SAIC Common Criteria Testing
SAIC provides Common Criteria testing to evaluate IT security products for compliance prior to use by a sensitive DoD network. SAIC's lab is a market leader: we have completed the most evaluations, we have the most products in evaluation, and our lab has been selected to perform multiple evaluations by many of the best known security product companies world-wide.
Trying to Select a Common Criteria Testing Laboratory?
Then ask why:
- More companies select SAIC's Common Criteria testing laboratory
- SAIC's lab has completed the most evaluations
- SAIC's lab has the most products in evaluation
- SAIC's lab has been selected to perform multiple evaluations by 18 vendors
Why Evaluate?
The benefit of a Common Criteria evaluation is compliance with the NSTISSP #11, the Department of Defense 8500 directive, and instructions 8500.1 and 8500.2. These directives require that all commercial-off-the-shelf (COTS) or government-off-the-shelf (GOTS) information assurance (IA) or IA-enabled information technology products acquired for use as part of a solution for DoD systems entering, processing, storing, displaying, or transmitting national security information be in a Common Criteria evaluation.
Twenty-two countries now recognize the Common Criteria (also known as ISO international standard 15408) as the official third-party evaluation criteria for IT security procedures.
Why Choose SAIC's Common Criteria Testing Laboratory?
- We help clients identify exactly what needs to be evaluated and documented.
- Our quoted costs are based on over a decade of evaluation experience and a realistic evaluation process that includes re-evaluation for required documents.
- We have an excellent track record for completing evaluations on time and under budget.
- Our evaluators have computer science, engineering, and mathematics degrees and development experience that give them the ability to deal with any complex technical issues that arise during the evaluation process.
- We provide customized services based upon the specific needs of each client designed to assist in successfully completing Common Criteria evaluations without burdening development personnel.
Ensuring IT Security Products Can Deliver
SAIC's Common Criteria Testing Laboratory is one of 10 accredited labs (NVLAP Lab Code 200427-0) in the United States approved to help the DoD determine whether computer and software security products are safe to run on its networks.
Contact SAIC's Experts
Do you have Common Criteria certification questions? Ask SAIC's experts a question.
For more information about our business solutions and capabilities, please contact us today.
Our Approach
SAIC offers pragmatic, business-oriented Common Criteria evaluation solutions. SAIC helps its clients find the competitive, technical, cost, and schedule requirements consistent with a client's business management priorities and concomitant corporate risk management strategy.
The Process
SAIC suggests first performing a Common Criteria Initial Assessment to review required evaluation material before writing a Security Target or performing an evaluation. Initial Assessments have proven helpful in facilitating evaluation success, shortening time "in evaluation," and significantly reducing the overhead cost of reporting problems to government oversight personnel and resolving those problems.
Members of the SAIC security engineering team who perform the Initial Assessment laboratory services also write the draft Security Targets necessary to begin the Common Criteria evaluation. Then a separate SAIC team, composed of different security engineers, performs the evaluation. The U.S. Government provides oversight personnel.
Meeting DoD 8500 Requirements
The government oversight for all Common Criteria evaluations in the United States is controlled by the Common Criteria Evaluation and Validation Scheme (CCEVS), an organization within the National Security Agency. CCEVS announced on October 1, 2009, that any product at any assurance level may apply for evaluation. If the product does not meet a Protection Profile (PP), a Letter of Intent (LOI) for the project must be submitted to CCEVS. The LOI must be on official government agency letterhead and specify the customer, the assurance level required, and the reason the evaluation is required. National Information Assurance Partnership (NIAP) Policy #12 dated October 1, 2009, details the explicit LOI requirements. SAIC CCTL will work closely with you to help develop an acceptable LOI.
White Paper: Validation Oversight Review Process
This paper outlines the process for a Common Criteria validation using the Validation Oversight Review (VOR) process introduced by the National Information Assurance Partnership.
History
SAIC's Common Criteria Testing Laboratory was one of the initial four laboratories accredited to perform IT Evaluation Assurance Levels (EAL) 1 through 4 within the CCEVS under the authority of the National Information Assurance Partnership (NIAP).
Our laboratory has experience spanning all the U.S. IT Evaluation Schemes from the NSA Trusted Product Evaluation Program (TPEP), through the NSA Trust Technology Assessment Program (TTAP), and the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS).
SAIC personnel were key players on the team that developed the Common Criteria, the first international standard for IT security evaluation and validation/certification, for the NIAP. Current SAIC Common Criteria Testing Laboratory employees include a former NSA Chief Evaluator, Technical Review Board (TRB) members, an Interpretations Working Group (IWG) member, and a U.S. Representative directly responsible for the development of the Common Criteria itself.
