Information Security News mailing list archives

NSA, DOD push Common Criteria for civilians


From: InfoSec News <isn () c4i org>
Date: Thu, 18 Sep 2003 00:38:45 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.fcw.com/fcw/articles/2003/0915/web-secure-09-17-03.asp

By Diane Frank 
Sep. 17, 2003

If civilian agencies join the national security community in limiting 
technology purchases to items that have gone through independent 
evaluation, it could spur vendors to submit more products for 
certification, officials testified today before a House subcommittee.

The national security community and the Defense Department already 
require any product with a security component, from a firewall to an 
operating system, to go through an independent evaluation that 
includes the Common Criteria, a set of tests to make sure that 
security-related products actually perform the way a vendor states. 

As agencies come together to use the Common Criteria to craft 
protection profiles — descriptions of security characteristics an 
agency would like for its IT components — the number of certified 
products is increasing. The trend would move even faster if civilian 
agencies were to join in the demand, said Michael Fleming, chief of 
the Information Assurance Solutions Group in the National Security 
Agency's Information Assurance Directorate.

Fleming testified before the House Government Reform Committee's 
Technology, Information Policy, Intergovernmental Relations and the 
Census Subcommittee. NSA and the National Institute of Standards and 
Technology formed the National Information Assurance Partnership to 
oversee the Common Criteria evaluation. 

But civilian agencies only consider the Common Criteria as a 
recommended rather than required factor in technology purchases, and 
many have said there is a shortage of products that have gone through 
the evaluation. 

There are still many questions about the effectiveness and potential 
role for the Common Criteria evaluation, but increasing the market by 
bringing in the civilian agencies will only help, said Robert Gorrie, 
deputy director of the Defensewide Information Assurance Program.

"The number of systems that are being evaluated, although sufficient 
right now, needs to be much, much higher," he said.

The Bush administration's National Strategy to Secure Cyberspace, 
released in February, proposed a full review of the effectiveness of 
the Common Criteria requirement in the national security community and 
a study of the potential for expanding the requirement to the rest of 
government. 

DOD is now conducting the initial review with the Homeland Security 
Department, Gorrie said. Unofficially, DOD experts have found that 
including the requirement in a larger information assurance policy 
helps to push security to the development end of a system's lifecycle 
so less patching is necessary, he said. 

The effects save time and money. And by encouraging well-engineered 
products, the hope is that fewer patches will need to be issued in the 
future, said J. David Thompson, director of the security evaluation 
laboratory at CygnaCom Solutions, an Entrust company and one of the 
NIAP-certified labs.

Common Criteria satisfies the specific task of assuring an agency that 
the product does what the vendor says it will do, said Ed Roback, 
chief of the Computer Security Division at NIST. However, the 
evaluation must be paired with further testing and policies, such as 
system-level certification and accreditation, that check how the 
product works within an agency's specific network environment, he 
said.


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*
