Minutes of the Meeting of the Computer Systems Security and Privacy Advisory Board
September 16-18, 1997
National Institute of Standards and Technology
Gaithersburg, MD

Tuesday, September 16, 1997

A quorum being present, the meeting was called to order by Chairman Willis Ware at 9:00 a.m. The Board Secretary, Ed Roback, welcomed everyone and reviewed the agenda and related handout materials that had been provided to the members. Those members in attendance were: Genevieve Burns, John Davis, Addison Fischer, John Layton, Randolph Sanovic [9/18 only], George Spix, George Trubow, Linda Vetter, Jim Wade, and Rick Weingarten. Members unable to attend were Joe Leo and Gloria Parker. All portions of the meeting were held in open, public session.

The Board extended a special welcome to its newest member, Jim Wade, Director, Fraud Management, AirTouch Cellular, who is serving as an industry, non-government representative.

The minutes of the June meeting were unanimously approved by the membership.

An alternative method of reimbursing Board members' expenses in accordance with applicable laws and regulations was presented and discussed. The new method will take effect on October 1, 1997.

Computer Security Act Revision Update

Mr. Richard Russell, Staff Director, House Technology Subcommittee, brought the Board up to date on activities relevant to H.R. 1903, the Computer Security Enhancement Act of 1997, which was briefed to the Board by Congresswoman Connie Morella at its June meeting. Mr. Russell stated that the Bill was to be introduced to the House for a vote later in the day, and it was expected to pass. He reviewed the few modifications that had been made to initial versions of the Bill and reiterated that the legislation still calls for the National Institute of Standards and Technology (NIST) to be the point agency for computer security among the federal agencies.
Other specific points contained in the Bill include: encouragement of the purchase of commercial off-the-shelf (COTS) products; development of a computer scientist fellowship program; the establishment of a national panel for digital signature; and an enhancement of the role of the Board, with authorization to issue public reports and conduct public meetings. Additional funding has also been requested in the DOC House Appropriations to be earmarked for the Board's use in performing these new activities. Russell indicated that they had received no response from NIST that would indicate that NIST would not be willing to support the provisions of this Bill.

In response to a question pertaining to the proposed Board funding mentioned in the legislation, Russell said that the authorization states that these funds cannot be absorbed into the main NIST program. He said that the Board may be able to help federal agencies and NIST come to a resolution on what agencies expect NIST to do and what NIST can, will, and should do for them. Expressing his personal observation, Mr. Russell said that federal agencies must start to take the issue of computer security seriously and that NIST needs to develop criteria that match the agencies' needs. He again encouraged the Board to work with NIST to develop a framework that accommodates the different opinions.

In regard to the establishment of a panel for digital signature, Russell said that this group would be housed at the Department of Commerce under the Technology Administration and that it should coordinate its activities with the Board and with NIST. The intention of the panel is to look at what needs to be done and determine the priorities, gathering input from as many parties as possible as to what has to happen.

Mr. Russell was asked to give an update of House activities regarding the various versions of the original House Goodlatte bill.
It will be up to the Rules Committee to determine which, if any, of them would be forwarded on to the floor for a vote. He agreed to provide the Board with future updates and invited them to contact him at their convenience.

Research and Development for Critical Information Protection

Board member John Davis, representing the President's Commission on Critical Infrastructure Protection, presented an overview of the research and development issues identified in the Commission's report [Reference #1]. He reviewed the mission of the Commission and its organizational structure. The five basic areas that they examined were energy, banking/finance, vital human services, physical distribution and information/communications. One of the issues investigated was the proper balance between the public and private sector for R&D investment, recognizing that R&D is only one piece of the overall infrastructure assurance puzzle. The Commission interviewed stakeholders and conducted workshops with suppliers, users and others. They developed a list of observations and grouped R&D needs into six topical categories: (1) information assurance; (2) monitoring and threat detection; (3) vulnerability assessment and systems analysis; (4) risk management and decision support; (5) protection and mitigation; and (6) contingency planning, incident response and recovery. It was noted that information assurance was the key component to the functioning of interdependent infrastructures and that a joint R&D effort involving government, industry and academia should be established.
They offered the following recommendations:
-- conduct a detailed analysis of infrastructure R&D needs and priorities prior to establishing a final national R&D program for infrastructure assurance;
-- designate appropriate government departments and agencies to manage infrastructure-specific R&D efforts;
-- promote the "science" of complex, interdependent systems and conduct in-depth research that addresses national infrastructure issues;
-- establish a national repository of validated infrastructure-related models and data (e.g. test beds);
-- create forums that bring together researchers, infrastructure owners and operators, and government to discuss common problems, requirements, and solutions; and
-- promote education, training, and certification programs to ensure proper implementation and utilization of new technologies, methods and tools.

