Note: for index of full report see: http://jya.com/nrcindex.htm

---------



                              N


          Federal Information Processing Standards


   Agencies at all levels of govermnent set regulatory
standards for products and processes in order to protect
health, safety, and the environment. They also produce
specifications for public procurement of goods and services.
The *Federal Register* regularly publishes requests for
comments on standards proposed by federal agencies. Some of
these are developed by agencies, while others originate as
voluntary standards set in the private sector and are adopted
by reference within the text of regulations and
specifications.

   In 1965 the Brooks Act gave responsibility for federal
information technology procurement standards to the National
Bureau of Standards, now the National Institute of Standards
and Technology (NIST).(1) To meet this requirement, NIST
produces Federal Information Processing Standards (FIPSs). All
federal agencies are encouraged to cite FIPSs in their
procurement specifications.

   NIST has traditionally relied on private sector
standards-setting processes when developing FIPSs.(2) Many
standards-setting bodies follow consensus standards
development procedures promulgated by the American National
Standards Institute (ANSI). These include open participation
of volunteer technical experts in standards-writing
committees; consensus among committee members in support of
any proposed standard; and elements of administrative due
process, such as opportunities for comment and voting by
affected parties. These procedures increase the likelihood of
achieving a broad-based consensus and enhancing the acceptance
of the resulting standard.(3)

   NIST personnel are frequent participants in consensus
standards committees, and FIPSs generally cite or draw on
consensus and de facto industry standards.(4) This practice is
consistent with government-wide policy; Office of Management
and Budget Circular A119 requires that all federal agencies
cite existing consensus standards in regulation and
procurement wherever possible, rather than develop
government-unique standards.(5) NIST's participation also
reflects its recognition of the fact that the standards it
sets will be more likely to succeed -- in terms of reducing
procurement costs, raising quality, and influencing the
direction of information technology market development -- if
they are supported by private producers and users.(6)

   There is an additional benefit to government reliance on
industry standards that is especially relevant to information
technology. Recent economic analysis and ample experience
demonstrate that standards governing the interoperability of
information technology products pose special challenges. Such
standards control the ability of separate users, devices,
software, and services to work with each other. Examples
include computer operating systems and cryptographic
algorithms used for communication or data exchange.

   Reliance on de facto industry standards may involve
problems as well. For example, the establishment of a formal
standard based on de facto informal industry standards may
freeze technology prematurely. User commitments to the use of
that standard and a hard-to-change infrastructure can then
restrict the development and deployment of new and more useful
technologies. Moreover, a standard that is popular in the
marketplace may not necessarily be the most appropriate for
all end-user applications.

   One vexing problem with industry standards relates to the
competitive nature of the marketplace. The setting of a formal
standard that has the effect of favoring any individual
company or set of companies could be viewed as unfair and
anticompetitive if it has the effect of suppressing other,
equally useful technologies. Further problems arise if the
payment of royalties is necessary to use a particular formal
standard, and many standardssetting bodies do not adopt
patented technology unless the patent holders agree to certain
terms with regard to licensing those who wish to implement the
standards.

   The issuance of a FIPS can have enormous significance to
the private sector as well, despite the face that the
existence of a FIPS does not legally compel a private party to
adopt it. One reason has already been stated -- to the extent
that a FIPS is based on existing private sector standards, it
codifies standards of existing practice with all of the
benefits (and costs) described above. A second reason is that
a FIPS is often taken as a government endorsement of the
procedures, practices, and algorithms contained therein and
thus set a de facto "best-practices" standard for the private
sector. A third reason is related to procurements that are
FIPS-compliant as discussed in Chapter 6.

   Products such as computers and communication devices that
are intended to interoperate with other equipment are of
little value if they are based on a standard few others use --
there is no one to communicate with. For this reason,
interoperability standards often foster a sudden acceleration
in market share growth -- a bandwagon effect -- in which users
afraid of being left out rush to adopt a standard once it
appears clear that most other users will adopt that standard.
The flip side of this phenomenon is the potential for
significant delay in development of a market prior to this
takeoff point: users put off purchasing products and services
that might become "orphaned" in the future. During a period in
which more than one competing standard exists, the entire
market's growth may be adversely affected. The failure of a
consumer market for AM stereo receivers, for example, was
largely due to the lack of a dominant standard.(7)

   Competing standards developed in the private and public
sectors could be slowing the spread of cryptographic products
and services. The two cryptography-related FIPSs most recently
produced by NIST were not consistent with existing de facto
industry standards. As discussed previously, the Escrowed
Encryption Standard was adopted as FIPS 185 despite the
overwhelmingly negative response from private industry and
users to the public notice in the *Federal Register*.(8) The
Digital Signature Standard was also adopted despite both
negative public comments and the apparent emergence of a de
facto industry based on RSA's public-key algorithm.(9)

----------

   (1)  Carl Cargill, *Information Technology
Standardization*, Digital Press, Bedford, Mass., 1989, pages
212-213.

