Cryptography's Role In Securing The Information Society

                Appendix N   Continued

[N.3 commences p. 627.]
__________________________________________________________________



        N.3 MEMORANDUMS OF UNDERSTANDING (MOU)
                 AND AGREEMENT (MOA)


N.3.1 National Security Agency/National Institute of Standards
                  and Technology MOU


Memorandum of Understanding Between the Director of the National
Institute of Standards and Technology and the Director of the
National Security Agency Concerning the Implementation of Public
Law 100-235 [628]


Recognizing that:


     A. Under Section 2 of the Computer Security Act of 1987
(Public Law 100-235), (the Act), the National Institute of
Standards and Technology (NIST) has the responsibility within the
Federal Government for:

     1. Developing technical, management, physical, and
     administrative standards and guidelines for the
     cost-effective security and privacy of sensitive information
     in Federal computer systems as defined in the Act; and,

     2. Drawing on the computer system technical security
     guidelines of the National Security Agency (NSA) in this
     regard where appropriate.


     B. Under Section 3 of the Act, the NIST is to coordinate
closely with other agencies and offices, including the NSA, to
assure:

     1. Maximum use of all existing and planned programs,
     materials, studies, and reports relating to computer systems
     security and privacy, in order to avoid unnecessary and
     costly duplication of effort; and,

     2. To the maximum extent feasible, that standards developed
     by the NIST under the Act are consistent and compatible with
     standards and procedures developed for the protection of
     classified information in Federal computer systems.


     C. Under the Act, the Secretary of Commerce has the
responsibility, which he has delegated to the Director of NIST,
for appointing the members of the Computer System Security and
Privacy Advisory Board, at least one of whom shall be from the
NSA.

Therefore, in furtherance of the purposes of this MOU, the
Director of the NIST and the Director of the NSA hereby agree as
follows:

     I. The NIST will:

     1. Appoint to the Computer Security and Privacy Advisory
     Board at least one representative nominated by the Director
     of the NSA.

     2. Draw upon computer system technical security guidelines
     developed by the NSA to the extent that the NIST determines
     that such guidelines are consistent with the requirements
     for protecting sensitive information in Federal computer
     systems.

     3. Recognize the NSA-certified rating of evaluated trusted
     systems under the Trusted Computer Security Evaluation
     Criteria Program without requiring additional evaluation.

     4. Develop telecommunications security standards for
     protecting sensitive unclassified computer data, drawing
     upon the expertise and products of the National Security
     Agency, to the greatest extent possible, in meeting these
     responsibilities in a timely and cost effective manner.

     5. Avoid duplication where possible in entering into
     mutually agreeable arrangements with the NSA for the NSA
     support.

     6. Request the NSA's assistance on all matters related to
     cryptographic algorithms and cryptographic techniques
     including but not limited to research, development,
     evaluation, or endorsement. [629]


     II. The NSA will:

     1. Provide the NIST with technical guidelines in trusted
     technology, telecommunications security, and personal
     identification that may be used in cost-effective systems
     for protecting sensitive computer data.

     2. Conduct or initiate research and development programs in
     trusted technology, telecommunications security,
     cryptographic techniques and personal identification
     methods.

     3. Be responsive to the NIST's requests for assistance in
     respect to all matters related to cryptographic algorithms
     and cryptographic techniques including but not limited to
     research, development, evaluation, or endorsement.

     4. Establish the standards and endorse products for
     application to secure systems covered in 10 USC Section 2315
     (the Warner Amendment).

     5. Upon request by Federal agencies, their contractors, and
     other government-sponsored entities, conduct assessments of
     the hostile intelligence threat to federal information
     systems, and provide technical assistance and recommend
     endorsed products for application to secure systems against
     that threat.


     III. The NIST and the NSA shall:

     1. Jointly review agency plans for the security and privacy
     of computer systems submitted to NIST and NSA pursuant to
     section 6(b) of the Act.

