How to overhaul Common Criteria
Last month, the Government Accountability Office stated that the National Information Assurance Partnership wasn't being fully utilized by agencies and vendors. GAO lauded NIAP's independent testing methodology, but noted difficulties matching agency needs to the products being tested. In many cases the validated products weren't the current releases, and many products that agencies required weren't on the list at all.
Perhaps feeling the sting of the GAO critique, Atsec Information Security of Austin, Texas, one of the independent testing labs that does NIAP Common Criteria testing, suggested a number of ways to improve the efficiency of the evaluation process.
One suggestion: Vendors can work with laboratories before the new version of the product is released, allowing the validation to appear shortly after the commercial release rather than months or years later. Atsec noted that Red Hat Inc. of Raleigh, N.C., is currently using this approach with Red Hat Enterprise Linux version 5, now under evaluation. On the government side, agencies can develop their own Protection Profiles, the documents that spell out the security requirements a class of products must meet, so that products are evaluated against requirements that more closely match agency needs.
Another interesting suggestion from Atsec: A Common Criteria certificate covers one specific version of a product, so an upgrade or bug-fix release falls outside the evaluated configuration and today requires an entirely new evaluation. Instead of re-evaluating everything, why not set up an assessment process that judges only the minor modifications to an already-evaluated product? That certainly would beef up the validated products list a bit.
Posted by Brad Grimes, Joab Jackson on Apr 14, 2006 at 9:39 AM