New hopes for a security lockdown

Beginning July 1, the Defense Department will require a broad group of commercial software suppliers to evaluate their products using a standard known as Common Criteria. Products that fail to pass Common Criteria muster, according to DOD, cannot be sold to the department.

Pentagon officials hope the criteria will give new life to their efforts to close security holes in systems that are created using commercial products. Too often, government agencies buy security problems, experts say, by purchasing commercial products with inherent or potential security flaws. The policy could have broad ramifications, because it is not directed just at information assurance products, such as firewalls or intrusion-detection systems, but at any "information assurance-enabled products" such as Web browsers, operating systems and databases.

An international group developed the Common Criteria guidelines, which provide a standard methodology for evaluating products and uncovering problems. After eight years of use around the world, the standard is being promoted by experts as one of the best ways to make agencies and companies more confident about the products they buy.

Of course, a standard is only as good as its enforcement. Earlier efforts to enforce security standards in commercial products generally failed because vendors did not see a commitment to such standards by agencies, even in security- conscious DOD.

But that appears to be changing. John Gilligan, the Air Force's chief information officer, noted that DOD is taking information assurance much more seriously. "There is no doubt about that," he said.

Government agencies outside DOD are not taking the same hard-line approach to Common Criteria. But with the increasing security consciousness in civilian agencies, the standard is starting to have the impact its creators intended.

"We think the Common Criteria, just by the nature of what it is, will take a foothold in becoming the standard for information security products," said Ron Ross, director of the National Information Assurance Partnership (NIAP), the U.S. government's lead organization for the standard. NIAP is a collaboration between the National Institute of Standards and Technology and the National Security Agency.

Marshaling Support

The international community developed Common Criteria in 1996 to improve standards efforts in Europe and the United States, including DOD's Trusted Computer System Evaluation Criteria.

That standard, more commonly known as the Orange Book, fizzled after a lack of demand within DOD eventually led to general disinterest on the part of industry leaders, which in turn extinguished any momentum there had been.

Proponents of Common Criteria believe it will avoid that fate. DOD's tough policy is a good start. With the Orange Book, DOD granted so many waivers that vendors stopped taking the process seriously, observers say. In contrast, DOD has not issued any waivers under Common Criteria.

The outlook for Common Criteria in the federal government improved in January 2000 with the National Security Telecommunications and Information Systems Security Policy 11.

The policy requires all national security organizations within the federal government to use Common Criteria to evaluate information assurance products by July 1. And top DOD officials and House Armed Services Committee members say there will be no easy waivers this time.

"This is a very, very important goal that we hope to see realized," said Robert Lentz, director of the DOD Information Assurance Directorate, at a conference for Wall Street analysts last month.

Furthermore, the provision could end up having the force of law. The House version of the Defense authorization bill, passed last month, included a provision that would require DOD to buy certified products.

The situation is different among civilian agencies. Although NIST has issued guidelines encouraging agencies to use Common Criteria, there's no mandate.

But agencies are beginning to include the standard in their own security policies. Most experts consider the Federal Aviation Administration to be at the front of the pack because of its clearly stated policy and newly completed guidelines for developing systems acquisition requirements based on Common Criteria (see "FAA puts Common Criteria to work," Page 24).

Although the FAA and other agencies will likely not duplicate the DOD model, DOD's policy could make it easier for the standard to be commonly accepted. "There could be a very positive ripple effect," NIAP's Ross said.

The international angle of Common Criteria should also help. Participating countries have agreed that certifications given by one country will be recognized by the others. Not only will this speed the availability of certified products, it will also create a broad market that should spark interest among software vendors.

Members of that arrangement include the United States, Australia, Canada, France, Germany and the United Kingdom, among others.

Earning Trust

Still, as DOD's July 1 deadline approaches, industry vendors are waiting to see how the new rule plays out.

Some vendors, having spent years and millions of dollars to get their products certified, are concerned that DOD will not follow through on its own policy.

Mary Ann Davidson, chief security officer for Oracle Corp., noted that when DOD was using the Orange Book, many vendors avoided the rigors that come with getting NIAP certification and sought waivers instead.

DOD must make security a top priority in buying decisions because it is difficult to add security later if it is not built into a product from the start, she said.

Despite the impending deadline, the DOD policy has gone almost unnoticed in some corners, even though it could have broad implications for information technology buys. Several large IT integrators, when called for comments, were unfamiliar with the policy.

John Lainhart, a partner with PwC Consulting who heads the company's information assurance sector, said that although he was not surprised, he found the lack of knowledge frightening.

And just weeks before the policy is supposed to take effect, there are still significant unanswered questions.

"This is not a new process," said Shannon Kellogg, vice president of information security programs for the Information Technology Association of America, an industry group. But he noted that ITAA and its vendors are still waiting for additional guidance from DOD about the policy.

Perhaps the preeminent concern among DOD organizations is the very real possibility that they will have a limited selection of products to choose from in some technology areas.

"In some cases, there is only one product," Gilligan said. "In other cases, there may not be any products."

DOD has formulated a process that enables Defense organizations to buy products that are not NIAP certified if they are going through the certification process, said Eustace King, technology team leader for the Defensewide Information Assurance Program.

However, one former senior government IT executive, who spoke on the condition on anonymity, warned that certification is not the be-all and end-all because it only covers a particular version of a product.

"As soon as they change the code or add new features, that all changes. Plus, it has to do with how they configure the box," the former executive said. "This is only assurance at the time it was evaluated."

Even if products are certified, it will be even more important that they are integrated correctly, Lainhart said.

"Each package by itself may have information assurance integrity," he said. "When you put them all together, you need to make sure that they maintain that integrity."

Gilligan said that the Air Force will be working to implement the policy. "We're going to try to make this work," he said. But he suggested that the model DOD is using — establishing criteria and then mandating that products meet those criteria — may not work in the long run.

