Search NIST's ICAT
By Patricia Toth,
Recent advances in information technologies and the proliferation of computing systems and networks worldwide have raised the level of concern about security in both the public and private sectors. Security concerns are motivated by an increasing use of information technology (IT) products and systems throughout government and industry in a variety of areas—from electronic commerce to national defense. Consumers have access to a growing number of security-enhanced IT products with different capabilities and limitations and must make important decisions about which products provide an appropriate degree of protection for their information.
To help consumers select commercial off-the-shelf IT products that meet their security requirements and to help manufacturers of those products gain acceptance in the global marketplace, NIST and the National Security Agency (NSA) have established a program under the National Information Assurance Partnership (NIAP) to evaluate IT product conformance using international standards. The program, officially known as the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) for IT Security, or Common Criteria Scheme in abbreviated form, is a partnership between the public and private sectors.
What is Product Evaluation and Validation?
IT security is defined as the protection of information from unauthorized disclosure, modification, or loss of use by countering threats to that information arising from human or systems-generated activities, malicious or otherwise. Countering threats to an IT product (e.g., firewalls, databases, operating systems) and mitigating risk helps to protect the confidentiality and integrity of information and also ensure its availability.
Consumers of IT products need to have confidence in the security features of those products. Consumers need to be able to compare various products to understand their capabilities and limitations. Confidence in a particular IT product can be based on the reputation of the developer, past experience with the developer, or the demonstrated competence of the developer in building products through recognized assessments. The consumer could also test the product directly and obtain the necessary results. Dependence on reputation lacks measurable results and testing requires substantial, costly duplication of effort.
The Common Criteria Scheme enables consumers to obtain an impartial assessment of an IT product by an independent laboratory. This security evaluation includes an analysis of the IT product and the testing of the product for conformance to a set of security requirements. The specific IT product being evaluated is referred to as the Target of Evaluation (TOE). The security requirements for that product are described in its security target. IT security evaluations are composed from analysis and testing, distinguishing these activities from the more traditional forms of conformance testing in other areas. All of these activities are carried out using recognized standards and procedures.
To increase consistency among IT security laboratories, the CCEVS reviews the final evaluation results. This review provides independent confirmation that an IT security evaluation has been conducted in accordance with the provisions of the scheme and that the conclusions of the laboratory are consistent with the facts presented in the evaluation. This review, known as validation, is intended to promote consistency of IT security evaluations and comparability of results for all evaluations conducted within the scheme.
The evaluation, the independent validation of evaluation results, and the documentation resulting from these processes provide valuable information for consumers about the security capability of IT products. However, consumers will still need to review this information carefully and assess its applicability to their needs (e.g., the situation and operating environment in which the product will actually be used).
NIAP has the following objectives in developing, operating, and maintaining an evaluation and validation scheme:
The scheme is intended to serve many communities of interest with very diverse roles and responsibilities, including IT product developers, product vendors, value-added resellers, systems integrators, IT security researchers, acquisition/procurement authorities, consumers of IT products, auditors, and accreditors (individuals deciding the fitness for operation of those products within their respective organizations). Close cooperation between government and industry is paramount to the success of the scheme and the realization of its objectives.
The principal participants in the NIAP Common Criteria Evaluation and Validation Scheme are:
In addition to the principal participants listed above, the NIST National Voluntary Laboratory Accreditation Program (NVLAP) plays an important role in supporting the scheme requirements for the use of accredited laboratories to perform IT evaluations.
In the context of the Common Criteria Scheme, a sponsor is the party requesting and paying for the security evaluation of an IT product or protection profile by an accredited testing laboratory. The sponsor is often the product or profile developer, but could also be a government agency, industry consortium, or other organization seeking to obtain an IT security evaluation.
CCEVS establishes policies and procedures in the interest of the public and private sectors. It also provides technical guidance to those laboratories, validates the results of IT security evaluations for conformance to the Common Criteria, and serves as an interface to other nations on the recognition of such evaluations.
Commercial testing laboratories accredited by NVLAP and recognized by the NIAP Validation Body conduct IT security evaluations. These approved testing laboratories are called Common Criteria Testing Laboratories (CCTLs). NVLAP accreditation is the primary requirement for becoming a CCTL. The purpose of the NVLAP accreditation is to ensure that laboratories meet the requirements of ISO/IEC Guide 25, General Requirements for the Competence of Calibration and Testing Laboratories, and are competent to perform the test methods used for IT security evaluations.
The NIAP Validation Body assesses the results of a security evaluation conducted by a CCTL within the scheme and when appropriate, issues a Common Criteria certificate. The certificate, together with its associated validation report, confirms that an IT product or protection profile has been evaluated at an accredited testing laboratory using the Common Methodology for conformance to the Common Criteria. The certificate also confirms that the IT security evaluation has been conducted in accordance with the provisions of the scheme and that the conclusions of the testing laboratory are consistent with the evidence presented during the evaluation.
The CCEVS maintains a NIAP Validated Products List containing all IT products and protection profiles successfully completing evaluation and validation under the scheme. CCEVS will also provide a means to list products and profiles validated by international arrangement partners.
Guidance to Consumers
It is important that consumers of IT products and protection profiles understand how to interpret the results of IT security evaluations and validations. These results are described in evaluation technical reports produced by CCTLs and summarized in the associated validation reports and Common Criteria certificates published by the NIAP Validation Body.
An IT product is typically evaluated in a controlled laboratory setting. In that regard, there are some general assumptions made about the operational environment where the product is ultimately to be employed subsequent to the security evaluation. In some cases, an evaluated IT product may be integrated into a more complex configuration of products that compose an IT system. The actual environment of use may also be significantly different from the one described in the original assumptions set forth in the security target. In the end, consumers must assess the overall contribution to assurance made by the evaluated IT product. When making assessments, there are several things a consumer should consider. They must realize that
Consumers are responsible for determining the security impact of installing or operating an evaluated IT product in a configuration other than the configuration in which it was evaluated.
Evaluation Assurance Levels
The Common Criteria Evaluation Assurance Levels (EALs) have been developed with the goal of preserving the concepts drawn from the U.S. TCSEC and European ITSEC so that results of previous evaluations remain relevant. Using the table below, general equivalency statements are possible but should be made with caution, as the levels do not define assurance in the same manner.
Assurance levels define a scale for measuring the criteria for the evaluation of Protection Profiles and Security Targets. EALs are constructed from assurance components. EALs provide an increasing scale of requirements that balances the level of assurance obtained with the cost and feasibility of acquiring that degree of assurance. There are seven hierarchically ordered EALs listed below. The increase in assurance across the levels is accomplished by substituting hierarchically higher assurance components from the same assurance family and by the addition of assurance components from other assurance families.
The seven EALs are as follows:
EAL1 - functionally tested
EAL2 - structurally tested
EAL3 - methodically tested and checked
EAL4 - methodically designed, tested and reviewed
EAL5 - semi-formally designed and tested
EAL6 - semi-formally verified design and tested
EAL7 - formally verified design and tested
The CCEVS will help consumers select commercial off-the-shelf IT products that meet their security requirements. The CCEVS will also provide for consistent evaluation and validation results. Valuable information for consumers about the security of IT security products will be provided.
For More Information
Additional information on the Common Criteria Evaluation and Validation Scheme can be found at http://niap.nist.gov/cc-scheme.
Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.