04/14/06 -- 11:56 AM

By Brad Grimes & Joab Jackson

How to overhaul Common Criteria

Last month, the Government Accountability Office stated that the National Information Assurance Partnership wasn’t being fully utilized by agencies and vendors. The agency lauded NIAP’s independent testing methodology, but noted difficulties matching agency needs to the products being tested. In many cases the validated products weren’t the current releases, and many products that agencies required weren’t on the list at all.

Perhaps feeling the sting of the GAO critique, Atsec Information Security of Austin, Texas, one of the independent testing labs that does NIAP Common Criteria testing, suggested a number of ways to improve the efficiency of the evaluation process.

One suggestion: Vendors can work with laboratories before the new version of the product is released, allowing the validation to appear shortly after the commercial release. Atsec noted that Red Hat Inc., of Raleigh, N.C., is currently using this approach with Red Hat Enterprise Linux version 5, now under scrutiny. On the government side, agencies can develop their own Protection Profiles, ones that more closely meet their own needs.

Another interesting suggestion from Atsec: Instead of solely evaluating one version of the product (necessitating an entirely new evaluation just to accommodate upgrades and bug fixes), why not set up an assessment process to judge only minor modifications to already-evaluated products? That certainly would beef up the validated products list a bit.

Posted By Joab Jackson
