12 October 1997
Source: http://www-tradoc.army.mil/dcsim/browser.htm

See related news story on Netscape contract with DoD: http://jya.com/cn101097.htm

                          INFORMATION PAPER

                                                       Mr. Onasch
                                                       30 October 1996

SUBJECT:  Internet Browser Security

ISSUES:  TRADOC Personnel are currently unable to adequately protect
sensitive information when using Web Browsers.


     a.  For the purpose of this paper, security will have two
categories, "classified" and "unclassified but sensitive".  Classified
is confidential and higher.  Unclassified but sensitive is anything
lower than confidential, such as For Official Use Only (FOUO).

     b.  The source of the information in this paper was obtained
primarily from the National Security Agency (NSA).  The NSA person
contributing was Mr. Rob Dobry of the Network Security Group.

     c.  Currently there are no NSA certified WWW Browsers that are
certified for either category mentioned above.

     d.  For unclassified but sensitive information, Netscape has
been working with NSA, as part of the Multilevel Information System
Security Initiative (MISSI) Program, to satisfy NSA requirements
for development of a secure web browser that NSA can certify in
this category.  The group in NSA that has been working with Netscape
is the Network Security Group.  Their proposed solution is based on
use of Fortezza card technology.  In November NSA expects to certify
Netscape Navigator 3.0 for "unclassified but sensitive" use.  Lower
level Netscape releases will not be certified.  Although Microsoft
has not been working as closely with NSA, NSA expects to certify
Microsoft Internet Explorer for "unclassified but sensitive" use
sometime in November.  Microsoft Explorer will also use Fortezza card

     e.  NSA's target data for certification of a secure web browser
is FY98.

     f.  "Fortezza" is a registered trademark held by the NSA.  In
practice, it is a term used to describe a family of security products.
This family includes PCMCIA-based cards, compatible serial port
devices, combination cards (e.g., Fortezza/Modem and Fortezza/Ethernet),
server boards, and others.  "Fortezza-enabled" or "Fortezza Certified"
are terms applied to other hardware and software products that have had
Fortezza security integrated. Examples include E-Mail, File Encryptors,
WWW browsers, databases, digital cellular telephones, and routers. 

     g.  The MISSI Program develops standards, protocols and
interfaces that define a cohesive security architecture for an
evolving set of security solutions.


Use of Fortezza cards is cost prohibitive because the majority of
PC's within TRADOC do not have the PCMCIA card readers.  Therefore,
until TRADOC PC configurations commonly support use of Fortezza cards,
recommend TRADOC installations continue to restrict information
access as appropriate. 


     a.  General information brochure on MISSI "Green Booklet" -

     b.  Fortezza specifications - Application Guide information - 
Interface Control Document - http://www.armadillo.huntsville.al.us/

     c.  Army DMS Home Page, PC Card Reader Compliance-Information -

     d.  SCC - info on SNS, MISSI, Fortezza - http://www.sctc.com/

     e.  NSA home page - http://www.nsa.gov:8080//

     f.  LJL Products - http://www.ljl.com

     g.  Rainbow Series, Common Criteria, Evaluate Products -

DCSIM Homepage search