NIAP process helps agencies, but still falls short

Independent testing and validation of commercial off-the-shelf IT security products by laboratories accredited by the National Information Assurance Partnership is helping agencies make their purchase decisions, but there are hiccups in the process that limit the use of the process by vendors and agencies, according to the Government Accountability Office.

In its new report, titled 'NIAP Benefits and Challenges,' GAO described the benefits of the evaluation process as conditional. For instance, 'independent testing and evaluation ' can increase agencies' confidence that products will perform as claimed,' or 'improvements to vendor development processes ... can result in quality improvements to current and future products.'

But the weaknesses of the process affect its usefulness, GAO found. For instance, NIAP has no metrics for measuring the effectiveness of the evaluation program. Just as important, there are difficulties matching agencies' needs with the availability of NIAP-evaluated products, and the number of qualified validators to evaluate products is declining just as the number of products waiting to be evaluated is growing.

NIAP 'intends to pursue legislation allowing it to recoup the costs of validations and hire additional staff' to address that shortcoming, GAO reported.

Featured

  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/Shutterstock.com)

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected