Meeting DoD 8500 Requirements During 2007
The government oversight for all Common Criteria evaluations in the United States is controlled by the Common Criteria Evaluation and Validation Scheme (CCEVS), an organization within the National Security Agency. CCEVS recently announced they will only accept Medium and High Robustness evaluations in 2007. CCEVS will continue to provide updates on the status of the program. Updated information can be found at the CCEVS web site.
Per 8500.2, vendors must submit their products for evaluation and validation by a NIAP EVP or CCRA laboratory. SAIC has strategies for vendors to be compliant under the CCEVS October 1, 2006 announcement.
Submitted and Evaluated Security Targets
The following products have been submitted to the SAIC Common Criteria Testing Laboratory (CCTL), a CCRA certified laboratory for a Common Criteria (CC) evaluation.
| Product | Vendor | Technology Type | Submitted Date | Conformance | Sponsor |
|---|---|---|---|---|---|
| Eracent Solution Set Product Suite | Eracent, Inc., 8133 Easton Road, Ottsville, PA 1894 | Security Management | April 30, 2007 | EAL4 augmented with ALC_FLR.1 | SAIC |
| PowerBroker v5.1 | Symark Software, 30401 Agoura Hills Rd., Suite 200, Agoura Hills, CA 91301 | Security Management | March 20, 2008 | EAL3 augmented with ALC_FLR.1 | SAIC |
SAIC's Posting and the DoD Procurement Requirement
DoD procurement requirements for IA enabled products are identified in DoD 8500.2. DoD 8500.2 reads as follows:
"E3.2.5.1. If an approved U.S. Government protection profile exists for a particular technology area and there are validated products available for use that match the protection profile description, then acquisition is restricted to those products; or to products that vendors, prior to purchase, submit for evaluation and validation to a security target written against the approved protection profile. Products used within the Department of Defense may be submitted for evaluation at evaluation assurance levels (EALs) 1-7 through the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS). Alternatively, the United States recognizes products that have been evaluated under the sponsorship of other signatories and in accordance with the International Common Criteria for Information Security Technology Evaluation Recognition Arrangement (CCRA) for EALs 1-4 only."
"E3.2.5.2. If an approved U.S. Government protection profile exists for a particular technology area, but no validated products that conform to the protection profile are available for use, the acquiring organization must require, prior to purchase, that vendors submit their products for evaluation and validation by a NIAP EVP or CCRA laboratory [The SAIC CCTL is a CCRA laboratory] to a security target written against the approved protection profile or acquire other U.S.-recognized products that have been evaluated under the sponsorship of other signatories to the CCRA."
Thus, under paragraph E3.2.5.2, if a vendor meets the following requirements for an IA enabled product, then the product satisfies the requirements levied in this paragraph.
- Vendor submits a product ST to the SAIC CCTL to perform an evaluation,
- Product ST claims compliance with a PP,
- SAIC CCTL evaluates the ST and finds the ST passes the ASE requirements in CC Part 3 and is fully compliant with the PP,
- SAIC CCTL prepares an Evaluation Acceptance Package for acceptance by CCEVS,
- Product is waiting for CCEVS to begin accepting evaluations.
"E3.2.5.3. If no U.S. Government protection profile exists for a particular technology area and the acquiring organization chooses not to acquire products that have been evaluated by the NIAP CCEVS or CCRA laboratories, then the acquiring organization must require, prior to purchase, that vendors provide a security target that describes the security attributes of their products, and that vendors submit their products for evaluation and validation at a DAA-approved EAL. Robustness requirements, mission, and customer needs will together enable an experienced information systems security engineer to recommend a specific EAL for a particular product to the DAA."
Thus, under paragraph E3.2.5.3, if a vendor meets the following requirements for an IA enabled product, then the product satisfies the requirements levied in this paragraph.
- Vendor submits a product ST to the SAIC CCTL to perform an evaluation,
- SAIC CCTL evaluates the ST and finds the ST passes the ASE requirements in the CC Part 3,
- SAIC CCTL prepares an Evaluation Acceptance Package for acceptance by CCEVS,
- Product is waiting for CCEVS to begin accepting evaluations.