edition

Responding to a need to provide information to cus-tomers so they can make informed decisions about how tosafeguard their Internet transactions, the Firewalls ToolReport contains descriptions of 47 tools. This newly updat-ed report provides an index of the firewall tools, which arealso described in the IATAC Firewalls Tools Database. Forthis report a firewall is a component or set of componentsthat restricts access between a protected network and anunprotected network. It summarizes pertinent informa-tion, providing users with a brief description of availablefirewall tools and contact information. The tools are classi-fied by the following categories: Internet Protocol (IP)packet filtering, application gateways, packet inspection,hybrid firewalls, and virtual private networks. The writtendescriptions highlight the capabilities and features of eachfirewall product. New in this edition of the report, aresources of product evaluations. As a living document, thisreport will be updated periodically.

WEST 2001San Diego Marriott San Diego, CAhttp://www.west2001.org/ travel.htmCOME VISIT US ATBOOTH #1250

Information AssuranceTechnical Framework ForumMaritime Institute of Technologyand Graduate StudiesLinthicum, MarylandPOC: Mr. John Niemczuk

410.684.6246niemczuk_john@bah.comhttp://www.iatf.net

5th Annual InformationAssurance (IA) WorkshopJointly sponsored by the DISA,USSPACECOM and NSASheraton Norfolk (Waterside)Hotel, Norfolk, Virginia. "Information Assurance—Enabling Joint Vision 2020" http://iase.disa.mil

SPACECOM 2000—ASpaceCOMM OdysseySheraton Hotel, ColoradoSprings, Coloradohttp://www.rockymtn-afcea.org/2001/2001home.htmIATAC will be presenting a PKI Seminar on the 20th! VISIT US AT BOOTH #69

TechNet Tampa 2001“Preparing for and Respondingto Asymmetric Threats”Tampa Convention Centerhttp://www.afcea.org/tampa/COME VISIT US AT BOOTH #312

January23–25

25

February6–8

Information Assurance Technology Analysis Center3190 Fairview Park DriveFalls Church, VA 22042

March13–14

20–23