
The United States is in the midst of a revolution in the way that it does
business. This revolution is driven by the explosion in information technology
and the availability and affordability of vast new information services. The
White House has recognized the information revolution and established a
National Information Infrastructure (NII) initiative to harness its energy. As
described in the Administration's National Information Infrastructure:
Agenda for Action, the NII will produce benefits to society that will
change forever the way people live, work, and interact with each other. The
vision of the NII is an advanced information infrastructure consisting of
communications networks, computers, data bases, and consumer electronics. It
will be built and operated by the private sector, evolving from networks,
information services, and applications that are in place today. These existing
networks and systems already comprise a nation-wide information infrastructure
and the issue is how the evolution will take place to realize the promise and
potential of the NII.
As the government, private sector, and general public become increasingly
dependent on information services to support the nation's economic well-being
and lifestyle, the reliability and security of these information services will
become increasingly critical. Temporary loss of service will not only be
inconvenient but could be life-threatening (e.g., natural disasters or national
security situations). Wide-spread failures of the networks and services could
be catastrophic. Prolonged disruption of the commercial financial
infrastructure or denial of basic telecommunications services could result in
business failures and damage to the national economy. For these reasons, U.S.
economic security and its stability are now regarded as vital national security
concerns. Reliability and security of NII services are the keys to consumer
confidence.
In order to promote the principles of reliability and security in the NII, a
Reliability and Vulnerability Working Group (RVWG) was formed as an
inter-agency working group under the Administration's Information
Infrastructure Task Force (IITF). The RVWG was chartered to be the
government's focal point in defining the attributes of reliability for the NII.
To this end, it will identify threats, vulnerabilities, or other issues
relevant to the reliability and survivability of NII services.
To focus the efforts of the working group, the RVWG has defined a set of broad
actions as a road map for accomplishing its objectives. The recently published
document, Vision of the Reliability and Vulnerability Working Group,
describes these actions and presents the RVWG's preliminary findings. These
findings include the principle that levels of performance in the NII will be
determined by the expectations of customers and their willingness to pay for
specific features and capabilities. The government's role in this process
should be to encourage competition and ensure a level playing field among
competitors, with a minimum of oversight or regulation. As presented in the
RVWG Vision document, the emerging principles for ensuring reliability and
security in the NII are:
- Competitive forces will establish generally acceptable levels of
reliability and security for the general user community
- Additional levels of reliability and security performance will be paid for
by the user communities that need them
- In the event that competitive forces are not sufficient, some form of
joint government-industry mechanisms will be needed to ensure that critical
national needs are met
In order for the private sector to plan for the provision of capabilities and
required levels of performance for the NII, the government must identify its
reliability and security requirements. In particular, the government must work
with industry to determine what capabilities are not likely to be commercially
available through market demand and how these capabilities should be developed.
To provide the government's perspective on the attributes of reliability and
security in the NII, the RVWG has developed a set of desired NII features and
capabilities. These capabilities were identified from the points of view of
various classes of information consumers. There are requirements from general
day-to-day users of the NII, as well as users of critical services during
emergencies where public safety could be involved, and users who would perform
national security and emergency preparedness (NS/EP) functions during national
emergencies. Other capability requirements were identified from the need to
protect the networks from failure in the face of various threats. Further,
reliability in the NII is not only a product of systems and technology, it also
depends on appropriate capabilities for management of information resources and
on government leadership in the areas of policy, regulation, and
legal/legislative frameworks pertaining to information technology.
This paper supplements the previously referenced RVWG Vision document and
presents an updated summary of the RVWG's findings. The attributes for
reliability and security that are necessary to assure consumer confidence and
trust in the NII are identified as an initial blueprint for the acquisition of
future government information systems. This information is intended for use by
the Administration, government agencies, and the private sector as a guide to
assist in the design and use of networks, information services, and
applications that satisfy the reliability and security requirements of the
nation.
