GCN Tech Blog

By GCN Staff


How to overhaul Common Criteria

Last month, the Government Accountability Office stated that the National Information Assurance Partnership wasn't being fully utilized by agencies and vendors. The agency lauded NIAP's independent testing methodology, but noted difficulties matching agency needs to the products being tested. In many cases the validated products weren't the current releases, and many products that agencies required weren't on the list at all.

Perhaps feeling the sting of the GAO critique, Atsec Information Security of Austin, Texas, one of the independent testing labs that does NIAP Common Criteria testing, suggested a number of ways to improve the efficiency of the evaluation process.

One suggestion: Vendors can work with laboratories before the new version of the product is released, allowing the validation to appear shortly after the commercial release. Atsec noted that Red Hat Inc., of Raleigh, N.C., is currently using this approach with Red Hat Enterprise Linux version 5, now under scrutiny. On the government side, agencies can develop their own Protection Profiles, ones that more closely meet their own needs.

Another interesting suggestion from Atsec: Instead of solely evaluating one version of the product (necessitating an entirely new evaluation just to accommodate upgrades and bug fixes), why not set up an assessment process to judge only minor modifications to already-evaluated products? That certainly would beef up the validated products list a bit.

Posted By Joab Jackson

Posted by Brad Grimes, Joab Jackson on Apr 14, 2006 at 9:39 AM

