NIAP process helps agencies, but still falls short
- By Patience Wait
- Mar 27, 2006
Independent testing and validation of commercial off-the-shelf IT security products by laboratories accredited by the National Information Assurance Partnership is helping agencies make their purchase decisions, but hiccups in the process limit its use by vendors and agencies, according to the Government Accountability Office.
In its new report, titled 'NIAP Benefits and Challenges,' GAO described the benefits of the evaluation process as conditional. For instance, 'independent testing and evaluation ... can increase agencies' confidence that products will perform as claimed,' or 'improvements to vendor development processes ... can result in quality improvements to current and future products.'
But the weaknesses of the process affect its usefulness, GAO found. For instance, NIAP has no metrics for measuring the effectiveness of the evaluation program. Just as important, there are difficulties matching agencies' needs with the availability of NIAP-evaluated products, and the number of qualified validators to evaluate products is declining just as the number of products waiting to be evaluated is growing.
NIAP 'intends to pursue legislation allowing it to recoup the costs of validations and hire additional staff' to address that shortcoming, GAO reported.