Debora Plunkett, director of the NSA’s Information Assurance Directorate, told the audience at the Trusted Computing Conference in Orlando that she plans to sign the advisory later this week, signaling the NSA’s endorsement of the TPM specification. The advisory will apply to commercial off-the-shelf (COTS) security software and information assurance (IA)-enabled IT products purchased by government agencies when used to protect information related to national security systems.
Reading directly from the draft advisory, Plunkett noted:
“All COTS, IA, and IA-enabled IT products acquired for the use to protect information on National Security Systems shall comply with the requirements of the NIAP [National Information Assurance Partnership] program in accordance with NSA-approved processes and where applicable the requirements of the FIPS [Federal Information Processing Standards] cryptographic validation program. In light of the fact that hardware and firmware-based security mechanisms can enhance the overall security of IA and IA-enabled IT products, TPMs should be used”.
The IAD’s advisory will not require TPMs for purchases; it simply recommends use of the specification and gives a green light for its use by government agencies responsible for maintaining national security systems. What Plunkett’s preview of the advisory did make clear is that as of January 15, 2015, all TPMs “for COTS, IA and IA-enabled IT products” must satisfy CNSSP 11 requirements, the policy governing the evaluation process for software and related IT products purchased and used with national security systems.
The announcement dovetailed with the broader theme of Plunkett’s address, which highlighted the importance of a standards-based approach to information security. “Because security risks occur both in hardware and software platforms, we have to take a holistic approach while we devise our solutions”, she commented. “We can’t create the trusted platform in a vacuum. We need to have a community of people come together with common understanding of the purposes and uses of this technology in order to ensure our mission.”
Plunkett said that information security products and solutions should be aligned with what she described as “foundational security principles” rather than follow the more typical approach of solving a narrow problem. Advocating a standards-based rather than proprietary approach to commercial security solutions, Plunkett said that, by aligning with these principles, newly developed products will be less likely to fall behind in the face of evolving threats.
“This is because underlying security principles and problems are not as dynamic as technologies and threats”, she continued. “Principle-based security achieves cost-effective, secure means to operate amid the technology chaos.”
The NSA’s IAD director concluded that a proprietary approach to security is a losing strategy, lacking the diversity provided by one based on a broad set of commonly accepted options from which to choose. “Standards-based approaches to deliver security solutions ensure global interoperability in an increasingly open ecosystem with fading traditional borders”, she advised. “Standards are not an option – they are the only approach.”