In January 1996, the United States, United Kingdom, Germany, France, Canada, and the Netherlands released the jointly developed Common Criteria for Information Technology Security Evaluation (CCITSE) security evaluation specification. CCITSE, which is usually referred to as the Common Criteria (CC), is the recognized multinational standard for product security evaluation. The CC home page is at csrc.nist.gov/cc. The CC is more flexible than the TCSEC trust ratings and has a structure closer to the ITSEC than to the TCSEC. The CC includes the concept of a Protection Profile (PP), which collects security requirements into easily specified and compared sets, and the concept of a Security Target (ST), which contains a set of security requirements that can be made by reference to a PP.

In October of 2002, Windows 2000 was evaluated as meeting the requirements of the Controlled Access PP, which is the equivalent of TCSEC C2, as well as additional Common Criteria functional and assurance requirements. Details of its conformance can be found at niap.nist.gov/cc-scheme.html. The additional requirements satisfied by Windows 2000 can be found in the certified Windows 2000 Common Criteria Security Target at niap.nist.gov/cc-scheme/CCEVS-VID402-ST.pdf. Notable requirements not included in the Controlled Access PP but included in the Windows 2000 Security Target include:
At the time of writing this book, Windows XP Embedded, Windows XP Professional, and Windows Server 2003 were still undergoing evaluation under the Common Criteria. The scope of this evaluation extends even further than that for Windows 2000. The Common Criteria authority currently recognizes Windows XP and Windows Server 2003 (Standard, Enterprise, and Datacenter Edition) as being evaluated for the following technology types, as shown at niap.nist.gov/cc-scheme/in_evaluation.html: