'Guinea pigs' try top-level Common Criteria tests

Still needed is an international methodology for evaluation at even higher levels

The National Information Assurance Partnership has OK'd the first product evaluations at the highest level of the international Common Criteria IT security standards.

Tenix Datagate Inc. of Arlington, Va., is seeking Evaluation Assurance Level 7 certification for its Interactive Link product line. Interactive Link uses diodes as one-way gateways to keep information from flowing out of secure networks to nonsecure networks.

EAL7, the top of the Common Criteria pyramid, would permit product use in the most secure government networks.

'There is a great window of opportunity' in the United States for tools to interconnect networks securely, Tenix vice president Terry Whelan said.

NIAP, a joint program of the National Security Agency and the National Institute of Standards and Technology, runs the Common Criteria Evaluation and Validation Scheme in this country.

All 14 participating nations have agreed to recognize product evaluations by approved commercial laboratories in the other nations.

To date, no product has received validation above EAL4. Only one, a secure operating system from DigitalNet Inc. of Herndon, Va., is undergoing evaluation for EAL5. That is because there is not yet an internationally recognized methodology for evaluating the higher levels, said Arnold Johnson, senior IT specialist in NIST's Computer Security Division.

'Mutual recognition between countries only goes up to EAL4,' Johnson said. That means a higher certification from one country will not necessarily be acceptable to another.

Evaluation methodology was worked out first for EAL1 through 4. 'The majority of people would be looking for assurances at those levels,' Johnson said.

The evaluations become complex for higher levels. Testing for EAL4 involves low-level design specifications, but the higher levels call for examination of source code and design methodology.

Clear for Europe

'The resources required at the higher levels are considerable,' Johnson said, and few companies are interested in a single-country certification.

That is not a problem for Tenix. Interactive Link already has an E6 certification under the older European IT Security Evaluation and Certification scheme, so it is cleared for government use in the United Kingdom and much of Europe.

Whelan said the U.S. government's blessing is valuable enough to warrant the expense of going for the first EAL7. He said he believes Canada and Japan are willing to accept an EAL7 certification from the United States.

Interactive Link products include:
  • A gateway for a secure network to access information from outside while blocking data from leaving

  • A keyboard-mouse-video switch that securely alternates between PCs on secure and nonsecure networks

  • A device that lets a user switch between a PC on a secure network and a thin client on a nonsecure net.

Saves money, space

The products reduce the number of workstations needed by users on secure networks, saving money while freeing desktop space.

Tenix Datagate is part of the Tenix Group based in Sydney, Australia.

'I've been coming to the U.S. for more than two years,' Whelan said. 'It's taken that long to set up the business and overcome reluctance to connect sensitive networks.'

COACT Inc. of Columbia, Md., is doing the EAL7 testing by a NIAP-approved process.

'Yes, we're the guinea pigs,' Whelan said. 'Being the first, they will be making sure all our t's are crossed and i's dotted. We'd like it to be quicker, but we don't want it to be quick and nasty. We don't want questions to be raised afterward.'

About the Author

William Jackson is a Maryland-based freelance writer.


  • 2020 Government Innovation Awards
    Government Innovation Awards - https://governmentinnovationawards.com

    21 Public Sector Innovation award winners

    These projects at the federal, state and local levels show just how transformative government IT can be.

  • Federal 100 Awards
    cheering federal workers

    Nominations for the 2021 Fed 100 are now being accepted

    The deadline for submissions is Dec. 31.

Stay Connected