Cryptography's Role In Securing The Information Society

Appendix N Continued

[N.3 commences p. 627.]

__________________________________________________________________

N.3 MEMORANDUMS OF UNDERSTANDING (MOU) AND AGREEMENT (MOA)

N.3.1 National Security Agency/National Institute of Standards and Technology MOU

Memorandum of Understanding Between the Director of the National Institute of Standards and Technology and the Director of the National Security Agency Concerning the Implementation of Public Law 100-235

[628]

Recognizing that:

A. Under Section 2 of the Computer Security Act of 1987 (Public Law 100-235), (the Act), the National Institute of Standards and Technology (NIST) has the responsibility within the Federal Government for:

   1. Developing technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in Federal computer systems as defined in the Act; and,

   2. Drawing on the computer system technical security guidelines of the National Security Agency (NSA) in this regard where appropriate.

B. Under Section 3 of the Act, the NIST is to coordinate closely with other agencies and offices, including the NSA, to assure:

   1. Maximum use of all existing and planned programs, materials, studies, and reports relating to computer systems security and privacy, in order to avoid unnecessary and costly duplication of effort; and,

   2. To the maximum extent feasible, that standards developed by the NIST under the Act are consistent and compatible with standards and procedures developed for the protection of classified information in Federal computer systems.

C. Under the Act, the Secretary of Commerce has the responsibility, which he has delegated to the Director of NIST, for appointing the members of the Computer System Security and Privacy Advisory Board, at least one of whom shall be from the NSA.
Therefore, in furtherance of the purposes of this MOU, the Director of the NIST and the Director of the NSA hereby agree as follows:

I. The NIST will:

   1. Appoint to the Computer Security and Privacy Advisory Board at least one representative nominated by the Director of the NSA.

   2. Draw upon computer system technical security guidelines developed by the NSA to the extent that the NIST determines that such guidelines are consistent with the requirements for protecting sensitive information in Federal computer systems.

   3. Recognize the NSA-certified rating of evaluated trusted systems under the Trusted Computer Security Evaluation Criteria Program without requiring additional evaluation.

   4. Develop telecommunications security standards for protecting sensitive unclassified computer data, drawing upon the expertise and products of the National Security Agency, to the greatest extent possible, in meeting these responsibilities in a timely and cost effective manner.

   5. Avoid duplication where possible in entering into mutually agreeable arrangements with the NSA for the NSA support.

   6. Request the NSA's assistance on all matters related to cryptographic algorithms and cryptographic techniques including but not limited to research, development, evaluation, or endorsement.

[629]

II. The NSA will:

   1. Provide the NIST with technical guidelines in trusted technology, telecommunications security, and personal identification that may be used in cost-effective systems for protecting sensitive computer data.

   2. Conduct or initiate research and development programs in trusted technology, telecommunications security, cryptographic techniques and personal identification methods.

   3. Be responsive to the NIST's requests for assistance in respect to all matters related to cryptographic algorithms and cryptographic techniques including but not limited to research, development, evaluation, or endorsement.

   4. Establish the standards and endorse products for application to secure systems covered in 10 USC Section 2315 (the Warner Amendment).

   5. Upon request by Federal agencies, their contractors, and other government-sponsored entities, conduct assessments of the hostile intelligence threat to federal information systems, and provide technical assistance and recommend endorsed products for application to secure systems against that threat.

III. The NIST and the NSA shall:

   1. Jointly review agency plans for the security and privacy of computer systems submitted to NIST and NSA pursuant to section 6(b) of the Act.

   2. Exchange technical standards and guidelines as necessary to achieve the purposes of the Act.

   3. Work together to achieve the purposes of this memorandum with the greatest efficiency possible, avoiding unnecessary duplication of effort.

   4. Maintain an ongoing, open dialogue to ensure that each organization remains abreast of emerging technologies and issues affecting automated information system security in computer-based systems.

   5. Establish a Technical Working Group to review and analyze issues of mutual interest pertinent to protection of systems that process sensitive or other unclassified information. The Group shall be composed of six federal employees, three each selected by NIST and NSA and to be augmented as necessary by representatives of other agencies. Issues may be referred to the group by either the NSA Deputy Director for Information Security or the NIST Deputy Director or may be generated and addressed by the group upon approval by the NSA DDI or NIST Deputy Director. Within days of the referral of an issue to the Group by either the NSA Deputy Director for Information Security or the NIST Deputy Director, the Group will respond with a progress report and plan for further analysis, if any.

