U.S., four nations agree on security evaluation criteria

Say goodbye to the National Institute of Standards and Technology’s Federal
Information Processing Standard 140-1 and the National Security Agency’s Trusted
Computer System Evaluation Criteria.


Five countries last week signed a new international agreement covering the evaluation
of computer security products and systems that will ultimately replace NIST’s FIPS
140-1 and NSA’s Orange Book.


Canada, France, Germany, the United Kingdom and the United States signed the 44-page
agreement, Arrangement on the Mutual Recognition of Common Criteria Certificates in the
field of Information Technology Security.


The nations, gathered at the 1998 National Information Systems Security Conference in
Arlington, Va., agreed to accept the results of computer security products tested and
evaluated by each member nation using International Common Criteria Version 2.0 as the
standard methodology. 


The 700-page International Common Criteria Version 2.0 was accepted in May as an
International Standards Organization security standard.


The single standard replaces disparate standards for computer security product
evaluations used by Canada, the European Community and the United States.


“We took three distinctly different standards and tried to meld them into a single
standard, taking the best out of each and gaining agreement across the boundaries of
several borders,” said Michael Jacobs, NSA’s deputy director for information
systems security.


“We’re throwing a lot of this stuff forward into the Common Criteria,”
Jacobs said. “FIPS-140 will merge into the Common Criteria, and Orange Book
activities that are still going on in the United States will be completed, and then those
evaluations will go into the Common Criteria.”


The first commercial product certified under the Common Criteria is Oracle Corp.’s
Oracle7, said Andrew Saunders, director of the United Kingdom’s
Communications-Electronics Security Group.


Oracle7, which was tested and evaluated in a United Kingdom laboratory, is already used
by the Air Mobility Command at Scott Air Force Base, Ill., as well as the British and
Australian militaries.


“This Common Criteria arrangement gives us a common language for spelling out
precisely what we mean by security functionality and system assurance,” deputy
Commerce secretary Robert Mallett said. “It gives us a framework for building
products that meet specific protection profiles.”


The Commerce Department’s NIST and the Defense Department’s NSA last year
created the National Information Assurance Partnership (NIAP) to cooperatively promote the
testing and evaluation of commercial computer security products. NIAP has accredited and
authorized seven U.S. commercial labs to conduct Common Criteria product evaluations.


The Netherlands intends to sign the Common Criteria arrangement once it has the
national lab infrastructure to properly conduct evaluations. Australia and New Zealand
have also applied for membership in the international Common Criteria arrangement.


“By standardizing the evaluation process across borders, we will build a worldwide
market for information security products,” Mallett said. “This will give product
developers much easier access to global markets. There will be no need to get your system
evaluated in one country after another.” 
