- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
Network World - The government-backed Common Criteria product-testing program is getting more attention from vendors as the Department of Defense widens its marching orders to buy tested products.
However, new concerns are arising that there are not enough accredited labs to easily handle the submitted products.
The Common Criteria program started in the mid-1990s with a half-dozen countries, including the U.S., seeking to accredit independent labs to perform software and hardware evaluations for security purposes. That work would otherwise be done inside government labs. With the idea that the member countries would agree to accept the results of these accredited labs, the program took shape and product testing began about three years ago. The program now includes 15 countries, with Japan expected to join later this year.
A milestone for the U.S. was reached in July 2002 when a mandate from the National Security Agency (NSA) dictated that purchases for any "national security systems" must use Common Criteria-evaluated products when available over any other comparable products. The mandate most affected the Defense Department.
But a dearth of accredited products - there are now 93, about half of which were certified in U.S. labs - prompted a revision of the mandate in June. The Defense Department buyers can purchase non-compliant products, but must get the vendor to commit to getting the product through testing.
"We recognized there weren't enough products in the system," says Jean Schaffer, director of the National Information Assurance Partnership (NIAP), which combines staff from the NSA and the National Institute of Standards and Technology (NIST) to oversee U.S. participation in the program. Schaffer, who hails from the NSA, replaced NIST's Ron Ross as NIAP director earlier this year.
However, even as the Defense Department softened the purchasing mandate for the most security-sensitive national security systems, it broadened the Common Criteria purchasing requirement to include all the department's computer systems.
"Preference will be given to vendors meeting those guidelines," Schaffer says, alluding to two internal Defense Department directives issued last fall and spring. "This is for the entire DoD, classified or unclassified."
While it's taking time for the Common Criteria bandwagon to get rolling, more vendors are jumping on and more products are being submitted to accredited labs around the world, creating what some vendors say is lab congestion. Product testing has been known to take from three months to a year.
These products range from operating systems, databases and firewalls - the focus of the program in the beginning - to what is an expanding series of tests based on so-called protection profiles for intrusion-detection systems and directory services.
Next year, the focus will be on wireless LAN access points, e-mail security and VPNs, Schaffer says. By year-end there will be updates for older protection profiles for biometrics, firewalls and other product types.
Solaris, AIX and Windows 2000 won accreditation last year. This year it's expected that the first open source products will follow suit.
IBM is shepherding Linux SuSe through at Evaluation Assurance Level 2 (EAL2) which indicates design information and testing are "consistent with good commercial practice." EAL7 is the highest rating, but any rating above EAL4 is said to be extremely hard to achieve and requires additional government-lab review.
But vendors remain undeterred in proving their products are robust by Common Criteria standards.
NetScreen, for example, is the first firewall vendor to submit its product for so-called EAL4+ testing, which would indicate the product has "medium robustness" so it can be used for "official-use only, unclassified but sensitive," Schaffer says.
NetScreen is making this added effort because customers are asking for it, says Chris Roeckl, NetScreen director of product marketing. It's expected to cost hundreds of thousands of dollars - not unusual for Common Criteria testing - and take until year-end to complete.
Oracle, with Red Hat as a partner, wants to get Linux an EAL4 rating (described in Common Criteria literature as "the highest level at which it is likely to be economically feasible to retrofit an existing application") by adding code, which would later be put into the public domain. This would give Linux some compartmentalization features, among other security attributes.
Mary Ann Davidson, Oracle's chief security officer, says the Navy is specifically requesting this. She added that Oracle, whose database was the first to make it through testing more than a year ago, intends to do Common Criteria evaluation of Oracle products on top of Linux as well.