   6. Exchange work plans on an annual basis on all research and development projects pertinent to protection of systems that process sensitive or other unclassified information, including trusted technology, for protecting the integrity and availability of data, telecommunications security and personal identification methods. Project updates will be exchanged quarterly, and project reviews will be provided by either party upon request of the other party.

   7. Ensure the Technical Working Group reviews prior to public disclosure all matters regarding technical systems security techniques to be developed for use in protecting sensitive information in federal computer systems to insure they are consistent with the national security of the United States. If NIST [630] and NSA are unable to resolve such an issue within 60 days, either agency may elect to raise the issue to the Secretary of Defense and the Secretary of Commerce. It is recognized that such an issue may be referred to the President through the NSC for resolution. No action shall be taken on such an issue until it is resolved.

   8. Specify additional operational agreements in annexes to this MOU as they are agreed to by NSA and NIST.

IV. Either party may elect to terminate this MOU upon six months written notice. This MOU is effective upon approval of both signatories.

RAYMOND G. KAMMER, Acting Director, National Institute of Standards and Technology, 24 March 1989

W.O. STUDEMAN, Vice Admiral, U.S. Navy; Director, National Security Agency, 23 March 1989

[630]

N.3.2 National Security Agency/Federal Bureau of Investigation MOU

Memorandum of Understanding Between Federal Bureau of Investigation and National Security Agency

(u) 1. *Purpose*. This Memorandum of Understanding (MOU) implements those portions of the Department of Defense E.O. 12036 replaced by 12333 (see 12333 para. 3.6) procedures that regulate the provision by NSA of specialized equipment, technical knowledge, and expert personnel to the FBI. (The applicable procedures are attached.)

(u) 2. *Background*. The National Security Agency possesses unique skills and equipment developed to support its cryptologic mission. In the past, the Federal Bureau of Investigation has requested, and NSA has provided, assistance related to these skills and equipment for both the Bureau's intelligence and law enforcement functions. Section 2-309(c) of E.O. 12036 permits NSA to continue providing such assistance.

(u) 3. *Agreement*. The undersigned parties, representing their respective agencies, hereby agree to the following procedures for requesting and providing such assistance in the future:

   a. When the FBI determines that the assistance of NSA is needed to accomplish its lawful functions, the FBI shall:

      (1) determine whether the requested assistance involves the Bureau's intelligence or law enforcement missions. Since a counterintelligence or counterterrorism intelligence investigation can develop into a law enforcement investigation, the following guidelines will be used to determine which type of investigation the FBI is conducting. A counterintelligence or counterterrorism investigation which is undertaken to protect against espionage and other clandestine intelligence activities, sabotage, international terrorist activities or assassination [631] conducted for or on behalf of foreign powers does not have a law enforcement purpose until such time as the focus of the investigation shifts from intelligence gathering to prosecution.

      (2) coordinate with the appropriate NSA element to determine whether NSA is capable of providing the assistance;

      (3) notify the Office of General Counsel, NSA, that a request for assistance is being considered; and

      (4) if NSA is able to provide the assistance, provide a certification to the General Counsel, NSA, that the assistance is necessary to accomplish one or more of the FBI's lawful functions. In normal circumstances, this certification shall be in writing and signed by an Assistant Director or more senior official. If the assistance involves provision of expert personnel and is for a law enforcement purpose, the certification must be signed by the Director, FBI, and shall include affirmation of the facts necessary to establish the provisions of Section 4.A., Procedure 16, DoD Regulation 5240.1-R. In an emergency, the certification may be oral, but it shall be subsequently confirmed in writing. If the assistance requested is for the support of an activity that may only be conducted pursuant to court order or Attorney General authorization, the certification shall include a copy of the order or authorization. If the requested assistance is to support an intelligence investigation which subsequently develops into a law enforcement investigation, the FBI shall provide the additional supporting data required by Procedure 16.

   b. When the FBI requests assistance from NSA, NSA shall:

      (1) determine whether it is capable of providing the requested assistance;

      (2) determine whether the assistance is consistent with NSA policy, including protection of sources and methods;

      (3) agree to provide assistance within its capabilities and when consistent with NSA policy after receipt of the certification discussed in a.(4) above; and

      (4) if the assistance requires the detailing of expert personnel, observe the administrative requirements of Procedures 16 and 17, DoD Regulation 5240.1-R.

(u) 4. *Effective Date*. This MOU is effective upon signature by the parties below. It remains in effect until superseded by a new MOU or until Section 2-309(c) of E.O. 12036 is revised. Changes to this MOU may be made by joint agreement of the undersigned or their successors.

