8.3 Deploying more secure technology and trusted systems




One approach to improving security is to eliminate or reduce the population of older and less reliable equipment. IT environments and networks can then be upgraded or replaced with more secure protocols and routing technology in order to reduce vulnerabilities. It is also important to be very selective about what technology is deployed.

The U.S. government is recommending that organizations use only digital-control systems and supervisory control and data-acquisition systems that the government has labeled as trusted or that in some other way meet government standards. The U.S. government has established a program to support the security and trustworthiness of IT products that are part of the national information infrastructure, both in the public and private sectors. The NIST and NSA have worked with government and industry to develop and apply information security technology, assurance metrics, and standards necessary for the protection of information critical to overall economic and national security interests. These efforts have focused primarily on government-sponsored initiatives to produce effective IT security evaluation criteria (e.g., the Trusted Computer System Evaluation Criteria and the Federal Criteria for IT Security) and to evaluate products developed by industry in response to those criteria.

The development of similar IT security evaluation criteria by Canada and several European countries during the last decade has prompted the effort to begin harmonizing existing evaluation criteria into common criteria that are internationally accepted and standards based. The Common Criteria is the result of a multiyear effort by the governments of the United States, Canada, the United Kingdom, France, Germany, and the Netherlands to develop harmonized security criteria for IT products.

At the same time that the Common Criteria were being developed, there was a parallel effort to transition trusted product evaluations from the government to the private sector. NSA began the transition of its commercial IT product evaluation capability to the private sector with the establishment of the Trust Technology Assessment Program (TTAP). Under this program, IT security evaluations were conducted by commercial testing laboratories using the Trusted Computer System Evaluation Criteria (TCSEC) in accordance with cooperative research and development agreements. The transition continues under the Common Criteria Evaluation and Validation Scheme (CCEVS), with commercial testing laboratories conducting Common Criteria-based evaluations of IT products on a fee-for-service basis using the Common Evaluation Methodology.

The NIAP CCEVS is an activity jointly managed by the NIST and the NSA and staffed by personnel from those agencies. The focus of the CCEVS is to establish a national program for the evaluation of IT products for conformance to the International Common Criteria for IT Security Evaluation. The validation body approves participation of security testing laboratories in the scheme in accordance with its established policies and procedures. During the course of an evaluation, the validation body provides technical guidance to those testing laboratories, validates the results of IT security evaluations for conformance with the Common Criteria, and serves as an interface to other countries for the recognition of such evaluations.

IT security evaluations are conducted by commercial testing laboratories accredited by the NIST's National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the validation body. These approved testing laboratories are called Common Criteria Testing Laboratories (CCTL). NVLAP accreditation is one of the requirements for becoming a CCTL. The purpose of the NVLAP accreditation is to ensure that laboratories meet the requirements of ISO/IEC Guide 25, General Requirements for the Competence of Calibration and Testing Laboratories, and the specific scheme requirements for IT security evaluation.

The validation body assesses the results of a security evaluation conducted by a CCTL within the scheme and, when appropriate, issues a Common Criteria certificate. The certificate, together with its associated validation report, confirms that an IT product or protection profile has been evaluated at an accredited laboratory using the Common Evaluation Methodology for conformance with the Common Criteria. The certificate also confirms that the IT security evaluation has been conducted in accordance with the provisions of the scheme and that the conclusions of the testing laboratory are consistent with the evidence presented during the evaluation. The validation body maintains a NIAP Validated Products List (VPL) containing all IT products and protection profiles that have successfully completed evaluation and validation under the scheme.

More information about Common Criteria can be obtained at www.commoncriteria.org, along with an updated list of tested products. Tested products are classified into the following categories:

  • Antivirus

  • Biometrics

  • Certificate management

  • Firewalls

  • Guards

  • IDSs

  • Mobile code

  • Network management

  • Operating systems

  • PC access control

  • Peripheral switch

  • Public-key infrastructure (PKI)/key management infrastructure

  • Secure messaging

  • Sensitive data protection

  • Single-level Web servers

  • Smart cards

  • Trusted database management systems (DBMS)

  • Virtual private networks (VPNs)






Implementing Homeland Security for Enterprise IT
ISBN: 1555583121
EAN: 2147483647
Year: 2003
Pages: 248
