HIPAA --- Will the BOSS Come to the Code?

IEEE Begins Standard to Create Baseline for More Secure Operating Systems

PISCATAWAY, N.J. Sept. 11, 2003--The ability to enhance security in information systems and networks is limited by the operating systems that underpin them. Recognizing this, the Institute of Electrical and Electronics Engineers (IEEE) has begun work on a standard to formulate consistent baseline security requirements for general-purpose (GP), commercial, off-the-shelf (COTS) operating systems.

The standard, IEEE P2200, "Base Operating System Security (BOSS)," will address external threats and intrinsic flaws arising from software design and engineering practices. Anyone with expertise in software engineering, metrics for software, cyber security, operating system development and related areas is invited to participate. Plans call for the standard to be completed on an accelerated schedule by the end of 2004.

IEEE P2200 will build on guidance issued by the U.S. National Institute of Standards and Technology (NIST) couched in terms of protection profiles within the International Organization for Standards (ISO) Common Criteria (CC) framework. It will address essential functions for cross-platform security, including identification and authentification, access control and key cryptographic concepts.

It will incorporate a number of recognized limitations and caveats, e.g., a single standard or set of requirements may not fit all GP, COTS operating systems. In addition, the use of the CC framework is optional, and the final standard may not resemble the NIST base document.

"This standard will enable mass production of a class of operating systems that meet the minimum expectations of consumers for security and general reliability by establishing a floor for these characteristics," says Jack Cole, IEEE P2200 Working Group Chair. "This consensus standard will encompass input from all stakeholders, including operating system developers, academics, those in government and consumers in the financial, process control and other sectors.

"We must have as much buy-in as possible, so the standard is widely used and supported by both producers and users. We also see this fundamental standard as part of an ongoing effort that will continue to evolve so as to make operating systems more reliable and secure."

Gary Stoneburner, BOSS Working Group Vice Chair, notes that this standards effort will return to the roots of information assurance and the need for clear, reasonable expectations for security capability.

"The standard will identify reasonable security expectations expressed so multiple audiences can readily understand them," he continued. "It also will take advantage of the ISO Common Criteria framework as a tool, not a requirement. The project provides users and industry with the "power of the pen" by moving OS security standards from government edict to community consensus."

IEEE P2200, "Base Operating System Security," is sponsored by the IEEE Computer Society. For more information, see:

This standard is being formed within an emerging IEEE information assurance community that aims to realize the full potential of IT to deliver the information it generates, gathers and stores. In addition to IEEE 2200, the actions of this community include the formation of the Information Assurance Standards Committee and the start of such standards as IEEE P1618, "Public Key Infrastructure Certificate Issuing and Management Components," and IEEE P1619, "Architecture for Encrypted Shared Media." For more information, see:

About the IEEE Standards Association

The IEEE Standards Association, a globally recognized standards-setting body, develops consensus standards through an open process that brings diverse parts of an industry together. These standards set specifications and procedures based on current scientific consensus. The IEEE-SA has a portfolio of more than 870 completed standards and more than 400 standards in development. Over 15,000 IEEE members worldwide belong to IEEE-SA and voluntarily participate in standards activities. For further information on IEEE-SA see:

About the IEEE

The IEEE has more than 375,000 members in approximately 150 countries. Through its members, the organization is a leading authority on areas ranging from aerospace, computers and telecommunications to biomedicine, electric power and consumer electronics. The IEEE produces nearly 30 percent of the world's literature in electrical and electronics engineering and in computer science. This nonprofit organization also sponsors or cosponsors more than 300 technical conferences each year. Additional information about the IEEE can be found at


© PDA cortex. All Rights Reserved
IT's Cutting Edge