FAA puts Common Criteria to work

Officials at the Federal Aviation Administration had been aware of Common Criteria for years, but it was not until Marshall Potter joined the staff in 2000 as chief scientist for information technology in the chief information officer's office that the work really got started.

In January 2001, Potter launched an effort to apply Common Criteria to the management of the National Airspace System (NAS). Using Common Criteria, the FAA has created a template to help define the security requirements in the solicitations for each piece of this "system of systems," Potter said.

"The whole intent is to get complete and understandable requirements for the systems," said Joe Veoni, principal information security engineer in the communications and information systems department of Mitre Corp.'s Center for Advanced Aviation System Development. Mitre, a nonprofit organization that performs federally funded research, is part of the team working on the NAS protection profile template.

This approach made more sense than simply replicating the Defense Department mandate for national security organizations, Potter said.

In the national security community, priorities include maintaining confidentiality and controlling access to information. Most civilian agencies' top priorities are ensuring the integrity and availability of information. The different priorities require different approaches when it comes to defining security requirements, Potter said.

"There are those of us who need trusted systems, but we're not focused on security. We're focused on mission," he said.

Potter's team evaluated the threats to NAS and outlined the system's high-level security requirements — such as high integrity and high availability — and matched them up with the Common Criteria standard to develop the template. The team then brought in FAA program managers and acquisition officials to help make sure the template could be understood and used by the people who would actually be developing the solicitations.

The FAA released Version 1 of its template in March and is testing it on two project solicitations — the next version of the Controller Pilot Data Link wireless communications system and the En Route Automation Modernization program.

Featured

  • Budget
    Stock photo ID: 134176955 By Richard Cavalleri

    House passes stopgap spending bill

    The current appropriations bills are set to expire on Oct. 1; the bill now goes to the Senate where it is expected to pass.

  • Defense
    concept image of radio communication (DARPA)

    What to look for in DOD's coming spectrum strategy

    Interoperability, integration and JADC2 are likely to figure into an updated electromagnetic spectrum strategy expected soon from the Department of Defense.

Stay Connected