A companion document, Capability Assessments, is a supplement to the
Blueprint document. It contains preliminary assessments by the RVWG of how
well the current NII satisfies the proposed features and capabilities for
reliability and security. Although these assessments are highly subjective,
they serve to highlight potential areas of concern.
From identification of the capabilities and features as described in this
paper, the RVWG has proposed an initial set of broad reliability attributes for
the NII. These attributes support consumer confidence in the NII and are
consistent with the nation's dependence on its information services:
- Reliable services and performance levels that meet the information needs
of all classes of users
- Maximum availability of services under all circumstances, including local
emergencies and national-level crises
- Consumer trust that its information will be protected
- Capability for priority treatment in managing the allocation of
information resources
- Capability for broadcast dissemination of information to the public
- Protection of the networks from loss of service or compromise of network
information
- Mechanisms for monitoring the health of the networks and rapid restoral of
services when outages occur
- Management processes to promote government and industry cooperation in
providing seamless, reliable, and secure information services
- Consistent government policies, fair and effective regulatory structures,
and effective legal/legislative frameworks
The Reliability and Vulnerability Working Group. The National
Information Infrastructure: Agenda for Action, published September 15,
1993, describes the White House's vision for the National Information
Infrastructure (NII) and identifies its benefits for society and for the
nation. It further defines a set of goals and policy principles to guide the
government's actions in harnessing the information revolution. The Agenda for
Action establishes an Information Infrastructure Task Force (IITF) to
articulate the Administration's vision and oversee its implementation. The
task force consists of high-level representatives of federal agencies that play
a major role in the development and application of information technologies.
Working together with the private sector, the participating agencies will
develop comprehensive telecommunications and information policies that best
meet the needs of the agencies as well as the country.
In order to promote the principles of reliability and security in the NII, a
Reliability and Vulnerability Working Group (RVWG) was formed as an
inter-agency working group under the Telecommunications Policy Committee of the
IITF. The RVWG was chartered to be the government's focal point in defining
the attributes of reliability for the NII. To this end, it will identify
threats, vulnerabilities, or other issues relevant to the reliability and
survivability of NII services.
RVWG Approach. The NII will be built, owned, and operated by the
private sector. Thus, the government's role is to ensure a level playing field
for open competition and provide leadership in defining the government's
information needs. To accomplish this role, the RVWG will work with industry
and government players in the NII community to identify policy, legislative,
regulatory, or other actions that the government should take to foster
reliability and security. To focus the efforts of the working group and to set
a road map for reaching its objectives, the RVWG has identified a set of broad
actions to follow. The recently published Vision of the Reliability and
Vulnerability Working Group describes these actions and presents the
preliminary findings of the RVWG.
The RVWG has begun work in the areas of each of the prescribed actions, but the
working group itself lacks the resources and in-depth expertise that reside in
other government organizations. For this reason, the RVWG is negotiating with
various government agencies to act as Offices of Primary Responsibility (OPRs)
to lead in the execution of specific actions that have been defined. For
example, the Office of the Manager, National Communications System (OMNCS) has
a comprehensive understanding of the information needs of national security
and emergency preparedness (NS/EP) users. Similarly, the General Services
Administration (GSA) is cognizant of the day-to-day information needs of the
federal government, and the National Institute of Standards and Technology
(NIST) has expertise in defining capabilities to protect the networks against
threats that could deny the availability of information services.
Purpose of This Paper. This paper supplements the previously referenced
RVWG Vision document and presents an updated summary of the working group's
findings. It identifies the information needs of users of the NII and develops
a set of corresponding reliability capabilities and features in the NII that
are consistent with these needs. This information provides a common starting
point and a frame of reference for the government OPRs who will lead in the
execution of the RVWG's planned actions. It is also intended for use by the
Administration, government agencies, and the private sector as a guide to
assist in the design and use of networks, information services, and
applications that satisfy the reliability and security requirements of the
nation. The attributes for reliability and security that are necessary to
assure consumer confidence and trust in the NII are identified as a blueprint
for the acquisition of future government information systems.
