SAIC's Common Criteria Testing Lab: Ensuring IT Security Products Can Deliver

U.S. Department of Defense (DoD) network architects are faced with hundreds of information technology (IT) security products, such as firewalls, switches and routers, database management systems, virtual private networks, intrusion detection systems, public key infrastructures, secure operating systems, tokens, and biometrics.

New and worse threats generate new products, making it difficult to match network requirements, assurance measures, and product capabilities. The nagging question is always whether the IT security product is going to deliver as advertised.

That's where a Common Criteria Testing Laboratory (CCTL) comes in. SAIC's CCTL is one of 10 accredited labs in the United States approved to help the DoD determine whether computer and software security products are safe to run on its networks.

Among the CCTLs, SAIC's CCTL is the leader in CCTL market share. Eighty-three certificates for Common Criteria evaluation have been awarded in the United States. Of those, 45 have been awarded to SAIC. That means that 47 percent of all certificates awarded have gone through SAIC's CCTL.

Currently, there are 145 products in Common Criteria evaluation in the United States evaluation scheme. SAIC is doing 70 of those evaluations, or 48 percent of total evaluations. The other evaluations are split between the other nine accredited labs and four candidate labs. SAIC's CCTL also is the only CCTL that has current EAL5, EAL6+, and EAL7 evaluations ongoing.

The Common Criteria - the standard for more than 20 countries
To be assured that secure manufacture and security functions work, Department of Defense Directive 8500 mandates that IT security products used on its sensitive networks be evaluated using the Common Criteria Evaluation and Validation Scheme (the CCEVS or Common Criteria).

The Common Criteria (international standard ISO 15408) was officially instituted in 1999 to replace a series of DoD programs and various international schemes implemented by the defense agencies of Western nations. The standard provides for evaluation of computer security products by trusted, certified, third-party labs, according to a standardized set of criteria, using a common description language.

More than 20 countries now recognize the standard. In the United States, the program is managed by the National Information Assurance Partnership (NIAP), a joint activity of the National Institute of Standards and Technology and the National Security Agency. The NIAP is the certifying body of the CCTL program.

Part of the standard calls for meeting security assurance requirements that are verified according to an Evaluation Assurance Level (EAL), an assurance-rating system that runs from 1 to 7. SAIC's CCTL was one of the initial four laboratories accredited to perform IT evaluations at EAL 1 through 4 within the Common Criteria, under the authority of the NIAP.

A thorough understanding
SAIC CCTL personnel were key players on the team that developed the Common Criteria for the NIAP. Current SAIC CCTL employees include individuals directly responsible for the development of the Common Criteria itself, including a former National Security Agency chief evaluator, former Technical Review board members, a member of the Interpretations Working Group, and a U.S. group representative.

Rigorous evaluation
The standard is built around an evaluation system that tests security functions and assurance. The Common Criteria are described in three parts:

  1. Introduction and general model
  2. Security function requirements
  3. Security assurance requirements verified according to an EAL.

Together, these parts are used to create a security target that, in effect, becomes a security specification that a network architect can use to compare similar technology products on a level playing field.

But it's not just testing a black box. "We don't just get the product and bang away at it from the external interfaces," points out one of the CCTL's chief evaluators. "Vendors have to provide a list of claims. We look at the requirements to determine if they make sense. We evaluate the design documents to see how it does against meeting its requirements. We look at how well vendors document their processes. Testing is typically the last phase."

Helping vendors
Certification is more than a "nice to have" for product and software vendors. "They want to know what they need to do to make their products more secure," SAIC's CCTL leadership explains. "They're very anxious about meeting the requirements because they have contracts pending their certification."

What it really comes down to, SAIC believes, is helping vendors improve their products. That involves a good deal of review of documentation and design, evaluating claims, and pointing out glitches or bugs.

"We work very closely with developers and vendors that are interested in improving their security," a chief evaluator says. "We provide assurance that the vendor's security claims are accurate, and often, in the process, we work with them to make their products more secure."

For SAIC, the help its CCTL provides vendors to improve the security of their IT products is another important way SAIC helps support the security of the nation.

Data in this article verified as of November 2006.

 

