Press Release

FOR IMMEDIATE RELEASE

FOR ADDITIONAL INFORMATION:
ISS: Adam Paige: 212-798-9833, [email protected]
Oracle: Michael Sperling: 703.364.2225, [email protected]
NCSP: Doug McGinn: 202-715-1558, [email protected]
TechNet: Kate Kerkstra: 415-365-0458, [email protected] Palo Alto, Ca.

National Cyber Security Partnership Makes Recommendations
on Cyber Security Technical Standards and Common Criteria

WASHINGTON, D.C., April 19, 2004 – The National Cyber Security Partnership Task Force on Technical Standards and Common Criteria released a report today recommending strategies to reduce security vulnerabilities through standards-based solutions and enhancements to existing development, deployment, and testing processes.

"The security-worthiness of software is essential to the protection and operation of our nation's critical infrastructure. This report represents an unprecedented effort by vendors, academics and other experts to take a comprehensive look at the issue of technical security standards — from product configuration and documentation to deployment, vulnerability testing, certification and maintenance," said Mary Ann Davidson, Chief Security Officer, Oracle Corp., and co-chair of the Task Force on Technical Standards and Common Criteria. "It's clear that to improve the security of deployed software, vendors are going to have to step up and provide customers with 'secure by default' configurations and the tools to continuously validate and maintain security configurations. In addition, the Task Force recommendations will result in the kind of guidance and best practices geared toward making developers, buyers and users of software more security savvy."

"While vendors can and must step up and take responsibility for providing more secure products, the active support of government, user groups and consumers is critical to our success," said Chris Klaus, CTO of Internet Security Systems, and co-chair of the Task Force. "These recommendations require the contribution and action of end-users from support in testing products in ‘real world’ deployments to demanding their vendors provide more secure products and better documentation. The U.S. Government has a particular role to play by funding research on vulnerability assessment, providing needed resources to NIST, and improving the Common Criteria/NIAP evaluation to make it a viable, value-added process towards increasing security in products throughout our Nation's information infrastructure."

"Our Task Force report reflects the significant progress that can only be made when industry, government and other security experts partner together. Cyber security is a critical shared challenge and one that only shared action can address. We look forward to the community's response to our recommendations and the improvements to the nation's cyber security posture that will result," said Edward Roback, Chief of the Computer Security Division at the National Institute of Standards and Technology (NIST), who serves as the third co-chair of the Task Force.

Task Force members include a range of subject matter experts, including academics, CSOs, federal officials, and industry experts.

Task Force recommendations are targeted for both industry and government adoption and champion better ways of providing, measuring and maintaining security so that consumers can be more informed when they purchase and use software, related security devices, and hardware.

Recommendations focus on:
• Broadening recognition and adoption of existing standards and best practices;
• Furthering the use of existing capabilities through common software security configurations;
• Investing in federal research toward the development of better vulnerability analysis or "code scanning" tools that can identify software defects;
• Developing guidelines for secure equipment deployment and network architectures; and,
• Improving the "Common Criteria" process, used by vendors and customers to develop security specifications and conduct security evaluations.

About the National Cyber Security Partnership
Following the release of the White House National Strategy to Secure Cyberspace in February 2003 and the National Cyber Security Summit in December, the National Cyber Security Partnership was established to develop shared strategies and programs to better secure and enhance America’s critical information infrastructure. The partnership is led by TechNet, the Business Software Alliance, the Information Technology Association of America and the U.S. Chamber of Commerce.

TechNet served as secretariat for the partnership’s Technical Standards and Common Criteria Task Force. A copy of task force recommendations as well as other information, including participating organizations, is available on the National Cyber Security Partnership website at www.cyberpartnership.org. Other task forces on early warning, public awareness, and corporate governance have already released their recommendations, which are also available at the partnership website.

About TechNet
TechNet is a national, bipartisan network of CEOs that promotes the growth of technology industries and the economy by building long-term relationships between technology leaders and policymakers and by advocating a targeted policy agenda. TechNet, based in Silicon Valley, has offices in Boston, Austin, Seattle and Orange County (California). See www.technet.org for more information.