Re: [IDS] IDS Common Criteria

At 09:15 AM 1/7/2003 -0500, Frederick M Avolio wrote:

>>Outside Government and Military circles where I can see Common Criteria

[snippage]

 From "National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11, Subject: National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products is issued by the National Security Telecommunications and Information Systems Security Committee (NSTISSC)"

http://niap.nist.gov/cc-scheme/nstissp_11.pdf

"Effective 1 January 2001, preference shall be given to the acquisition of COTS IA and IA-enabled IT products (to be used on systems entering, processing, storing, displaying, or transmitting national security information) which have been evaluated and validated, as appropriate, in accordance with: - The International Common Criteria for Information Security Technology Evaluation Mutual Recognition Arrangement; - The National Security Agency (NSA)/National Institute of Standards and Technology (NIST) National Information Assurance Partnership (NIAP) Evaluation and Validation Program; or
- The NIST Federal Information Processing Standard (FIPS) validation program."

and

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

"By 1 July 2002, the acquisition of all COTS IA and IA-enabled IT products to be used on the systems specified in paragraph (6), above, shall be limited only to those which have been evaluated and validated in accordance with the criteria, schemes, or programs specified in the three sub-bullets."

A clarification to NSTISSP No. 11 is also available at NIST:

http://niap.nist.gov/niap/library/20020215memo.pdf

>Is Common Criteria useful? I don't see how it is.

If you sell IT security products into the U.S Government, like IDS, firewalls, or crypto, or a U.S Government purchaser of same, the usefulness of Common Criteria isn't a debatable topic anymore.

Best regards,

Randy Received on Tue Jan 7 17:34:24 2003