RVWG Charter. The RVWG is the government's focal point for defining the
attributes of reliability, survivability, and security of the networks and
systems of the NII and their extension to global information systems. It will
identify network vulnerabilities, potential threats to the networks, and other
issues relevant to the reliability and survivability of the NII. It will
determine implications for U.S. policy and will make appropriate
recommendations for legislation, regulations, policy, or other measures that
the government should take to enhance the reliability, survivability, and
security of information systems in the NII. To this end, the RVWG will work
closely with the private sector and other committees and working groups of the
IITF.
To accomplish the objectives of a reliable, survivable, and secure NII, the
RVWG will work to ensure that:
- The NII will provide quality of service that meets essential public,
private, and commercial needs, as well as NS/EP requirements.
- The NII will provide safeguards for the security of its networks,
including the protection of system control, network management, and other
network-related information.
- The NII will provide protection for all users from catastrophic network
failure.
- The NII will contain mechanisms for recovery from such failures regardless
of their cause.
Terms and Definitions. Terms such as reliability, security,
availability, and privacy can be defined clearly and distinctly but, often,
their meanings are blurred in common usage. Since these terms sometimes have
ambiguous meanings, the following definitions will be used in this paper:
- Security is comprised of both Information Security
(e.g., protection of the information itself) and Network Security (e.g.,
protection of the networks that transport the information).
- Information Security is described in terms of attributes which
include, among others, confidentiality, integrity, and availability of
information.
- Confidentiality is ensuring that information is not deliberately or
inadvertently disclosed to unauthorized persons.
- Integrity is protecting the information from deliberate or
inadvertent alteration or destruction through unauthorized manipulation.
- Availability is the property that authorized users can access and
use information or telecommunications services at any time. Availability is
also an attribute of both network security and reliability.
- Network Security is focused on protection of the end-to-end
transport networks. Its objective is to guard against the loss of information
services from malicious attack, procedural error, or stressed conditions such
as natural disasters. It also involves protection of information that resides
in the network, including system control, network management, and proprietary
customer information.
- Reliability is the consistency, repeatability, or dependability
with which a system performs specified functions or operations, over time and
under specific conditions. In the broad context of this paper, the attributes
of reliability cannot be completely separated from those of security.
Reliability for the NII will include availability, as well as a quality of
service that is consistent with some performance standards. It will also
include protection from loss of service due to malicious attack or human error.
A reliable NII must not only protect its services from failure but must also
include capabilities for restorability in the event of failure. In this sense,
reliability also incorporates elements of confidentiality and integrity to
ensure that the network does not facilitate unauthorized uses such as
eavesdropping, password theft, or compromise of user information resources.
- Privacy is the right of a person, acting in his own behalf, to
determine the degree to which he will interact with his social environment,
including the degree to which he is willing to share data about himself with
others. The term "privacy" is not interchangeable with
confidentiality.
Partitioning the Problem. The NII will be expected to provide reliable
and secure services under all conditions associated with normal, day-to-day
circumstances and emergency conditions which may range from natural disasters
through national security crises and even war. The general public, commercial,
and government users will compete for services during emergencies and, in the
case of NS/EP circumstances, the needs of certain users performing designated
critical functions must also be met.
The RVWG is specifically tasked to address the security of network information
and protection from catastrophic network failure. Although there is a great
deal of overlap between the concepts for network security, information
security, and overall reliability and availability, a distinction is made
between protection of the networks and protection of the information itself.
The RVWG would be concerned, for example, with the risk of unauthorized
penetration of switches or other network elements. Other IITF groups would be
concerned with, for example, the effectiveness of end-to-end encryption
algorithms.
The partitioning in Figure 1 is used to define the reliability, survivability,
and security of NII services from four viewpoints. These viewpoints are
complementary and not mutually exclusive.
- General User Information Needs. The essential needs of day-to-day
public, private, and commercial users which must be provided under both normal
and emergency circumstances. The general user's needs are for end-to-end
services which include both network and information resources.
