IDS mailing list archives
Re: [IDS] IDS Common Criteria
From: Randy Taylor <gnu () charm net>
Date: Tue, 07 Jan 2003 15:22:38 -0500
At 09:15 AM 1/7/2003 -0500, Frederick M Avolio wrote:
Outside Government and Military circles where I can see Common Criteria Certification being extremely useful, how valuable is it, i.e. within the financial sector etc.? More importantly, what are its failings?
CAVEAT: My direct knowledge of the CC is about 2 years old. Maybe things are better. I doubt it.
[snippage]
From "National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11, Subject: National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products is issued by the National Security Telecommunications and Information Systems Security Committee (NSTISSC)"
http://niap.nist.gov/cc-scheme/nstissp_11.pdf
"Effective 1 January 2001, preference shall be given to the acquisition of COTS IA and IA-enabled IT products (to be used on systems entering, processing, storing, displaying, or transmitting national security information) which have been evaluated and validated, as appropriate, in accordance with:
- The International Common Criteria for Information Security Technology Evaluation Mutual Recognition Arrangement;
- The National Security Agency (NSA)/National Institute of Standards and Technology (NIST) National Information Assurance Partnership (NIAP) Evaluation and Validation Program; or
- The NIST Federal Information Processing Standard (FIPS) validation program."
and
"By 1 July 2002, the acquisition of all COTS IA and IA-enabled IT products to be used on the systems specified in paragraph (6), above, shall be limited only to those which have been evaluated and validated in accordance with the criteria, schemes, or programs specified in the three sub-bullets."
A clarification to NSTISSP No. 11 is also available at NIST:
http://niap.nist.gov/niap/library/20020215memo.pdf
Is Common Criteria useful? I don't see how it is.
Fred
If you sell IT security products into the U.S. Government, like IDS, firewalls, or crypto, or a U.S. Government purchaser of same, the usefulness of Common Criteria isn't a debatable topic anymore.
Best regards,
Randy