About Us
SAIC's Common Criteria Testing Laboratory is certified to evaluate products at all levels of assurance where the assurance level is recognized through the international Common Criteria Recognition Agreement (CCRA) on the Recognition of Common Criteria Certificates. SAIC has intimate knowledge of the Common Evaluation Methodology (CEM). Use of the CEM is required for all Common Criteria (CC) evaluations by the CCRA. The SAIC CCTL has successfully evaluated IT security products that meet the mutually recognized EAL2, 3, and 4 levels of assurance. We can also evaluate PPs, STs, and IT security products up to EAL7 under the auspices of NSA.
The SAIC CCTL has the most completed evaluations and the most high assurance evaluation experience of any lab operating under National Information Assurance Partnership (NIAP), and our lead is growing. We encourage potential clients to see NIAP's list of Products and Protection Profiles In Evaluation.
Total Evaluations completed by SAIC
| NIAP/CCEVS - Completed | Evaluations |
| --- | --- |
| EAL2/2+ | 28 |
| EAL3/3+ | 20 |
| EAL4/4+ | 34 |
| Total Complete as of 03/27/2007 | 82 |

| NIAP/CCEVS - In Progress | Evaluations |
| --- | --- |
| EAL2/2+ | 29 |
| EAL3/3+ | 15 |
| EAL4/4+ | 25 |
| EAL5/EAL6/EAL7 | 3 |
| Total in Progress | 72 |
Can our evaluation begin right away?
We have no queue. The SAIC Common Criteria Testing Laboratory (CCTL) has project management expertise, proven evaluation techniques, and 18 full-time evaluators. For specific technologies, we have immediate access to additional employees and a large team of IT security engineers and product specialists.
Does the SAIC CCTL offer Firm-Fixed-Price (FFP) contracts?
Yes, for the Initial Assessment and Security Target tasks. However, to protect you, us, and our business relationship, SAIC uses a Time & Materials (T&M) contract for the evaluation task. Common Criteria evaluations are interactive and dynamic. Therefore, the SAIC CCTL believes that a T&M contract saves you money in the long run because you pay for only the hours SAIC actually uses.
We will be happy to direct you to our clients. Please feel free to ask them about SAIC's ability to perform successful, timely, and cost-effective CC evaluations.
Will SAIC add a "not to exceed" statement to the evaluation task in the contract?
Our contracts for the evaluation task are T&M only. Adding a cap adds a Fixed Price element to the evaluation task in the proposal that may limit a client's decision to add functionality and platforms and to change the evaluated version before testing.
What Evaluation Assurance Level (EAL) should I attain?
If an EAL is not specified by a Protection Profile or your DoD client, a vendor should seek an EAL that makes business and market sense. An SAIC CCTL Initial Assessment will help you in the decision process.
Articles and Presentations
View the following articles and presentations for more information on the Common Criteria and SAIC's Common Criteria Testing Laboratory.
Product Security Validation for U.S. Government Agencies
SAIC's Common Criteria Testing Lab: Ensuring IT Security Products Can Deliver
SAIC's Common Criteria Testing Laboratory (CCTL) (157k PDF file*) was a Featured Facility in the September/October 2002 issue of the ITEA Journal, a publication of the International Test and Evaluation Association (ITEA).
IT Product Certification Programs: Are they useful? (188k PDF file*)
Research Paper: Common Criteria Mutual Recognition (125k PDF file*)
Common Criteria: Vulnerability Analysis of Cryptographic Security Mechanisms (140k PDF file*)
Has the Common Criteria Delivered? (144k PDF file*)
Common Criteria: Security Target Level of Detail (144k PDF file*)
Common Criteria: Optional Security Requirements and Functions? (151k PDF file*)
Threats, Policies, and Assumptions in the Common Criteria (140k PDF file*)
Free Common Criteria Training
SAIC offers training to educate IT security product company personnel about the processes, terminology, required documentation, and resource needs associated with a Common Criteria evaluation. SAIC Common Criteria training is offered free via an SAIC telephone bridge and web conferencing to qualified companies and organizations. The course can be tailored to specific information needs and meeting lengths.
SAIC consultants will discuss:
Common Criteria Background
- History of the Common Criteria standard
- Defense Department directives driving compliance and product selection
- Milestone of "in evaluation"
- Future including Common Criteria V3 and FISMA
Common Criteria Evaluation Process
- Common Criteria terms and acronyms
- SAIC three-step evaluation process including an assessment of a product's readiness for evaluation
- Security Target and its security functions
- Government Protection Profiles and their application
- Client supplied evaluation documentation and resources
- SAIC consulting and assurance evidence services
Common Criteria Methodology
- Common Criteria evaluation methodology
- Evaluation assurance levels and their assurance requirements
- Evaluation schedule and milestones
- SAIC and client responsibilities during the evaluation
- Evaluation work units
- Security Target and its content
- Performing an evaluation
- Evidence preparation and evaluation
- Product testing
- Maintenance evaluations
If your company anticipates a need to demonstrate conformance to the Common Criteria, the employees participating in the process should understand the basics of the standard, the evaluation process, and their role within the process. SAIC's free Common Criteria training can help.