[ISN] NIAP chief touts Common Criteria

InfoSec News isn at c4i.org
Thu Oct 28 04:36:10 EDT 2004


By Rutrell Yasin
Oct. 27, 2004

Officials at the National Information Assurance Partnership have
effectively raised the level of security in many information
technology products used by the government, the security group's
director said today.

The aim of NIAP, an initiative of the National Institute of Standards
and Technology and the National Security Agency, is to increase the
level of trust users have in their information systems through the use
of security testing, evaluation and validation programs. To that end,
NIAP officials are responsible for implementing the Common Criteria
Evaluation and Validation Scheme, a rigorous set of security tests
that adhere to international standards. NIAP officials provide
technical guidelines to eight commercial laboratories, which conduct
the tests.

Statistics gleaned from the labs' Common Criteria work indicate that
the testing is improving security, said Jean Schaffer, director of
NIAP. Schaffer spoke during a session at a Federal Information
Assurance Conference held this week at the University of Maryland.

So far, 100 percent of the products evaluated have been approved, she
said. The testing directly improved 30 percent of the products tested
by eliminating security flaws that could have been exploited by
attackers. About 40 percent of the products evaluated were improved by
the addition or extension of security features, Schaffer said.

Critics say Common Criteria testing costs too much and takes too long,
but Schaffer argued that these claims are made by those who do not
have firsthand knowledge about the testing. Feedback from the labs
shows that testing for Evaluation Assurance Level (EAL) 2 — the
minimum level of security, which includes products such as firewalls,
intrusion-detection systems, routers and switches — costs $100,000 to
$170,000 and takes four to six months. The highest level of security —
EAL 4, which includes operating systems that support peer-to-peer
communications — costs $300,000 to $750,000 and takes one year to two

The time and cost are driven not so much by the process as by the
commercial market, she said.

NIAP officials want to develop protection profiles for a range of
environments, but they lack the resources. For now, they are focused
on Defense Department and intelligence agencies, Schaffer said. NIAP
officials also want to develop a curriculum that would help software
developers better understand security design principles and apply them
within the vendor community.

The Common Criteria evaluation program continues to grow with 126
products in evaluation as of September 2004 compared with about 60
products at this time last year. "We're taking in six new products or
more per month," she said.

NIAP has an important role to play but is not the only player. There
are some things Common Criteria does not address, such as testing
software code that might have been developed in foreign countries, she
