NSA to back private security testing
- By Heather Harreld
- Jul 20, 1997
In an attempt to bring consistency to computer security products, the National Security Agency plans to exit the security product-testing business in favor of helping the private sector develop product-testing laboratories.
NSA, as part of a joint agreement with the National Institute of Standards and Technology, this summer will establish a new security testing center dedicated to accrediting commercial testing laboratories and promoting the demand for information technology security products.
The testing center, which will be housed at NIST, will foster the growth of commercial laboratories that would test security products against a set of international guidelines called the common criteria, said Timothy Grance, NIST manager of systems and network security.
The common criteria are security guidelines that encompass product functions, assurance levels and protection levels. They were adopted by entities in Europe, Canada and the United States, including NIST and NSA. Tasks of the center initially will include common-criteria product-testing research, the development of firewall tests, the design of tools to test security products and the crafting of accreditation requirements for laboratories.
"We want to foster the idea that operational security testing should be done in commercial labs," Grance said. "We would be accrediting, on a voluntary basis, private laboratories under the common criteria. Our ultimate ambition would be that a vendor or user group would know that [the private laboratories are] competent, they're viable, they're able to perform. People want swift, cheap and credible testing, and they want us to square that circle between those three items."
The common-criteria security guidelines will replace the Trusted Product Evaluation Program (TPEP), which NSA began in 1983 and now uses to test products against its own guidelines, outlined in what is known as the "Orange Book."
NSA's TPEP program has been criticized in recent years for the length of time the testing process spanned - sometimes as long as two years.
Rob Clyde, a founder of Rockville, Md.-based Axent Technologies Inc., an information technology company, said that the Orange Book evaluations often were viewed as irrelevant because the vendors themselves no longer supported the versions of the product that had been evaluated.
"For years, the frustration with the Orange Book testing was...by the time the testing was finished, the product was obsolete," Clyde said.
The new center will employ 20 people by the end of fiscal 1997 and up to 40 employees by the end of fiscal 1998, Grance said.
According to a statement issued by NSA to FCW, NSA officials believe it is important that the functionality and assurance of information technology products be described in a common language and evaluated to a common test methodology across government and the private sector.
"Thus, customers will be able to compare apples to apples instead of apples to a plethora of fruits and vegetables, as we have today," according to the statement. "We have also learned from our TPEP experience that we simply do not have the internal resources to evaluate, in a cost-effective and timely manner, the myriad security products available in today's marketplace that are being used by our customers," the statement said.
Federal customers will be able to rely on reports issued by government-accredited laboratories to assess the security functionalities and assurance of commercial products, the statement added.
Too Many Choices?
Fred Avolio, vice president of technology for Trusted Information Systems Inc., Glenwood, Md., said that testing laboratories would make purchasing decisions easier for customers.
Avolio said that the proliferation of security products sometimes makes product selection difficult. "If you have one or two organizations [that] have published their criteria and tested against it, that helps people who cannot afford to bring in 10 products and compare them," he said.
NSA and NIST are jointly funding the center, but NSA would not detail in its statement the exact level of funding the center would require. The statement noted that NSA resources now devoted to product testing will remain fairly constant or increase slightly during the next two or three years. After that period, NSA said it expected the funding to decrease as the costs of the program will be absorbed by fees charged by the laboratories to the vendors for the evaluation.