     2. Exchange technical standards and guidelines as necessary
     to achieve the purposes of the Act.

     3. Work together to achieve the purposes of this memorandum
     with the greatest efficiency possible, avoiding unnecessary
     duplication of effort.

     4. Maintain an ongoing, open dialogue to ensure that each
     organization remains abreast of emerging technologies and
     issues affecting automated information system security in
     computer-based systems.

     5. Establish a Technical Working Group to review and analyze
     issues of mutual interest pertinent to protection of systems
     that process sensitive or other unclassified information.
     The Group shall be composed of six federal employees, three
     each selected by NIST and NSA and to be augmented as
     necessary by representatives of other agencies. Issues may
     be referred to the group by either the NSA Deputy Director
     for Information Security or the NIST Deputy Director or may
     be generated and addressed by the group upon approval by the
     NSA DDI or NIST Deputy Director. Within days of the referral
     of an issue to the Group by either the NSA Deputy Director
     for Information Security or the NIST Deputy Director, the
     Group will respond with a progress report and plan for
     further analysis, if any.

     6. Exchange work plans on an annual basis on all research
     and development projects pertinent to protection of systems
     that process sensitive or other unclassified information,
     including trusted technology, for protecting the integrity
     and availability of data, telecommunications security and
     personal identification methods. Project updates will be
     exchanged quarterly, and project reviews will be provided by
     either party upon request of the other party.

     7. Ensure the Technical Working Group reviews prior to
     public disclosure all matters regarding technical systems
     security techniques to be developed for use in protecting
     sensitive information in federal computer systems to insure
     they are consistent with the national security of the United
     States. If NIST [630] and NSA are unable to resolve such an
     issue within 60 days, either agency may elect to raise the
     issue to the Secretary of Defense and the Secretary of
     Commerce. It is recognized that such an issue may be
     referred to the President through the NSC for resolution. No
     action shall be taken on such an issue until it is resolved.

     8. Specify additional operational agreements in annexes to
     this MOU as they are agreed to by NSA and NIST.


     IV. Either party may elect to terminate this MOU upon six
months written notice. This MOU is effective upon approval of both
signatories.


RAYMOND G. KAMMER, Acting Director, National Institute of
Standards and Technology, 24 March 1989


W.O. STUDEMAN, Vice Admiral, U.S. Navy; Director, National
Security Agency, 23 March 1989


[630]

           N.3.2 National Security Agency/
         Federal Bureau of Investigation MOU


Memorandum of Understanding Between Federal Bureau of
Investigation and National Security Agency

(u) 1. *Purpose*. This Memorandum of Understanding (MOU)
implements those portions of the Department of Defense E.O. 12036
replaced by 12333 (see 12333 para. 3.6) procedures that regulate
the provision by NSA of specialized equipment, technical
knowledge, and expert personnel to the FBI. (The applicable
procedures are attached.)

(u) 2. *Background*. The National Security Agency possesses unique
skills and equipment developed to support its cryptologic mission.
In the past, the Federal Bureau of Investigation has requested,
and NSA has provided, assistance related to these skills and
equipment for both the Bureau's intelligence and law enforcement
functions. Section 2-309(c) of E.O. 12036 permits NSA to continue
providing such assistance.

(u) 3. *Agreement*. The undersigned parties, representing their
respective agencies, hereby agree to the following procedures for
requesting and providing such assistance in the future:

     a. When the FBI determines that the assistance of NSA is
needed to accomplish its lawful functions, the FBI shall:

     (1) determine whether the requested assistance involves the
     Bureau's intelligence or law enforcement missions. Since a
     counterintelligence or counterterrorism intelligence
     investigation can develop into a law enforcement
     investigation, the following guidelines will be used to
     determine which type of investigation the FBI is conducting.
     A counterintelligence or counterterrorism investigation
     which is undertaken to protect against espionage and other
     clandestine intelligence activities, sabotage, international
     terrorist activities or assassination [631] conducted for or
     on behalf of foreign powers does not have a law enforcement
     purpose until such time as the focus of the investigation
     shifts from intelligence gathering to prosecution.

