Dollars and sense of Common Criteria debated at conference
- By William Jackson
- Oct 06, 2004
Money was a common concern Wednesday at a Common Criteria users conference held in Washington.
Vendors complained that Common Criteria certification takes too long and costs too much, and agencies administering the program complained they do not have enough funding.
'We talk a lot about security, but when it comes to putting money down, it doesn't seem to be around,' said Stuart W. Katzke, senior research scientist at the Computer Security Division of the National Institute of Standards and Technology.
NIST and the National Security Agency make up the National Information Assurance Partnership, which oversees Common Criteria certification. The Common Criteria are an international standard for evaluating the security claims made for IT products, either against the vendor's own stated claims or against user requirements, called protection profiles. Evaluation is done by approved private laboratories, and the resulting certificates are recognized by multiple countries.
NSA currently is footing the bill for government oversight of the evaluation process and for validating the results.
'NSA cannot continue to solely fund NIAP,' said Pamela Yocum, NSA's deputy director for the evaluation program.
NSA's budget for this work has remained static for the past five years, while the number of products submitted for evaluation has increased sharply, from 25 in 2000 to 160 this year, Yocum said.
Each year, $2.5 million is budgeted for the program, and 'every year we beg for another $2.5 million, which raises the total to $5 million,' Yocum said. That pays only for the validators.
A budget crunch could change the way Common Criteria evaluations are done, Yocum said. 'We cannot continue to accept everything that is coming in. There will have to be a prioritization process.'
NSA cannot expect funding help any time soon from its NIAP partner. NIST's Computer Security Division already is struggling to meet its obligations under the Federal Information Security Management Act.
'We have been given quite a few unfunded mandates,' Katzke said. 'FISMA was one of these.'
NIST was required under FISMA to develop recommended security configuration settings for all IT platforms commonly used in government, said Computer Security Division chief Ed Roback. 'Then they cut our budget.'
Roback said NIST probably would shift from developing its own configuration recommendations to evaluating recommendations submitted by product vendors.
There is a need for more protection profiles, the lists of security features and functionality required by specific agencies against which security products can be evaluated. A task force formed at last December's Homeland Security Department cybersecurity summit recommended that NIST receive $12 million up front to create these profiles, and another $6 million a year afterward.
'That is not a trivial amount of money,' said Roback, co-chair of the working group. 'It is certainly over the budget of the Computer Security Division now.'
Although the fiscal 2005 budget has not been finalized, 'the $12 million is not in the mail, as far as we know,' Katzke said.
Katzke said NIAP has not done a good job of creating a business case for vendors to seek Common Criteria certification. Despite the increase in products submitted for evaluation, many companies do not see certification as worth the cost. Certification can cost from $100,000 to $750,000.
Some vendors attending the conference suggested that there are more cost-effective ways of improving product security.
William Jackson is a Maryland-based freelance writer.