Common Criteria (CC) Testing
DSD Information Assurance Laboratories (DIAL) has been approved as a
Common Criteria Testing Laboratory (CCTL). This accreditation and the
satisfaction of National Information Assurance Partnership (NIAP) Common
Criteria Evaluation and Validation Scheme (CCEVS) specific requirements
permit DIAL to begin operations as a CCTL and authorize DIAL’s placement
on the NIAP CCEVS Approved Laboratories List. This accreditation was
awarded following rigorous oversight from four senior validators assigned
to DIAL’s Technical Oversight Panel (TOP) and took over 24 months
to complete. DIAL is now one of only nine authorized CCTLs in the United
States and the first to receive its accreditation based on the current
proficiency system. DIAL will officially receive its accreditation
certificate from CCEVS at the RSA Conference in San Francisco in April
2008.
At a national level, Information Assurance (IA) has been considered
a critical issue for some time. In 1998, Presidential Decision Directive
(PDD) 63 clearly articulated the threat to “cyber-based information
systems”. In 2003, PDD-63 was updated by Homeland Security Presidential
Directive (HSPD)-7 requiring federal agencies and departments to develop
methods and technologies to protect the infrastructure. Additional guidance
was provided by the National Security Telecommunications and Information
System Security Policy (NSTISSP) No. 11, DoD Directive 8500.1, DoD Instruction
8500.2, and Public Law 107-314. The purpose of these was to ensure that
IA-related products used to process sensitive information are evaluated
according to appropriate security criteria. This is a key element in
protecting the critical IT infrastructure. The criteria used are known
as the Common Criteria (CC).
The National Information Assurance Partnership (NIAP) has developed
the Common Criteria Evaluation and Validation Scheme (CCEVS) to facilitate
evaluations against the CC. There are currently nine accredited CC Testing
Laboratories (CCTL) concurrently conducting approximately 200 evaluations.
Since 2003, demand for evaluations has increased by more than 500%,
while the number of labs available to conduct the evaluations has grown
by only one, from eight to nine. Undoubtedly, given the limited number
of labs, there is a need for competent testing labs to perform this
critical service.
DIAL’s CC services include:
Selection of a Protection Profile
Evaluation/Development of a Security Target
Performing CC evaluations for EAL 1-4 (upon CCEVS approval)
Development of CC documentation
Protection Profile Selection
The Protection Profile (PP) describes implementation-independent sets
of security requirements for categories of Targets of Evaluation (TOEs), and contains a statement
of the security problem that a compliant product is intended to solve.
It specifies Common Criteria (CC) functional and assurance requirements
components (including an EAL), and provides a rationale for the selected
functional and assurance components. Using a PP can have a significant
positive impact on a CC Evaluation.
Security Target Evaluation
The Security Target (ST) is the basis for the agreement between the TOE developers, consumers,
evaluators and evaluation authorities as to what security the TOE offers,
and on the scope of the evaluation. The audience for an ST may also
include those managing, marketing, purchasing, installing, configuring,
operating and using the TOE.
CC Evaluation
The first four of the seven CC Evaluation Assurance Levels are summarized
below. EAL1 is the entry level. Up to EAL4, increasing rigor and detail
are introduced, but without introducing significantly specialized security
engineering techniques. EAL 1-4 can generally be retrofitted to pre-existing
products and systems.
EAL1 - Functionally Tested
EAL1 is applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious. It will be of value where independent assurance is required to support the contention that due care has been exercised with respect to the protection of personal information. This level provides an evaluation of the TOE as made available to the customer, including independent testing against a specification and an examination of the guidance documentation provided. It is intended that an EAL1 evaluation could be successfully conducted without assistance from the developer of the TOE, and for minimum outlay. An evaluation at this level should provide evidence that the TOE functions in a manner consistent with its documentation, and that it provides useful protection against identified threats.
EAL2 - Structurally Tested
EAL2 requires the co-operation of the developer in terms of the delivery of design information and test results, but should not demand more effort on the part of the developer than is consistent with good commercial practice. As such it should not require a substantially increased investment of cost or time. EAL2 is applicable in those circumstances where developers or users require a low to moderate level of independently assured security in the absence of ready availability of the complete development record. Such a situation may arise when securing legacy systems, or where access to the developer may be limited.
EAL3 - Methodically Tested and Checked
EAL3 permits a conscientious developer to gain maximum assurance from positive security engineering at the design stage, without substantial alteration of existing sound development practices. It is applicable where the requirement is for a moderate level of independently assured security, with a thorough investigation of the TOE and its development without incurring substantial re-engineering costs. An EAL3 evaluation provides an analysis supported by testing based on “gray box” testing, selective independent confirmation of the developer test results, and evidence of a developer search for obvious vulnerabilities. Development environment controls and TOE configuration management are also required.
EAL4 - Methodically Designed, Tested, and Reviewed
EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and there is willingness to incur some additional security-specific engineering costs. An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for obvious vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.
CC Documentation
Creating Common Criteria documentation can be a daunting task to undertake. DIAL’s test engineers are skilled in producing evaluation documentation and are ready to assist in the preparation of evidence for an evaluation.
To create a Security Target, DIAL will need the following information:
Product Purpose
Summary of product physical Environment
Assets requiring protection
The following documentation should be provided to DIAL in order to develop the Security Target:
Admin and User guidance
Functional Specification
High-Level Design
The assurance level (EAL) determines which of the documents are needed to support the evaluation. DIAL can help create any of the following information for your evaluation:
Phase | Documentation Services
Requirements | Security Target (ST); Lifecycle Definition Documentation; Strength of TOE Security Function (SOF) Claims Analysis; TOE Security Policy Model
Design | Functional Specification (FSP); Correspondence Analysis Between TOE Summary Specification (TSS) and Functional Specification (FSP); High-Level Design (HLD); Correspondence Analysis Between Functional Specification (FSP) and High-Level Design (HLD); Low-Level Design (LLD); Configuration Management Plan; Configuration Item List
Development | Correspondence Analysis Between High-Level Design (HLD) and Low-Level Design (LLD); Subset of the Implementation Representation; Correspondence Analysis Between Low-Level Design (LLD) and the Subset of the Implementation Representation; Development Security Documentation; Development Tool Documentation
Guidance | Administrator Guidance; User Guidance; Delivery Documentation; Secure Installation, Generation and Start-Up Procedures; Misuse Analysis of Guidance
Testing | Test Documentation including Test Procedures; Test Coverage Analysis; Depth of Testing Analysis; Current Information Regarding Obvious Vulnerabilities; Vulnerability Analysis
Why Should You Select DIAL for your CC Services?
Quick entry – No long delays to begin the evaluation process
Cost – Competitive pricing for its services
Quality – As a small business, DSD is focused on delivering the highest possible service to its customers. We realize that our success is linked to the customer's satisfaction; that's why at DSD the job is not finished until the customer is satisfied.
Experience – DSD has been in business for over 25 years. DSD employs a professional work force dedicated to getting the job done and providing the best value to our customers. Experience and education make the difference: at DSD, 59% of our employees hold Bachelor’s degrees, while 37% of our employees have Master’s degrees. In addition, many have industry certifications.