Security focus shifts to systems
- By Diane Frank
- Oct 18, 2000
NIAP Common Criteria Evaluation and Validation Scheme
In its third year, a joint civilian/defense information assurance program
is shifting its focus from the certification of products to helping agencies
secure their systems.
Through the National Information Assurance Partnership, the National
Security Agency and the National Institute of Standards and Technology had
set up an accreditation system for commercial laboratories that evaluate security
products against an international standard, the Common Criteria (ISO/IEC 15408), under
the Common Criteria Evaluation and Validation Scheme.
"Now we're going to be turning our attention to the system-level problems,"
said Ron Ross, director of the NIAP, at the National Information Systems
Security Conference in Baltimore on Monday.
The NIAP has been helping agencies develop "protection profiles," each an
implementation-independent set of security requirements for a class of product
that vendors can build to and against which evaluated products are tested, so that
a product can be matched to an agency's needs. Until now, those protection profiles
have been written only for products such as software and appliance-based firewalls.
But now the NIAP is helping to develop protection profiles for systems
and services. One such project involves the health care industry, which
needs to meet federal security requirements set forth in the Health Insurance
Portability and Accountability Act of 1996.
The Health Care Security Forum project at the NIAP is working with members
of the health care community to define security needs and determine how
a protection profile and the Common Criteria can help the health care sector
comply with HIPAA, said L. Arnold Johnson, project leader at the NIAP.
Already, many of the top health care user organizations have joined
to support the project, which will include requirements for systems to provide
traceable and documented evidence that they are meeting HIPAA policies,