Additionally, they recommended that R&D investments be doubled in FY1999 and increased by 20% per year thereafter for the next few years. Each of the five examined areas will have its own summary report, and implementation teams will move out after the full report is presented to the President. Mr. Davis said that the final report will contain policy recommendations.

Encryption Legislation Updates

Mr. Lynn McNulty, RSA Data Security, presented a review of the current status of legislation dealing with encryption and discussed the political dynamics underlying recent developments [Reference #2].
There have been a total of seven different pieces of cryptographic legislation introduced in the 105th Congress:
(1) HR695 [Goodlatte Bill], "Security and Freedom through Encryption Act (SAFE);"
(2) S.377 [Burns Bill], "Promotion of Commerce On-Line in the Digital Era (PRO-CODE);"
(3) S.376 [Leahy Bill], "Encrypted Communications Privacy Act of 1997;"
(4) S.909 [McCain/Kerrey/Hollings Bill], "The Secure Public Networks Act;"
(5) HR1964 [Markey Bill], "Communications Privacy and Empowerment Act;"
(6) HR1903 [Sensenbrenner Bill], "The Computer Security Enhancement Act of 1997;" and
(7) a draft FBI "Technical Assistance" bill [not introduced, reference].

He presented a copy of a table prepared by the Congressional Research Service that compared the language of HR695, S.376 and S.377. Mr. McNulty reported that the Burns, Leahy and Markey Bills have been overtaken by events for this congressional year. Since June, the Goodlatte Bill has been approved by the Judiciary and International Affairs Committees; referred to the National Security, Intelligence and Commerce Committees; and had significant amendments passed by the National Security and Intelligence Committees. Currently action is pending in the Commerce Committee. The McCain/Kerrey/Hollings legislation was introduced June 16 and approved by the Senate Commerce, Science and Transportation Committee June 19. A hearing is scheduled for July 9 before the Senate Judiciary Committee. The FBI bill has not been introduced but has been used heavily by the House Intelligence Committee. Mr. McNulty continued his review with actions taken by the House National Security and Intelligence Committees as well as the Commerce Committee.
He identified the political dynamics as follows: the nature of the debate has changed from an industry-led attack on export controls to domestic cryptography control legislation; there is concern about the Administration's promise of no domestic cryptographic legislation; and it is unclear whether this will undercut existing Administration initiatives to obtain voluntary industry cooperation. In his continued dialogue with the Board, Mr. McNulty indicated that he does not expect anything by the end of the year on this issue; there is a stalemate at this time. He expressed surprise that none of the recommendations from the National Research Council report were being considered as a possible resolution to this issue. He encouraged a review of these recommendations as an opportunity to refocus and begin anew.

National Information Assurance Partnership Program

Mr. Tim Grance, Manager of the Systems and Network Security Division, NIST, briefed the Board on the National Information Assurance Partnership Program (NIAP) testing/evaluation initiatives [Reference #3]. NIAP focuses on common criteria-related activities; accredits and supports commercial common criteria-based test laboratories; supports international development and recognition of protection profiles; establishes mutual recognition (MR) of common criteria-based evaluations; and supports government-industry partnership by developing protection profiles jointly with industry users and performing joint research in test methods and tools. The program is located at NIST headquarters and is funded jointly by NIST and the National Security Agency (NSA); resources include 20 staff from NIST, NSA and other organizations by the end of FY97, with an expectation of a total of 40 individuals by the end of FY98. Mr. Grance's presentation covered specification-based testing/evaluation; the common criteria (CC) and the CC testing program (CCTP); the NIAP security testing center; and the US/NIST and Canada/Communications Security Establishment (CSE) validation program.
He concluded his briefing by saying that this joint effort was established to encourage CC-based testing for security products and as a reference for international competitiveness and MR.

