Hi barge,
Adding various bits of information together, here's what I think is going on. Just my speculations:
The DoD is in a rush after the Lockheed incident. They want harder protection than they had. They are pushing for as fast a timeline as they can get.
NIST is accommodating DoD by writing specs which protect the BIOS in particular - I suspect this tells you that this is how Lockheed (and other defense assets) were penetrated.
The initial BIOS security specs (I'll call them specs, but they might otherwise be called standards) issued by NIST were rather abstract and therefore a little indefinite. They talked about Roots of Trust Units but didn't really say what they meant by it - TPMs were mentioned as an example once in the paper, and that was it.
The second set of draft specs issued recently clarified the meaning of the Root of Trust and defined it to meet mostly TCG (or equivalent) standards. I'm not aware of any equivalents in the PC space.
To accommodate DoD's requirement for swift action, the review timeline on this draft was restricted. DoD was pushing for a solution by the New Year, but NIST was simply unable to make its procedures run any faster. It has given a short period for feedback to late January and then will issue a final version of its draft specs in the aftermath of that. Let's say that takes us to the end of March for final specs.
Wave meanwhile built its WEM product in line with the first set of NIST specs and produced its archetypal product on September 20, 12 days after the DoD produced its 1 January 2012 timeline. Wave said it expected to have its product released by year-end. Coincident timelines.
NIST sought Wave's help in producing the second set of draft specs. Meanwhile, Wave has been testing WEM and possibly piloting it with a government agency. Perhaps that agency is the DoD's cybercommand, which is my speculation on NW's NSA post.
Wave is also testing the product with the systems integrators and hopes to release a preliminary version by year-end, in line with the DoD's New Year timeline. This version will be tested in real world scenarios by the DoD and the SIs between January and March, following the 1 January 2012 DoD timeline. Both SKS and the NW memo suggest that SIs come first, so the first major adoption news is likely to come from the SIs.
Wave's final version of WEM will be readied in accordance with NIST's finished specs (ready by end of March) and its experience in the field with the DoD and SIs (in Q1, 12). This places the final version of WEM in the April-June period identified by NW as the target date for adoption. Once final WEM is available, adoption will be done swiftly and universally within DoD. The timeline limitation on adoption will depend upon WEM and Wave's other software playing nice with other DoD and SI systems.
In switching on TPMs, which WEM implies, the DoD will also have a need for ERAS. So I would guess Wave is (or has) testing this with DoD as well - perhaps this is what Wave's consultancies with the DoD have been about. And then I suppose that the DoD may also be using SEDs in a large chunk of its equipment going forwards as well, as this is an efficient and secure way to run encryption and to ensure machines can be run with a variety of OSs which are secured in a pristine condition.
That's the scenario I see for Wave. Other companies' participation would depend upon their being able to reproduce what Wave has in a hurried timeline. So the trust software must work with various sorts of PCs, Windows, TPMs, BIOS, SEDs, smart cards etc. and must include chip software, client software, remote administration, endpoint monitoring and suchlike, and must be market tested on a large scale (a la GM and BASF), and must be available by Q2, 2012.
Good luck to the competition. I'm placing my bet on Wave.
AI
