Common Criteria: Ready for prime time?

NIAP

Officials at the Defense and Homeland Security departments are reviewing the effectiveness of a requirement to limit technology purchases to items that have gone through independent evaluation, the first step toward determining whether to extend that requirement governmentwide, officials said earlier this month.

The national security community and DOD already require that any product with a security component — from a firewall to an operating system — go through an independent evaluation that includes the Common Criteria, a set of tests to make sure that security-related products perform the way a vendor says they will.

That procedure started with National Security and Telecommunications Information Systems Security Policy 11, issued in 2000, but did not actually take effect until July 2002, so that agencies and industry would have a chance to prepare.

However, not enough products have gone through the evaluation and many agency officials do not understand how Common Criteria tests fit in with a complete security strategy, said Robert Gorrie, deputy director of the Defensewide Information Assurance Program.

DOD officials are now conducting the initial review with DHS officials, Gorrie said. Unofficially, DOD experts have found that including the requirement in a larger information assurance policy helps push security to the development end of a system's life cycle so less patching is necessary, he said.

As agencies come together to use the Common Criteria to craft protection profiles — descriptions of security characteristics an agency would like for its information technology components — the number of certified products is increasing. So far, 21 profiles are available, with 31 more under development, and "the demand trend there is encouraging," said Michael Fleming, chief of the Information Assurance Solutions Group in the National Security Agency's Information Assurance Directorate.

NSA and the National Institute of Standards and Technology formed the National Information Assurance Partnership (NIAP) to oversee the Common Criteria evaluations.

The trend would move even faster if civilian agencies joined in the demand because it would be easier for vendors to justify going through the long and expensive evaluation process, Fleming said.

One fairly easy way civilian agencies could join the demand is to get involved in writing protection profiles that multiple agencies need, said Mary Ann Davidson, chief security officer at Oracle Corp. The more agencies that say they would use products evaluated against a particular protection profile, the more likely vendors would be to aim for those specific requirements, she said.

However, agencies need to be careful not to make their protection profiles a wish list, Davidson said, because vendors are seeking to put existing products through the evaluation, not to build new ones.

The approach saves time and money. And by encouraging well-engineered products, the hope is that fewer patches will need to be issued in the future, said J. David Thompson, director of the security evaluation laboratory, an NIAP- certified lab, at CygnaCom Solutions, an Entrust company.

However, agency officials need to keep in mind that Common Criteria tests satisfy only the specific task of assuring an agency that the product does what the vendor says it will do, said Ed Roback, chief of NIST's Computer Security Division. The evaluation must be combined with further testing and policies, such as system-level certification and accreditation, that check how the product works within an agency's specific network environment, he said.

The evaluation that DOD and DHS are now performing includes an examination of how DOD officials use the Common Criteria as one measure in their information assurance policy. "This is all about making sure a security product actually is secure and is doing it's job," Gorrie said.

Secure configuration guides are also a critical part of the security equation, because even the best product could have many vulnerabilities if it is not properly placed within a network, Gorrie said.