FAA puts Common Criteria to work

Officials at the Federal Aviation Administration had been aware of Common Criteria for years, but it was not until Marshall Potter joined the staff in 2000 as chief scientist for information technology in the chief information officer's office that the work really got started.

In January 2001, Potter launched an effort to apply Common Criteria to the management of the National Airspace System (NAS). Using Common Criteria, the FAA has created a template to help define the security requirements in the solicitations for each piece of this "system of systems," Potter said.

"The whole intent is to get complete and understandable requirements for the systems," said Joe Veoni, principal information security engineer in the communications and information systems department of Mitre Corp.'s Center for Advanced Aviation System Development. Mitre, a nonprofit organization that performs federally funded research, is part of the team working on the NAS protection profile template.

This approach made more sense than simply replicating the Defense Department mandate for national security organizations, Potter said.

In the national security community, priorities include maintaining confidentiality and controlling access to information. Most civilian agencies' top priorities are ensuring the integrity and availability of information. The different priorities require different approaches when it comes to defining security requirements, Potter said.

"There are those of us who need trusted systems, but we're not focused on security. We're focused on mission," he said.

Potter's team evaluated the threats to NAS and outlined the system's high-level security requirements — such as high integrity and high availability — and matched them up with the Common Criteria standard to develop the template. The team then brought in FAA program managers and acquisition officials to help make sure the template could be understood and used by the people who would actually be developing the solicitations.

The FAA released Version 1 of its template in March and is testing it on two project solicitations — the next version of the Controller Pilot Data Link wireless communications system and the En Route Automation Modernization program.