Addressing the audience at the Microsoft Security Summit East on 13 October, Mr. Daniel G. Wolf, the National Security Agency's Information Assurance Director, said, "I'm encouraged by the outstanding progress and future plans to enhance the security of operating systems and desktop applications. While vendors strive to do their part when it comes to the need for security, the onus is now on the users. Users have to do their part by applying the latest patches and software updates."
Mr. Wolf explained that the road to information assurance is a cooperative process. Information assurance challenges that the U.S. government faces in the future will require everyone on the network to work together to improve security. In a global operating environment like that of the federal government, security risk decisions can no longer be a local prerogative. "We can't wait," Wolf said, "we need to move all of our government networks and systems to these newer operating systems and security applications to take advantage of the more robust features available. Legacy systems, without the improved security features, hold back everyone's progress."
Security is measured in two dimensions, features and assurance. Security features are tools like firewalls, encryption, and biometrics. Assurance is the trust users put into these applications. Assurance is enhanced by the rigor of the software development process. Security needs to be "baked in" at the beginning - into the requirements tracking, design documentation, configuration management, and compliance testing frameworks. Industry and worldwide governments have to work together to upgrade the Common Criteria. The current version aims at documentation and testing. The Common Criteria needs to be updated to emphasize security in the development processes. The next generation of Common Criteria will be aimed at finding and eradicating vulnerabilities during development.
Mr. Wolf emphasized that NSA looks forward to working with its industry partners via the National Information Assurance Partnership and the International Common Criteria programs in order to help industry bake security features and assurance into commercially developed products at the front end of the development cycle.
Mr. Wolf is available for interviews by contacting the NSA Public and Media Affairs Office at 301-688-6524 or by emailing nsapao@nsa.gov. For more information about NSA and Information Assurance, visit our website at NSA.gov.