GCN Tech Blog

By GCN Staff


How to overhaul Common Criteria

Last month, the Government Accountability Office stated that the National Information Assurance Partnership wasn't being fully utilized by agencies and vendors. The agency lauded NIAP's independent testing methodology, but noted difficulties matching agency needs to the products being tested. In many cases the validated products weren't the current releases, and many products that agencies required weren't on the list at all.

Perhaps feeling the sting of the GAO critique, Atsec Information Security of Austin, Texas, one of the independent testing labs that does NIAP Common Criteria testing, suggested a number of ways to improve the efficiency of the evaluation process.

One suggestion: Vendors can work with laboratories before the new version of the product is released, allowing the validation to appear shortly after the commercial release. Atsec noted that Red Hat Inc., of Raleigh, N.C., is currently using this approach with Red Hat Enterprise Linux version 5, now under scrutiny. On the government side, agencies can develop their own Protection Profiles, ones that more closely meet their own needs.

Another interesting suggestion from Atsec: Instead of solely evaluating one version of the product (necessitating an entirely new evaluation just to accommodate upgrades and bug fixes), why not set up an assessment process to judge only minor modifications to already-evaluated products? That certainly would beef up the validated products list a bit.

Posted By Joab Jackson

Posted by Brad Grimes, Joab Jackson on Apr 14, 2006 at 9:39 AM

