ATCA Newsletter

Product Security Validation for U.S. Government Agencies
By J. Mark Braga, Science Applications International Corporation (SAIC)

“The Only Reason I Feel Secure…Is That I’m Validated by My Peers” — David Bazan, recording as Pedro the Lion (1999)

The U.S. government (and many others as well) requires third-party validation of product security to help ensure protection of sensitive data on its networks. Such accreditation provides confidence because it offers a recognized means of verifying claims about security functionality. Independent laboratories, such as the SAIC Accreditation Testing and Evaluation Laboratory (AT&E), provide the actual testing services.

Currently, government procurement rules recognize three major validation assessments: FIPS 140-2, the Security Content Automation Protocol (SCAP), and the Common Criteria (ISO 15408). They cover cryptography, Office of Management and Budget (OMB) purchasing requirements, and Department of Defense networks, respectively.

Cryptographic products used by U.S. federal agencies must undergo Federal Information Processing Standard (FIPS) 140-2 validation. The U.S. National Institute of Standards and Technology (NIST) and the Canadian federal government, through the Communications Security Establishment (CSE), accredit third-party laboratories to test commercial cryptographic modules and their implementations of approved algorithms. FIPS 140-2 is the current standard; FIPS 140-3 will replace it in late 2009.

Achieving FIPS 140-2 validation involves testing products to ensure they correctly implement approved cryptographic standards. An accredited independent third-party testing laboratory assesses the product’s design documents, source code, and related materials. It then subjects the product to extensive tests whose rigor increases through four security levels. The process requires considerable expertise, takes several months, and is quite expensive.

In April 2008, the National Voluntary Laboratory Accreditation Program (NVLAP) added Security Content Automation Protocol (SCAP) testing to its third-party laboratory testing menu to meet Office of Management and Budget purchasing requirements. SCAP is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance).

For sensitive Department of Defense networks, the internationally recognized (14 countries) Common Criteria (ISO 15408) is the basis for certifying security products. The National Security Agency (NSA) Common Criteria Evaluation and Validation Scheme (CCEVS) provides validation and certification based on evaluation and testing performed by accredited third-party laboratories. The security tests cover both functional and assurance requirements: the former refer to the actual product or system, whereas the latter refer to the development and maintenance processes. Under the Common Criteria, evaluation assurance levels (EALs) 1 through 7 express “strength of assurance”, indicating the degree of confidence that security functions work as advertised and are securely maintained. Achieving CC certification takes considerable expertise, a period of 8 to 24 months (depending on the EAL), and a substantial financial investment.

Third-party independent security testing helps ensure the quality of products intended for U.S. federal government use. Several standards (FIPS, SCAP, or Common Criteria) may be involved, depending on the type of product and its intended use. Product validation involves extensive, detailed tests to assure both correct functionality and proper design and maintenance.

Mark Braga is the Communications Director at SAIC AT&E Laboratories (Columbia, MD). You can reach him at john.m.braga@saic.com.