   (2)  Many standards related to information used in private
industry are developed through voluntary consensus processes.
Among the most active information technology standards
developers are the Institute of Electrical and Electronics
Engineers (IEEE), a professional society; the Information
Technology Industry Coalition (ITIC), which administers
information processing standards development in Committee X3;
and the Alliance for Telecommunications Industry Solutions
(ATIS), coordinator of Committee T1 for telecommunication
standards. The American Banking Association sponsors Committee
X9, which is currently developing a cryptographic standard for
inter-bank transactions based on the triple-DES algorithm. The
Internet Engineering Task Force determines the protocols that
are used (in varying degrees of compliance) to communicate
between Internet sites.

   Other private sector standards result from competition in
the commercial marketplace. When one firm's product becomes so
widespread that its specifications guide the decisions of
other market participants, those specifications become a de
facto industry standard. Firms may promote their technologies
as de facto standards in pursuit of goals such as gaining
economies of scale, protecting or increasing market share, and
obtaining revenues from licensing intellectual property, among
others. The IBM-compatible personal computer architecture is
an example of a de facto industry standard. See Michael
Hergert, "Technical Standards and Competition in the
Microcomputer Industry," in H. Landis Gabel (ed.), *Product
Standardization and Competitive Strategy*, Elsevier Science
Publishers B.V., Amsterdam, 1987.

   In recent years, some firms in the information technology
industry have tried to establish de facto standards by
promoting them through industry consortia. The Open Software
Foundation's efforts to set a de facto UNIX operating system
standard are an example. See Carl Cargill and Martin Weiss,
"Consortia in the Standards Development Process," *Journal of
the American Society for Information Science*, Volume 43(8),
1992, pages 559-565.

   The decentralized nature of standard setting in the United
States can be confusing and inefficient in specific
circumstances. A recent National Research Council study of
standards and international trade in many industry sectors
concluded, however, that the existence of multiple
standard-setting processes generally serves the national
interest well, for reasons that include flexibility in
responding to changing technological and market forces and
competitive pressures placed on rival standards developers.
See National Research Council, *Standards, Conformity
Assessment, and Trade*, National Academy Press, Washington,
D.C., 1995, pages 60-61.

   (3   Ross Cheit, *Setting Safety Standards: Regulation in
the Public and Private Sectors*, University of California
Press, Berkeley, 1990, page 15.

   (4)  Cargill, *Information Technology Standardization*,
1989, pages 213-214.

   (5)  Office of Management and Budget, Circular No. A-119,
Revised, *Federal Register*, October 26, 1993, page 57644. The
Department of Defense, among others, has experienced dramatic
reductions in procurement costs by taking advantage of the
economies of scale inherent in large-volume commercial
production relative to production solely for the government
market. Purchasing commercial products also reduces
significant cost burdens on suppliers of meeting separate
commercial and military-unique standards. For further
discussion of government use of private standards, see
National Research Council, *Standards, Conformity Assessment,
and Trade*, 1995, pages 54-57.

   (6)  Cargill, *Information Technology Standardization*,
1989, page 213.

   (7)  For further discussion of the interactions between
interoperability standards and development of markets for
goods and services, see Stanley Besen and Joseph Farrell,
"Choosing How to Compete: Strategies and Tactics in
Standardization," *Journal of Economic Perspectives*, Volume
8(2), Spring 1994, pages 1-15; and Joseph Farrell and Garth
Saloner, "Competition, Compatibility and Standards," *Product
Standardization and Competitive Strategy*, H. Landis Gabel,
ed. Elsevier Science Publishers B.V., Amsterdam, 1987.

   (8)  Susan Landau et al., *Codes, Keys, and Conflicts:
Issues in U.S. Crypto Policy*, Association for Computing
Machinery Inc., New York, 1994, page 48.

   (9)  Landau et al., *Codes, Keys, and Conflicts*, 1994,
pages 41-43.

____________________________________________________________

[End NRC Report]

----------

Scanned by HP; formatted by JY and DN, May 30 - June 1, 1996.