Development of 1998 CSSPAB Work Plan/Discussion Time

Next, the Board discussed the development of a work plan for 1998. The following topics were presented for consideration:
-- establish ad hoc working groups to develop specific topic areas for discussion at future meetings, with input of ideas from all members;
-- develop a privacy-related topic area [Weingarten];
-- review statistics of government computer systems [Layton];
-- review the recommendations of the "Computer Records and Rights of Citizens" report [Trubow];
-- review the recommendations of the "Computers at Risk" report [Burns];
-- hold three-day meetings with a focus of one day each on privacy and security, followed by a focus on "hot button" issues on the third day;
-- invite federal agency Chief Information Officers (CIOs) to present overviews of their respective agencies' computer systems and their computer security plans [Layton], and then develop a collective report of the outcome of these briefings [Roback].

Feedback from the Computer Security Program Managers' Forum Offsite

Board member Rick Weingarten represented the Board at a July meeting of the Computer Security Program Managers' Forum to brief them on the Board's findings from its June meeting, which covered the review of the Computer Security Act (CSA) of 1987 [Reference #4]. He reviewed with the Forum members the establishment of the Board as a result of the CSA, its membership and its mission. Mr. Weingarten explained the process for the Board's review of the CSA and who the invited speakers had been. He described the resolutions that the Board had proposed as a result of their review. The Forum members expressed their concerns and observations to Mr. Weingarten to take back to the Board for consideration.
They included:
-- until the CIOs put computer security higher on their list of priorities, it will not matter much what NIST does with or without more funding;
-- they would like to see the CSSPAB increase security awareness in the agencies; and
-- they would welcome more interaction between the Board and the Forum.

After further discussion, the Board recognized that in order to have a positive result, the CIO interaction with the Board needed to happen first. It was also suggested that some of the Board members become participants in CIO Council activities, and the Board will be given copies of future CIO Council minutes to keep them abreast of its actions.

Briefing on Justice Department's Computer Crime Initiative

Susan Kelly Koeppen, trial attorney with the Computer Crime and Intellectual Property Section of the U.S. Department of Justice, gave an overview of the activities of that office [Reference #5]. The unit originated in 1991 with five goals: (1) determine the scope of the computer crime problem; (2) coordinate law enforcement efforts; (3) train agents and prosecutors; (4) develop an international response; and (5) propose and comment on legislation. Computer crime could include espionage, computer intrusions, pornography, fraud and theft or embezzlement. She reviewed the scope of the problem and identified insider attacks as the greatest problem. In 1996, financial losses due to computer crime were over $100 million. The Department of Justice responded to this by increasing the number of attorneys in the Computer Crime Unit [which became the Computer Crime and Intellectual Property Section in 1996] from 5 to over 15.
In addition, they started the Computer and Telecommunications Coordinator (CTC) Program for AUSAs; created the Computer Investigations and Infrastructure Threat Assessment (CIITA) Center at FBI headquarters; and established three regional computer crime squads (New York, Washington, DC and San Francisco), with four more to be created in FY98 in Chicago, Los Angeles, Boston, and Dallas. There is one CIITA agent in each field office and there are CART agents in most field offices. Ms. Koeppen also reported that other federal law enforcement agencies such as the Secret Service, IRS, Customs and ATF have begun intensively training agents for high-tech investigations. The Federal Trade Commission, U.S. Postal Service, Securities and Exchange Commission and the Food and Drug Administration have also begun to conduct on-line investigations.

