NIST clears security certification tests

The National Institute of Standards and Technology last week authorized the creation of a program that will provide a list of internationally certified commercial information security products for federal agencies.

The National Voluntary Laboratory Accreditation Program (NVLAP) for Information Technology Security Testing will evaluate laboratories nationwide for compliance with the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme. The scheme tests how security products meet certain government standards.

NIST and the National Security Agency established the scheme and NIAP to serve as a centralized, trusted source for agencies to turn to for security products and services. The IT security products tested by the labs will be evaluated by NIAP and published to the group's list of products with a certificate of validation.

Agencies then will be able to choose products from the list, knowing that the products have been tested and approved by a trusted government organization.

"It will provide a common, recognized source," said Arnold Johnson, deputy director of the Common Criteria Evaluation and Validation Scheme body at NIST. "[Agencies] will have a level of assurance."

NIAP also had begun working on an agreement - the Common Criteria Mutual Recognition Agreement - with similar organizations in five countries, including the United Kingdom, Canada and France, to ensure that the standards are recognized across the globe.

Officials hope that adding products to the validated list will push agencies to beef up security in computer systems, said Keith Rhodes, director of the Office of Computer and IT Assessment within the Accounting and Information Management Division at the General Accounting Office.

"You're able to add to the common criteria a set of tools that have been certified by an accredited federal agency," he said. "It's an important step."

But if a product is listed, agencies should not necessarily believe the product will serve their needs, he said. "The concern that I have is that people interpret certification as a blanket OK allowing them as a user and a buyer to abdicate bringing any brainpower to the procurement process," Rhodes said. "You still have to have people involved."

NIST also wants to make it clear that each agency needs to have a qualified person carefully choose from the products on the list to make sure that the product really fits the agency's environment and needs.

"No one can assure you that every product, every time, everywhere is perfect," said Jeffrey Horlick, senior program manager for the IT Security Testing LAP. "This only says that it has been through a known process."

"The end user needs to...look at the report [from the lab] and review the techniques that were used to test the product to determine if [the product meets] their needs," Johnson said. "We have reached a certain level of assurance that's defined, but if they use it in an environment that's different than the one we defined, or they use it in an environment with a different level of assurance than what we determined, then it will not meet their needs."

The labs will be evaluated periodically for re-accreditation by NVLAP. Those labs also will continually test new products and new versions of products, benefiting agencies and vendors.