Firm leverages unique qualifications

Founder of atsec wrote the book on IT security standard -- literally

When preparing for a test, your chances of passing are better if your study buddy helped write it. That's the idea IBM had when it hired atsec, an information technology security consulting firm, to help it get Common Criteria certification for eServers running Red Hat's Enterprise Linux operating system.

The Common Criteria are a set of internationally recognized standards of assurance for sharing classified information within and across government agencies. Meeting those standards is essential for companies that want federal contracts that include handling classified information.

Last month, IBM submitted the next version of Red Hat Enterprise Linux -- Version 5 -- for Common Criteria certification at Evaluation Assurance Level (EAL) 4. IBM has worked with atsec since 2003, when the latter company evaluated an earlier enterprise version of Linux for EAL 2 certification.

The Common Criteria reflect the Information Technology Security Evaluation Criteria (ITSEC) used throughout Europe. The ITSEC standards are, in turn, based on the German IT security scheme written in the late 1980s by Helmut Kurth, now chief scientist and lab director at atsec.

Kurth and two other IT security gurus formed atsec in 2000 to provide a novel service in the security sphere.

The principle is simple: Customers have a better chance of managing their risk and earning the security certifications to prove it, if they are guided through the process from the start by the experts who helped develop the standards they want to meet.

The company helps its customers identify their areas of critical risk and develop management strategies to lower that risk to an acceptable level and keep it there, Kurth said.

"We're not just helping our customers go through the evaluation but also to enormously improve the quality of their products," said Salvatore La Pietra, atsec's president and co-founder. As a former chief IT security specialist for IBM's European operations, he conducted the first security evaluation of the AIX operating system.

"We enable them to sell their products where security is required, and they need to show their products are really secure," La Pietra said.

All of atsec's consultants are trained in both versions of Common Criteria evaluation: the German Bundesamt für Sicherheit in der Informationstechnik (BSI) and the U.S. National Information Assurance Partnership (NIAP) sponsored by the Defense Department and the National Institute of Standards and Technology.

Since 2000, atsec has helped A-list customers meet demanding IT security goals. In the United States, atsec helped Opteron Computers get Common Criteria certification, which led to the Army Research Lab buying the company. Other atsec customers include Hewlett-Packard, Axalto and Siemens.

IBM has been happy with atsec's performance. A large part of getting security certifications is submitting the right documentation and test results, said Scott Handy, IBM's vice president for worldwide Linux.

"Process is 70 percent of the work," Handy said, and atsec's experts helped write the book on those processes.

"They helped plan our strategy and execution. We couldn't have done it without them this fast," said Kittur "Doc" Shankar, IT architect in IBM's System and Technology Group.

More importantly, Handy said, acquiring Common Criteria certification for Linux has broadened the opportunity to use the operating system in more bids on federal projects.

The security-certification angle of atsec's business, however, interests only a narrow niche of organizations that make security products or sell them to the federal government, said Kelly Kavanagh, a research analyst at Gartner.

"What our customers are most concerned about is assuring their customers, partners and board members that they are taking measures to maintain sufficient security," Kavanagh said.

A small firm with muscle

Although atsec has only 50 employees, it has done more security evaluations on more operating systems than any other accredited Common Criteria evaluation lab worldwide, said Helmut Kurth, the company's chief scientist and lab director.

The company has two evaluation labs. One supports a German organization and the other supports the U.S. National Information Assurance Partnership, sponsored by the Defense Department and the National Institute of Standards and Technology.

In addition, the company has a certified facility to evaluate cryptographic modules for handling classified information under Federal Information Processing Standards 140-1 and 140-2.

-- Michael Arnone

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.


  • Shutterstock image: looking for code.

    How DOD embraced bug bounties -- and how your agency can, too

    Hack the Pentagon proved to Defense Department officials that outside hackers can be assets, not adversaries.

  • Shutterstock image: cyber defense.

    Why PPD-41 is evolutionary, not revolutionary

    Government cybersecurity officials say the presidential policy directive codifies cyber incident response protocols but doesn't radically change what's been in practice in recent years.

  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group