The Computer Crime Unit coordinates with the private sector through its Industry Information Group and its Internet Service Provider Working Group; by conducting CTC seminars annually; by holding Computer Crime and Electronic Search and Seizure lectures at the Federal Law Enforcement Training Center; and through the efforts of the NAAG training and publications group and the National White Collar Crime Center course for state and local prosecutors. Training is also brought to the international arena through active participation in international law development programs, as well as by conducting computer crime and intellectual property seminars in Russia, Latvia, Egypt and Argentina just this year. Legislative efforts seen recently include the 1996 amendments to the Computer Fraud and Abuse Act; the Economic Espionage Act; cryptography; and various possible legislative "fixes" so that laws keep pace with technology. Ms. Koeppen ended her presentation by pointing out the new challenges confronting computer crime issues.
They included unbreakable encryption, Internet gambling, intellectual property rights enforcement, electronic commerce and digital signatures, and "paperless" offices.

There being no further business for the day, the meeting was recessed at 5:15 p.m.

Wednesday, September 17, 1997

The meeting was reconvened at 9:05 a.m. by the Chairman. Mr. Roback announced that HR1903 had passed the House on a voice vote the previous afternoon.

Administration Updates on Encryption and Federal Security Issues

Bruce McConnell of the Office of Management and Budget presented a review of the latest encryption and federal security issues. Mr. McConnell noted that he also represented Mr. Edward DeSeve, CIO for the Office of Management and Budget, to whom the Board had extended an invitation to attend and address the activities of the CIO Council and related security topics. The CIO Council was formed as a result of an executive order in August of 1996. It has three major functions: (1) information sharing; (2) policy advice; and (3) planning of information technology throughout the federal government. This is, in effect, the outcome of the Information Technology Management Reform Act. The CIO Council consists of 28 agency members and has a subcommittee structure; its subcommittees include education and training, capital planning, Y2K, security, privacy and interoperability. Mr. McConnell presented highlights of several of these subcommittees' activities. He was very receptive to the Board's suggestion of inviting CIOs to attend future Board meetings and indicated that he would mention this at the CIO Council meeting that was scheduled for later in the day. He also encouraged the Board to consider recommending that NIST be made an official member of the CIO Council, even though there is already a representative from the Department of Commerce. If the Board has any advice on how the CIOs should monitor and gather management information, they should make such recommendations as well.
In response to a question on how agencies can assess the quality of security in their agency, McConnell indicated that sometime next spring, OMB is planning on making changes to Circular A-11 to revamp the reporting system and create a numerical series that the CIOs can use for their purposes. On the topic of encryption and proposed legislation, Mr. McConnell said that OMB's view recognizes the importance of the needs of law enforcement and national security and that these concerns are a significant part of the overall solution. Current legislation does not have this balance quite right, and he hopes that Congress continues to work to obtain an appropriate balance.

Mr. McConnell asked the Board's opinions on how they see the certificate authority (CA) market developing, what development impediments might exist, and how they might be resolved via any legislative changes. He wanted to know what sectors would most likely take advantage of this type of service and what the government should be doing in the CA area. Chairman Ware answered that the Board had not yet addressed this issue collectively; therefore, any views expressed would be based on individual observations.

PKI Activities Update

Donna Dodson, of NIST's Computer Security Division, brought the Board up to date on the activities of the NIST public key infrastructure (PKI) program [Reference #6]. She reviewed the vision and historical perspective of the effort. The PKI study is sponsored by agencies that include NIST, USPS, NASA, NSA, IRS, Department of State and Department of Treasury. The Federal PKI Steering Committee (FPKI) is a part of this project, under the direction of the GITS Champion for Security. There are over 50 PKI pilot activities currently underway. NIST chairs the FPKI technical working group.
Some of the technical contributions made by NIST included:
-- requirements for the FPKI;
-- FPKI concept of operations;
-- FPKI draft technical security policy;
-- support for multiple algorithms in the FPKI; and
-- long-term archive issues for the FPKI.

