First security management tool receives Common Criteria certification

The Xacta IA Manager from Telos Corp. of Ashburn, Va., has been certified at Evaluation Assurance Level 2 (EAL 2) of the Common Criteria, making it the first security management tool to complete evaluation under the National Information Assurance Partnership (NIAP).

IA Manager is a security management platform that automates risk and compliance assessment with wizard-driven templates. It inventories IT assets, tracks changes to IT systems and applies risk assessment policies to them.

It began primarily as a certification and accreditation tool but has been expanded to address vulnerability management and remediation as well. Eventually it will also help with incident response, said Telos chief security officer Richard Tracy.

The Common Criteria are an international standard for evaluating the security claims of IT products against vendor-stated or user-stated requirements. Evaluation is done by accredited private laboratories, and a completed evaluation is recognized by the other participating nations. In the United States the program is overseen by NIAP, a collaboration between the National Institute of Standards and Technology and the National Security Agency.

Common Criteria certification for security products is required by the Defense Department, and for national security systems elsewhere in government.

The evaluation was an expensive, yearlong process but was worth it to help position the security tool in the government market, Tracy said.

'Our customers drove us to do this,' he said.

Telos already has a large installed government customer base for IA Manager, but agencies kept pressing the company to have the product evaluated.

The length of time evaluation takes, and the lack of a uniform requirement for it across government, have led some vendors to complain that the program is too cumbersome and offers little value.

David Wilson, Telos vice president of program management support, said a certification program makes sense for a product such as IA Manager, which itself holds sensitive data about system architecture and known vulnerabilities.

'It makes sense to see that controls on access to this information are properly implemented,' he said.

But he said the length of time needed for Common Criteria certification can cause complications. Telos began the process in February 2004.

'Our software development cycle is a little faster than the evaluation cycle,' Wilson said. 'We went into this with our eyes open and we realized that our evaluation could take a year. We are many releases now beyond the release level that was evaluated, but they were minor changes.'

When version 5.0, the next major release, ships later this year, it will go through evaluation again.

Growing interest in Common Criteria in both government and the private sector makes the process worthwhile, however.

'We're seeing it throughout DOD, and some civilian agencies are starting to point to it as well,' Wilson said. 'We also have some commercial customers who brought it up. They were very pleased' when certification was completed.

Wilson advised companies considering evaluation to hire a consultant who can guide them through the process and through their dealings with the evaluating laboratory. Documentation in particular can be a troublesome issue.

'We had a lot of the documentation, but it didn't necessarily map to the methods of the laboratory,' Wilson said. The company spent several months restructuring the material to fit the laboratory's format.

About the Author

William Jackson is a Maryland-based freelance writer.