Committing to IT Security
By Mark Merkow, CCP, CISSP

June 14, 2002


Big changes are happening in how US government agencies may purchase hardware and software, and if you sell IT products to government customers these changes will affect you too.

Beginning in July 2002, the National Information Assurance Acquisition Policy takes full effect. It states:

"By July 1, 2002, the acquisition of all Commercial Off The Shelf (COTS) Information Assurance (IA) and IA-enabled IT products to be used on systems entering, processing, storing, displaying, or transmitting national security information shall be limited only to those which have been evaluated and validated in accordance with these criteria, schemes, or programs:

  • The International Common Criteria for Information Security Technology Evaluation Mutual Recognition Arrangement;
  • The National Security Agency (NSA)/National Institute of Standards and Technology (NIST) National Information Assurance Partnership (NIAP) Evaluation and Validation Program, or;
  • The NIST Federal Information Processing Standard (FIPS) validation program."

The Acquisition Policy was issued in January 2000 by the National Security Telecommunications and Information Systems Security Committee (NSTISSC) as National Security Telecommunications and Information Systems Security Policy (NSTISSP) Number 11. The objective of NSTISSP No. 11 is to provide assurance that off-the-shelf IA software and systems acquired by the US government will perform as advertised and will satisfy the information security requirements established by the prospective user. IA products are defined as any IT product or technology whose primary purpose is to provide security services. Examples include data and network encryption systems, firewalls, intrusion detection systems, single sign-on solutions, and so on. IA-enabled products are defined as products whose primary role is not security but that offer security services as part of the product. Examples include security-enabled Web browsers, packet-screening routers, trusted operating systems, and security-enabled messaging systems.

NSTISSP No. 11 relies on independent evaluation of IT security products at various assurance levels, which reduces the cost of custom development of Government Off The Shelf (GOTS) systems and the corresponding certification by the NSA. By purchasing commercial systems with adequate confidence that they can protect national secrets, the US government, and governments worldwide, benefit from a wider choice of products from vendors who undergo evaluation, from increased capabilities, and from more specialized tools.

Evaluating IA and IA-enabled Products
To have an IA or IA-enabled product evaluated, a vendor volunteers to sponsor and pay for the evaluation and prepares the documentation required throughout the process. For a Common Criteria evaluation, the vendor writes a Security Target (ST), a document that states all of the security functionality the product claims to provide. The ST may claim conformance to one or more Protection Profiles (PPs), which are the means by which a customer community formally states its security requirements for a class of product operating in a given environment. The ST also states the assurance level being claimed for the implementation of the security functions (the Evaluation Assurance Level, or EAL), which tells the independent evaluators how deep the evaluation must go. Along with the ST, the product itself, called the Target of Evaluation (TOE), is securely delivered to a testing laboratory accredited under NIAP or another Common Criteria scheme and is tested for conformance to the claims in the ST. When the evaluation completes successfully, the laboratory's Evaluation Technical Report (ETR) is sent to the scheme (NIAP in the US) for review and concurrence. If the scheme concurs, a Common Criteria certificate is issued and the product is placed on the registry of evaluated products. The certificate covers only the evaluated version of the product in the configuration described in the ST; a new version is a new Target of Evaluation. With the certificate, international recognition may be gained, so the vendor need not repeat the evaluation of that same version in each country, opening a worldwide market that accepts proven secure products.

Current member countries of the Common Criteria Mutual Recognition Arrangement (CCMRA) include:

  • US
  • Canada
  • France
  • United Kingdom
  • Germany
  • Netherlands
  • Australia
  • New Zealand
  • Finland
  • Greece
  • Israel
  • Norway
  • Spain
  • Sweden

A certificate issued by the Common Criteria scheme of any member that operates its own certification scheme is recognized by the other members (up to certain evaluation levels; at the time of writing, through EAL4), so a product evaluated once in one of these countries may be sold to the governments of the others without a further security evaluation. What is recognized is the certificate, not the country in which the product was built, and a national scheme may still require its own evaluation for assurance claims above the mutually recognized level.

If you sell, or want to sell, IA or IA-enabled products to government agencies anywhere, NSTISSP No. 11 is a powerful driver toward improving the security of COTS systems. By participating in evaluations you demonstrate your commitment to reducing the computer security problems we witness daily, and you clearly show that you take seriously your responsibility as a member of the global e-commerce community.

Links you may find interesting:

EC Outlook article on Common Criteria Part One
EC Outlook article on Common Criteria Part Two
NIST Computer Security Handbook
International Common Criteria Project
National Information Assurance Partnership (NIAP)
FIPS 140-1 Specifications and Current Validated Modules
NSA/NIST US Government Recommended Protection Profiles