     (2) coordinate with the appropriate NSA element to determine
     whether NSA is capable of providing the assistance;

     (3) notify the Office of General Counsel, NSA, that a
     request for assistance is being considered; and

     (4) if NSA is able to provide the assistance, provide a
     certification to the General Counsel, NSA, that the
     assistance is necessary to accomplish one or more of the
     FBI's lawful functions. In normal circumstances, this
     certification shall be in writing and signed by an Assistant
     Director or more senior official. If the assistance involves
     provision of expert personnel and is for a law enforcement
     purpose, the certification must be signed by the Director,
     FBI, and shall include affirmation of the facts necessary to
     establish the provisions of Section 4.A., Procedure 16, DoD
     Regulation 5240.1-R. In an emergency, the certification may
     be oral, but it shall be subsequently confirmed in writing.
     If the assistance requested is for the support of an
     activity that may only be conducted pursuant to court order
     or Attorney General authorization, the certification shall
     include a copy of the order or authorization. If the
     requested assistance is to support an intelligence
     investigation which subsequently develops into a law
     enforcement investigation, the FBI shall provide the
     additional supporting data required by Procedure 16.


     b. When the FBI requests assistance from NSA, NSA shall:

     (1) determine whether it is capable of providing the
     requested assistance;

     (2) determine whether the assistance is consistent with NSA
     policy, including protection of sources and methods;

     (3) agree to provide assistance within its capabilities and
     when consistent with NSA policy after receipt of the
     certification discussed in a.(4) above; and

     (4) if the assistance requires the detailing of expert
     personnel, observe the administrative requirements of
     Procedures 16 and 17, DoD regulation 5240.1-R.

(u) 4. *Effective Date*. This MOU is effective upon signature by
the parties below. It remains in effect until superseded by a new
MOU or until Section 2-309(c) of E.O. 12036 is revised. Changes to
this MOU may be made by joint agreement of the undersigned or
their successors.


WILLIAM H. WEBSTER, Director, Federal Bureau of Investigation


B.R. INMAN, Vice Admiral, U.S. Navy, Director, NSA/Chief, CSS


[632]


           N.3.3 National Security Agency/
          Advanced Research Projects Agency/
        Defense Information Systems Agency MOA


Information Systems Security Research Joint Technology Office
Memorandum of Agreement Between The Advanced Research Projects
Agency, The Defense Information Systems Agency, and The National
Security Agency Concerning The Information Systems Security
Research Joint Technology Office


Purpose

     The Advanced Research Projects Agency (ARPA), the Defense
Information Systems Agency (DISA), and the National Security
Agency (NSA) agree to the establishment of the Information System
Security Research Joint Technology Office (ISSR-JTO) as a joint
activity. The ISSR-JTO is being established to coordinate the
information systems security research programs of ARPA and NSA.
The ISSR-JTO will work to optimize use of the limited research
funds available, and strengthen the responsiveness of the programs
to DISA, expediting delivery of technologies that meet DISA's
requirements to safeguard the confidentiality, integrity,
authenticity, and availability of data in Department of Defense
information systems, provide a robust first line of defense for
defensive information warfare, and permit electronic commerce
between the Department of Defense and its contractors.


Background

     In recent years, exponential growth in government and
private sector use of networked systems to produce and communicate
information has given rise to a shared interest by NSA and ARPA in
focusing government R&D on information systems security
technologies. NSA and its primary network security customer, DISA,
have become increasingly reliant upon commercial information
technologies and services to build the Defense Information
Infrastructure, and the inherent security of these technologies
and services has become a vital concern. From ARPA's perspective,
it has become increasingly apparent that security is critical to
the success of key ARPA information technology initiatives. ARPA's
role in fostering the development of advanced information
technologies now requires close attention to the security of these
technologies.

