IDS mailing list archives

Re: [IDS] IDS Common Criteria


From: Randy Taylor <gnu () charm net>
Date: Tue, 07 Jan 2003 15:22:38 -0500

At 09:15 AM 1/7/2003 -0500, Frederick M Avolio wrote:

Outside Government and Military circles where I can see Common Criteria
Certification being extremely useful, how valuable is it, i.e. within the
financial sector etc.? More importantly, what are its failings?

CAVEAT: My direct knowledge of the CC is about 2 years old. Maybe things are better. I doubt it.

[snippage]

From "National Security Telecommunications and Information Systems Security
Policy (NSTISSP) No. 11, Subject: National Policy Governing the Acquisition of
Information Assurance (IA) and IA-Enabled Information Technology (IT) Products
is issued by the National Security Telecommunications and Information
Systems Security Committee (NSTISSC)"

http://niap.nist.gov/cc-scheme/nstissp_11.pdf


"Effective 1 January 2001, preference shall be given to the acquisition of
COTS IA and IA-enabled IT products (to be used on systems entering,
processing, storing, displaying, or transmitting national security information)
which have been evaluated and validated, as appropriate, in accordance with:
- The International Common Criteria for Information Security Technology
Evaluation Mutual Recognition Arrangement;
- The National Security Agency (NSA)/National Institute of Standards and
Technology (NIST) National Information Assurance Partnership (NIAP)
Evaluation and Validation Program; or
- The NIST Federal Information Processing Standard (FIPS) validation
program."

and

"By 1 July 2002, the acquisition of all COTS IA and IA-enabled IT products
to be used on the systems specified in paragraph (6), above, shall be limited
only to those which have been evaluated and validated in accordance with the
criteria, schemes, or programs specified in the three sub-bullets."

A clarification to NSTISSP No. 11 is also available at NIST:

http://niap.nist.gov/niap/library/20020215memo.pdf


Is Common Criteria useful? I don't see how it is.

Fred

If you sell IT security products into the U.S. Government, like IDS, firewalls,
or crypto, or are a U.S. Government purchaser of same, the usefulness of
Common Criteria isn't a debatable topic anymore.

Best regards,

Randy
