FAA puts Common Criteria to work

Officials at the Federal Aviation Administration had been aware of Common Criteria for years, but it was not until Marshall Potter joined the staff in 2000 as chief scientist for information technology in the chief information officer's office that the work really got started.

In January 2001, Potter launched an effort to apply Common Criteria to the management of the National Airspace System (NAS). Using Common Criteria, the FAA has created a template to help define the security requirements in the solicitations for each piece of this "system of systems," Potter said.

"The whole intent is to get complete and understandable requirements for the systems," said Joe Veoni, principal information security engineer in the communications and information systems department of Mitre Corp.'s Center for Advanced Aviation System Development. Mitre, a nonprofit organization that performs federally funded research, is part of the team working on the NAS protection profile template.

This approach made more sense than simply replicating the Defense Department mandate for national security organizations, Potter said.

In the national security community, priorities include maintaining confidentiality and controlling access to information. Most civilian agencies' top priorities are ensuring the integrity and availability of information. The different priorities require different approaches when it comes to defining security requirements, Potter said.

"There are those of us who need trusted systems, but we're not focused on security. We're focused on mission," he said.

Potter's team evaluated the threats to NAS and outlined the system's high-level security requirements — such as high integrity and high availability — and matched them up with the Common Criteria standard to develop the template. The team then brought in FAA program managers and acquisition officials to help make sure the template could be understood and used by the people who would actually be developing the solicitations.

The FAA released Version 1 of its template in March and is testing it on two project solicitations — the next version of the Controller Pilot Data Link wireless communications system and the En Route Automation Modernization program.

Featured

  • IT Modernization
    shutterstock image By enzozo; photo ID: 319763930

    OMB provides key guidance for TMF proposals amid surge in submissions

    Deputy Federal CIO Maria Roat details what makes for a winning Technology Modernization Fund proposal as agencies continue to submit major IT projects for potential funding.

  • gears and money (zaozaa19/Shutterstock.com)

    Worries from a Democrat about the Biden administration and federal procurement

    Steve Kelman is concerned that the push for more spending with small disadvantaged businesses will detract from the goal of getting the best deal for agencies and taxpayers.

Stay Connected