At 4:37 PM 10/7/96, Rick Smith wrote:
>In our experience, high end customers who are willing to pay extra for
>assurance and *real* seals of approval are happiest to go to some
>independent tester and have them "certify" their Sidewinder after
>installation. We've had numerous customers do this, including, of course,
>I wish they'd publicly release their reports on Sidewinder, too.
Doubt it will happen during your career, Rick. Unless Congress and the DoD
rewrite the rules, NCSC's refusal to endorse Sidewinder is a good business
lesson for those who might be thinking about looking to the Department of
Defense for financial support in commercial product development and then
look again to the DoD to endorse what it funded. If you guys had stayed
in the TYPE ONE cryptosystem business the endorsement problem would have
gone away. Of course no one other than the U.S. Government user community
would be allowed to buy your products.
Although SCC has done about as well as anyone and better than most,
transcending market boundaries in the information security business by
attempting to leverage a "position" with government can be very tricky.
Most attempts are not tremendously successful.
Don't know if you've heard this but...The National Security
Telecommunications Advisory Committee (NSTAC) has recently explored the
notion of establishing an industry driven, government supported
organization to get a grip on rules, standards, criteria, etc., for test,
approval, and certification of commercially developed information security
systems, products and services, and the centers of excellence that handle
the process. While some of you who are interested might want to keep your
ear to the ground, I wouldn't spend a lot of time on it. The proposed
organization, called the ISSB or Information Systems Security Board, already
is in trouble on two primary issues:
First, coming up with an acceptable business model to fund and manage the
organization will be a real exercise...as is the case whenever you attempt
to get a consensus of a number of powerful agendas not the least of which
is the USG.
Secondly, (and this will bring some of you out of your chairs), apparently
the biggest impediment to getting the ISSB off the ground is that some
influential folks feel that putting up the effort and expense is not
justified by the size and nature of the threat.
You won't find this in this morning's Washington Post...but, the White
House's heralded pronouncements regarding security and the National
Information Infrastructure aside...apparently, a significant number of
Fortune 500 CEOs, and, some well placed information security specialists
within the Defense and Intelligence community simply do not believe that
the real or perceived threats to their information infrastructures support
placing that target on their radar screens. Hummmmmm. Pretty difficult to
launch a major information security initiative given that thinking.
Cypress Systems Corporation
804 Vanderbilt Ave.
Virginia Beach, VA 23451
(757) 425-4195 Voice
(757) 425-4196 FAX
(757) 442-0888 STU-III