     NSA's security technology plan envisions maximum use of
commercial technology for sensitive but unclassified applications,
and, to the extent possible, for classified applications as well.
A key element of this plan is the transfer of highly reliable
government-developed technology and techniques to industry for
integration into commercial off-the-shelf products, making
quality-tested security components available not only to DoD but
to the full spectrum of government and private sector users as
well. ARPA is working with its contractor community to fully
integrate security into next generation computing technologies
being developed in all its programs, and working with the research
community to develop strategic relationships with industry so that
industry will develop modular security technologies with the
capability of exchanging appropriate elements to meet various
levels of required security.

     NSA and ARPA now share a strong interest in promoting the
development [633] and integration of security technology for
advanced information systems applications. The challenge at hand
is to guide the efforts of the two agencies in a way that
optimizes use of the limited research funds available and
maximizes support to DISA in building the Defense Information
Infrastructure.

     NSA acts as the U.S. Government's focal point for
cryptography, telecommunications security, and information systems
security for national security systems. It conducts, approves, or
endorses research and development of techniques and equipment to
secure national security systems. NSA reviews and approves all
standards, techniques, systems, and equipment related to the
security of national security systems. NSA's primary focus is to
provide information systems security products, services, and
standards in the near term to help its customers protect
classified and national security-related sensitive but
unclassified information. It develops and assesses new security
technology in the areas of cryptography, technical security, and
authentication technology; endorses cryptographic systems
protecting national security information; develops infrastructure
support technologies; evaluates and rates trusted computer and
network products; and provides information security standards for
DoD. Much of the work in these areas is conducted in a classified
environment, and the balancing of national security and law
enforcement equities has been a significant constraint.

     ARPA's mission is to perform research and development that
helps the Department of Defense to maintain U.S. technological
superiority over potential adversaries. At the core of the ARPA
mission is the goal to develop and demonstrate revolutionary
technologies that will fundamentally enhance the capability of the
military. ARPA's role in fostering the development of advanced
computing and communications technologies for use by the DoD
requires that long term solutions to increasing the security of
these systems be developed. ARPA is interested in commercial or
dual-use technology, and usually technology that provides
revolutionary rather than evolutionary enhancements to
capabilities. ARPA is working with industry and academia to
develop technologies that will enable industry to provide system
design methodologies and secure computer, operating system, and
networking technologies. NSA and ARPA research interests have been
converging in these areas, particularly with regard to protocol
development involving key, token, and certificate exchanges and
processes.

     One of the key differences between ARPA's work and NSA's is
that ARPA's is performed in unclassified environments, often in
university settings. This enables ARPA to access talent and pursue
research strategies normally closed to NSA due to security
considerations. Another difference is that while NSA's research is
generally built around developing and using specific cryptographic
algorithms, ARPA's approach is to pursue solutions that are
independent of the algorithm used and allow for modularly
replaceable cryptography. ARPA will, to the greatest extent
possible, allow its contractor community to use cryptography
developed at NSA, and needs solutions from NSA on an expedited
basis so as not to hold up its research program.

     DISA functions as the Department of Defense's information
utility. Its requirements for information systems security extend
beyond confidentiality to include protection of data from
tampering or destruction and assurance that data exchanges are
originated and received by valid participants. DISA is the first
line [634] of defense for information warfare, and needs quality
technology for detecting and responding to network penetrations.
The growing vulnerability of the Defense information
infrastructure to unauthorized access and use, demonstrated in the
penetration of hundreds of DoD computer systems during 1994, makes
delivery of enabling security technologies to DISA a matter of
urgency.