"Is there a way to make this less costly to the vendors with less [DOD] oversight?" he asked. One possibility would be to establish security standards sponsored by government and industry.

It was because of concerns about how the Common Criteria policy would play out that the House Armed Services Committee decided to include the policy in legislation.

Committee members have long been concerned about DOD not adhering to its own policies, one staff member said. "When [a policy] gets 'waivered' to death, it just has no credibility," the staff member said.

In general, past DOD policies have not been implemented in a cohesive manner, the staff member said, and the committee has not seen many details about how DOD is going to implement this policy.

Generating Awareness

If awareness of Common Criteria in the Defense community is low, it is even worse in civilian agencies.

"Everyone has become sensitized to the importance of information security, but I don't think there is enough sensitivity to the Common Criteria within civilian agencies," said Craig Janus, vice president of the Center for Information Systems at Mitretek Systems, a nonprofit company that provides technical expertise to the government.

"The CIOs are not saying, 'No, we don't want to hear about it.' They're saying, 'What the hell is it?'" Janus said of the reaction when his center works with civilian agencies on the standard.

NIAP officials realize they must address this failure.

"We have not done a good enough job of doing the marketing on this whole policy, and now we're faced with kind of a catch-up situation," Ross said.

NIAP officials have done the usual circuit of conferences, meetings and talks, he said. But in the past, other concerns took agencies' attention away from information security. And even now that the focus on security is increasing, Common Criteria is "really not on their radar scope yet."

DOD's emphasis on security should help to a certain extent, but experts fear it could be short-lived, lasting only until the deadline passes, and that it could be ignored by those who believe national security concerns could never apply to them.

Common Criteria "needs to get to the point where people, by default, include it in their planning," Mitretek's Janus said.

However, according to several commercial security consultants, even when awareness is there, Common Criteria guidelines are often too complex and daunting for most users to understand.

"If they want to establish real security guidelines, they have to have clear, easily understood statements that anyone could follow," said one consultant, who asked not to be named.

One hope is that homeland security will raise awareness of Common Criteria along with the rest of information security, Janus said.

NIAP has started a new project aimed specifically at this issue, developing protection profiles — which outline user requirements for evaluating products — for many of the key technologies agencies are using, including operating systems, firewalls, biometric tools and public-key infrastructures.

NIST and NSA will develop two or three protection profiles for each technology area, defining basic, extended and advanced protection levels, Ross said. Different agency applications will need different levels of assurance, but if everyone uses the same protection profiles, it will increase the confidence that the evaluated products will satisfy their particular needs, Ross said.

The project, led by NIAP senior technical adviser Stuart Katzke, has working groups for each technology area and assurance level. The groups include people from every community in government to ensure that the protection profiles will reflect the requirements of various agency users, Ross said.

Some agencies are already interested.

Ron Miller, CIO at the Federal Emergency Management Agency, said he only recently came across Common Criteria but is very interested in seeing how the standard can help his agency and the entire government.

"Any time you have a standard to which manufacturers can build and customers can buy, you increase the probability of increasing security within the organizations," Miller said.

As the CIO Council's security liaison, "I would like to do a serious evaluation of Common Criteria," he said. "If there are merits to it, and people just haven't had the time to sit down and address them, that is a service the council could provide."

This is part of a larger effort he hopes to lead within the council to investigate existing capabilities across government for raising the level of security, he said.

Miller also said he will talk with Office of Management and Budget officials and other leaders in the federal IT management community to find out why Common Criteria has not come up more often, even though interest in security standards spiked during the past two years with the increase in widespread computer viruses and the focus on homeland security.

Within FEMA, Miller has asked his chief security officer, Steve Schmidt, to look at the standard and find potential uses for it at the agency. Schmidt is expected to finish a report on the subject by the end of June, Miller said.

NIST is also in the middle of a major project that could have a lasting impact on agencies' awareness and use of Common Criteria, fitting it into their security policies through the oversight process, Ross said. As the lead information security source for civilian agencies, NIST develops several "special publication" guides every year.

By the end of June, a new publication will be available that outlines a governmentwide security certification and accreditation process, based on Common Criteria. This new process will ensure that all systems, even those that include evaluated products, provide the appropriate level of security within an agency's network, Ross said (see related story, Page 42).

And in September, the FAA and contractor Mitre Corp., a nonprofit, federally funded research organization, will sponsor a workshop on Common Criteria, said Joe Veoni, principal information security engineer in the communications and information systems department of Mitre's Center for Advanced Aviation System Development.

At the workshop, FAA and Mitre officials will promote the idea of adopting Common Criteria across government, using the FAA template to demonstrate the benefits of the standard, Veoni said.

A better understanding of how Common Criteria can be used to further security efforts in an agency's services and mission is crucial in the coming months if the standard is going to become a useful tool for civilian agencies, said Marshall Potter, the chief scientist for IT in the FAA CIO's office.

"The difficulties that are associated with the Common Criteria from a civilian agency perspective is that our business is not only security, we have a mission requirement," and the use of Common Criteria must fit into that environment, he said.

***

Defining common ground

Common Criteria will provide a standard that will enable users to define functional requirements for security- enabled products and systems, and allow vendors to define assurance requirements for their products and development methods.

Users create protection profiles to outline requirements that vendors' products can be tested against, such as data integrity, user access and authentication.

Developers create security targets to define their products' features and the steps they take to develop a secure product, such as configuration management, guidance documents and life cycle support.

There's a caveat, experts warn: A system or network composed of evaluated products will not ensure a secure system. Under Common Criteria, each product is evaluated independently, not based on how it fits or works with other products. So all products must be used within an overarching security plan and must be evaluated again as part of the larger system or network.