IP: Call for White Papers Information Technology Security

[Dave Farber <farber@central.cis.upenn.edu>]

Call for White Papers


Information Technology Security Policy Setting Process
issued by the
Cross-Industry Working Team


Thursday, September 28, 1995


Introduction


The Cross-Industry Working Team (XIWT) is seeking inputs from U.S.
industry on ways to improve the process by which public policy on
information technology systems security is developed. At the invitation
of the Information Infrastructure Task Force (IITF) of the U.S.
government, XIWT is soliciting ideas broadly from US industry, in the
form of White Papers that address this issue. XIWT will, later this
year, convene a workshop of industry experts to organize the ideas and
suggestions expressed in these White Papers into a report for use by
the IITF, and will prepare a report to be made available to the public.


XIWT
XIWT is a multi-industry coalition of organizations committed to
defining the architecture and key technical requirements for a powerful
and sustainable national information infrastructure (NII). XIWT aims to
foster the understanding, development and application of technologies
that cross industry boundaries; facilitate the conversion of the NII
vision into real-world implementations, and facilitate a dialogue among
representatives of stakeholders in the private and public sector.
Additional information about XIWT can be found on the Internet at:
http://www.xiwt.org/homepage.


Information Technology Systems Security
In the developing National Information Infrastructure (NII),
information technology will be deployed in a wide range of contexts and
systems including communications, computing, software systems, and many
different types of applications. The ability of this technology, and
the systems which employ it, to provide the requisite levels of
security and protection, are of concern to almost everyone.


Issues of central concern include: physical protection of systems and
their contents, potential vulnerabilities at various points within the
networked environments of these systems, and the ability to provide or
even guarantee reliable and/or uninterruptable service. The
infrastructure for such capabilities will need to include mechanisms
for the protection of networks, computers and other types of equipment
as well as systems that employ these elements, as well as methods for
analysis, certification and validation of technology and systems, and
for facilitating the setting of standards. It is likely that
cryptographic capabilities will need to be available throughout for
possible use in protection and authentication of information. Issues
involving the management of these capabilities will need to be
uncovered, discussed and resolved where possible. At present, the
federal government has no formal process in place, in the Congress or
in Executive Branch agencies, which adequately involves the private
sector in the determination of public policy in this area.


Responsibilities for this broad area within the federal government are
widely diffused and do not necessarily insure that all the relevant
concerns of the private sector are taken into account. Further, no
single process is used by the various parts of the federal government
and a variety of policies, reflected in laws, regulation and practice,
usually result. A methodology is required by which private sector
interests can be adequately expressed and factored into resulting
policies. The purpose of this call for white papers is to request
written inputs from interested and knowledgable parties on how the
formal process to developing information technology systems security
policies may be improved, and particularly on how private sector inputs
can be most effectively incorporated.


Specifically, industry is requested to identify those areas, domains,
and issues that are especially relevant for consideration, and to
recommend specific suggestions or approaches by which the policy
determination process in these areas may be improved. This may entail,
for example, the establishment of one or more bodies dedicated to this
purpose, within or across domains; the creation of a broad set of
principles for the government or other bodies to employ; the setting of
national goals or other specific recommendations for federal action.


Submissions
White papers are specifically solicited from U.S. industry; other
individuals who wish to contribute are welcome to do so. Submissions
may be made on paper or electronically by sending electronic mail,
document files, or via a form located on the XIWT World Wide Web server
(addresses below). Submissions made on behalf of companies will be
taken to represent the views of the firm; these will be verified if it
is not made clear in the submission that the document represents a
company position. Individual submissions will not be verified if they
do not claim to represent company positions.


Submissions should be: 1) responsive to the primary goal of this call,
(focused specifically on process improvement and not the presentation
of view on policy deficiencies or on desired policies); 2) clear in
terms of specific topics, areas or domains of policy; 3) reasonably
direct, brief and timely.


Any format may be used for the white paper, and it may be of any
length. However, submissions must include the following information, on
envelopes or headers to email and web messages, and on the submission
document, whatever its form:


1.The name of individual making the submission; 2.The name of firm on
whose behalf the submission is made; 3.The return address by which
submission may be verified, if necessary.


XIWT will convene a one or two day invitational workshop in the
Washington DC area in December, 1995, to review submissions and
organize the preparation of findings. Papers received by November 15,
1995, will be used in the workshop. The report of this effort is
intended to be made available in February, 1996.


Submissions must be made to one of the following addresses:


Conventional Mail: Security Policy Process XIWT 1895 Preston White
Drive Suite 100 Reston VA 22091-0913


Electronic Mail: secpros@cnri.reston.va.us-- Please place: "Security
Policy Process" in the "Subject:" field. Please use ASCII text in any
attachments.


World Wide Web: suggestions may be contributed via the internet at:
http://www.xiwt.org/response


The content of submissions will be used by XIWT only for the purposes
described in this call. No specific attribution to individual companies
or individuals will be made in the findings or report. We look forward
to your help in this important national effort.


For additional information, please contact Charles Brownstein or Pam
Memmott Tel: (703) 620-8990 Internet: cbrownst@cnri.reston.va.us
Internet: pmemmott@cnri.reston.va.us


Charles N. Brownstein
Executive Director
Cross-Industry Working Team
Suite 100
1895 Preston White Drive
Reston, VA 22091-8990


tel (703) 620-8990
fax (703) 620-8990
http://www.cnri.reston.va.us/xiwt