WILLIAM H. WEBSTER, Director, Federal Bureau of Investigation

B.R. INMAN, Vice Admiral, U.S. Navy, Director, NSA/Chief, CSS

[632]

N.3.3 National Security Agency/Advanced Research Projects Agency/Defense Information Systems Agency MOA

Information Systems Security Research Joint Technology Office

Memorandum of Agreement Between The Advanced Research Projects Agency, The Defense Information Systems Agency, and The National Security Agency Concerning The Information Systems Security Research Joint Technology Office

Purpose

The Advanced Research Projects Agency (ARPA), the Defense Information Systems Agency (DISA), and the National Security Agency (NSA) agree to the establishment of the Information System Security Research Joint Technology Office (ISSR-JTO) as a joint activity. The ISSR-JTO is being established to coordinate the information systems security research programs of ARPA and NSA. The ISSR-JTO will work to optimize use of the limited research funds available, and strengthen the responsiveness of the programs to DISA, expediting delivery of technologies that meet DISA's requirements to safeguard the confidentiality, integrity, authenticity, and availability of data in Department of Defense information systems, provide a robust first line of defense for defensive information warfare, and permit electronic commerce between the Department of Defense and its contractors.

Background

In recent years, exponential growth in government and private sector use of networked systems to produce and communicate information has given rise to a shared interest by NSA and ARPA in focusing government R&D on information systems security technologies. NSA and its primary network security customer, DISA, have become increasingly reliant upon commercial information technologies and services to build the Defense Information Infrastructure, and the inherent security of these technologies and services has become a vital concern.
From ARPA's perspective, it has become increasingly apparent that security is critical to the success of key ARPA information technology initiatives. ARPA's role in fostering the development of advanced information technologies now requires close attention to the security of these technologies.

NSA's security technology plan envisions maximum use of commercial technology for sensitive but unclassified applications, and, to the extent possible, for classified applications as well. A key element of this plan is the transfer of highly reliable government-developed technology and techniques to industry for integration into commercial off-the-shelf products, making quality-tested security components available not only to DoD but to the full spectrum of government and private sector users as well.

ARPA is working with its contractor community to fully integrate security into next generation computing technologies being developed in all its programs, and working with the research community to develop strategic relationships with industry so that industry will develop modular security technologies with the capability of exchanging appropriate elements to meet various levels of required security.

NSA and ARPA now share a strong interest in promoting the development [633] and integration of security technology for advanced information systems applications. The challenge at hand is to guide the efforts of the two agencies in a way that optimizes use of the limited research funds available and maximizes support to DISA in building the Defense Information Infrastructure.

NSA acts as the U.S. Government's focal point for cryptography, telecommunications security, and information systems security for national security systems. It conducts, approves, or endorses research and development of techniques and equipment to secure national security systems. NSA reviews and approves all standards, techniques, systems, and equipment related to the security of national security systems.
NSA's primary focus is to provide information systems security products, services, and standards in the near term to help its customers protect classified and national security-related sensitive but unclassified information. It develops and assesses new security technology in the areas of cryptography, technical security, and authentication technology; endorses cryptographic systems protecting national security information; develops infrastructure support technologies; evaluates and rates trusted computer and network products; and provides information security standards for DoD. Much of the work in these areas is conducted in a classified environment, and the balancing of national security and law enforcement equities has been a significant constraint.

ARPA's mission is to perform research and development that helps the Department of Defense to maintain U.S. technological superiority over potential adversaries. At the core of the ARPA mission is the goal to develop and demonstrate revolutionary technologies that will fundamentally enhance the capability of the military. ARPA's role in fostering the development of advanced computing and communications technologies for use by the DoD requires that long term solutions to increasing the security of these systems be developed. ARPA is interested in commercial or dual-use technology, and usually technology that provides revolutionary rather than evolutionary enhancements to capabilities. ARPA is working with industry and academia to develop technologies that will enable industry to provide system design methodologies and secure computer, operating system, and networking technologies.

NSA and ARPA research interests have been converging in these areas, particularly with regard to protocol development involving key, token, and certificate exchanges and processes. One of the key differences between ARPA's work and NSA's is that ARPA's is performed in unclassified environments, often in university settings. This enables ARPA to access talent and pursue research strategies normally closed to NSA due to security considerations. Another difference is that while NSA's research is generally built around developing and using specific cryptographic algorithms, ARPA's approach is to pursue solutions that are independent of the algorithm used and allow for modularly replaceable cryptography. ARPA will, to the greatest extent possible, allow its contractor community to use cryptography developed at NSA, and needs solutions from NSA on an expedited basis so as not to hold up its research program.

