atsec responds to the challenges posed by the GAO report on the NIAP Common Criteria scheme

April 12, 2006 (PRLEAP.COM) Business News
In March 2006, the United States Government Accountability Office (GAO) issued an assessment of Common Criteria certifications and of the work performed by the US oversight body NIAP, titled “Information Assurance – National Partnership Offers Benefits, but Faces Considerable Challenges”.

The present article, prepared by atsec information security corporation, an accredited laboratory experienced in the evaluation of large software components, explains how these challenges can be mitigated and which of them are, in fact, already addressed in current Common Criteria evaluations performed by atsec. We conclude that all four challenges outlined by the GAO can be addressed within the current setup of the Common Criteria methodology and the CC Evaluation and Validation Scheme (CCEVS) implemented by NIAP. Many of the issues set forth in the GAO report can be mitigated by adopting innovative approaches that enhance the efficiency of the evaluation process. atsec has already demonstrated that such an efficient working style is possible and that it covers a large portion of the challenges raised in the GAO report.

Read the whole article at:
http://www.atsec.com/downloads/pdf/efficient_cc_evaluations.pdf

You can find the GAO report under:
http://www.gao.gov/new.items/d06392.pdf

Summary

The GAO report outlines the strengths and weaknesses of the Common Criteria methodology with respect to its practical implementation within the CCEVS.
The identified strengths include:
• Appreciation of an independent evaluation and testing of an IT product
• International recognition of the evaluation results, allowing a broader product selection
• Assessment of the functionality of an IT product, including identification and remediation of flaws
• Improvements in the vendor’s development process, helping to improve the overall quality of the current and future products.

In addition to enumerating the benefits of the NIAP evaluation process, the GAO report also identifies the following weaknesses in the current implementation of the process:
• NIAP-evaluated products do not always meet agencies’ needs, which limits agencies’ acquisition and use of these products.
• A lack of vendor awareness of the NIAP evaluation process impacts the timely completion of the evaluation and validation of products.
• A reduction in the number of validators available to certify products could contribute to delays in validating products for agency use.
• A lack of performance measures and difficulty in documenting the effectiveness of the NIAP process makes it difficult to demonstrate the program’s usefulness or improvements made to products’ security features and functions or improvements to vendors’ development processes.
The weaknesses identified by the GAO are valid and present challenges that Common Criteria participants must address. Most of the identified weaknesses can be mitigated within the current bounds of the Common Criteria and the CCEVS by adopting innovative approaches that enhance the efficiency of the evaluation process. Suggestions for process improvements include facilitating development of useful Protection Profiles; ensuring that all parties understand both agency needs and emerging technologies; staging evaluations such that initial evaluations at lower EALs build a good platform for later more rigorous evaluations; conducting development, consulting, and evaluation efforts in parallel whenever possible; offering expanded Common Criteria training opportunities; and requiring high-quality evaluation work and results from the evaluation labs so that validators’ time is well spent.

Several additional issues are not specifically discussed in the GAO report but should be addressed by the Common Criteria community when considering improvements to the evaluation process. Assurance maintenance measures to create an avenue for quick reevaluation of updates to certified products must be developed. In addition, alignment of CC evaluation with system certification processes within the US government will enhance the value of both programs.

As the evaluation role is largely performed by commercial evaluation laboratories, it makes sense for NIAP to address potential solutions for these issues jointly with all accredited laboratories. The examples provided throughout this article may be useful to all evaluation participants in achieving a process that is efficient and acceptable.

# # #

About atsec information security
atsec information security is an independent, standards-based IT (information technology) security consulting and evaluation services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec launched its U.S. business in May 2003, building on extensive success in Europe dating back to 2000. atsec leverages its deep security, process, and standards expertise to consult on a wide range of IT security needs, enabling clients to establish integrated security management procedures in order to manage security risk and improve data, product, and business process reliability. atsec works with leading global companies such as IBM, HP, BMW, SGI, Swisscom, RWE, and Vodafone. For more information, please visit www.atsec.com.