NIAP process helps agencies, but still falls short

Independent testing and validation of commercial off-the-shelf IT security products by laboratories accredited by the National Information Assurance Partnership is helping agencies make their purchase decisions, but there are hiccups in the process that limit the use of the process by vendors and agencies, according to the Government Accountability Office.

In its new report, titled 'NIAP Benefits and Challenges,' GAO described the benefits of the evaluation process as conditional. For instance, 'independent testing and evaluation ' can increase agencies' confidence that products will perform as claimed,' or 'improvements to vendor development processes ... can result in quality improvements to current and future products.'

But the weaknesses of the process affect its usefulness, GAO found. For instance, NIAP has no metrics for measuring the effectiveness of the evaluation program. Just as important, there are difficulties matching agencies' needs with the availability of NIAP-evaluated products, and the number of qualified validators to evaluate products is declining just as the number of products waiting to be evaluated is growing.

NIAP 'intends to pursue legislation allowing it to recoup the costs of validations and hire additional staff' to address that shortcoming, GAO reported.

inside gcn

  • ARL seeks private cloud to modernize IT infrastructure

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group