NSA and NIST complete profiles for security needs

NSA and NIST complete profiles for security needs

The National Institute of Standards and Technology and the National Security Agency have completed profiles for recommended security features for five of the 10 technology areas the agencies have targeted for profile development.

The Protection Profiles, when completed, will be included in the evaluation process for Common Criteria certification of IT security products.

"There are going to be a lot of profiles coming out in the next six months," said Rex Myers, NSA security architect.

Myers made his comments today at the Federal Information Assurance Conference at the University of Maryland.

Protection Profile development began about two years ago as a cooperative program between NIST, which develops standards for nonclassified IT products, and NSA, which handles requirements for the classified and intelligence community. Because the Common Criteria program only evaluates IT products against the manufacturer's claims, without required security specifications, the Protection Profiles will give users a way to determine how robust a product's security features are.

The profiles specify three levels of security: basic, medium and high.

"We don't see a big need right now for the high level," said Stu Katzke, a senior research scientist at NIST. "We have been focusing most of our attention on the basic and medium levels."

The medium level is considered adequate for mission-critical systems handling nonclassified information.

Some Protection Profiles have been approved for operating systems, firewalls, intrusion detection systems, tokens and public-key infrastructures. Profiles are expected by the middle of 2003 for wireless systems, Web browsers, databases, virtual private networks and biometric products.

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.