- NS/EP Information Needs. The essential needs of users, designated
by the government, performing critical functions during NS/EP circumstances.
The user's needs are for end-to-end services which include both network and
information resources.
- Protection of the Networks. Protection of network information;
protection against loss of service and rapid restoral of service when failures
do occur.
- Protection of the Information. Protection of the privacy,
confidentiality, and integrity of the information provided from, and
transported by, the NII.

Figure 1. Partitioning the Problem
The Unbounded NII. The Administration's Agenda for Action
describes the NII as a "seamless web of communications networks, computers, data
bases, and consumer electronics that will put vast amounts of information at
users' fingertips". This vision of the NII includes people, facilities,
computers, communications, data bases, information systems, and sources that
are attached to the networks. The NII will involve unlimited numbers of
providers of information transport, services, and added value applications,
with no central ownership or management. The scope of systems, technologies,
services, and industries that are expected to comprise the NII is unbounded and
there are many government groups, industry consortia, and other members of the
NII community who are addressing issues in this broad context. Thus, the
RVWG must define a reasonable focus for its efforts and not duplicate the
efforts of others.
Scope of RVWG Efforts. The layered model of the NII is a useful
visualization of the relationships among the communications transport,
information processing, and information sources that comprise an information
infrastructure. As shown in Figure 2, for example, information consumers have
applications (e.g., entertainment) which may interface with "appliances" (e.g.,
multi-media terminals). These appliances may invoke other appliances (e.g.,
Web Servers) or may invoke network services (e.g., billing). The network
services are based on standard protocols which enable access to other
appliances or information sources through "bitways", which provide handling and
transport for information services.
From the viewpoint of the general and NS/EP users of the NII, the requirements
for reliable services from these systems are end-to-end and extend from
communications transport to information appliances and user applications.
Similarly, for policy, legislative, and regulatory issues, the entire NII as
depicted in Figure 2 is within the scope of RVWG concern. However, the major
networks or system elements that have been addressed by the RVWG to date
include the Public Switched Networks (PSN), Internet, cable TV, commercial
satellite systems, and wireless systems such as cellular telephone that access
the NII. From the viewpoint of security, the RVWG is focusing its attention on
the protection of these networks from loss of service and the security of
network information. Fortunately, there are other groups and organizations
addressing appliances, network services, and attached information systems and
other dimensions of the unbounded NII.

Figure 2. Layered View of the NII
Groups such as the IITF Security Issues Forum and the Government
Information Technology Services (GITS) Working Group are leading initiatives to
address Information Security in the NII. Additionally, the IITF Applications
and Technology Committee is leading efforts to address appliances and user
applications. In particular, the Technology Policy Working Group has published
a Framework for National Information Infrastructure (NII) Services
document that develops a framework for NII services and appliances.
Thus, the RVWG is ultimately concerned with the reliability, survivability, and
security of information services that extend from bitways to applications in
the model shown in Figure 2. To this end:
- The RVWG is focusing its initial efforts on defining the end-to-end
reliability and availability of services that are required to meet the
information needs of all classes of users.
- It will take a lead role in addressing issues concerned with
security of the networks and will coordinate and work with IITF groups that
have lead roles in the traditional areas of information security.
- Initially, the RVWG will focus on technical assessments of the
telecommunications and network services provided by the PSN, Internet, and
other NII elements, and will coordinate and work with IITF groups that have
lead roles in addressing appliances and applications.
- Reliability, security, privacy, and overall consumer trust in the NII are
cross-cutting issues that must be addressed collaboratively by the entire NII
community.
