NIAP process helps agencies, but still falls short

Independent testing and validation of commercial off-the-shelf IT security products by laboratories accredited by the National Information Assurance Partnership is helping agencies make their purchase decisions, but hiccups in the process limit its use by vendors and agencies, according to the Government Accountability Office.

In its new report, titled 'NIAP Benefits and Challenges,' GAO described the benefits of the evaluation process as conditional. For instance, 'independent testing and evaluation ... can increase agencies' confidence that products will perform as claimed,' or 'improvements to vendor development processes ... can result in quality improvements to current and future products.'

But the weaknesses of the process affect its usefulness, GAO found. For instance, NIAP has no metrics for measuring the effectiveness of the evaluation program. Just as important, there are difficulties matching agencies' needs with the availability of NIAP-evaluated products, and the number of qualified validators to evaluate products is declining just as the number of products waiting to be evaluated is growing.

NIAP 'intends to pursue legislation allowing it to recoup the costs of validations and hire additional staff' to address that shortcoming, GAO reported.

