Building a Platform for Trustworthy Computing

Microsoft’s Government Security Program

Microsoft Corporation

Published: January 2003

Abstract

National governments and international organizations face more serious security threats than other technology consumers. In matters ranging from national defense to protection of citizens’ personal data, national governments and international organizations must place security at the forefront of their information-technology requirements. One way Microsoft is working to address these security challenges is through the Government Security Program (GSP), a global initiative that provides national governments and international organizations with access to Windows source code and other technical information they need to be confident in the security of the Microsoft Windows platform.

This paper provides customers with an overview of the GSP, the benefits of the program, and the specifics concerning the GSP Source Code License Agreement and Authorizations.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2003. Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, SQL Server, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction

What is the Government Security Program?

What the Government Security Program Means for Our Government Customers

Transparency

Partnership

Government Security Program Code Agreement and Authorization

The Government Security Program and Source Code Access

Summary: Putting the GSP into Action

Introduction

What is the Government Security Program?

National governments and international organizations face more serious security threats than other technology consumers. Microsoft recognizes that in matters ranging from national defense to protection of citizens’ personal data, public agencies must place security at the forefront of their information-technology requirements. The Government Security Program is one integral element in Microsoft’s efforts to address the unique security requirements of governments and international organizations throughout the world. It provides program participants with access to Windows source code and the technical information they need to be confident in the security of the Windows platform, and it fosters partnership between Microsoft and governments through increased interaction opportunities and customized guidance on projects identified by program participants. More than 60 countries and territories are eligible to enter into Government Security Program Source Code License Agreements and Authorizations with Microsoft.[1] Russia and NATO currently participate in the GSP. Additionally, we are in discussions with 20 countries, territories and organizations about their interest in the program. Ten governments or international organizations have either signed a GSP agreement or are about to sign one. It will be up to each government to announce its participation, and Microsoft will honor their confidentiality.

What the Government Security Program Means for Our Government Customers

The Government Security Program is one crucial element of Microsoft’s efforts to address the unique requirements of governments and international organizations around the world. The GSP provides program participants with information they need to be confident in the security of the Microsoft Windows platform. In 2001, Microsoft launched the Shared Source Initiative, expanding its long-standing efforts to make Windows source code more transparent to trusted partners and customers. In 2002, the company announced its Trustworthy Computing Initiative, placing security at the core of all Windows development efforts. The principles of these two critical directives are embodied in the GSP, which is built upon the cornerstones of transparency and partnership.

Transparency

Through the GSP, Microsoft offers program participants zero-cost online “smart-card” access to source code for the most current versions, beta releases and service packs of Windows 2000, Windows XP, Windows Server 2003 and Windows CE. In addition, subject to requirements such as U.S. export approval, qualified GSP participants may also obtain access to cryptographic code and development tools.

Access to the source code is provided via MSDN® Code Center Premium for the Government Security Program, an online resource that enables authorized government employees to access source code from approved locations. The service provides just-in-time access and the ability to browse, search and display code through a smart-card-based, Secure Sockets Layer connection. Feedback channels enable communication and collaboration with Microsoft professionals.

In addition to source access, the GSP provides transparency through an expansive disclosure of Microsoft technical information. This engineering-level understanding of Windows architectural design as it relates to security imparts greater insight regarding the platform’s integrity and enhances the government’s ability to design and build demonstrably secure computing infrastructures.

Partnership

The GSP fosters partnership between the program participant and Microsoft based on mutual trust and fortified through ongoing interaction, collaboration and information exchange. As part of the program, representatives of participating government agencies may opt to visit Microsoft development facilities to review various aspects of Windows source-code development, testing and deployment processes, to discuss existing and potential projects with Microsoft security experts, and generally to interact with Microsoft staff. For the government participants, this represents an occasion for gaining valuable insights into Windows security. For Microsoft, the visit offers an invaluable opportunity to receive feedback from agency representatives. Visiting agencies will be asked to outline specific projects and objectives prior to arrival, so that Microsoft can best develop a customized, rewarding itinerary.

The GSP also engenders opportunities for cooperation with Microsoft on projects identified by the participating government agencies in their GSP Authorizations (discussed below). The relationship of trust cultivated in the course of GSP participation, moreover, serves as a solid foundation for future technical collaborations in furtherance of designing, developing and implementing an optimally secure government computing environment.