NII Users. The nation's dependence on the telephone as a household and
business necessity has been replaced by an increasing dependence on information
services of all kinds. This dependence ranges from support to personal
lifestyles, to the day-to-day conduct of business, continuous availability for
critical functions such as hospitals, response to local emergencies, law
enforcement, public safety, and other functions associated with NS/EP
emergencies. The RVWG is chartered to address the reliability of NII services
to all of these classes of users. In order to describe the information needs
of this diverse population, three general classes of users are defined:
- General Users - Individual, commercial, government, or other
members of the general public who are performing day-to-day functions
- Essential Users - Users who have critical needs for the
availability of essential information services
- NS/EP Users - Identified government users who are performing
specified NS/EP functions during NS/EP circumstances
General and Essential Users of the NII. As shown in Table 1, the major
classes of general users include individuals with personal, household, or other
business activities. They also include commercial, government, or other public
organizations conducting functions such as electronic data interchange or
electronic commerce. Individuals are becoming more and more sophisticated
users of the new tools for personal information exchange on the Internet.
Interactive multi-media access to the NII will be in demand for entertainment,
home shopping, and the myriad of new services that are becoming available.
Organizational users are also becoming sophisticated consumers of new
technology and are developing strong dependencies on information services for
business applications. Security and dependability of information resources
will be paramount, with an emerging market for new technologies such as digital
signatures and digital cash.
Users of essential information services may be general users who also have a
specific and critical need for the immediate availability of services during
emergency circumstances. These circumstances may also involve network
congestion or stressed conditions which exacerbate the competition for
information resources. Another category of essential services includes
services that should be considered as non-interruptible, for example 911
telephone service. Table 1 summarizes user functions that categorize the
information applications of general and essential users. These applications
are not exhaustive but are useful in describing the information needs of these
users.
Table 1. Applications of General and Essential Users of the NII

NS/EP Users of the NII. Table 2 defines a range of functions that may
be performed during NS/EP circumstances.[1]
These functions would be performed by designated personnel who would depend
upon the NII for their information needs. This particular set of NS/EP
functions is derived from the efforts of both government and industry
representatives who developed the Telecommunications Services Priority (TSP)
system.
The functions in Table 2 range from critical activities supporting national
security and public safety, through maintaining the nation's economic posture.
In general, NS/EP functions demand assured availability of voice and messaging
services under conditions of stress on the infrastructure. These functions
imply the need for possible priority allocation of information resources and
define special capabilities such as emergency broadcast. More advanced
features such as imagery and collaborative computing may be desired for
specific functions, but the demand appears to be less universal than the need
for voice band and data services. These conclusions are verified by a recent
OMNCS survey of NCS member organizations regarding their perceived needs for
NS/EP NII capabilities. Among the findings of the survey were, in priority
order:
- Voice/Modem services are critical for all NS/EP functions.
- The utility of video services varies widely between agencies.
- Ubiquitous access, survivability, and interoperability are the top three
functional requirements.
- Priority treatment, greater than voice band services, international
access/egress, security/encryption, and bandwidth on demand.
Table 2. Applications of NS/EP Users of the NII

Categories of Features and Capabilities. From consideration of the
information needs of users of the NII, the RVWG has prepared an initial set of
features and capabilities that should be promoted to ensure the reliability,
survivability, and security of services. As discussed previously, the NII will
serve all classes of users who may have different information needs, depending
on the circumstances and functions being performed. The RVWG has considered
the basic classes of general day-to-day users, the users of services that are
essential during emergencies or stressed conditions, and the special
requirements for information services during NS/EP circumstances. In addition,
the capabilities needed to support the security and protection of the networks
have been considered, as well as capabilities in the management, policy,
legislative, and regulatory areas.
Capabilities for General Users. The NII should provide reliable
information services and systems to meet all information needs of commercial,
government, and general public users -- under day-to-day and stressed
conditions.
- User-friendly access to all information services that is transparent to
networks, systems, inter-network protocols, or other infrastructure elements
(i.e., like using the telephone). NII services are effectively not available
to the user who doesn't know of their existence or how to access them.
- Performance levels consistent with market demand. Reliability demands the
dependable and repeatable quality of service that the user is willing to pay
for (e.g., timeliness, intelligibility, fidelity, etc.). Availability of
service on demand (e.g., dial tone) is the most fundamental, but not the only,
measure of performance.
- Protection from unwanted information. The capability to screen offensive,
nuisance, or other forms of unwanted information.
