Wyatt Kash | Faulty criteria
Editor's Desk | Commentary: By focusing more on form than on content, Common Criteria proves too rigid to keep up with changing technology
Common Criteria isn't winning a lot of common respect these days.
Like many well-intentioned government initiatives, the Common Criteria Evaluation Scheme began as a logical way to eliminate duplicative efforts. The idea was to harmonize the standards by which the Defense Department evaluated security products with similar standards evolving in Europe and Canada.
Today, more than a dozen countries participate in the Common Criteria Recognition Arrangement, and each recognizes the evaluation results from any of the other countries' accredited labs.
The problem, perhaps not surprisingly, is that the approach focuses more on process than functionality. In the case of Common Criteria, security products are evaluated primarily on how well they match their design objectives rather than on how they actually perform. That means a product could be approved for doing what it was designed to do but not necessarily because it does it well, or even securely.
As a result, Common Criteria is coming under increasing fire as a relevant guideline, even from once-supportive quarters, as GCN senior writer Bill Jackson details in this issue.
Some critics dismiss Common Criteria as strictly a paper exercise. Vendors in particular complain the process is too expensive and cumbersome. They also worry that it misses the mark in making government systems more secure.
But perhaps the larger concern is that by the time many security products destined for government systems are finally evaluated under Common Criteria rules, they are near the end of their life cycles, if not already obsolete, Jackson reports. That's because the information used to define a product's security target often isn't available until relatively late in the development process.
As a result, federal buyers relying on Common Criteria are increasingly faced with an unsatisfying choice: implement a product that meets Common Criteria standards but is either practically obsolete or requires an update, or go with a more current product that hasn't been tested.
That should concern federal chief information and security officers.
Common Criteria is not a bad idea. But given the pace of technology changes and the rapidly changing nature of cyberattacks on government systems, it's time to establish a new and more responsive process for sharing security evaluation standards.

Wyatt Kash, Editor in chief