Summarizing, the GSP affords national governments and international organizations the following benefits:

Online access to source code for the most current versions, beta releases and service packs of Windows 2000, Windows XP, Windows Server 2003 and Windows CE;

Engineering-level understanding of Windows architecture through expansive disclosure of Microsoft technical information;

Enhanced ability to conduct security and privacy audits and to design, build and maintain demonstrably secure computing environments;

Improved troubleshooting and systems-optimization capabilities;

Access to cryptographic code and development tools, subject to U.S. export regulations;

Communication and collaboration with Microsoft security professionals; and

Opportunities for visits by agency representatives to Microsoft development facilities in Redmond, Washington.

Government Security Program Code Agreement and Authorization

The GSP Source Code License Agreement (or, simply, the GSP Agreement) establishes the legal framework for participation in the Government Security Program. It is the means by which Microsoft extends source-code access and other GSP benefits to the participating country or territory, while protecting the valuable intellectual property rights that have fostered innovation throughout the software industry for more than a quarter-century. The GSP Agreement’s terms are straightforward, deliberately avoiding endless pages of complex, legalese provisions. They are also uniformly applied among participating nations.

The GSP Agreement establishes a standard three-year relationship, and sets forth all the basic elements of program participation. It describes the available types of license grants to access and use Microsoft source code, and establishes certain limitations to those grants. It defines the process of smart-card access via MSDN Code Center Premium for the Government Security Program. It also provides for protection of government information and Microsoft intellectual property, and invites feedback and communication. The GSP Agreement’s terms apply both to employees and to approved agency contractors, and the document takes effect upon the signing of at least one project-oriented GSP Authorization.

To facilitate coordination of the government security review, where convenient for the participating government or international organization, the GSP Code Agreement envisions a single national government division or authority as the sponsoring agency within each participating nation. This agency executes the three-year GSP Code Agreement and may conduct the security review on behalf of the national government. The sponsoring agency has direct access to MSDN Code Center Premium for the Government Security Program, and may authorize other government agencies for annual, project-specific source-code access during the term of the GSP Agreement. Within such project-specific authorizations, Microsoft-approved contractors of sponsored agencies may be afforded code-access privileges identical to those of authorized agency employees.

The GSP Authorization establishes the license grant and more specifically defines each security project launched under the GSP by the sponsoring agency or any agency it has authorized. It is executed by the agency undertaking the project. The term of a GSP Authorization is one year, and is renewable. There is no fee associated with an Authorization unless it is warranted by the particular requirements and circumstances of the project. The GSP Authorization defines the specific purpose for the agency’s license to access and use Microsoft source code, and identifies the products and government facilities that will be involved in the project.

The Government Security Program and Source Code Access

The IT security needs of national governments and international organizations are pronounced. They demand IT products and systems that are secure and can protect data against loss or unauthorized use, disclosure, or modification. When they make IT purchase decisions, security considerations must necessarily be at the forefront of their information-technology requirements. In talking with these customers, we were told that a program providing both access to source code and other technical information about the Windows platform, as well as increased opportunities to collaborate on IT security issues with a company like Microsoft, would help them address that concern. It is because of this customer feedback that we created the Government Security Program, and in doing so demonstrated our commitment to making Windows source code more transparent to customers and to increasing customer trust in the security both of our products and of the IT industry generally.

Summary: Putting the GSP into Action

To reiterate, one of the key tangible benefits of the Government Security Program is that it provides national governments and international organizations with both source access and technical information about the Microsoft Windows platform, better enabling participating governments to design, build, deploy and maintain secure computing environments. It is this, together with the opportunity to partner closely with Microsoft to conduct deep security reviews of our products, that is driving interest in the program.

Microsoft looks forward to helping governments and international organizations respond to today’s unprecedented security challenges. Through the GSP, key public agencies have specific resources available to them, resources that facilitate the development and implementation of secure computer systems.

Additional questions concerning the Government Security Program should be directed to the Microsoft GSP Team at .

See the following resources for further information

[1] GSP eligible countries include Argentina, Australia, Austria, Belgium, Bulgaria, Brazil, Canada, Chile, China, Colombia, Cyprus, Czech Republic, Denmark, Egypt, Estonia, Finland, France, Germany, Greece, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Jordan, Korea, Kuwait, Latvia, Lebanon, Lithuania, Luxembourg, Malaysia, Malta, Mexico, Netherlands, New Zealand, Norway, Peru, Philippines, Poland, Portugal, Romania, Russia, Saudi Arabia, Singapore, Slovakia, Slovenia, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Thailand, Turkey, United Arab Emirates, the UK, US, and Venezuela. This eligibility list is dynamic and continuing to expand. Countries not currently on the eligibility list that are interested in participating in the program may contact their local Microsoft office. A small number of countries, including Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria, are subject to U.S. trade embargoes, and necessarily are not eligible.