Big changes are happening in how US government agencies can purchase hardware and software. These changes are bound to cause a huge effect for you too!

Beginning in July 2002, the National Information Assurance Acquisition Policy takes full effect. It states:

"By July 1 2002, the acquisition of all Commercial Off The Shelf (COTS) Information Assurance (IA) and IA-enabled IT products to be used on systems entering, processing, storing, displaying, or transmitting national security information shall be limited only to those which have been evaluated and validated in accordance with these criteria, schemes, or programs:

  • The International Common Criteria for Information Security Technology Evaluation Mutual Recognition Arrangement;
  • The National Security Agency (NS)/National Institute of Standards and Technology (NIST) National Information Assurance Partnership (NIAP) Evaluation and Validation Program, or;
  • The NIST Federal Information Processing Standard (FIPS) validation program."

The Acquisition Policy was issued in January 2000 by the National Security Telecommunications and Information Systems Security Committee (NSTISSC), as National Security Telecommunications and Information Systems Security Policy (NSTISS) Number 11. The objective of NSTISSP No. 11 is to help provide assurance that off-the-shelf IA software and systems acquired by the US government will perform as advertised and/or will satisfy the information security requirements established by the prospective user. IA products are defined as any IT product or technology that provides security services. Examples include data and network encryption systems, firewalls, intrusion detection systems, Single-Sign-On solutions, etc. IA-enabled products are defined as products whose primary role is not security but offer security services within the application. Examples include security-enabled Web browsers, packet-screening routers, trusted operating systems, or security-enabled messaging systems.

NSTISSP No. 11 is a tool to help evaluate IT-security enabled products at various levels to help reduce the costs related to custom development of Government Off The Shelf (GOTS) systems and corresponding certification by the NSA. By purchasing commercial systems with adequate confidence that they can protect national secrets, the US government and governments worldwide benefit from increased choices of products from vendors who undergo evaluations, increased capabilities, and specialization of tools.

Evaluating IA and IA-enabled Products
To participate in an evaluation of an IT-security enabled product, a vendor will volunteer to sponsor and pay for an evaluation and prepare the sets of documentation needed throughout the process. For a Common Criteria evaluation, a vendor will write a document, called a Security Target (ST) that contains all the claims of security functionality within the product. The ST may claim conformance to one or more Protection Profiles (PPs) that implement a customer's ability to formally state their security requirements for product operating in a given environment. The ST also makes a claim about the robustness of the security function's implementation, giving independent evaluators the level of evaluation desired. Along with the ST, the product itself, called a Target of Evaluation (TOE), is securely delivered to a testing lab that's been certified under a NIAP or international CC scheme, and tested for conformance to claims. When the product is successfully evaluated, a report, called an Evaluation Technical Report (ETR) is sent the scheme (NIAP in the US) for review and concurrence. If concurrence is reached, a Common Criteria Certificate is issued, and placed on the registry of evaluated products. With the certificate, international recognition may be gained, eliminating the need for a vendor to conduct additional evaluations on the same version of the product, and opening a worldwide market that honors acceptance of proven secure products.

Current member countries of the Common Criteria Mutual Recognition Arrangement (CCMRA) include:

  • US
  • Canada
  • France
  • United Kingdom
  • Germany
  • Netherlands
  • Australia
  • New Zealand
  • Finland
  • Greece
  • Israel
  • Norway
  • Spain
  • Sweden

Products produced in any of these countries and evaluated through a Common Criteria Scheme are mutually recognized (up to certain evaluation levels), and may be sold to other local governments without further security evaluations.

As a vendor of IA or IA-enabled products you sell or want to sell to government agencies (anywhere), NSTISSP No. 11 is a powerful driver to improving the security of COTS systems, and by participating in evaluations, you prove your commitment to reducing the computer security problems we witness daily, and clearly show you're serious about your personal responsibility as a member of the global e-commerce community.

Links you may find interesting:

EC Outlook article on Common Criteria Part One
EC Outlook article on Common Criteria Part Two
NIST Computer Security Handbook
International Common Criteria Project
National Information Assurance Partnership (NIAP)
FIPS 140-1 Specifications and Current Validated Modules
NSA/NIST US Government Recommended Protection Profiles