DISA functions as the Department of Defense's information utility. Its requirements for information systems security extend beyond confidentiality to include protection of data from tampering or destruction and assurance that data exchanges are originated and received by valid participants. DISA is the first line [634] of defense for information warfare, and needs quality technology for detecting and responding to network penetrations. The growing vulnerability of the Defense information infrastructure to unauthorized access and use, demonstrated in the penetration of hundreds of DoD computer systems during 1994, makes delivery of enabling security technologies to DISA a matter of urgency.

The Information Systems Security Research Joint Technology Office

This MOA authorizes the ISSR-JTO as a joint undertaking of ARPA, DISA, and NSA. It will perform those functions jointly agreed to by these agencies. Each agency shall delegate to the ISSR-JTO such authority and responsibility as is necessary to carry out its agreed functions. Participation in the joint program does not relieve ARPA, DISA, or NSA of their respective individual charter responsibilities, or diminish their respective authorities. A Joint Management Plan will be developed to provide a detailed definition of the focus, objectives, operation, and costs of the Joint Technology Office.
The ISSR-JTO will be jointly staffed by ARPA, DISA, and NSA, with respective staffing levels to be agreed upon by the three parties. Employees assigned to the JTO will remain on the billets of their respective agency. Personnel support for employees assigned to the JTO will be provided by their home organization. The ISSR-JTO will be housed within both ARPA and NSA, except as agreed otherwise by the three parties. To the greatest extent possible, it will function as a virtual office, using electronic connectivity to minimize the need for constant physical colocation. Physical security support will be provided by the party responsible for the specific facilities occupied. Assignment of the ISSR-JTO Director, Deputy Director, and management of other office elements will be made by mutual agreement among the Directors of ARPA, DISA, and NSA upon recommendation of their staffs.

Functions

By mutual agreement of ARPA, DISA, and NSA, the ISSR-JTO will perform the following joint functions:

+ Review and coordinate all Information System Security Research programs at ARPA and NSA to ensure that there is no unnecessary duplication, that the programs are technically sound, that they are focused on customer requirements where available, and that long term research is aimed at revolutionary increases in DoD security capabilities.

+ Support ARPA and NSA in evaluating proposals and managing projects arising from their information systems security efforts, and maintain a channel for the exchange of technical expertise to support their information systems security research programs.

+ Provide long range strategic planning for information systems security research. Provide concepts of future architectures which include security as an integral component and a road map for the products that need to be developed to fit the architectures, taking into account anticipated DoD information systems security research needs for command and control, intelligence, support functions, and [635] electronic commerce. The long range security program will explore technologies which extend security research boundaries.

+ Develop measures of the effectiveness of the information systems security research programs in reducing vulnerabilities.

+ Work with DISA, other defense organizations, academic, and industrial organizations to take new information systems security research concepts and apply them to selected prototype systems and testbed projects.

+ Encourage the U.S. industrial base to develop commercial products with built-in security to be used in DoD systems. Develop alliances with industry to raise the level of security in all U.S. systems. Bring together private sector leaders in information systems security research to advise the JTO and build consensus for the resulting programs.

+ Identify areas for which standards need to be developed for information systems security.

+ Facilitate the availability and use of NSA certified cryptography within information systems security research programs.

+ Proactively provide a coherent, integrated joint vision of the program in internal and public communications.

Program Oversight and Revisions

The Director, ISSR-JTO, has a joint reporting responsibility to the Directors of ARPA, DISA, and NSA. The Director, ISSR-JTO, will conduct a formal Program Status Review for the Directors of ARPA, DISA, and NSA on an annual basis, and will submit mid-year progress reports between formal reviews. Specific reporting procedures and practices of the JTO to ARPA, DISA, and NSA will be detailed in the Joint Technology Management Plan.

This MOA will be reviewed at least annually, and may be revised at any time, based on the mutual consent of ARPA, DISA, and NSA, to assure the effective execution of the joint initiative. Any of the parties may withdraw from participation in the MOA upon six months written notice. The MOA is effective 2 April 1995.

Dr. Gary L. Denman, Director, ARPA

LtGen Albert J. Edmonds, Director, DISA

VADM John M. McConnell, Director, NSA

Dr. Anita K. Jones, Director, DDR&E

Emmett Paige, Jr., Assistant Secretary of Defense for Command, Control, Communications and Intelligence

[End N.3]