- Privacy and confidentiality. Levels of protection consistent with
capabilities available from market demand and with the user's willingness to
pay for premium service.
- Integrity. Confidence that information is sent and received without
alteration.
- Non-repudiation. Confidence that information sent has been received by
the desired recipient and confidence in the identification of the sender of
information that has been received.
Capabilities for Users of Essential Services. This class of users
requires all of the capabilities of general users, plus:
- Maximum availability of essential services, even under conditions of
stress. Includes service for emergencies such as 911 service or notification
of firefighters and law enforcement authorities. Also, maximum availability of
services that should be non-interruptible, such as to hospitals or lifeline
services to the elderly or infirm.
- Priority treatment. Capability for emergency users to be identified and,
if necessary, given priority treatment for service under emergency conditions.
- Emergency dissemination of information. Capability to deliver essential
or emergency information to the local public.
Assured Capabilities for NS/EP Users. All of the capabilities of
general and essential users, plus the requirement to provide assured and timely
transfer of information among federal, state, and local government participants
as they respond to any emergency situation, including natural disasters,
terrorist attacks, civil disturbances, and war:
- Priority information exchange. The capability to recognize authorized
NS/EP users and provide end-to-end priority treatment for the transmission of
voice and data information. This capability would allow emergency responders
to receive special communication treatment to bypass network congestion and
damage and allow the transmission of critical information between the disaster
area and parent organizations.
- Priority service provisioning and restoration. A process that requires,
and legally authorizes, vendors to initiate, modify, and restore
telecommunications and information services for NS/EP customers on a priority
basis. Emergency responders and critical facilities in the disaster area would
have their NII service repaired, or new service installed, prior to the general
public, thus increasing their responsiveness to disaster victims' needs.
- Emergency broadcast capability. The capability to provide emergency
information to the national public via imagery, data, voice, or other means.
Similar to the existing Emergency Broadcast System, the NII will provide a
broadband, advance warning capability.
- Sustainable coordinating mechanism. An all-hazard industry/government
management mechanism to ensure NS/EP telecommunications and information
services are available to support mitigation, response, and recovery efforts.
This mechanism would provide "one-stop shopping" for critical federal, state,
and local government organizations to obtain NII services and real-time
information on the status of the network, as well as a forum for
information-sharing among NII service providers and government.
- Assured and reliable service. Quality telecommunications and information
service available for authorized NS/EP users whenever and wherever it is
needed. This is made possible by providing a durable information
infrastructure and redundant systems capable of withstanding the effects of
natural or man-made disasters.
- Interoperable services. The ability for authorized NS/EP users to
effectively exchange information independent of device and network. Joint
government/industry development of NII infrastructure, software, and data
standards will ensure that compatibility exists between emergency responders
both inside and outside of the disaster area.
- Protected information support. The capability to recognize and support
user-encrypted information. This capability will ensure that NS/EP users can
exchange classified and unclassified but sensitive information while
maintaining information integrity within the network.
- Network security. Protection against unauthorized physical or electronic
intrusions, manipulations, or attacks, preserving end-to-end integrity of the
network and transmitted information. Joint government/industry efforts will
ensure that sensitive information (financial transactions, privacy act
information) cannot be intercepted prior to reaching its destination.
Capabilities for Protection of the Network. Security of the NII
networks, including protection of network information and measures to minimize
loss of service.
- Monitoring. Ability to monitor the health of the interconnected diverse
networks.
- Restoral. Ability to rapidly reconfigure networks and restore network
failures.
- Defense against electronic attacks.
- Defense against physical attacks. Defense which is appropriate to the
threat, vulnerability, and criticality of the network element.
- Mitigation against the consequences of procedural error.
- Robustness and resiliency against natural disasters, congestion, or other
forms of stress.
- Adoption of best practices and operating principles for reliable and
available services (e.g., automated user audit log).
- Protection of privileged network information (e.g., billing, personal
data).