Ms. Dodson's presentation also covered the development activities, minimum interoperability specifications for PKI components, implementation projects, and initial implementation of a root CA. She reviewed an in-house project on a purchase request system that demonstrates signature technology using CA modules, X.509v3 certificates and token-based hardware. Other areas of interest to be pursued included:
-- testing and accreditation of CAs;
-- baseline security for FPKI components;
-- key management considerations in PKI;
-- modeling of certificate verification paths; and
-- modeling of PKI architectures.

It was also stated that the PKI area would be one of the Computer Security Division's major growth areas for the next fiscal year.

Key Recovery Activities Update

Elaine Barker of the NIST Computer Security Division reported on the key recovery demonstration project of the Key Recovery Task Group, Interagency Working Group on Cryptographic Policy [Reference #7]. Their objective is to demonstrate the viability of key recovery, as a security service, for federal business applications. It began in August 1996 and is expected to be completed by December 1997. The project does not recover digital signature keys, create a key management infrastructure, restrict the technology or method used for emergency access, or mandate which cryptography is used. Its federal business rationale is that if keys are not available, neither is the associated encrypted data – a method of key recovery is required. Ms. Barker covered the demonstration approach, the evaluation criteria, and the classes of pilots and the pilot selection criteria. There are 13 pilot applications within organizations such as DOE, U.S. Customs, NTIS, SBA, PTO, and FBI.
The industry selection criteria were: having an existing customer base within the federal government; representation of diverse products and services; and the ability to provide future products and services to support emergency access. NIST has been tasked to create and publish a broad agency announcement, install a root CA and perform testing with contractor support. Ms. Barker said that currently there was one full-time NSA person working with contractors; that demonstration videotaping had been completed for three pilots, with others to follow; that testing began in September; and that a public event is scheduled for early November.

FedCIRC Activities Update and Other Federal Activities

Mr. Tim Grance, Manager of the NIST System and Network Security Group, reviewed FedCIRC status, the National Information Systems Security Conference and other agency activities being done within the Computer Security Division [Reference #8]. FedCIRC was formally started in October 1996 to educate the federal community about the need for incident response to the increasing number of Internet-related incidents and the growing complexity of these threats and intrusions. He described the deliverables and services offered by FedCIRC. Their outreach activities included: conference presentations/booths; information packages; and agency/forum briefings. The training and awareness program has offered courses since June 1997 and will continue to offer courses through February 1998. Funding through September 1998 comes from subscriptions and GITS-appropriated money. The member agencies are the GSA Federal Supply Service, U.S. Customs, Department of Agriculture National Finance Center, the Department of State and the Bureau of Alcohol, Tobacco and Firearms. Future plans will focus on training and alternative funding mechanisms, working with the CIO Council and OMB.

Next, Mr. Grance discussed the upcoming National Information Systems Security Conference to be held October 7-10, 1997 in Baltimore, MD.
The conference is to feature General Tom Marsh as the keynote speaker, Dr. Peter Neumann at the closing plenary and Bran Ferren of Walt Disney Co. as the banquet speaker.

The Computer Security Division has provided agency assistance to the Department of Treasury, Department of Agriculture, Environmental Protection Agency, Library of Congress, Federal Information Systems Security Educators' Association, and the Computer Security Program Managers' Forum. They have issued Special Publications such as the NIST Security Handbook and Generally Accepted Principles and Practices for Securing Information Technology Systems, and have prepared a draft Internet Security Policy technical guideline and a draft Computer Security Plans document. They have updated Special Publication 500-172, and of the past 24 Information Technology Laboratory Bulletins issued, 15 have been computer-security related.

Draft Internet Security Policy Guide

Mr. Robert Bagwill of the NIST Systems and Network Security Group briefed the Board on the draft technical guide on Internet security policy [Reference #9]. The Board members received draft copies, and Bagwill solicited comments from them before the next version is distributed in early December. The topics to be covered in this guideline include: what a computer security policy is; why you need one for the Internet; risk profiling; business needs; and sample policy areas and examples in low-, medium- and high-risk environments.

