NIAP process helps agencies, but still falls short

Independent testing and validation of commercial off-the-shelf IT security products by laboratories accredited by the National Information Assurance Partnership is helping agencies make their purchase decisions, but there are hiccups in the process that limit its use by vendors and agencies, according to the Government Accountability Office.

In its new report, titled 'NIAP Benefits and Challenges,' GAO described the benefits of the evaluation process as conditional. For instance, 'independent testing and evaluation ... can increase agencies' confidence that products will perform as claimed,' or 'improvements to vendor development processes ... can result in quality improvements to current and future products.'

But the weaknesses of the process affect its usefulness, GAO found. For instance, NIAP has no metrics for measuring the effectiveness of the evaluation program. Just as important, there are difficulties matching agencies' needs with the availability of NIAP-evaluated products, and the number of qualified validators to evaluate products is declining just as the number of products waiting to be evaluated is growing.

NIAP 'intends to pursue legislation allowing it to recoup the costs of validations and hire additional staff' to address that shortcoming, GAO reported.
