Press release
atsec responds to the challenges posed by the GAO report on the NIAP Common Criteria scheme
Most of the identified weaknesses can be mitigated within the current bounds of the Common Criteria and the CCEVS
AUSTIN, Texas – In March 2006, the United States Government Accountability Office (GAO) issued an assessment regarding Common Criteria certifications and the work performed by the US oversight institution NIAP called “Information Assurance – National Partnership Offers Benefits, but Faces Considerable Challenges”.
The article prepared by atsec information security corporation, an accredited laboratory experienced in the evaluation of large software components, explains how these challenges can be mitigated and which of them are, in fact, already addressed in current Common Criteria evaluations performed by atsec. We conclude that all four challenges outlined by the GAO can be addressed within the current setup of the Common Criteria methodology and the CC Evaluation and Validation Scheme implemented by NIAP. Many of the issues set forth by the GAO report can be mitigated by adopting innovative approaches that enhance the efficiency of the evaluation process. atsec has already demonstrated that such an efficient work style is possible and can cover a large portion of the challenges addressed by the GAO report.
Read the whole article at:
http://www.atsec.com/downloads/pdf/efficient_cc_evaluations.pdf
You can find the GAO report under:
http://www.gao.gov/new.items/d06392.pdf
Summary
The GAO report outlines the strengths and weaknesses of the Common Criteria methodology with respect to their practical implementation with the CCEVS.
The identified strengths include:
• Appreciation of an independent evaluation and testing of an IT product
• International recognition of the evaluation results, allowing a broader product selection
• Assessment of the functionality of an IT product, including identification and remediation of flaws
• Improvements in the vendor’s development process, helping to improve the overall quality of the current and future products.
In addition to enumerating the benefits of the NIAP evaluation process, the GAO report also identifies the following weaknesses in the current implementation of the process:
• NIAP-evaluated products do not always meet agencies’ needs, which limits agencies’ acquisition and use of these products.
• A lack of vendor awareness of the NIAP evaluation process impacts the timely completion of the evaluation and validation of products.
• A reduction in the number of validators available to certify products could contribute to delays in validating products for agency use; and
• A lack of performance measures and difficulty in documenting the effectiveness of the NIAP process makes it difficult to demonstrate the program’s usefulness or improvements made to products’ security features and functions or improvements to vendors’ development processes.
The weaknesses identified by the GAO are valid and present challenges that Common Criteria participants must address. Most of the identified weaknesses can be mitigated within the current bounds of the Common Criteria and the CCEVS by adopting innovative approaches that enhance the efficiency of the evaluation process. Suggestions for process improvements include facilitating development of useful Protection Profiles; ensuring that all parties understand both agency needs and emerging technologies; staging evaluations such that initial evaluations at lower EALs build a good platform for later more rigorous evaluations; conducting development, consulting, and evaluation efforts in parallel whenever possible; offering expanded Common Criteria training opportunities; and requiring high-quality evaluation work and results from the evaluation labs so that validators’ time is well spent.
Several additional issues are not specifically discussed in the GAO report but should be addressed by the Common Criteria community when considering improvements to the evaluation process. Assurance maintenance measures to create an avenue for quick reevaluation of updates to certified products must be developed. In addition, alignment of CC evaluation with system certification processes within the US government will enhance the value of both programs.
As the evaluation role is largely performed by commercial evaluation laboratories, it makes sense for NIAP to address potential solutions for these issues jointly with all accredited laboratories. The examples provided throughout this article may be useful to all evaluation participants in achieving a process that is efficient and acceptable.
# # #
About atsec information security
atsec information security is an independent, standards-based IT (information technology) security consulting and evaluation services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec launched its U.S. business in May 2003, building on extensive success in Europe dating back to 2000. atsec leverages its deep security, process, and standards expertise to consult on a wide range of IT security needs, enabling clients to establish integrated security management procedures in order to manage security risk and improve data, product, and business process reliability. atsec works with leading global companies such as IBM, HP, BMW, SGI, Swisscom, RWE, and Vodafone. For more information, please visit www.atsec.com.
Media Contact:
Andreas Fabis
fabis@atsec.com
atsec information security corporation
(512) 615-7317