NSA, DOD push Common Criteria for civilians
The security and defense community wants civilian agencies to require that all their IT products pass Common Criteria tests.
If civilian agencies join the national security community in limiting technology purchases to items that have gone through independent evaluation, it could spur vendors to submit more products for certification, officials testified today before a House subcommittee.
The national security community and the Defense Department already require any product with a security component, from a firewall to an operating system, to go through an independent evaluation that includes the Common Criteria, a set of tests to make sure that security-related products actually perform the way a vendor states.
As agencies come together to use the Common Criteria to craft protection profiles — descriptions of security characteristics an agency would like for its IT components — the number of certified products is increasing. The trend would move even faster if civilian agencies were to join in the demand, said Michael Fleming, chief of the Information Assurance Solutions Group in the National Security Agency's Information Assurance Directorate.
Fleming testified before the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee. NSA and the National Institute of Standards and Technology formed the National Information Assurance Partnership to oversee the Common Criteria evaluation.
But civilian agencies only consider the Common Criteria as a recommended rather than required factor in technology purchases, and many have said there is a shortage of products that have gone through the evaluation.
There are still many questions about the effectiveness and potential role for the Common Criteria evaluation, but increasing the market by bringing in the civilian agencies will only help, said Robert Gorrie, deputy director of the Defensewide Information Assurance Program.
"The number of systems that are being evaluated, although sufficient right now, needs to be much, much higher," he said.
The Bush administration's National Strategy to Secure Cyberspace, released in February, proposed a full review of the effectiveness of the Common Criteria requirement in the national security community and a study of the potential for expanding the requirement to the rest of government.
DOD is now conducting the initial review with the Homeland Security Department, Gorrie said. Unofficially, DOD experts have found that including the requirement in a larger information assurance policy helps to push security to the development end of a system's lifecycle so less patching is necessary, he said.
The effects save time and money. And by encouraging well-engineered products, the hope is that fewer patches will need to be issued in the future, said J. David Thompson, director of the security evaluation laboratory at CygnaCom Solutions, an Entrust company and one of the NIAP-certified labs.
Common Criteria satisfies the specific task of assuring an agency that the product does what the vendor says it will do, said Ed Roback, chief of the Computer Security Division at NIST. However, the evaluation must be paired with further testing and policies, such as system-level certification and accreditation, that check how the product works within an agency's specific network environment, he said.
NEXT STORY: DHS to spend $100M on air defense