Management Capabilities. Management mechanisms that permit and
encourage collaboration -- across industry and between industry and government
-- to ensure seamless, reliable, and secure services from a heterogeneous NII.
- A management mechanism for monitoring end-to-end service, minimizing loss
of service, and coordinating restoral of information services when widespread
failures occur.
- Forum for the exchange of information among industry and government
organizations as necessary to foster reliable and secure information services.
- Real-time response capability for security incidents.
National Policy. Consistent policy on information services technology
that both encourages competition and protects the nation's critical interests,
in the international as well as domestic arenas.
- Effective policies and international agreements to protect the security,
privacy, and intellectual property of U.S. users of the global information
infrastructure.
- Advocacy of effective and timely standards that promote reliability and
security of information in both national and international standards bodies.
- Effective policies that remove unnecessary impediments to open competition.
- Government initiatives, such as new procurement practices that encourage
open, standards-based, commercial information architectures and discourage
proprietary implementations.
Regulatory Policy. Effective and fair regulatory policies that reflect
the restructured and evolving information and telecommunications industries.
- Updated regulatory policies that are relevant to the restructured and
evolving information service industry.
- Fair and consistent performance metrics for end-to-end service that
address differing forms of multi-media services (e.g., voice, data, interactive
video).
- Balance between a policy to minimize regulatory obstacles and the need to
protect public safety, national security, and the nation's economic and
security needs.
Legal/Legislative Frameworks. Legal and legislative frameworks that
protect security and reliability of the NII.
- Language in telecommunications legislation that identifies and promotes
principles of reliability, availability, and security in information systems.
- Effective laws concerning computer crime, with mechanisms for enforcement
and punishment.
Integrated Features and Capabilities. Section III summarized the
information needs of government and private sector users of the NII, and
Section IV developed a list of features and capabilities that would promote
reliability and security in satisfying these needs. The goal features and
capabilities in Section IV can be traced to the projected applications of
users, to the threats to the security of the networks, and to the requirements
associated with management, policy, regulation, and legal/legislative
frameworks. In this section, these features and capabilities are integrated
into a broader group of capabilities that are defined here as the preliminary
set of desired attributes of reliability, survivability, and security proposed
by the RVWG. These attributes could be used as a checklist for consideration
in the acquisition of future government information systems:
- Reliable services and performance levels that meet the information needs
of all classes of users
- Maximum availability of services under all circumstances, including local
emergencies and national-level crises
- Consumer trust that its information will be protected
- Capability for priority treatment in managing the allocation of
information resources
- Capability for broadcast dissemination of information to the public
- Protection of the networks from loss of service or compromise of network
information
- Mechanisms for monitoring the health of the networks and rapid restoral of
services when outages occur
- Management processes to promote government and industry cooperation in
providing seamless, reliable, and secure information services
- Consistent government policies, fair and effective regulatory structures,
and effective legal/legislative frameworks
The substance of these broad attributes is defined in terms of the
reliability features and capabilities that were shown in Section IV.
Reliable Performance. Consistency, repeatability or dependability with
which specified services, functions, or operations are performed, over time and
under specific conditions.
- User-friendly access to all information services. Transparent access to
the user with respect to networks, systems, inter-network protocols, or other
infrastructure elements. (All users)
- Performance levels for general users, consistent with market demand.
Metrics of acceptable performance are a balance between available technology
and the quality of service that the user is willing to pay for (e.g.,
timeliness, intelligibility, fidelity, etc.). (General users)
- Performance required to support NS/EP functions. Commercially available
features whenever possible but, if necessary, requiring performance that the
general market does not support. (NS/EP users)
Available Services. The property that authorized users can access and
use information or telecommunications services at any time.
- Maximum availability of services, even under conditions of stress.
Includes essential service for emergencies such as 911 service or notification
of firefighters and law enforcement authorities. Also includes services that
should not be interrupted, such as to hospitals or lifeline services to the
elderly or infirm. (All users)
- Assured telecommunications and information services for authorized NS/EP
users whenever and wherever needed. (NS/EP users)
Trust. Confidence in the protection of information handled by the NII.
