Multi-Level Security Strategies for the Federal Government

Market Impact Analysis


Copyright © 2005

All rights reserved


Editorial Director

John Persinos

Research Associate

David Evancha


This document was developed with IBM funding. Although the document may utilize publicly available material from various vendors, including IBM, it does not necessarily reflect the positions of such vendors on the issues addressed in this document.


Part 2: Market Impact Analysis

National Security Requirements in the Post-9/11 Era

Today, the federal government must respond to new threats and undertake new missions in Internet time. The demand for concerted, coordinated action among military, intelligence and law enforcement agencies has never been greater, placing new and unprecedented stresses on the critical infrastructure of the national security community.

It has also placed new requirements for sharing sensitive information over a new, more open architecture. For instance, new Department of Homeland Security (DHS) initiatives have significantly broadened the base of agencies and non-classified personnel that require access to sensitive data. Classified information must be broadly exchanged and jointly evaluated, leading to an explosion in the quantity of restricted files that must be shared.

Under these conditions, ensuring the integrity of that information and limiting its access to authorized personnel has become a significant challenge. Traditional boundaries between agencies are being taken down, and established efforts to compartmentalize data by agency and security level are proving inadequate for new mission imperatives. Thus, two trends are driving the development of more effective ways to secure the integrity of data, sources and methods based on the principles of multi-level security (MLS):

New, more flexible n-tier enterprise infrastructures that support Web Services are replacing legacy systems that kept automation initiatives "stove-piped" in their respective departments; and

The new mission of the national security community calls for more effective sharing of real-time data in a secure manner.

New Mission, New Requirements

As the complexities of ensuring data security have grown, the old approach of relying on fixed formats, rigorously controlled guards and stove-piped systems is no longer up to the task. The underlying technology has become too cumbersome to manage effectively; a new way of appropriately sharing data among larger groups of people at various levels of clearance is needed.

The traditional approach to enforcing Multiple Security Levels (MSL) is for each federal agency to operate a separate computing infrastructure for each level of security authorization in force at that agency. A discrete network with one set of servers and storage devices is deployed for top secret data; another is maintained for secret data and yet another for unclassified data (in some cases, all classifications of data are replicated on the servers with the highest security ratings). The total number of networks that must be maintained is a function of the number of security levels times the number of agencies with access to classified data. This makes for a very large number of networks and a very unwieldy infrastructure.

Although costly and complicated, the MSL framework has provided a high degree of security assurance for intra-agency operations. But as the number and variety of inter-agency operations grows, the amount of data that must be exchanged among multiple networks with different levels of authorization increases geometrically, creating an untenable management burden. Ensuring that the appropriate information reaches the appropriate people with a high level of assurance requires a more streamlined approach.

The seriousness of the need to implement access controls has spawned a Common Criteria evaluation process to establish a product's adherence to security standards. One set of standards is the Controlled Access Protection Profile (CAPP). CAPP specifies a set of security functions and assurance requirements. Products in compliance with CAPP support access controls that enforce limitations on individual access. Compliance also indicates a level of protection appropriate for a non-hostile user community requiring protection against inadvertent security breaches. The level of compliance is set by the evaluation assurance level (EAL) of the product.

Multi-Level Security

A better architecture for inter-agency data sharing is multi-level security or MLS. This approach dates back to the 1980s, when the Department of Defense (DoD) established guidelines and requirements for maintaining data processing security at its computing installations. These were published in the Department of Defense Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, known more widely as TCSEC or the Orange Book, and they were applied to private companies working under government contract as well as to a broad spectrum of federal, state and local agencies.

Under these guidelines, computer systems were evaluated by the National Security Agency (NSA), and they received a designation ranging from D (least secure) to A1 (most secure), depending on the degree to which they adhered to the DoD criteria. These define a security policy that classifies data and users based on a system of hierarchical security levels. To this end, MLS has two primary goals.

First, establish controls that prevent users from accessing information at a higher classification than their authorization permits; and

Second, ensure that the controls prevent unauthorized users from declassifying information.

From an operational standpoint MLS offers tremendous advantages over the multiple security level strategy, because it does not require separate networks with separate servers in order to enforce different levels of security clearance. Effectively implemented, MLS systems ensure that data can be consolidated onto a single infrastructure, while maintaining the highest levels of assurance that it can only be accessed by authorized users.

Therefore, in this distributed computing and communications context an MLS-compliant system must have the following characteristics:

The system must control access to resources.

The system cannot allow a stored "shared resource" to be reused until it is purged of residual data.

The system must enforce accountability by requiring each user to be identified and by creating audit records that associate security-related events with the users that initiate them.

The system must label all hardcopy and electronic data with relevant security information.

The system must be able to hide the names of data sets, files and directories from users who do not have the "need-to-know" to access them.

The system cannot allow an unauthorized user to declassify data by "writing down" to a lower classification than the classification at which the data was originally created.
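The two MLS goals above (no reading above one's clearance, no declassifying by writing down) and several of the listed characteristics (access control on every request, audit records tied to the requesting user, hidden object names, purging a resource before reuse) can be shown concretely with a small reference monitor. The following Python is an added illustration, not code from this report or from any vendor product it mentions; it implements the classic Bell-LaPadula style rules (simple security property and *-property) over a label lattice of a hierarchical level plus need-to-know compartments. All names (levels, subjects, objects, file contents) are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Optional


class Level(IntEnum):
    """Hierarchical classification levels, ordered low to high (constructed set)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of need-to-know compartments."""
    level: Level
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: at least as high a level AND a superset of compartments.
        return self.level >= other.level and other.compartments <= self.compartments


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Obj:
    name: str
    label: Label
    data: str = ""


class ReferenceMonitor:
    """Mediates every access and writes one audit record per decision."""

    def __init__(self) -> None:
        self.objects: Dict[str, Obj] = {}
        self.audit: List[str] = []

    def _decide(self, subj: Subject, op: str, name: str, allowed: bool) -> bool:
        # Accountability: every security-relevant event is tied to the subject.
        self.audit.append(f"{subj.name} {op} {name}: {'ALLOW' if allowed else 'DENY'}")
        return allowed

    def create(self, subj: Subject, name: str, label: Label) -> bool:
        # New objects must carry a label at or above the creator (no write-down).
        ok = name not in self.objects and label.dominates(subj.clearance)
        if ok:
            self.objects[name] = Obj(name, label)
        return self._decide(subj, "create", name, ok)

    def read(self, subj: Subject, name: str) -> Optional[str]:
        obj = self.objects.get(name)
        # Simple security property: the subject's clearance must dominate the object.
        ok = obj is not None and subj.clearance.dominates(obj.label)
        self._decide(subj, "read", name, ok)
        return obj.data if ok else None

    def write(self, subj: Subject, name: str, data: str) -> bool:
        obj = self.objects.get(name)
        # *-property: the object's label must dominate the subject (no write-down).
        # Note that a blind write-up is permitted by this rule.
        ok = obj is not None and obj.label.dominates(subj.clearance)
        if ok:
            obj.data += data
        return self._decide(subj, "write", name, ok)

    def list_names(self, subj: Subject) -> List[str]:
        # Object names are hidden unless the subject could read the object.
        return sorted(n for n, o in self.objects.items() if subj.clearance.dominates(o.label))

    def release(self, subj: Subject, name: str) -> bool:
        obj = self.objects.get(name)
        # Only a subject at exactly the object's label may release it; the data is
        # purged before the name is returned to the pool (object reuse control).
        ok = obj is not None and subj.clearance.dominates(obj.label) and obj.label.dominates(subj.clearance)
        if ok:
            obj.data = ""
            del self.objects[name]
        return self._decide(subj, "release", name, ok)


def demo() -> dict:
    """Constructed scenario: a TOP SECRET/HUMINT analyst and an UNCLASSIFIED clerk."""
    rm = ReferenceMonitor()
    analyst = Subject("analyst", Label(Level.TOP_SECRET, frozenset({"HUMINT"})))
    clerk = Subject("clerk", Label(Level.UNCLASSIFIED))
    rm.create(analyst, "report.txt", Label(Level.TOP_SECRET, frozenset({"HUMINT"})))
    rm.write(analyst, "report.txt", "source details")
    rm.create(clerk, "bulletin.txt", Label(Level.UNCLASSIFIED))
    rm.write(clerk, "bulletin.txt", "public notice")
    result = {
        "clerk_reads_report": rm.read(clerk, "report.txt"),            # None: no read-up
        "analyst_writes_bulletin": rm.write(analyst, "bulletin.txt", "leak"),  # False: no write-down
        "clerk_writes_report": rm.write(clerk, "report.txt", " tip from clerk"),  # True: blind write-up
        "clerk_sees": rm.list_names(clerk),                             # only bulletin.txt
        "analyst_sees": rm.list_names(analyst),                         # both objects
    }
    result["analyst_reads_report"] = rm.read(analyst, "report.txt")
    result["released"] = rm.release(analyst, "report.txt")
    result["after_release"] = rm.list_names(analyst)
    result["audit"] = list(rm.audit)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The monitor deliberately keeps the decision logic in one place (`_decide`) so that every allow or deny, including the denied read-up and write-down attempts, lands in the audit trail; the `list_names` call shows why hiding names matters, since the clerk never learns that `report.txt` exists. Real MLS systems usually tighten the *-property to writes at an equal label rather than allowing blind write-up, and they purge storage at the block or page level rather than by clearing a string.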

Barriers to MLS Implementation

Despite the promise of this approach, MLS has been slow to penetrate the intelligence and defense communities and has not spread beyond them to other federal agencies. There have been two major reasons for this.

The types of security functions defined by MLS have not—in the main—applied to the private sector; and

The Orange Book criteria only applied to U.S. agencies. While the governments of other nations had similar security requirements, they established their own separate security criteria.

These two factors have had the effect of significantly limiting the size of the MLS market for U.S. technology vendors. With only a few large government agency customers, the vendor community treated MLS as a niche or custom opportunity that was expensive to build and maintain over time.

What’s Changed?

A few developments over the past few years have significantly expanded the market opportunity for the vendor community, inducing leading companies like IBM and Oracle to expend more R&D dollars on MLS and to integrate the technology with their core product line.

Many of the DoD Orange Book specifications have been internationally recognized and adopted – along with other standards – as a set of Common Criteria for multi-level security. This means that a system component that has been vetted by the National Information Assurance Partnership (NIAP) and assigned a security designation does not necessarily have to be resubmitted for compliance testing in each country (or agency) where it is sold under that same designation. This has greatly expanded the potential market for MLS and introduced economies of scale, rapidly reducing the cost of fielding systems that comply with the security standards.

The development of Web Services and the widespread adoption of the XML programming language have provided a new technical foundation for providing collaborative services in a heterogeneous technical environment. It is also creating significant opportunities to share data across organizational boundaries, which is creating demand for MLS services.

The President’s Management Agenda (PMA), which among other things calls for improved integration of activities across organizational boundaries, along with the adoption of industry-best-practices to streamline operations, is being applied to all agencies – including those tasked with national security-related missions.

The nature of the war on terror has underscored the importance of real-time collaboration in response to threat developments, new intelligence information, and the dissemination of new analysis to all relevant response agencies.

The impact of these trends is documented by a joint Larstan Business Report/Government Security News survey of 214 security professionals working at federal agencies with a national security mandate. Respondents to the survey, which was conducted in late January, 2004, overwhelmingly agreed that the war on terror has increased the importance of information security (see Figure 1).

Figure 1 – Source: Larstan Business Reports/Government Security News

Closely related to this, the nation’s new security posture is spawning an array of new eGovernment initiatives, which are also driving new information security requirements (see Figure 2).

Figure 2 – Source: Larstan Business Reports/Government Security News

New security mandates and increased agency collaboration are reawakening interest in MLS. Just under two-thirds of the survey respondents indicated that their agency or department will implement MLS in order to securely share classified information with other agencies (see Figure 3).

Figure 3 – Source: Larstan Business Reports/Government Security News

"MLS has been regarded as the Holy Grail for people operating in a high-assurance security environment . . . it was something that you deeply desired but could never really reach. Vendors treated it as a kind of one-off solution that you built once but never really continued with after that. That’s been a problem for government agencies that are wedded to an MLS capability that they bought a long time ago, but were never able to upgrade. IBM’s approach is different today. Our strategy now is to include and maintain it as part of our commercial-based systems, and to keep it current as we march forward in the future." – Chris Daly, Practice Lead Federal Markets, IBM