Common Criteria are good but not perfect, feds and vendors say
- By William Jackson
- Sep 26, 2003
The Common Criteria for security software evaluation are not a panacea for assuring government IT systems, government and industry officials told a House panel this month.
Most witnesses agreed the Common Criteria are a valuable tool, but 'evaluation does not guarantee security,' said Robert G. Gorrie, deputy director for the Defense Department's Defense-wide Information Assurance Program.
The House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census held hearings to consider if similar certifications should be required for all government software buys.
Most witnesses stopped short of calling for a governmentwide mandate. That could interfere with needed acquisitions, they said.
The Common Criteria are a set of standards for evaluating security software against vendor claims or user requirements. Evaluation is done by approved private laboratories and is recognized by 14 nations.
The program is overseen in the United States by the National Information Assurance Partnership, a collaboration between the National Institute of Standards and Technology and the National Security Agency. Common Criteria certification for security products is required by the Defense Department and for national security systems elsewhere in government.
Gorrie said DOD is working with the Homeland Security Department to determine whether Common Criteria certification should be more widely required.
Witnesses explained the scheme's limitations.
'It is not a measure of how much protection the claimed security specification provides, nor does it guarantee that the product is free from malicious code,' said Edward Roback, chief of NIST's Computer Science Division.
Certification means a product does what the vendor says it will do or what a purchaser has required in a protection profile, and that it does not do anything unintended. That does not mean it will do what the user needs it to do or that it will resist malicious attacks.
Eugene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security, noted that Microsoft Windows 2000 has Common Criteria certification but has repeatedly proved vulnerable to viruses. Microsoft Corp. has issued more than 100 security patches for the operating system.
No witnesses called the Common Criteria perfect, but opinions of its value varied greatly, depending on the size of the company faced with an evaluation process that can cost millions of dollars and take years to complete.
'The current evaluation process is extremely slow and bureaucratic,' said Chris Klaus, chief technology officer of Internet Security Systems Inc. of Atlanta. 'By the time a product is certified, it is out of date.'
Mary Anne Davidson, chief security officer for server technology platforms at Oracle Corp., disagreed.
'It is not too expensive and does not take too long,' she said. 'It is cheap, compared with the alternative,' which is poor quality in security software. The savings from identifying even one software flaw more than pays for the cost of evaluation, she said.
Davidson said Common Criteria evaluation should be more generally required. 'I believe it should be extended at least to entities that have a national security function,' including Homeland Security, she said.
Not everyone agreed.
'I believe on balance it should not be mandatory,' Spafford said. There is value to using the criteria where appropriate, but 'there are certified products that will not work as required' in some circumstances, and could actually weaken an agency's security.