'Guinea pigs' try top-level Common Criteria tests
Still needed is an international methodology for evaluation at even higher levels
- By William Jackson
- Nov 19, 2003
The National Information Assurance Partnership has OK'd the first product evaluations at the highest level of the international Common Criteria IT security standards.
Tenix Datagate Inc. of Arlington, Va., is seeking Evaluation Assurance Level 7 certification for its Interactive Link product line. Interactive Link uses diodes as one-way gateways to keep information from flowing out of secure networks to nonsecure networks.
EAL7, the top of the Common Criteria pyramid, would permit product use in the most secure government networks.
'There is a great window of opportunity' in the United States for tools to interconnect networks securely, Tenix vice president Terry Whelan said.
NIAP, a joint program of the National Security Agency and the National Institute of Standards and Technology, runs the Common Criteria Evaluation and Validation Scheme in this country.
All 14 participating nations have agreed to recognize product evaluations by approved commercial laboratories in the other nations.
To date, no product has received validation above EAL4. Only one, a secure operating system from DigitalNet Inc. of Herndon, Va., is undergoing evaluation for EAL5. That is because there is not yet an internationally recognized methodology for evaluating the higher levels, said Arnold Johnson, senior IT specialist in NIST's Computer Security Division.
'Mutual recognition between countries only goes up to EAL4,' Johnson said. That means a higher certification from one country will not necessarily be acceptable to another.
Evaluation methodology was worked out first for EAL1 through 4. 'The majority of people would be looking for assurances at those levels,' Johnson said.
The evaluations become complex for higher levels. Testing for EAL4 involves low-level design specifications, but the higher levels call for examination of source code and design methodology.Clear for Europe
'The resources required at the higher levels are considerable,' Johnson said, and few companies are interested in a single-country certification.
That is not a problem for Tenix. Interactive Link already has an E6 certification under the older European IT Security Evaluation and Certification scheme, so it is cleared for government use in the United Kingdom and much of Europe.
Whelan said the U.S. government's blessing is valuable enough to warrant the expense of going for the first EAL7. He said he believes Canada and Japan are willing to accept an EAL7 certification from the United States.
Interactive Link products include:
Saves money, space
- A gateway for a secure network to access information from outside while blocking data from leaving
- A keyboard-mouse-video switch that securely alternates between PCs on secure and nonsecure networks
- A device that lets a user switch between a PC on a secure network and a thin client on a nonsecure net.
The products reduce the number of workstations needed by users on secure networks, saving money while freeing desktop space.
Tenix Datagate is part of the Tenix Group based in Sydney, Australia.
'I've been coming to the U.S. for more than two years,' Whelan said. 'It's taken that long to set up the business and overcome reluctance to connect sensitive networks.'
COACT Inc. of Columbia, Md., is doing the EAL7 testing by a NIAP-approved process.
'Yes, we're the guinea pigs,' Whelan said. 'Being the first, they will be making sure all our t's are crossed and i's dotted. We'd like it to be quicker, but we don't want it to be quick and nasty. We don't want questions to be raised afterward.'
William Jackson is freelance writer and the author of the CyberEye blog.