
Microsoft gains government approval

By Ellen Messmer, Network World
December 19, 2005 12:06 AM ET

Five Microsoft products last week earned security-evaluation approval granted under the software-testing program called Common Criteria, making it easier for Microsoft to sell them to government customers.

The National Information Assurance Partnership (NIAP), a collaborative effort between the National Institute of Standards and Technology and the National Security Agency, issues the Common Criteria stamp of approval. In this case, three varieties of Microsoft Windows Server 2003, plus Microsoft's Certificate Server and Windows XP, earned the highest rating for commercial, off-the-shelf software, Evaluation Assurance Level 4 (EAL4). Ratings from EAL5 to EAL7 are typically reserved for custom, high-security applications the government wants.

"[Common Criteria] is about assurance that the product does what the vendor says it does," says Mario Juarez, senior product manager in Microsoft's security-technology unit.

It doesn't mean that any software tested under Common Criteria is impervious to vulnerabilities, he points out, simply that it functions reliably in specific load conditions that must be well documented by the vendor.

It took Microsoft more than a year to shepherd Windows Server 2003, XP and its digital certificate server through the round of testing at the NIAP-accredited lab operated by Science Applications International.

Although Microsoft has earned Common Criteria certifications in the past for other products, including Windows 2000 and Exchange Server 2004, this time the company had all the products tested as a group, all working together.

Established as an international effort in 1999, the Common Criteria security-testing program has been recognized and adopted by about 20 countries. Government agencies buying operating system, application or security-specific products often require a Common Criteria evaluation.

Software-assurance testing
Six Microsoft products earn EAL 4 Common Criteria rating

Product
Microsoft Windows Server 2003, Standard Edition (32-bit); SP 1
Microsoft Windows Server 2003, Enterprise Edition (32-bit and 64-bit versions) SP 1
Microsoft Windows Server 2003, Datacenter Edition (32-bit and 64-bit) SP 1
Microsoft Windows Server 2003 Certificate Server, Certificate Issuing and Management Components, Security Level 3 Protection Profile, v.1.0
Microsoft Windows XP, Professional: SP 2
Microsoft Windows XP, Embedded, SP 2

Common Criteria is a government-run program coordinated by the National Information Assurance Partnership, a collaborative effort between the National Institute of Standards and Technology and the National Security Agency.