NSA to back private security testing

In an attempt to bring consistency to computer security products, the National Security Agency plans to exit the security product-testing business in favor of helping the private sector develop product-testing laboratories.

NSA, as part of a joint agreement with the National Institute of Standards and Technology, this summer will establish a new security testing center dedicated to accrediting commercial testing laboratories and promoting the demand for information technology security products.

The testing center, which will be housed at NIST, will foster the growth of commercial laboratories that would test security products against a set of international guidelines called the common criteria, said Timothy Grance, NIST manager of systems and network security.

The common criteria are security guidelines that encompass product functions, assurance levels and protection levels. They were adopted by entities in Europe, Canada and the United States, including NIST and NSA. Tasks of the center initially will include common-criteria product-testing research, the development of firewall tests, the design of tools to test security products and the crafting of accreditation requirements for laboratories.

"We want to foster the idea that operational security testing should be done in commercial labs," Grance said. "We would be accrediting, on a voluntary basis, private laboratories under the common criteria. Our ultimate ambition would be that a vendor or user group would know that [the private laboratories are] competent, they're viable, they're able to perform. People want swift, cheap and credible testing, and they want us to square that circle between those three items."

The common-criteria security guidelines will replace the Trusted Product Evaluation Program (TPEP), which NSA began in 1983 and now uses to test products against its own guidelines, outlined in what is known as the "Orange Book."

NSA's TPEP program has been criticized in recent years for the length of time the testing process spanned - sometimes as long as two years.

Rob Clyde, a founder of Rockville, Md.-based Axent Technologies Inc., an information technology company, said that the Orange Book evaluations often were viewed as irrelevant because the vendors themselves no longer supported the versions of the product that had been evaluated.

"For years, the frustration with the Orange Book testing was...by the time the testing was finished, the product was obsolete," Clyde said.

The new center will employ 20 people by the end of fiscal 1997 and up to 40 employees by the end of fiscal 1998, Grance said.

According to a statement issued by NSA to FCW, NSA officials believe it is important that the functionality and assurance of information technology products be described in a common language and evaluated to a common test methodology across government and the private sector.

"Thus, customers will be able to compare apples to apples instead of apples to a plethora of fruits and vegetables, as we have today," according to the statement. "We have also learned from our TPEP experience that we simply do not have the internal resources to evaluate, in a cost-effective and timely manner, the myriad security products available in today's marketplace that are being used by our customers," the statement said.

Federal customers will be able to rely on reports issued by government-accredited laboratories to assess the security functionalities and assurance of commercial products, the statement added.

Too Many Choices?

Fred Avolio, vice president of technology for Trusted Information Systems Inc., Glenwood, Md., said that testing laboratories would make purchasing decisions easier for customers.

Avolio said that the proliferation of security products sometimes makes product selection difficult. "If you have one or two organizations [that] have published their criteria and tested against it, that helps people who cannot afford to bring in 10 products and compare them," he said.

NSA and NIST are jointly funding the center, but NSA would not detail in its statement the exact level of funding the center would require. The statement noted that NSA resources now devoted to product testing will remain fairly constant or increase slightly during the next two or three years. After that period, NSA said it expected the funding to decrease as the costs of the program will be absorbed by fees charged by the laboratories to the vendors for the evaluation.