NIST Computer Security Program Update

Dr. Stuart Katzke, Chief of the NIST Computer Security Division, gave an update on the NIST Computer Security Program [Reference #10]. He presented an overview of the history of the program and how it relates to the NIST and ITL missions. The identified constants of the program were: federal agencies as customers; collaboration with industry, both developers and users; acting as an "honest broker"; and focusing on testing.
The Computer Security Division has been responsible for the development of more than 10 security standards. They include the Data Encryption Standard (FIPS 46-2), the Cryptographic Module Security Requirements Standard (FIPS 140) and the Digital Signature and Hash Standards (FIPS 186/FIPS 180-1). They have just established a National Information Assurance Partnership Program focusing on common criteria-related activities. Support for the CSSPAB and for the Technical Advisory Committee for the Development of a Federal Information Processing Standard for a Federal Key Management Infrastructure is provided by the Division. There have been multi-agency demonstration and support projects such as PKI pilots, key recovery pilots, FedCIRC, and Health Insurance Portability and Accountability Act Security Standards committee work efforts. The Division has also provided direct agency assistance on projects with the Army Corps of Engineers, Treasury, NCS, NSA, EPA and Agriculture's National Finance Center.

The Board discussed whether it would be possible for the Congress to support a financial commitment specifically for the computer security program at NIST to enable it to provide computer security assistance to the federal agencies. In the past, this has been difficult to address because of the wording within the NIST mission. Members also noted that the CSA federal responsibility did not appear to be reflected in NIST's overall mission statement.

Role of Commercial Certification Authorities and Support of Government Needs

Mr. Stratton Sclavos, President and CEO of VeriSign, Inc., spoke to the Board on the role of commercial certification authorities and support of government needs [Reference #11]. VeriSign, Inc. was formed in April of 1995 and is a spin-off from RSA Data Security. It offers Internet-based certification authority (CA) services that issue and manage certificates for the consumer and corporate markets.
Its employment base is approximately 150 employees in the United States, Japan and Europe. Mr. Sclavos reviewed the criteria needed to be a CA. He said that the commercial sector will need to work with the government on issues such as the need for accreditation, guidelines and "good housekeeping" seals of approval. Something like a certification practice statement needs to be developed that must be followed to establish trust. There will be many more CAs initiated, as there are many more uses for this technology than might have been previously envisioned. Key recovery will be necessary for many business customers. He strongly supports the separation of the CA from key recovery for stored material and, for secure communications needs, holds that there must be an evaluation of the situation and of what service will be provided. In general, the holistic approach today should be to view the situation on an application-by-application basis, considering the value of the information and the probability of risk. Mr. Sclavos said he had no specific views on the telephony issue but believes that everything will eventually be transmitted over public networks. Government should not attempt to drive any legislation covering the insurance arena at this point in time.

There being no further business for the day, the meeting recessed at 5:00 p.m.

Thursday, September 18, 1997

The meeting was reconvened at 9:10 a.m.

AES and Crypto Standards Update

Ed Roback discussed the current activities on AES and cryptography standards [Reference #12]. He reviewed NIST's initial set of goals and past history in this area. A call for algorithms for an Advanced Encryption Standard was announced on September 12, 1997. Some of the issues identified were: key size(s), block size(s), intellectual property, stream vs. block cipher, open process, tweaking vs. major changes, and NIST activities and public evaluation.
The development process is expected to include several AES conferences for review, analysis and evaluation of candidate submissions. It is anticipated that three months after the last conference is completed, NIST will make a selection(s) and publish the draft(s) for a three-month comment period. After responding to any public comments received, NIST will make a recommendation to the Secretary of Commerce.