- Privacy and confidentiality -- levels of protection consistent with
capabilities available from market demand and with the user's willingness to
pay for premium service. (All users)
- Integrity -- confidence that information is sent and received without
alteration. (All users)
- Non-repudiation -- confidence that information sent has been received
by the desired recipient and confidence in the identification of the sender of
information that has been received. (All users)
- Protection from unwanted information -- the capability to screen
offensive, nuisance, or other forms of unwanted information. (All
users)
Priority Treatment. The capability to manage the allocation of
information resources.
- Priority for essential services -- capability for emergency users to be
identified and given priority for service under emergency conditions.
(Essential users)
- Priority for NS/EP users -- capability to recognize authorized NS/EP users
and provide end-to-end priority treatment for the transmission of voice and
data information. (NS/EP users)
- Priority service provisioning and restoration -- process that requires
and legally authorizes vendors to initiate, modify, and restore
telecommunications and information services for NS/EP customers on a priority
basis. (NS/EP users)
Broadcast Information Dissemination.
- Emergency dissemination of information -- capability to deliver essential
or emergency information to the local public. (Local emergencies)
- Emergency broadcast capability -- capability to provide emergency
information to the nation via imagery, data, voice, or other means. (National
emergencies)
Protection of the Networks. Protection of the networks from threats to
loss of service and protection of network information.
- Defense against electronic attacks. (Protection of the networks)
- Defense against physical attacks -- appropriate to the threat,
vulnerability, and criticality of the network element. (Protection of the
networks)
- Mitigation against the consequences of procedural or human error.
(Protection of the networks)
- Protection of privileged network information (e.g., billing, personal
data). (Protection of the networks)
- Protected information support -- the capability to recognize and support
user-encrypted information. (Protection of the networks)
- Interoperable services -- the ability for users to effectively exchange
information independent of device and network. (Protection of the networks)
- Adoption of best practices and operating principles for reliable and
available services (e.g., automated user audit log). (Protection of the
networks)
Monitoring and Restoral. Capability to monitor the networks, rapidly
reconfigure the networks, and restore network failures.
- Monitoring. Ability to monitor the health of the interconnected diverse
networks. (Protection of the networks)
- Sustainable coordinating mechanism. An all-hazard industry/government
management mechanism to coordinate reconfiguration of networks or restoral of
information services in the event of failure. (Protection of the networks)
- Forum for the exchange of information among industry and government
organizations as necessary to foster reliable and secure information services.
(Protection of the networks)
- Real-time response capability for network failure or security incidents.
(Protection of the networks)
Management Mechanisms. Management mechanisms that permit and encourage
collaboration -- across industry and between industry and government -- to
ensure seamless, reliable, and secure services from a heterogeneous NII.
Government Leadership
National Policy. Consistent policy on information services
technology that both encourages competition and protects the nation's critical
interests -- in the international as well as domestic arenas.
- Effective policies and international agreements to protect the security,
privacy, and intellectual property of U.S. users of the global information
infrastructure.
- Effective policies that remove unnecessary impediments to open competition.
- Government initiatives, such as new procurement practices, which encourage
open, standards-based commercial information architectures and discourage
proprietary implementations.
- Advocacy of effective and timely standards that promote reliability and
security of information -- in both national and international standards
bodies.
Regulatory Policy. Effective and fair regulatory policies.
- Updated regulatory policies that are relevant to the restructured and
evolving information service industry.
- Fair and consistent performance metrics for end-to-end service that
address differing forms of multi-media services (e.g., voice, data, interactive
video).
- Balance between a policy to minimize regulatory obstacles and the need to
protect public safety, national security, and the nation's economic and
security needs.
Legal/Legislative Frameworks. Legal and legislative frameworks that
protect security and reliability of the NII.
- Language in telecommunications legislation that identifies and promotes
principles of reliability, availability, and security in information systems.
- Effective laws concerning computer crime, with mechanisms for enforcement
and punishment.