SAIC's Common Criteria Testing Lab: Measuring IT Product Assurance

U.S. Department of Defense (DoD) network architects are faced with hundreds of information technology (IT) security products, such as firewalls, switches and routers, database management systems, virtual private networks, intrusion detection systems, public key infrastructures, secure operating systems, tokens, and biometrics.

New and worse threats generate new products, making it difficult to match network requirements, assurance measures, and product capabilities. The nagging question is always how much trust it is reasonable to place in the security functions provided by an IT product.

That's where a Common Criteria Testing Laboratory (CCTL) comes in. SAIC's CCTL is one of 9 accredited labs (NVLAP Lab Code 200427-0) in the United States approved to help the DoD determine whether computer and software security products are safe to run on its networks.

Among the CCTLs, SAIC's CCTL is the leader in CCTL market share. Over 320 certificates for Common Criteria evaluation have been awarded in the United States. Of those, over 160 have been awarded to SAIC. That means that 50 percent of all certificates awarded have gone through SAIC's CCTL.

Currently, there are over 100 products in Common Criteria evaluation in the United States evaluation scheme. SAIC is doing nearly one half of those evaluations, and nearly 60% of the total completed evaluations that provide a higher level of trust in the product security functions. The other evaluations are split between the other eight accredited labs and four candidate labs. SAIC's CCTL is currently performing 2/3 of all CC evaluations to measure the highest level of trust that can be placed in the security functions of an IT product. These products are typically depended upon in life-preserving situations.

The Common Criteria - the standard for more than 25 countries

To be assured that secure manufacture and security functions work, Department of Defense Directive 8500 mandates that IT security products used on its sensitive networks be evaluated using the Common Criteria Evaluation and Validation Scheme (the CCEVS or Common Criteria).

The Common Criteria (international standard ISO 15408) was officially instituted in 1999 to replace a series of DoD programs and various international schemes implemented by the defense agencies of Western nations. The standard provides for evaluation of computer security products by trusted, certified, third-party labs, according to a standardized set of criteria, using a common description language.

The number of countries that now recognize the standard is 28, and the number grows each year. In the United States, the program is managed by the National Information Assurance Partnership (NIAP), a joint activity of the National Institute of Standards and Technology and the National Security Agency. The NIAP is the body that certifies IT product assurance for the CCTL program.

Part of the standard calls for meeting security assurance requirements that are described according to an Evaluation Assurance Level (EAL), an assurance-rating system that runs from 1 to 7. The highest levels require that maximum trust can be placed in the security functions of these products, since these products have life-preserving requirements. In 2000, SAIC's CCTL was one of the initial four laboratories accredited to perform CC evaluations in the U.S. and we have maintained our dominant market share since that time.

A thorough understanding

SAIC CCTL personnel were key players on the team that developed the Common Criteria for the NIAP. Current SAIC CCTL employees include individuals directly responsible for the development of the Common Criteria itself, including a former National Security Agency chief evaluator, former Technical Review board members, a member of the Interpretations Working Group, and a U.S. group representative.

Rigorous evaluation

The standard is built around an evaluation system that tests security functions and assurance. The Common Criteria are described in three parts:

  1. Introduction and general model
  2. Security function requirements
  3. Security assurance requirements verified according to an EAL.

Together, these parts are used to create a security target that, in effect, becomes a security specification that a network architect can use to compare similar technology products on a level playing field.

But it's not just testing a black box. "We don't just get the product and bang away at it from the external interfaces," points out one of the CCTL's chief evaluators. "Vendors have to provide an assertion that claims the security functions provided by their product; then evidence is provided by a vendor to a CCTL to support the vendor's assertion. The CCTL evaluates the statements in the evidence to determine if the assertion can be supported. Finally the CCTL plays the role of a consumer and the CCTL installs and configures the product using evidence provided by the vendor. Then the CCTL tests the product against the evidence provided and performs vulnerability testing to determine if the product has known vulnerabilities. For medium and higher assurance products the CCTL performs penetration testing after the CCTL has studied design information, reviewed the product source code and all vendor tests."

Helping vendors

Certification is more than a "nice to have" for product and software vendors. "They want to know what they need to do to make their products more secure," SAIC's CCTL leadership explains. "They're very anxious about meeting the requirements because they have contracts pending their certification."

"We work very closely with developers and vendors that are interested in improving their security," a chief evaluator says. "We provide assurance that the vendor's security claims are accurate, and often, in the process, we work with them to make their products more secure."

For SAIC, the help its CCTL provides vendors to improve the security of their IT products is another important way SAIC helps support the security of the nation.

Data in this article verified as of June 2010.


© Science Applications International Corporation. All rights reserved. This page was printed from www.saic.com.