[ISN] NSA, DOD push Common Criteria for civilians

From: InfoSec News (isnat_private)
Date: Wed Sep 17 2003 - 22:38:45 PDT


    Forwarded from: William Knowles <wkat_private>
    By Diane Frank
    Sep. 17, 2003

    If civilian agencies join the national security community in limiting
    technology purchases to items that have gone through independent
    evaluation, it could spur vendors to submit more products for
    certification, officials testified today before a House subcommittee.

    The national security community and the Defense Department already
    require any product with a security component, from a firewall to an
    operating system, to go through an independent evaluation that
    includes the Common Criteria, a set of tests to make sure that
    security-related products actually perform the way a vendor states.
    As agencies come together to use the Common Criteria to craft
    protection profiles (descriptions of security characteristics an
    agency would like for its IT components), the number of certified
    products is increasing. The trend would move even faster if civilian
    agencies were to join in the demand, said Michael Fleming, chief of
    the Information Assurance Solutions Group in the National Security
    Agency's Information Assurance Directorate.

    Fleming testified before the House Government Reform Committee's
    Technology, Information Policy, Intergovernmental Relations and the
    Census Subcommittee. NSA and the National Institute of Standards and
    Technology formed the National Information Assurance Partnership to
    oversee the Common Criteria evaluation.

    But civilian agencies only consider the Common Criteria as a
    recommended rather than required factor in technology purchases, and
    many have said there is a shortage of products that have gone through
    the evaluation.

    There are still many questions about the effectiveness and potential
    role for the Common Criteria evaluation, but increasing the market by
    bringing in the civilian agencies will only help, said Robert Gorrie,
    deputy director of the Defensewide Information Assurance Program.

    "The number of systems that are being evaluated, although sufficient
    right now, needs to be much, much higher," he said.

    The Bush administration's National Strategy to Secure Cyberspace,
    released in February, proposed a full review of the effectiveness of
    the Common Criteria requirement in the national security community and
    a study of the potential for expanding the requirement to the rest of
    DOD is now conducting the initial review with the Homeland Security
    Department, Gorrie said. Unofficially, DOD experts have found that
    including the requirement in a larger information assurance policy
    helps to push security to the development end of a system's lifecycle
    so less patching is necessary, he said.

    The effects save time and money. And by encouraging well-engineered
    products, the hope is that fewer patches will need to be issued in the
    future, said J. David Thompson, director of the security evaluation
    laboratory at CygnaCom Solutions, an Entrust company and one of the
    NIAP-certified labs.

    Common Criteria satisfies the specific task of assuring an agency that
    the product does what the vendor says it will do, said Ed Roback,
    chief of the Computer Security Division at NIST. However, the
    evaluation must be paired with further testing and policies, such as
    system-level certification and accreditation, that check how the
    product works within an agency's specific network environment, he

    "Communications without intelligence is noise; Intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    Help C4I.org with a donation: http://www.c4i.org/contribute.html

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Sep 18 2003 - 01:18:23 PDT