OSEC

From: Randy Taylor (gnu_at_charm.net)
Date: Tue Jan 07 2003 - 14:22:38 CST


    At 09:15 AM 1/7/2003 -0500, Frederick M Avolio wrote:

    >>Outside Government and Military circles where I can see Common Criteria
    >>Certification being extremely useful, how valuable is it, i.e. within the
    >>financial sector etc.? More importantly, what are its failings?
    >
    >CAVEAT: My direct knowledge of the CC is about 2 years old. Maybe things
    >are better. I doubt it.

    [snippage]

     From "National Security Telecommunications and Information Systems Security
    Policy (NSTISSP) No. 11, Subject: National Policy Governing the Acquisition of
    Information Assurance (IA) and IA-Enabled Information Technology (IT) Products
    is issued by the National Security Telecommunications and Information
    Systems Security Committee (NSTISSC)"

    http://niap.nist.gov/cc-scheme/nstissp_11.pdf

    "Effective 1 January 2001, preference shall be given to the acquisition of
    COTS IA and IA-enabled IT products (to be used on systems entering,
    processing, storing, displaying, or transmitting national security information)
    which have been evaluated and validated, as appropriate, in accordance with:
    - The International Common Criteria for Information Security Technology
    Evaluation Mutual Recognition Arrangement;
    - The National Security Agency (NSA)/National Institute of Standards and
    Technology (NIST) National Information Assurance Partnership (NIAP)
    Evaluation and Validation Program; or
    - The NIST Federal Information Processing Standard (FIPS) validation
    program."

    and

    "By 1 July 2002, the acquisition of all COTS IA and IA-enabled IT products
    to be used on the systems specified in paragraph (6), above, shall be limited
    only to those which have been evaluated and validated in accordance with the
    criteria, schemes, or programs specified in the three sub-bullets."

    A clarification to NSTISSP No. 11 is also available at NIST:

    http://niap.nist.gov/niap/library/20020215memo.pdf

    >Is Common Criteria useful? I don't see how it is.
    >
    >Fred

    If you sell IT security products into the U.S. Government, like IDS, firewalls,
    or crypto, or are a U.S. Government purchaser of same, the usefulness of
    Common Criteria isn't a debatable topic anymore.

    Best regards,

    Randy