Don't expect to see new federal IT standards

Top officials at the National Institute of Standards and
Technology are asking the agency's computer experts to stop devising standards and instead
become experts in conformance testing.

NIST officials said they will work more closely with industry and standards
organizations to design tests to determine whether products comply with standards. Rather
than lay down rules, agency officials said, they want to give computer users the tools to
become smarter shoppers.

"We want to establish ourselves as technology leaders and develop centers that
offer credible testing methods," said Shukri Wakid, acting director of NIST's
Computer and Applied Mathematics Laboratory (CAML). "The standard is not as
meaningful if you do not know how it works. The test is really the standard, and we want
to take a leadership role with the tests."

NIST always has been responsible for crafting civilian computer standards and helping
agencies use such tools as smart cards and firewalls. But much of that work was
accomplished by issuing best-practices guides and working with the Office of Management
and Budget to resolve common systems problems.

Wakid said his organization will continue to produce guidance documents. But any new
publications or assistance programs must have a governmentwide focus, he said.

"We still want to help with things that are cross-agency-based or generic in
nature. But a lot of systems problems are unique to a single agency, and we have to strike
a proper balance on where we focus our resources," Wakid said.

Under NIST's new strategy, CAML will create a test competency center to help agencies
and commercial firms better understand and apply Federal Information Processing Standards
and commercial and international standards. The center will devise testing methods and
tools, help certify testing labs and serve as a technical liaison between product sponsors
and the labs.

"We want to encourage agencies to use the commercial standards and give them tests
that they can use," Wakid said. "Once we establish the tests, our role would be
to assure test availability. We could have companies or consortia test their products and
accredit the labs for the National Voluntary Laboratory Accreditation Program."

But some computer experts are worried that CAML's new emphasis on tests could create a
leadership vacuum. The upshot could be that agencies lack up-to-date guidance on
information technology, some warn.

For example, members of the National Computer Systems Security and Privacy Advisory
Board expressed concern that the new testing focus might lead NIST to shirk its security
guidance duties mandated by OMB Circular A-130. if there is a vacuum, some experts said,
the National Security Agency might gain too much influence in civilian security matters.

After hearing Wakid outline CAML's strategy at their March meeting, board members
authorized chairman Willis H. Ware to discuss matters with NIST and OMB officials.

OMB officials, however, said they did not expect NIST to have any problems carrying out
its guidance obligations.

Wakid defended the new strategy as the best way to leverage CAML's dwindling budget and
staff.

Because of recent procurement reforms and the administration's push for more
off-the-shelf acquisitions, NIST must ensure that agencies know how to incorporate
security standards into commercial buys, Wakid said. Agencies needing help with specific
security problems would be better served by contractors, he said.

"I honestly don't think there is a problem. The difference now is we want to
emphasize testing methods more and more," Wakid said. "But we have to strike a
balance on where we devote our resources, and agency-specific tasks take us off our
standards mission."

Some former NIST employees said the strategy shift has been brewing for years.

Like the rest of the Commerce Department, CAML is facing a 1997 budget freeze, that is,
provided the agency survives Republican efforts to dismantle the entire department.
Commerce has been living off continuing resolutions this fiscal year, and President
Clinton has proposed holding CAML spending at $43 million next year.

Many observers trace NIST's funding problems to the late 1980s, when Congress failed to
ante up the $3 million NIST needed to finance its guidance duties prescribed by the 1987
Computer Security Act.

"NIST is in a tough budget spot. There are lots of jobs to do and not enough money
and people to do them," said Dennis Branstad, coordinator of cryptographic projects
for Trusted Information Systems Inc. and a former NIST computer science fellow.

"We're seeing a refocusing, and NIST is saying that its success will be in tests
supporting standards as opposed to getting bogged down in the bureaucracy of standards
development," Branstad said.

But several government and industry sources said every step NIST takes away from policy
guidance gives the military intelligence community another opportunity to sell the White
House on its classified security solutions.

"If NIST drops that line of business, they'll concede the policy battlefield to
NSA," said one security industry analyst who requested anonymity. "The
intelligence agencies are making a full-court press with their proposals on information
warfare and information assurance. They're looking for budget money too."