PEBES Briefing

Mr. John Sabo, Director of the Social Security Administration's Electronic Services Staff, conducted a briefing on the online personal earnings and benefit estimate service (PEBES) and lessons learned about balancing access and privacy [Reference #13]. The first SSA online services began in May 1994 and progressed to the PEBES online request in 1996. Sabo said that since May 1994 over 1.7M customers and 27M files have been served. The overall public reaction to these services has been very positive. There is a mandate that, beginning in 1999, PEBES will be mailed annually to 120M taxpayers over the age of 25. In March 1997, full Internet testing began with selected test partners. This testing included additional security features addressing browser "caching", fraud warnings on online request forms, and extra penetration testing of the data center. Customer authentication requirements consisted of five elements to match against SSA's own records: name, social security number, date of birth, place of birth and mother's maiden name. Sabo said that educating the public on the use of the Internet is one of the bigger problems out there. He also remarked that the problem goes beyond SSA-related issues. Adding controversy to the PEBES issue were general public perception and reports of misinformation by the media. In response to these criticisms, SSA conducted six nationwide forums, which consisted of privacy, systems security and business panels. Over 5,000 comments from Web users were received.
The resulting general consensus was:
-- access to online PEBES is important [broad access is important];
-- additional disclosure-authentication safeguards are needed to assure privacy;
-- education, informed choice and public confidence in the system are critical; and
-- there is a need to partner with the private sector and other agencies to move to stronger systems.

Mr. Sabo reviewed SSA's short-term and long-term commitments to this effort. Actions will include emphasis on systems security, electronic auditing, investigations and pursuit of prosecutions. Lessons learned pointed out that privacy and stakeholder input were very important and that there need to be revisions to the privacy regulations to address online services. There is a need for public education to build customer confidence, and industry should accept the responsibility of debugging its products before putting them on the market. Mr. Sabo concluded his remarks by inviting the Board's opinion on how to establish a mechanism for stakeholder input on privacy and systems.

Update on Postal Service Activities with Certificate Authorities

Mr. Joseph Wackerman, Attorney in the Corporate Law Section of the U.S. Postal Service (USPS), discussed their views and plans for using CAs. Resources have been committed to evaluate the market as well as to evaluate the role the USPS should play. They plan to use CAs for a variety of applications, first deciding functionality, then marketability, followed by testing against marketplace applications. Mr. Wackerman described the Postal Service programs that will require CAs. They included: the Information-Based Indicium Program (IBIP); stamps-on-line for people who want to purchase stamps over the Internet; the electronic postmark test; WINGS, a system to provide one-stop shopping for various government services; and the desktop post office for small businesses initiative.
Also, the Postal Service needs to ensure a secure change-of-address system and a secure messaging system for procurement and human resources. He sees the CA service as application-specific and said that there is interest in showing commercially useful applications inside the Postal Service.

Unfinished Business and Planning for December 1997 Meeting

Mr. Davis provided the Board with copies of the response NSA prepared to a question presented to the Board at its June 1997 meeting (via e-mail) by Mr. Jeff deMello of the Oracle Corporation [Reference #14].

Board member Jim Wade introduced a draft resolution. After discussion and deliberation, the Board passed Resolution 97-4 [Attachment #1], which commended NIST's FedCIRC activity and recommended that NIST, DOC, GITS, OMB, the CIO Council and other interested federal agencies identify and provide a source of funding for this effort to be continued.

Action items discussed for the focus of the December meeting agenda included:
-- update on the Sensenbrenner legislation and discussion of the Board's reaction if it passes;
-- use of a Federal Register notice to solicit comments from the public on what issues the Board should address in the future;
-- invite CIOs to the meeting to ascertain the computer security efforts within their respective agencies, and prepare a set of questions for them to answer on this topic;
-- look into the process of how the national security arena developed its annual report on the state of security;
-- invite a CIO from a commercial company to address a similar set of questions as posed to the federal agencies, to have as a benchmark; and
-- invite a presentation by a representative from Ernst and Young to overview a recent survey that they prepared on top private sector CIOs.

There being no public participation or further business, the meeting was adjourned at 12 noon.
Attachments
#1 Resolution 97-4

References:
#1 Davis presentation
#2 McNulty presentation
#3 Grance presentation
#4 Weingarten presentation
#5 Koeppen presentation
#6 Dodson presentation
#7 Barker presentation
#8 Grance presentation
#9 Bagwill presentation
#10 Katzke presentation
#11 Sclavos presentation
#12 Roback presentation
#13 Sabo presentation
#14 Davis handout