Frequently Asked Questions (V4)

Evaluation Programs

Contents

  1. What is the National Computer Security Center (NCSC)?
  2. What is TTAP?
  3. What is a TEF?
  4. How is TTAP related to the National Security Agency (NSA)?
  5. How is TTAP related to the National Institute of Standards and Technology (NIST)?
  6. What is NIAP?
  7. What is CCEVS?
  8. What is TPEP?
  9. Who do I contact?
  10. What is GIBRALTAR?
  11. What was Dockmaster?

1. What is the National Computer Security Center (NCSC)?

The Department of Defense Computer Security Center was established in 1981 to encourage the widespread availability of trusted computer systems for use by facilities processing classified or other sensitive information. In August 1985 the name of the organization was changed to the National Computer Security Center (NCSC). The NCSC may be reached at:

National Computer Security Center
9800 SAVAGE ROAD STE 6765
FT MEADE MD 20755-6765

or by phone at (410) 854-4376 or fax at (410) 854-4375.

2. What is TTAP?

The Trust Technology Assessment Program (TTAP) is a National Security Agency (NSA) effort to commercialize the evaluation of commercial-off-the-shelf (COTS) products at the lower levels of trust. TTAP establishes and oversees commercial evaluation laboratories focusing initially on products with features and assurances characterized by the Common Criteria EAL4 and below (see Criteria FAQ, Question 2 and Common Criteria Concepts, Question 3). Vendors desiring an evaluation will contract with an authorized laboratory and pay a fee for their product's evaluation. TTAP approval and oversight mechanisms will assure quality and fairness. TTAP provides for the mutual recognition of evaluations with other nations at Common Criteria EAL3 and below. The extension of mutual recognition to EAL4 will occur on the acceptance of the Common Evaluation Methodology (CEM) (see Criteria FAQ, Question 5). The CEM is currently under development.

3. What is a TEF?

A TTAP Evaluation Facility (TEF) is a commercial facility that has been authorized by the TTAP Oversight Board to conduct trusted product evaluations under TTAP. See <http://www.radium.ncsc.mil/tpep/ttap/facilities.html> for a list of current TEFs.

4. How is TTAP related to the National Security Agency (NSA)?

The Trust Technology Assessment Program (TTAP) and the National Computer Security Center (NCSC) are organizational units within the National Security Agency (NSA). The TTAP and NCSC are two of a number of organizational units within the NSA responsible for the information system security mission with respect to classified and sensitive data (see <http://www.nsa.gov:8080/isso/>).

5. How is TTAP related to the National Institute of Standards and Technology (NIST)?

In Public Law 100-235 Congress directed the National Security Agency (NSA), of which the Trust Technology Assessment Program (TTAP) is a part, to lead the efforts of the United States Government in information systems security for classified information. The National Institute of Standards and Technology (NIST) as part of the Department of Commerce is directed to lead the efforts for sensitive but unclassified information with technical support from the NSA. The NSA and NIST have established a Memorandum of Understanding detailing the responsibilities of each organization with respect to the other in this area. While NSA and NIST each have individual efforts, the agencies attempt to develop methods and standards that are compatible.

6. What is NIAP?

The National Information Assurance Partnership (NIAP) is a collaboration of the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) designed to meet the security testing needs of both information technology producers and users. The program is intended to foster the availability of objective measures and test methods for evaluating the quality of Information Technology (IT) security products. In addition, it is designed to foster the development of commercial testing laboratories that can provide the types of testing and evaluation services which will meet the demands of both producers and users.

The program should help producers increase the value and competitiveness of their products (in the U.S. and abroad) through the availability of formal, independent testing and certification. NIAP efforts will help users, in both public and private sectors, by providing a sound and reliable basis for the evaluation, comparison, and selection of security products.

The internationally developed Common Criteria for Information Technology Security Evaluation (CCITSE) will be the focus of much of the NIAP's work. See <http://niap.nist.gov/> for more information.

7. What is CCEVS?

In order to help achieve greater comparability between commercial off-the-shelf products in the area of IT security, the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) have established a program under the National Information Assurance Partnership (NIAP) to evaluate conformance of IT products to standards. The program, officially known as the Common Criteria Evaluation Validation Scheme (CCEVS), is a partnership between the public and private sectors.

8. What is TPEP?

The Trusted Product Evaluation Program (TPEP) was the program by which the NCSC evaluated computer systems against security criteria. The Trusted Product Evaluation Program (TPEP) was operated by an organization separate from the National Computer Security Center (NCSC). The TPEP performed computer security evaluations for, and on behalf of, the NCSC. The Trust Technology Assessment Program (TTAP) has replaced TPEP (see Evaluation Programs FAQ, Question 2).

9. Who do I contact?

The Information Assurance Criteria Support Office can be reached by mail at:

V13, INFORMATION ASSURANCE CRITERIA SUPPORT
NATIONAL SECURITY AGENCY
9800 SAVAGE ROAD STE 6740
FT MEADE MD 20755-6740

by phone at (410) 854-4458,
by e-mail at tpep@gibraltar.ncsc.mil,
or by fax at (410) 854-7512.

10. What is GIBRALTAR?

GIBRALTAR, or more precisely gibraltar.ncsc.mil, is an unclassified computer system used by NSA Commercial off the Shelf Assurance and Evaluation Programs to exchange information between product evaluators, vendors, TTAP Evaluation Facilities, and others within the computer system security community. GIBRALTAR is based on the Data General AViiON running DG/UX with the B2 Security Option product. GIBRALTAR also provides service to the information security community through electronic mail and newsgroups for the exchange of ideas. Important information is made available for public review/distribution via the newsgroups. This includes, but is not limited to, EPL announcements, discussions of security criteria, and pending interpretations of criteria. Anyone with an interest in computer security can get an unclassified GIBRALTAR account but must have an NSA sponsor. Having such an account will allow you to, among other things, connect with NNTP to the GIBRALTAR-based newsgroups. The GIBRALTAR news server requires an account for access and does not provide feeds to sites.

To register for an account, write to:

Attn: GIBRALTAR Accounts Administrator, Y432
National Computer Security Center
9800 SAVAGE ROAD STE 6725
FT MEADE MD 20755-6725

11. What was Dockmaster?

Dockmaster, or more precisely dockmaster.ncsc.mil, was the predecessor of GIBRALTAR (see Evaluation Programs FAQ, Question 10). Dockmaster was based on the B2-evaluated Honeywell MULTICS product.



Last updated Mon Aug 16 13:52:11 1999
URL: http://www.radium.ncsc.mil/tpep/process/faq-sect1.html