The Information Systems Security Research Joint Technology Office

     This MOA authorizes the ISSR-JTO as a joint undertaking of
ARPA, DISA, and NSA. It will perform those functions jointly
agreed to by these agencies. Each agency shall delegate to the
ISSR-JTO such authority and responsibility as is necessary to
carry out its agreed functions. Participation in the joint program
does not relieve ARPA, DISA, or NSA of their respective individual
charter responsibilities, or diminish their respective
authorities.

     A Joint Management Plan will be developed to provide a
detailed definition of the focus, objectives, operation, and costs
of the Joint Technology Office. The ISSR-JTO will be jointly
staffed by ARPA, DISA, and NSA, with respective staffing levels to
be agreed upon by the three parties. Employees assigned to the JTO
will remain on the billets of their respective agency. Personnel
support for employees assigned to the JTO will be provided by
their home organization. The ISSR-JTO will be housed within both
ARPA and NSA, except as agreed otherwise by the three parties. To
the greatest extent possible, it will function as a virtual
office, using electronic connectivity to minimize the need for
constant physical colocation. Physical security support will be
provided by the party responsible for the specific facilities
occupied. Assignment of the ISSR-JTO Director, Deputy Director,
and management of other office elements will be made by mutual
agreement among the Directors of ARPA, DISA, and NSA upon
recommendation of their staffs.


Functions

     By mutual agreement of ARPA, DISA, and NSA, the ISSR-JTO
will perform the following joint functions:

     + Review and coordinate all Information System Security
Research programs at ARPA and NSA to ensure that there is no
unnecessary duplication, that the programs are technically sound,
that they are focused on customer requirements where available,
and that long term research is aimed at revolutionary increases in
DoD security capabilities.

     + Support ARPA and NSA in evaluating proposals and managing
projects arising from their information systems security efforts,
and maintain a channel for the exchange of technical expertise to
support their information systems security research programs.

     + Provide long range strategic planning for information
systems security research. Provide concepts of future
architectures which include security as an integral component and
a road map for the products that need to be developed to fit the
architectures, taking into account anticipated DoD information
systems security research needs for command and control,
intelligence, support functions, and [635] electronic commerce.
The long range security program will explore technologies which
extend security research boundaries.

     + Develop measures of the effectiveness of the information
systems security research programs in reducing vulnerabilities.

     + Work with DISA, other defense organizations, academic, and
industrial organizations to take new information systems security
research concepts and apply them to selected prototype systems and
testbed projects.

     + Encourage the U.S. industrial base to develop commercial
products with built-in security to be used in DoD systems. Develop
alliances with industry to raise the level of security in all U.S.
systems. Bring together private sector leaders in information
systems security research to advise the JTO and build consensus
for the resulting programs.

     + Identify areas for which standards need to be developed
for information systems security.

     + Facilitate the availability and use of NSA certified
cryptography within information systems security research
programs.

     + Proactively provide a coherent, integrated joint vision of
the program in internal and public communications.


Program Oversight and Revisions

     The Director, ISSR-JTO, has a joint reporting responsibility
to the Directors of ARPA, DISA, and NSA. The Director, ISSR-JTO,
will conduct a formal Program Status Review for the Directors of
ARPA, DISA, and NSA on an annual basis, and will submit mid-year
progress reports between formal reviews. Specific reporting
procedures and practices of the JTO to ARPA, DISA, and NSA will be
detailed in the Joint Technology Management Plan. This MOA will be
reviewed at least annually, and may be revised at any time, based
on the mutual consent of ARPA, DISA, and NSA, to assure the
effective execution of the joint initiative. Any of the parties
may withdraw from participation in the MOA upon six months written
notice. The MOA is effective 2 April 1995.


Dr. Gary L. Denman, Director, ARPA
LtGen Albert J. Edmonds, Director, DISA
VADM John M. McConnell, Director, NSA
Dr. Anita K. Jones, Director, DDR&E 
Emmett Paige, Jr., Assistant Secretary of Defense for Command,
Control, Communications and Intelligence


[End N.3]
