CC product evaluation picks up steam


But concerns grow that accredited labs are getting 'congested' with submitted products.

The government-backed Common Criteria product-testing program is getting more attention from vendors as the Department of Defense widens its marching orders to buy tested products.

However, new concerns are arising that there are not enough accredited labs to easily handle the submitted products.

The Common Criteria program started in the mid-1990s with a half-dozen countries, including the U.S., seeking to accredit independent labs to perform software and hardware evaluations for security purposes. That work would otherwise be done inside government labs. With the idea that the member countries would agree to accept the results of these accredited labs, the program took shape and product testing began about three years ago. The program now includes 15 countries, with Japan expected to join later this year.

A milestone for the U.S. was reached in July 2002 when a mandate from the National Security Agency (NSA) dictated that purchases for any "national security systems" must use Common Criteria-evaluated products when available over any other comparable products. The mandate most affected the Defense Department.

But a dearth of accredited products - there are now 93, about half of which were certified in U.S. labs - prompted a revision of the mandate in June. The Defense Department buyers can purchase non-compliant products, but must get the vendor to commit to getting the product through testing.

"We recognized there weren't enough products in the system," says Jean Schaffer, director of the National Information Assurance Partnership (NIAP), which combines staff from the NSA and the National Institute of Standards and Technology (NIST) to oversee U.S. participation in the program. Schaffer, who hails from the NSA, replaced NIST's Ron Ross as NIAP director earlier this year.

However, even as the Defense Department softened the purchasing mandate for the most security-sensitive national security systems, it broadened the Common Criteria purchasing requirement to include all the department's computer systems.

"Preference will be given to vendors meeting those guidelines," Schaffer says, alluding to two internal Defense Department directives issued last fall and spring. "This is for the entire DoD, classified or unclassified."

While it's taking time for the Common Criteria bandwagon to get rolling, more vendors are jumping on and more products are being submitted to accredited labs around the world, creating what some vendors say is lab congestion. Product testing has been known to take from three months to a year.

These products range from operating systems, databases and firewalls - the focus of the program in the beginning - to what is an expanding series of tests based on so-called protection profiles for intrusion-detection systems and directory services.

Next year, the focus will be on wireless LAN access points, e-mail security and VPNs, Schaffer says. By year-end there will be updates for older protection profiles for biometrics, firewalls and other product types.

Solaris, AIX and Windows 2000 won accreditation last year. This year it's expected that the first open source products will follow suit.

IBM is shepherding Linux SuSe through at Evaluation Assurance Level 2 (EAL2) which indicates design information and testing are "consistent with good commercial practice." EAL7 is the highest rating, but any rating above EAL4 is said to be extremely hard to achieve and requires additional government-lab review.

But vendors remain undeterred in proving their products are robust by Common Criteria standards.

NetScreen, for example, is the first firewall vendor to submit its product for so-called EAL4+ testing, which would indicate the product has "medium robustness" so it can be used for "official-use only, unclassified but sensitive," Schaffer says.

NetScreen is making this added effort because customers are asking for it, says Chris Roeckl, NetScreen director of product marketing. It's expected to cost hundreds of thousands of dollars - not unusual for Common Criteria testing - and take until year-end to complete.

Oracle, with Red Hat as a partner, wants to get Linux an EAL4 rating (described in Common Criteria literature as "the highest level at which it is likely to be economically feasible to retrofit an existing application") by adding code, which would later be put into the public domain. This would give Linux some compartmentalization features, among other security attributes.

Mary Ann Davidson, Oracle's chief security officer, says the Navy is specifically requesting this. She added that Oracle, whose database was the first to make it through testing more than a year ago, intends to do Common Criteria evaluation of Oracle products on top of Linux as well.

"The whole reason behind Common Criteria and the federal government putting its program in place is to ensure IT products have the strongest security," says Ken King, director of technical strategy at IBM Software Group. IBM also has mainframe software, Tivoli Access manager, WebSphere, MQ Series and other products either approved or in evaluation, he says.

The NIAP site lists the status of products.

Banks back CC program

While there's interest from federal agencies outside the Defense Department in requiring compliant products, so far civilian agencies haven't made a commitment. But outside of the government, the banking industry has become the first to lend its clout for Common Criteria testing of products.

"We felt like we have the same goals," says Laura Lundin, senior director at BITS, the technical arm of the 100-member Financial Services Roundtable, a group that represents the banking industry on policy issues and performs technical product evaluations of its own. "We're one of the first user groups to back [Common Criteria]."

The growing backup in the labs has interested parties concerned.

Symantec, which already had its older Enterprise Firewall through EAL4 testing, has now submitted Symantec Gateway Security and ManHunt intrusion-detection products for lab evaluation, with costs expected to reach $300,000 to $400,000. Symantec researcher Wes Higaki says it seems to be taking longer than it did a year ago to get through the process, which might be because more products are making their way into the labs. "There just aren't enough accredited labs out there," Higaki says.

King agrees there seems to be a bottleneck with the labs.

Schaffer notes that the NIAP accredited one new lab during the last year - InfoGard Laboratories in San Luis Obispo, Calif. - making seven in the U.S. There are more than two dozen labs in all around the world.

Common Criteria might be experiencing growing pains, but Gartner analyst Greg Young sees them as minor. "It seems to have staying power, compared with some things that have come and gone before" in terms of government testing of security products, he says.

Learn more about this topic

System security finds common ground

Network World, 07/08/02

Security templates gaining favor

Network World, 03/17/03

Must read: 11 hidden tips and tweaks for Windows 10
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies