Common Criteria: A Prime Factor In Information Security For The
DoD
Is your vital information secure? How do you know? There are
several ways to increase confidence in the security measures
protecting your vital information. The data could be moved to a
non-accessible location. A security firm could be hired to
install, update, and monitor the system.
But perhaps the easiest method, and one that is now mandatory
for the Department of Defense, is the use of information
technology products that have been independently evaluated and
certified. While this sounds like a great idea, how does one
find such IT products?
The answer is that certified products are listed on the National
Information Assurance Partnership (NIAP) Web site at . The
National Institute of Standards and Technology (NIST) and the
National Security Agency (NSA) established the NIAP to evaluate
information technology product conformance to international
standards, namely the Common Criteria (CC). The program,
officially known as the NIAP Common Criteria Evaluation and
Validation Scheme (CCEVS) for IT Security, is a partnership
between the public and private sectors.
The program was implemented to help consumers select commercial
off-the-shelf (COTS) IT products that meet their security
requirements and to help manufacturers of those products gain
acceptance in the global marketplace. One of the program's main
objectives is to improve the availability of evaluated IT
products.
The other key element of Instruction 8500.2 is the inclusion of
definitions for generic "robustness" levels and the assignment
of "baseline levels" of IA services to those robustness levels,
depending on the value of the information and the environment
in which the product is used. Robustness level descriptions
help the ISSE and DAA determine at which level of CC assurance
a product must be evaluated. This is passed on to the vendor
for use in developing an evaluation services contract with a
CCTL.
The ISSE and DAA should also consider the following when
selecting the evaluation assurance level: the value of the
assets being protected; the risk of those assets being
compromised; the resources of those who might try to compromise
the assets; and the "requirements, mission, and customer
needs."
Instruction 8500.2 also augments key points from Directive
8500.1. Products available "under multiple-award schedule
contracts or non-Defense Department Government-Wide Acquisition
Contracts awarded before July 1, 2002, must be evaluated when
and if a version release of the product is made available under
the contract." Simply stated, this means that products that are
just now being received by the United States Department of
Defense under contracts awarded before July 1, 2002, must be
evaluated and validated under the CC.
The instruction also states that "although products that have
not satisfactorily completed [evaluation] may be used, contracts
shall require [that evaluation] be satisfactorily completed
within a specified period of time." This statement gives
contracting officers the task of ensuring the purchase contract
includes provisions requiring vendors to complete the CC
evaluation. Vendors cannot simply submit their products for
evaluation and then not complete the process.
Vendors can work with their CCTL and the DoD to determine a
reasonable period of time for the evaluation, which could be
any number of months depending primarily on complexity, vendor
evidence preparedness, assurance level selected, and the lab's
familiarity with the technology. Finally, the instruction
states that the original contract specify that "validation will
be kept current" where use is anticipated for subsequent
versions of that product.
CC certificate maintenance is another task that requires effort
and planning on the part of the vendor because CC certificates
apply to a specific version and configuration of a product. The
requirements for maintaining that certificate across future
versions of the product are described in a document entitled
"Assurance Continuity: CCRA Requirements," issued in February
2004 by the international body responsible for maintaining the
Common Criteria.
You can obtain a copy of this document from any CCTL or the
NIAP CCEVS. Contracting officers should ensure their vendors
are aware of the completion and certificate maintenance clauses
in their contracts so that products do not fail to meet and
maintain the CC certification requirements for continued use.
As with Directive 8500.1, the heads of DoD components are
entrusted with the responsibility to ensure systems employ
solutions in accordance with the 8500.2 sections describing
evaluations.
Further emphasizing the importance the federal government and
the DoD are placing on evaluations, public law includes
provisions for evaluations and the often-sought-after waivers
to such policy requirements. Subtitle F: Information
Technology, Section 352 of Public Law 107-314, passed in
December 2002, directs the secretary of defense to establish a
policy to limit the acquisition of information assurance
products to those products that have been evaluated and
validated in accordance with appropriate criteria, schemes, or
programs. Such criteria or schemes include the NIAP CCEVS and
the internationally developed CC.
While experienced vendors will state that acquisition policy
requirements can sometimes be waived, the waiver clause in
Public Law 107-314 authorizes the secretary of defense to
provide such waivers only for U.S. Therefore, this law makes it
difficult to obtain waivers to the acquisition policies
requiring CC evaluations. Clearly, independent evaluations are
important to both the federal government and the DoD, as
NSTISSP #11, 8500.1, 8500.2, and Public Law 107-314 confirm.
Such evaluations allow the DoD to deliver confidence that the
products it purchases meet the security claims made by the
vendors. While the bulk of the work for obtaining these
evaluations falls to the vendor, the DoD is responsible for
ensuring that products are evaluated and validated in
accordance with the contract requirements stated in the DoD's
own policies.
The DoD is also responsible for assisting the vendor with the
selection of the assurance level for the product, since that
assurance level is chosen based on the protection needs and the
intended application.
The DoD understands that such evaluations and their subsequent
maintenance are not trivial tasks: they take weeks or months to
complete depending on the assurance level, the preparedness of
the vendor to supply the required evidence, and the complexity
of the product. Common Criteria evaluations play an important
role in protecting the DoD. For this reason, procurement
officers, contracting officers, and vendors should familiarize
themselves with the criteria and the process.