Learn More At FIAC 2003
Common Criteria More Commonly Sought
FIAC 2003 will unravel the mysteries of one of the government's leading frameworks for IT security.
With the peaceful well-being of cyberspace under incessant threat by provocateurs as varied as hacker contest operators and full-bore cyber terror war combatants, the time has probably come for all who are less than fluent in IT security best practices to begin "training up." A good place to start is with one of the U.S. federal government's most ambitious efforts, known simply as the "Common Criteria."
"The Common Criteria for Information Technology Security Evaluation provides a language for defining and evaluating IT security systems and products," said John Morris, president and co-founder of Corsec Security Inc. Corsec specializes in Common Criteria, FIPS 140 and cryptographic engineering consultancy.
"The framework provided by the Common Criteria [CC] allows organizations to define sets of specific Functional and Assurance requirements, called Protection Profiles. The CC also provides evaluation laboratories with procedures for evaluating products or systems against the specified requirements."
The main reason manufacturers are lining up to get their products or systems evaluated under the CC these days is that, increasingly, agencies are requiring it under the July 2002 National Security Telecommunications and Information Systems Security Policy #11 (NSTISSP #11). This policy directive was carved out by the National Security Agency and the National Institute of Standards and Technology, and is being adopted in many agencies including the Defense Department.
Because many are still unfamiliar with CC, its mysteries will be unraveled at this year's Federal Information Assurance Conference at College Park, MD, where Morris will lead a session explaining Common Criteria basics and intricacies on Oct. 21. Attendees can expect to get the lowdown on such issues as:
- The Evaluation Assurance Levels (EALs) that can be achieved under the CC
- What constitutes a Protection Profile and why it is important
- How the CC differs from other NIST certification and accreditation programs
The NSTISSP #11 policy was drafted in the pre-Sept. 11 period but gained urgency as threats to government systems and critical infrastructure were re-evaluated post-9/11. "It's gratifying to see government put a policy like NSTISSP #11 in place," said Matthew Mosher, a federal division V.P. with CyberGuard, one of the first companies to provide a firewall system meeting the highest EALs under the Common Criteria evaluation program.
Mosher said he believes that the more closely critical infrastructure needs are examined in terms of how IT systems interoperate with "utilities, power grids, transportation," the more likely it is that "information assurance procurement standards similar to NSTISSP #11" will be adopted in both the private and critical-infrastructure sectors.
Morris said that as world events have conspired to change the leisurely pace of security planning and implementation into an immediacy for many organizations, "interest in pursuing Common Criteria evaluations has never been higher. Recent security spending growth and heightened security awareness are driving government agencies to push vendors for CC-evaluated products, and to refine their required Protection Profiles and Evaluation Assurance Levels."
Folks looking to get a jump-start on the FIAC Common Criteria session can learn more by visiting Corsec's online CC Center at http://www.corsec.com/ccc_center.php. For more information on FIAC 2003, October 21-23, University of Maryland, College Park, MD, visit www.fbcinc.com/fiac.
Article by PSI Senior Editor Bob Green. Green has covered government for more than 15 years. He has been focusing on security issues since 1998. You can reach him at BobGreen@PubSector.net.