GCN Tech Blog

By GCN Staff

How to overhaul Common Criteria

Last month, the Government Accountability Office stated that the National Information Assurance Partnership wasn't being fully utilized by agencies and vendors. The agency lauded NIAP's independent testing methodology, but noted difficulties matching agency needs to the products being tested. In many cases the validated products weren't the current releases, and many products that agencies required weren't on the list at all.

Perhaps feeling the sting of the GAO critique, Atsec Information Security of Austin, Texas, one of the independent testing labs that does NIAP Common Criteria testing, suggested a number of ways to improve the efficiency of the evaluation process.

One suggestion: Vendors can work with laboratories before the new version of the product is released, allowing the validation to appear shortly after the commercial release. Atsec noted that Red Hat Inc., of Raleigh, N.C., is currently using this approach with Red Hat Enterprise Linux version 5, now under scrutiny. On the government side, agencies can develop their own Protection Profiles, ones that more closely meet their own needs.

Another interesting suggestion from Atsec: Instead of solely evaluating one version of the product (necessitating an entirely new evaluation just to accommodate upgrades and bug fixes), why not set up an assessment process to judge only minor modifications to already-evaluated products? That certainly would beef up the validated products list a bit.

Posted By Joab Jackson

Posted by Brad Grimes, Joab Jackson on Apr 14, 2006 at 9:39 AM

