National Cyber Leap Year follow-up
Last year, the US government held the National Cyber Leap Year Summit. Lots of smart people got together and made a series of recommendations to the government. You can read their recommendations here.
This report came out last September. Some of its recommendations were things like this:
6.8 Idea - Removing Barriers to Entry for Crypto Products into Federal Use
Streamline and expedite the approval process for Federal use of new security technologies.
6.8.1 Description
Many commercial security technologies are unavailable for Federal use even though they are well accepted and widely deployed in the private sector. These technologies often allow dramatic cost savings and efficiency gains over older technologies, but Federal agencies are unable to use them because the technologies have not received the necessary certifications and approvals. In some cases, the existence of rigorous, formal proofs of security should eliminate the need for the long certification and review process and allow Federal agencies to receive the same benefits that the private sector is now realizing. A decade or more is too long for Federal agencies to wait to realize the benefits of new security technologies. Let's find a way to get new technologies used more rapidly.
6.8.2 Inertia
This has not been done yet because the Federal agencies involved in approving new security technologies have relied on the "wait and see if it's secure" model so far. This approach usually determines which technologies are sound and which ones are not, but takes many years and leaves Federal agencies unable to use the innovative security technologies that are being invented today.
6.8.3 Progress
Provable security has made the "wait and see" model unnecessary in many cases. If there is a peer-reviewed formal proof of the security of a technology, that should be enough to get approval for Federal use. If the proof is correct then the technology is secure. Why wait ten years or more if that's the case?
6.8.4 Action Plan
NIST should determine a way to quickly approve provably-secure technologies for Federal use and should review existing regulations and identify ways to allow provably secure technologies within them. This should involve, as a minimum, granting a blanket IATO to new encryption technologies with peer-reviewed proofs of security, and adding provably-secure public-key encryption technologies to the list of techniques that are allowed by FIPS 140-2. In the long run, standards and policies should be changed to allow the rapid adoption of new technologies that are provably secure.
6.8.5 Jumpstart Plan
Within 90 days, NIST should define and implement a way to approve provably secure technologies for Federal use. Within 180 days, a pilot of one of these technologies should be started at a Federal agency.
I haven't heard of any progress in the government on this particular issue. I'm fairly sure that NIST hasn't developed a plan to approve provably-secure technologies for government use and that no government pilot projects of provably-secure technologies have started.
Has there been progress in any of the other areas that the summit participants recommended?
Comments