IEEE Begins Standard to Create Baseline for More Secure Operating Systems

PISCATAWAY, N.J., Sept. 11, 2003--The ability to
enhance security in information systems and networks is limited
by the operating systems that underpin them. Recognizing this,
the Institute of Electrical and Electronics Engineers (IEEE) has
begun work on a standard to formulate consistent baseline security
requirements for general-purpose (GP), commercial, off-the-shelf
(COTS) operating systems.

The standard, IEEE P2200, "Base Operating System
Security (BOSS)," will address external threats and intrinsic
flaws arising from software design and engineering practices.
Anyone with expertise in software engineering, metrics for software,
cyber security, operating system development and related areas
is invited to participate. Plans call for the standard to be completed
on an accelerated schedule by the end of 2004.

IEEE P2200 will build on guidance issued by the U.S. National
Institute of Standards and Technology (NIST) couched in terms
of protection profiles within the International Organization for
Standards (ISO) Common Criteria (CC) framework. It will address
essential functions for cross-platform security, including identification
and authentication, access control and key cryptographic concepts.
It will incorporate a number of recognized limitations and caveats,
e.g., a single standard or set of requirements may not fit all
GP, COTS operating systems. In addition, the use of the CC framework
is optional, and the final standard may not resemble the NIST

"This standard will enable mass production of a class of
operating systems that meet the minimum expectations of consumers
for security and general reliability by establishing a floor for
these characteristics," says Jack Cole, IEEE P2200 Working
Group Chair. "This consensus standard will encompass input
from all stakeholders, including operating system developers,
academics, those in government and consumers in the financial,
process control and other sectors.

"We must have as much buy-in as possible, so the standard
is widely used and supported by both producers and users. We also
see this fundamental standard as part of an ongoing effort that
will continue to evolve so as to make operating systems more reliable

Gary Stoneburner, BOSS Working Group Vice Chair, notes that this
standards effort will return to the roots of information assurance
and the need for clear, reasonable expectations for security capability.
"The standard will identify reasonable security expectations
expressed so multiple audiences can readily understand them,"
he continued. "It also will take advantage of the ISO Common
Criteria framework as a tool, not a requirement. The project provides
users and industry with the 'power of the pen' by moving
OS security standards from government edict to community consensus."

IEEE P2200, "Base Operating System Security," is sponsored
by the IEEE Computer Society. For more information, see: http://bosswg.org.

This standard is being formed within an emerging IEEE information
assurance community that aims to realize the full potential of
IT to deliver the information it generates, gathers and stores.
In addition to IEEE 2200, the actions of this community include
the formation of the Information Assurance Standards Committee
and the start of such standards as IEEE P1618, "Public Key
Infrastructure Certificate Issuing and Management Components,"
and IEEE P1619, "Architecture for Encrypted Shared Media."
For more information, see: http://ieeeia.org.

About the IEEE Standards Association

The IEEE Standards Association, a globally recognized standards-setting
body, develops consensus standards through an open process that
brings diverse parts of an industry together. These standards
set specifications and procedures based on current scientific
consensus. The IEEE-SA has a portfolio of more than 870 completed
standards and more than 400 standards in development. Over 15,000
IEEE members worldwide belong to IEEE-SA and voluntarily participate
in standards activities. For further information on IEEE-SA see:

About the IEEE

The IEEE has more than 375,000 members in approximately 150 countries.
Through its members, the organization is a leading authority on
areas ranging from aerospace, computers and telecommunications
to biomedicine, electric power and consumer electronics. The IEEE
produces nearly 30 percent of the world's literature in electrical
and electronics engineering and in computer science. This nonprofit
organization also sponsors or cosponsors more than 300 technical
conferences each year. Additional information about the IEEE can
be found at http://www.ieee.org.