Government Computer News
Under attack
Common Criteria has loads of critics, but is it getting a bum rap?
Digg
De.licio.us
Slashdot
Technorati
Levels of Common Criteria’s Evaluation Assurance
Products validated under the Common Criteria Evaluation and Validation Scheme are assigned one of seven Evaluation Assurance Levels, sets of predefined assurance packages that give an indication of how rigorous the evaluation process has been.
The assurance level applies to the evaluation process rather than to the product’s functionality.
EAL 1 is the lowest level and EAL 7 is the highest. Most products validated to date are certified at EAL 2, 3 and 4. Levels 1 through 4 are recognized under the Common Criteria Recognition Agreement, meaning that all participating countries recognize the evaluation result regardless of the country in which the evaluation was done. The higher EALs are generally country-specific.
The National Information Assurance Partnership warns that “reliance on EALs alone does not provide a method for determining the security robustness of a product. The EAL merely provides a convenient reference for the amount of analysis and testing performed on the product.”
A recent listing of 186 products validated under Common Criteria showed the following assurance levels.
NO. OF VALIDATED PRODUCTS BY ASSURANCE LEVELS
EAL 1 - 5
EAL 2 - 90
EAL 3 - 33
EAL 4 - 53
EAL 5 - 3
EAL 6 - 0
EAL 7 - 2
The use of evaluated security products is mandated for government networks carrying sensitive information. But vendors say the validation process is too expensive and cumbersome. Security folks say it is a paperwork drill rather than a product evaluation. Both agree that it has not made software on government systems more secure.
“Common Criteria is just something that we do,” said Wesley Higaki, director of product certification at Symantec. “We’re just going through the motions.”
“If you’re asking, is the effort worth the money, the an
Trying to be all things to all people, Common Criteria has ended up pleasing almost no one. That is not to say that no one has a good word for it. But even the positive statements are damning in their faint praise.
“The scheme itself is sound,” said Jonathan Shapiro, an assistant professor at Johns Hopkins University’s Computer Science Department. Shapiro has been one of the biggest critics of the Common Criteria. “Personally I think that there is benefit — evaluation is certainly no worse than any other inspection process — but it is not cost-effective,” he said.
It is enough to make you feel sorry for the National Information Assurance Partnership, which oversees Common Criteria in the United States.
“Defending the program is a full-time effort. It is a difficult job,” said NIAP Director Audrey Dale of the National Security Agency. Dale acknowledges industry frustration with the scheme, and she said NIAP is trying to address vendors’ concerns.
| |||
| Latest News |  WashingtonTechnology.com |
FCW.com |
|
GCN.com
The latest technology news from GCN.com
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
 |
![1105 Government Information Group [valor]](/images/1105logo_website.gif "Government Computer News [valor]")
© 1996-2008 1105 Media, Inc. All Rights Reserved.
