Federal government's electronic initiatives have technology vendors playing compliance catchup.
The U.S. Government is going electronic but may be setting policy ahead of available technology. A series of initiatives, most of them passed during the Clinton administration, mandates that government agenciesand the hundreds of organizations that work with themjump into the 21st century. However, many vendorsbig and smallfall short in supplying products and services that will comply with the governments demands.
The umbrella term for these sweeping electronic initiatives is eGov (www.egov.gov). Within eGov are specific acts and regulations that include the Government Paper Elimination Act of 1999, the eGovernment Act of 2001, the Electronic Signatures in Global and National Commerce Act of 2000, and the Information Technology Management Reform Act of 1996.
The goal of these acts, most of which come under the jurisdiction of the White House Office of Management and Budget, is to make all relevant government resources available electronically to all citizens, including the disabled. These rules are currently limited to putting government forms on Web sites but will eventually include everything up to and including electronic voting.
This is a noble cause, but the acts have very specific and, in some cases, stringent and contradictory technology criteria. For example, the regulations for defense IT procurement may prevent the purchase of new technology that has added security features without eliminating older technology that does not have any of the new security controls.
In short, these acts have the potential to shape the future U.S. tech industry. Below, eWeek Labs examines how three of the eGov policies will affect technology vendors and the IT buyers of that technology.
NSTISSP No. 11
The single government policy with perhaps the most potential to shake up the technology industry is the National Information Assurance Acquisition Policy, or NSTISSP No. 11.
The policy has its roots in a 1990 National Security Directive that led to the creation of the National Security Telecommunications and Information Systems Security Committee, which in turn produced the policythe "P" in NSTISSPin January 2000.
At its most basic level, NSTISSP No. 11 is intended to help the U.S. Department of Defense move from government off-the-shelf software to commercial off-the-shelf software without compromising security. To do this, the governmentand, in particular, the National Security Agencyhad to produce a series of assurances that showed commercial packages performed as advertised and were at least as secure as those developed internally by the government.
Although the government has always asked for some of these assurances, it wasnt until January of last year, when the government gave preference to products that achieved an appropriate assurance level, that they actually affected software vendors. Until that time, the Defense Department had only marginally enforced the policy and had granted waivers to software vendors participating in defense contract bidding.
Beginning this July, however, the policy is mandated, and several sources said the NSA will not be granting waivers. Government-contracted vendors that dont comply will not be allowed to bid on defense contracts. (Its important to note that this policy applies to new products and does not mandate replacing older products.)
NSTISSP No. 11 has its origins in the old "rainbow" security classifications, known as the red book and orange book security evaluation criteria.
The rainbow scale was replaced in 1999 by Common Criteria, which replaces the rainbow-class levels with evaluation assurance levels ranging from EAL0 (inadequate assurance) to EAL7 (verified, designed and tested). These levels more or less correspond to the previous rainbow levels, but Common Criteria is far more complex and takes into account newer architectures, such as the Internet.
Common Criteria is so complex, in fact, that it can take more than a year for a vendor to go through NISTs evaluation process. It took Oracle Corp., for example, two years and more than $1 million to get an earlier version of its flagship database certified, according to Mary Ann Davidson, Oracles chief of security, in Redwood Shores, Calif.
The impact of this mandate could be huge, especially when considering how few evaluations have been done to date. IBM, for example, does not have any of its databases evaluated. (For a list of products currently being evaluated, see niap.nist.gov/cc-scheme/InEvaluation.html.)
In addition to the time it takes to evaluate a product, cost may inhibit or even prohibit companies from participating. Smaller database companies, for example, may be shut out of government contracts because they cant afford to get their systems certified.
It also appears that open-source products cannot be evaluated according to the guidelines, which are specific to a released commercial product. A Linux distributor could potentially freeze a distribution of Linux for the government, but if the distribution changed in any way, the software would be considered modified and would not pass the evaluation.
Theres a certain irony in this: Windows NT, for example, has a rainbow book C2 rating and can be used by the Defense Department, even though Microsoft Corp. began development before the Internet was opened to the public. Meanwhile, Windows XP and most distributions of Linux are inherently more secure than NT but havent passed the evaluation. They therefore are not "acceptable" products.
While NSTISSP No. 11 is clearly defined and has broad industry support (mandated support, that is), Section 508 covers so much ground that it may be impossible for the government to adopt its provisions to the letter of the law.
