7. Considerations Associated with NN-50 Implementation of MISSI Technology

7.1 MISSI Components Designed for the DoD Environment
7.2 Fortezza Infrastructure Required for DOE
7.3 DOE—First User of Beta Secure Network Server/Mail Guard Version 2B
7.4 Dissimilarities of MISSI Components
7.5 Multiplicity of MISSI Component Sources and Delivery Schedules
7.6 Doctrinal and Implementation Guidance Required for MISSI

7.1 MISSI Components Designed for the DoD Environment

The primary focus of MISSI is the DoD community, particularly the activities and requirements associated with the Defense Information Infrastructure. The Defense Message System, Global Command and Control System, Defense Information System Network, and Integrated Tactical and Strategic Digital Network are the initial targets for implementation. As such, the components currently being developed are designed with the DoD environment in mind. This focus on DoD users is not bad, but it does mean that additional work and testing may be required prior to the implementation of MISSI components by DOE.

7.2 Fortezza Infrastructure Required for DOE

The Fortezza card is the cornerstone of all the MLS tools being implemented or considered in the MISSI program. The Fortezza Plus card will provide these same services for SECRET Restricted Data and TOP SECRET information. But a crucial element of the implementation of the Fortezza card in the DOE environment has not been established to the level required for implementation and use of the Fortezza card outside of the Oak Ridge MLS Testbed. This element is the DOE Security Certificate Management Hierarchy. While the Fortezza card is not required for Phase 2 test activities in the MLS Testbed, the Fortezza card is required for Phase 3 test activities, for identification and authentication, digital signature, and nonrepudiation.
GSA is the CA for the civilian agencies. Initially, about 400 Fortezza cards will be required for NN-50. Later, depending on the number of Fortezza card users within DOE, multiple trusted CAs and CAWs may be needed. It is anticipated, but not tested, that each CA can administer and maintain database tables on 3,000 Fortezza cards loaded with User Certificates (Public and Private Keys). Depending on the number of DOE users and the changing responsibilities of those users, a significant hierarchy may need to be established. The individual responsible for DOE communication security (COMSEC) equipment has been identified as the DOE CA and the Organization Registration Authority. However, that one individual may not be enough in the future. The Department may need multiple positions at different levels, including Agency Sub-Registration Authority, Designated Agency Representative, and Directory Registration Official. In addition, the logistics associated with User Certificate assignment, as well as inventory control and updating, can be complicated, and there is also a training requirement to become a CA or Subordinate CA. Additional coordination with GSA will have to be conducted in the near future to establish the required hierarchy and positions in accordance with FIPS PUB 95-1.
Also, existing COMSEC implementation guidance must be modified to include details on distribution, handling, inventory control, and reporting of lost cards.
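The certificate management hierarchy the report says DOE must establish (a root CA, subordinate CAs, User Certificates on Fortezza cards, and reporting of lost cards) is easier to reason about with a small model. The Python below is an added illustration written for this page; it is not part of the report or of any MISSI product. It models per-CA capacity using the 3,000-card planning estimate quoted above, validation of a card's certificate chain up to a trusted root, and revocation of a card that has been reported lost. Signatures are stood in for by HMAC-SHA256 under an issuer secret, so the validator needs each issuer's secret (a real Fortezza certificate would be checked with the CA's public key); all CA names, secrets and user addresses are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Planning estimate quoted in the report (anticipated, not tested).
CARDS_PER_CA = 3000


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    is_ca: bool
    serial: int
    signature: bytes

    def to_be_signed(self) -> bytes:
        # Fields covered by the issuer's signature.
        return f"{self.subject}|{self.issuer}|{int(self.is_ca)}|{self.serial}".encode()


@dataclass
class CertAuthority:
    name: str
    secret: bytes                  # stand-in for the CA's private signing key
    registry: dict                 # shared trust store: name -> CertAuthority
    capacity: int = CARDS_PER_CA   # how many certificates this CA's database may hold
    cert: Optional[Certificate] = None
    issued: dict = field(default_factory=dict)   # serial -> Certificate
    revoked: set = field(default_factory=set)    # serials of cards reported lost

    def _sign(self, tbs: bytes) -> bytes:
        # HMAC-SHA256 stands in for the DSA signature a real CA would produce.
        return hmac.new(self.secret, tbs, hashlib.sha256).digest()

    def _make(self, subject: str, is_ca: bool) -> Certificate:
        if len(self.issued) >= self.capacity:
            raise RuntimeError(f"{self.name} is at capacity ({self.capacity}); a subordinate CA is needed")
        serial = len(self.issued) + 1
        unsigned = Certificate(subject, self.name, is_ca, serial, b"")
        cert = Certificate(subject, self.name, is_ca, serial, self._sign(unsigned.to_be_signed()))
        self.issued[serial] = cert
        return cert

    @classmethod
    def root(cls, name: str, secret: bytes, registry: dict, capacity: int = CARDS_PER_CA):
        ca = cls(name, secret, registry, capacity)
        ca.cert = ca._make(name, is_ca=True)     # self-signed trust anchor
        registry[name] = ca
        return ca

    def subordinate(self, name: str, secret: bytes, capacity: int = CARDS_PER_CA):
        sub = CertAuthority(name, secret, self.registry, capacity)
        sub.cert = self._make(name, is_ca=True)  # sub-CA certificate issued by this CA
        self.registry[name] = sub
        return sub

    def issue_card(self, user: str) -> Certificate:
        return self._make(user, is_ca=False)

    def revoke(self, serial: int) -> None:
        # Called when a card is reported lost: its certificate must no longer validate.
        self.revoked.add(serial)


def validate_chain(cert: Certificate, registry: dict, trusted_root: str, max_depth: int = 4):
    """Follow issuer links from a card certificate to the trusted root. Returns (ok, reason)."""
    current = cert
    for _ in range(max_depth):
        issuer = registry.get(current.issuer)
        if issuer is None:
            return False, f"unknown issuer {current.issuer!r}"
        if not hmac.compare_digest(issuer._sign(current.to_be_signed()), current.signature):
            return False, f"bad signature on certificate for {current.subject!r}"
        if current.serial in issuer.revoked:
            return False, f"certificate for {current.subject!r} revoked (card reported lost)"
        if current.subject == current.issuer:    # reached a self-signed anchor
            if current.subject == trusted_root:
                return True, f"chain ends at trusted root {trusted_root!r}"
            return False, f"untrusted root {current.subject!r}"
        if issuer.cert is None or not issuer.cert.is_ca:
            return False, f"{issuer.name!r} is not a certification authority"
        current = issuer.cert
    return False, "chain too long"


def build_demo_hierarchy(capacity: int = CARDS_PER_CA):
    """Constructed example: root CA, one subordinate CA, two user cards, one reported lost."""
    registry: dict = {}
    root = CertAuthority.root("DOE Root CA", b"root-secret", registry, capacity)
    sub = root.subordinate("DOE Sub CA 1", b"sub1-secret", capacity)
    active = sub.issue_card("user1@example.org")
    lost = sub.issue_card("user2@example.org")
    sub.revoke(lost.serial)
    return registry, active, lost


if __name__ == "__main__":
    registry, active, lost = build_demo_hierarchy()
    print(validate_chain(active, registry, "DOE Root CA"))
    print(validate_chain(lost, registry, "DOE Root CA"))
```

Running the block validates the active card and rejects the lost one; passing a small `capacity` to `build_demo_hierarchy` shows the point at which a CA's database is full and a further subordinate CA would have to be stood up, which is the sizing question the report raises for the DOE hierarchy.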

7.3 DOE—First User of Beta Secure Network Server/Mail Guard Version 2B

The Oak Ridge MLS Testbed team was the first Beta test site trained [at the vendor, SCC, in January 1996] in Version 2B of the SNS Mail Guard and is the first test site performing testing on the new version. Delays in the installation and testing activities have occurred because of hardware and software failures with the equipment. Some difficulties with a Beta version are to be expected, and Secure Computing Corporation has been very helpful in resolving issues as they arise.

7.4 Dissimilarities of MISSI Components

Because some of the MISSI components were developed early in the initiative, from 1993 to the present, some items are no longer available or have had hardware, software, name, or supplier changes. However, the Beta Test Sites factor this challenge into their testing plans and continue their efforts.

7.5 Multiplicity of MISSI Component Sources and Delivery Schedules

MISSI components are being developed by different organizations and have varying delivery schedules and functionality. Multiple sources are beneficial in terms of resource availability and reduced costs (competition). However, the implementation of MISSI components in a production environment requires availability in sufficient quantities and complete functionality.
Several MISSI components necessary for the implementation of Phase 3 (bidirectional information flow between the NN-50 unclassified and classified LANs) are still being developed: Directory System Agent, Mail List Agent, and Audit Manager. The Oak Ridge MLS Testbed team is working with the DOE MISSI Point of Contact to remain current on the status of these and other components and to determine alternatives (if available) to maintain the schedule established by NN-50 for MLS implementation.

7.6 Doctrinal and Implementation Guidance Required for MISSI

Organizational policies, structure, and procedures will have to be defined prior to the implementation of some of the MISSI technology in the NN-50 environment. The identification of the appropriate hierarchy, delegation of responsibilities, and development of procedures associated with the certification of Fortezza cards is one example of the need for implementation guidance prior to the installation within DOE. Physical security, accountability, key management, and recertification are some of the issues that will have to be resolved for the implementation of Fortezza cards within DOE.
Documentation, training, and maintenance support for the MISSI products also have to be created and established for the users in the field, and more of these items are being developed on a regular basis. For example, SCC provides training and field support for the SNS Mail Guard. Training courses and field support are also available for the CAW. While some of these activities are under way, additional work has to be done to enable organizations to implement MISSI technology. Whereas the MLS products can definitely enhance network security, they do not come without costs.