IEEE developing standard to create baseline for more secure operating systems
Piscataway, NJ—Because enhancing information system and network security is limited by their underlying operating systems, the Institute of Electrical and Electronics Engineers’ Standards Association (IEEE-SA) has begun work on a standard to formulate consistent baseline security requirements for general-purpose (GP), commercial off-the-shelf (COTS) operating systems.
Piscataway, NJ— Because enhancing information system and network security is limited by their underlying operating systems, the Institute of Electrical and Electronics Engineers’ Standards Association (IEEE-SA) has begun work on a standard to formulate consistent baseline security requirements for general-purpose (GP), commercial off-the-shelf (COTS) operating systems. The planned IEEE P2200 standard, entitled Base Operating System Security (BOSS), will address external threats and intrinsic flaws arising from software design and engineering practices.
P2200 will build on guidance issued by the U.S. National Institute of Standards and Technology (NIST) couched in terms of protection profiles within the International Organization for Standards (ISO) Common Criteria (CC) framework. It will address essential functions for cross-platform security, including identification and authentification, access control and key cryptographic concepts.
The new standard will also incorporate recognized limitations and caveats. For example, a single standard or set of requirements may not fit all GP, COTS operating systems. Also, use of the CC framework is optional, and the final standard may not resemble the NIST base document.
Anyone with expertise in software engineering, metrics for software, cybersecurity, operating system development and related areas is invited to participate. Plans call for the standard to be completed on an accelerated schedule by the end of 2004.
'This standard will enable mass production of a class of operating systems that meet the minimum expectations of consumers for security and general reliability by establishing a floor for these characteristics,' says Jack Cole, chair of IEEE’s P2200 working group. 'This consensus standard will encompass input from all stakeholders, including operating system developers, academics, those in government and consumers in the financial, process control and other sectors. We must have as much buy-in as possible, so the standard is widely used and supported by both producers and users. We also see this fundamental standard as part of an ongoing effort that will continue to evolve so as to make operating systems more reliable and secure.'
Gary Stoneburner, BOSS working group’s vice chair, adds that the P2200 effort will return to the roots of information assurance and the need for clear, reasonable expectations for security capability. 'The standard will identify reasonable security expectations expressed, so multiple audiences can readily understand them. It also will take advantage of the ISO Common Criteria framework as a tool, not a requirement. The project provides users and industry with the‘power of the pen’ by moving OS security standards from government edict to community consensus.'
The organizers adds that P2200 is being formed within an emerging IEEE information assurance community that aims to realize the full potential of IT to deliver the information it generates, gathers and stores. Besides P2200, this community is forming the Information Assurance Standards Committee and the start of such standards as IEEE P1618, 'Public Key Infrastructure Certificate Issuing and Management Components,' and IEEE P1619, 'Architecture for Encrypted Shared Media.'
For more information, visit ieeeia.org.
Control Engineering Daily News Desk
Jim Montague, news editor