Section 508 was born out of the Rehabilitation Act of 1973, which mandated that government agencies and academic institutions not discriminate against those with disabilities. The act eventually led to the sweeping Americans with Disabilities Act of 1990, which broadened protection to workers at any public place. Section 508 requires that all IT products be usable and accessible to the disabled. The law was slated to take effect in August 2000, but the deadline was extended to June of last year.
"All IT products" is a pretty broad categorytoo broad, perhaps, covering everything from Web sites to fax machines to printers and copiers used by the federal government and its contractors. Its not completely clear if the law covers routers, switches and other networking infrastructure gear, nor does it include provisions for extending the dates for compliance if accessibility compromises security.
Vendors including Microsoft, Oracle, Cardiff Software Inc. and Macromedia Inc. agree that the main goal of Section 508 is admirable, not to mention an excellent business opportunity: Fifty-four million Americansor about one-fifth of the populationare disabled. In fact, some have hinted that Section 508 might spur a spending and development effort like we saw with Y2K.
Others agree that Section 508 is admirable but consider it impractical. Avi Hoffer, CEO of Metastorm Inc., in Severna Park, Md., a company focused on the eGov market, said that at some point it will be less costly "to send the disabled home and pay them rather than to bring all IT products into compliance" to the full extent of the law.
Hoffer, who supports the goals of Section 508, said that its a "quagmire" because government agencies have no compliance officers or independent validating organization and that even the General Services Administration Web site (www.gsa.gov) is not compliant. Hoffer predicted that the government will overlook compliance issues and then pass a new law thats more achievable.
Section 508 deals with the acquisition of new technology, but billions of dollars have already been spent to modify existing sites. Vendors have focused mostly on altering site design so that screen readers can better interpret Web pages. Meanwhile, Xerox Corp., a company with massive government contracts, is focusing energy on the document management and copy machine market.
Sun Microsystems Inc. is leveraging the open-source GNOME (GNU Network Object Model Environment) desktop to deal with Section 508 accessibility laws. GNOME 2.0 now includes the Gnopernicus screen reader and GOKthe Gnome on-screen keyboard that allows Sun to come into compliance without doing massive amounts of development work. Meanwhile, Sun has developed the Java Access Bridge, which allows Java applications to interact with Microsoft Windows accessibility features.
According to John Leahy, Sun federal chief of staff in Vienna, Va., Sun will not stop at mere compliance. Sun is "looking beyond the requirement" and pushing into alternative interfaces, Leahy said. "Theres got to be more than one way of doing things," he said.
Cardiff, a major player in the forms processing area, has equipped its design products with facilities for connecting screen readers, screen magnifiers, on-screen keyboards and text-to-speech converters. The company also makes those technologies available to Adobe Systems Inc.s Acrobat, a de facto government standard. However, until Version 5.0, the Acrobat format did not lend itself to Section 508 compliance.
Meanwhile, the World Wide Web Consortium is working on its own Web Accessibility Initiative (www.w3.org/WAI/about.html), which follows the work done on Section 508 and applies to the international community.
One eGov act that has already made a huge impact is the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. HIPAA targets the health care and insurance industries and, at the highest level, attempts to ensure that personal data remains private.
HIPAA can be thought of as having two components. The first is the framework that ties together health care entities to reduce costs and the complexities of administering health care policies. This traditionally has been done through a series of electronic data interchange schemata, but HIPAA is moving to a more open XML framework.
Microsoft, for example, has released BizTalk Accelerator for HIPAA, a set of XML definitions that targets the health care industry. The main selling point of BizTalk for HIPAA is rapid compliance with HIPAA regulations, which is mandated by next April.
The other component of HIPAA is privacy. In this regard, HIPAA does not call for specific new technology but rather takes a common-sense approach and relies on human compliance.
For example, most health care records are paper-based and have minimal security or privacy associated with them. Any person wandering around a hospital can pick up privileged information, make copies of it or even destroy it. HIPAA focuses on ensuring that private data remains private and secure and that an audit trail is created by the health facility.
Doing this requires more than technology. John Jones, general manager of Xerox Health Care, said Xerox is focusing, for example, on re-engineering the paper process and bringing human components into conformance.
Of course, the human element will take far longer to come into compliance than any technology will. The government will probably have to extend the compliance dates or at least overlook compliance violations for some time.
eWeek Labs Director John Taschek is at firstname.lastname@example.org.
Links to other stories in this package
eGov Prompts Ambitious Agency Efforts
Grappling With Compliance
Additional eGov Web Resources