Frequently Asked Questions (V4)
Evaluation Programs
Contents
- What is the National Computer Security Center (NCSC)?
- What is TTAP?
- What is a TEF?
- How is TTAP related to the National Security Agency (NSA)?
- How is TTAP related to the National Institute of Standards
and Technology (NIST)?
- What is NIAP?
- What is CCEVS?
- What is TPEP?
- Who do I contact?
- What is GIBRALTAR?
- What was Dockmaster?
1. What is the National Computer Security Center (NCSC)?
The Department of Defense Computer Security Center was
established in 1981 to encourage the widespread availability of
trusted computer systems for use by facilities processing
classified or other sensitive information. In August 1985 the
name of the organization was changed to the National Computer
Security Center (NCSC). The NCSC may be reached at:
National Computer Security Center
9800 SAVAGE ROAD STE 6765
FT MEADE MD 20755-6765
or by phone at (410) 854-4376 or fax at (410) 854-4375.
2. What is TTAP?
The Trust Technology Assessment Program (TTAP) is a
National Security Agency (NSA) effort to commercialize the
evaluation of commercial-off-the-shelf (COTS) products at the
lower levels of trust. TTAP establishes and oversees commercial
evaluation laboratories focusing initially on products with
features and assurances characterized by the Common Criteria EAL4
and below (see Criteria FAQ, Question 2 and Common Criteria
Concepts, Question 3). Vendors desiring an evaluation will
contract with an authorized laboratory and pay a fee for their
product's evaluation. TTAP approval and oversight mechanisms will
assure quality and fairness. TTAP provides for the mutual
recognition of evaluations with other nations at Common Criteria
EAL3 and below. The extension of mutual recognition to EAL4 will
occur on the acceptance of the Common Evaluation Methodology (CEM)
(see Criteria FAQ, Question 5). The CEM is currently under
development.
3. What is a TEF?
A TTAP Evaluation Facility (TEF) is a commercial facility that has
been authorized by the TTAP Oversight Board to conduct trusted
product evaluations under TTAP. See
<http://www.radium.ncsc.mil/tpep/ttap/facilities.html> for a
list of current TEFs.
4. How is TTAP related to the National Security Agency (NSA)?
The Trust Technology Assessment Program (TTAP) and the
National Computer Security Center (NCSC) are organizational
units within the National Security Agency (NSA). The TTAP and
NCSC are two of a number of organizational units within the NSA
responsible for the information system security mission with
respect to classified and sensitive data (see
<http://www.nsa.gov:8080/isso/>).
5. How is TTAP related to the National Institute of Standards
and Technology (NIST)?
In Public Law 100-235 Congress directed the National Security
Agency (NSA), of which the Trust Technology Assessment Program (TTAP) is
a part, to lead the efforts of the United States
Government in information systems security for classified
information. The National Institute of Standards and Technology
(NIST) as part of the Department of Commerce is directed to lead
the efforts for sensitive but unclassified information with
technical support from the NSA. The NSA and NIST have established
a Memorandum of Understanding detailing the responsibilities of
each organization with respect to the other in this area. While
NSA and NIST each have individual efforts, the agencies attempt to
develop methods and standards that are compatible.
6. What is NIAP?
The National Information Assurance Partnership (NIAP) is a collaboration
of the National Institute of Standards and Technology (NIST) and the
National Security Agency (NSA) designed to meet the security testing needs of both information
technology producers and users. The program is intended to foster the
availability of objective measures and test methods for evaluating the
quality of Information Technology (IT) security products. In addition, it
is designed to foster the development of commercial testing laboratories
that can provide the types of testing and evaluation services which will
meet the demands of both producers and users.
The program should help producers increase the value and competitiveness
of their products (in the U.S. and abroad) through the availability of
formal, independent testing and certification. NIAP efforts will help users--
in both public and private sectors--by providing a sound and reliable basis
for the evaluation, comparison, and selection of security products.
The internationally developed Common Criteria for Information Technology
Security Evaluation (CCITSE) will be the focus of much of the NIAP's work.
See <http://niap.nist.gov/> for more information.
7. What is CCEVS?
In order to help achieve greater comparability between commercial
off-the-shelf products in the area of IT security, the National
Institute of Standards and Technology (NIST) and the National
Security Agency (NSA) have established a program under the
National Information Assurance Partnership (NIAP) to evaluate
conformance of IT products to standards. The program, officially
known as the Common Criteria Evaluation Validation Scheme (CCEVS), is a
partnership between the public and private sectors.
8. What is TPEP?
The Trusted Product Evaluation Program (TPEP) was the program by
which the NCSC evaluated computer systems against security
criteria. The Trusted Product Evaluation Program (TPEP) was
operated by an organization separate from the National Computer
Security Center (NCSC). The TPEP performed computer security
evaluations for, and on behalf of, the NCSC. The Trust Technology
Assessment Program (TTAP) has replaced TPEP (see
Evaluation Programs FAQ, Question 2).
9. Who do I contact?
The Information Assurance Criteria Support Office can be reached by mail at:
V13, INFORMATION ASSURANCE CRITERIA SUPPORT
NATIONAL SECURITY AGENCY
9800 SAVAGE ROAD STE 6740
FT MEADE MD 20755-6740
by phone at (410) 854-4458,
by e-mail at tpep@gibraltar.ncsc.mil,
or by fax at (410) 854-7512.
10. What is GIBRALTAR?
GIBRALTAR, or more precisely gibraltar.ncsc.mil,
is an unclassified computer system used by NSA Commercial
off the Shelf Assurance and Evaluation Programs to exchange
information between product evaluators, vendors, TTAP Evaluation
Facilities, and others within the computer system security
community. GIBRALTAR is based on the Data General AViiON running
DG/UX with B2 Security Option product. GIBRALTAR also provides
service to the information security community through electronic
mail and newsgroups for the exchange of ideas. Important
information is made available for public review/distribution via
the newsgroups. This includes, but is not limited to, EPL
announcements, discussions of security criteria, and pending
interpretations of criteria.
Anyone with an interest in computer security can get an unclassified
GIBRALTAR account but must have an NSA sponsor. Having such an
account will allow you to, among other things, connect with NNTP
to the GIBRALTAR based newsgroups.
The GIBRALTAR news server requires an account for access and does
not provide feeds to sites.
To register for an account, write to:
Attn: GIBRALTAR Accounts Administrator, Y432
National Computer Security Center
9800 SAVAGE ROAD STE 6725
FT MEADE MD 20755-6725
11. What was Dockmaster?
Dockmaster, or more precisely dockmaster.ncsc.mil, was the
predecessor of GIBRALTAR (see Evaluation Programs FAQ,
Question 10). Dockmaster was based on the
B2-evaluated Honeywell MULTICS product.
Last updated Mon Aug 16 13:52:11 1999
URL: http://www.radium.ncsc.mil/tpep/process/faq-sect1.html