Frequently Asked Questions (V4)
Criteria
Contents
- What are the criteria used for evaluation?
- What is the Common Criteria?
- What is a Protection Profile (PP)?
- What is a Security Target (ST)?
- What is the CEM?
- What is the TCSEC?
- What are interpretations?
- What is the Interpreted TCSEC (ITCSEC)?
- Is there criteria for commercial (as opposed to military) systems?
- What is the Federal Criteria?
- What are the CMWREQs and the CMWEC?
1. What are the criteria used for evaluation?
The criteria currently used by the Trust Technology Assessment Program (TTAP)
to grade the security offered by a product is
the Common Criteria for Information Technology Security Evaluation (CCITSE)
(see Criteria FAQ, Question 2).
No new evaluations may be conducted against the Trusted Computer System Evaluation Criteria (TCSEC), dated
1985, although there are some ongoing at this time (see Criteria FAQ, Question 6).
2. What is the Common Criteria?
The Common Criteria for Information Technology Security
Evaluation (CCITSE), occasionally (and somewhat
incorrectly) referred to as the Harmonized Criteria, is a
multinational effort to write a successor to the
TCSEC (see Criteria FAQ, Question 6)
and ITSEC (see Criteria FAQ, Question 12)
that combines the best aspects of both. An initial
version (V 1.0) was released in January of 1996. Version 2.0
was released in May of 1998. The CCITSE has
a structure closer to the ITSEC than the TCSEC and includes
the concept of a "profile" (see
Criteria FAQ, Question 3) to collect requirements into easily
specified and compared sets and the concept of a Security Target
(see Criteria FAQ, Question 4).
The NSA is actively working to
develop profiles and an evaluation process for the CCITSE. Evaluations
are now being conducted against CCITSE-based Protection Profiles and
Security Targets. The CCITSE is available from
<http://www.radium.ncsc.mil/tpep/library/ccitse/>.
3. What is a Protection Profile (PP)?
A PP contains a set of security requirements either from the
Common Criteria for Information Technology Security
Evaluation (CCITSE) (see Criteria FAQ,
Question 2), or stated explicitly, which should include an
Evaluation Assurance Level (EAL) (see
Common Criteria Concepts FAQ, Question 3). The PP permits the
implementation-independent expression of security requirements for a set of Targets
of Evaluation (TOEs) (see Common Criteria Concepts FAQ,
Question 1) that will comply fully with a set of security
objectives. A PP is intended to be reusable and to define TOE
requirements that are known to be useful and effective in meeting
the identified objectives, both for functions and assurance. A PP
also contains the rationale for security objectives and security
requirements.
A PP could be developed by user communities, IT product developers,
or other parties interested in defining such a common set of
requirements. A PP gives consumers a means of referring to a specific
set of security needs and facilitates future evaluation against
those needs.
4. What is a Security Target (ST)?
A ST contains a set of security requirements that may be made
by reference to a PP (see Criteria FAQ,
Question 3),
directly by reference to the Common Criteria for Information
Technology Security Evaluation (CCITSE) functional or assurance
components, or stated explicitly. A ST permits the expression of
security requirements for a specific Target of Evaluation (TOE)
(see Common Criteria Concepts FAQ, Question 1) that
are shown, by evaluation, to be useful and effective in meeting
the identified objectives.
A ST contains the TOE summary specification, together with the
security requirements and objectives, and the rationale for each.
A ST is the basis for agreement between all parties as to what
security the TOE offers.
5. What is the CEM?
The Common Evaluation Methodology (CEM) is developed as an agreed basis
for conducting evaluations against the Common Criteria for Information
Technology Security Evaluation (CCITSE). The CEM will support the mutual recognition of
security evaluations among the United Kingdom, Canada, France, Germany, and the
U.S.
6. What is the TCSEC?
The Trusted Computer System Evaluation Criteria (TCSEC) is a
collection of criteria that was previously used to grade or rate the security
offered by a computer system product. No new evaluations are being conducted
using the TCSEC although there are some still ongoing at this time. The TCSEC is sometimes
referred to as "the Orange Book" because of its orange cover.
The current version is dated 1985 (DOD 5200.28-STD, Library No.
S225,711). The TCSEC, its interpretations, and guidelines all
have different color covers and are sometimes known as the
"Rainbow Series" (see TCSEC Criteria Concepts FAQ, Question 4).
It is available at <http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html>
7. What are interpretations?
It is often the case that there are several ways to read a
given statement in the
criteria. Interpretations are official statements
articulating which of the possible ways to read a
requirement are acceptable for purposes of evaluation
by the TTAP. Interpretations are developed by a group of
highly experienced product evaluators. These interpretations
in proposed form are available for comment by all users of
GIBRALTAR (see Evaluation Programs FAQ, Question 10)
including vendors with
products in evaluation. After considering the comments and
revising the interpretation as appropriate (sometimes through
several rounds of comments and revision), the interpretation is
accepted by the NSA and officially announced.
8. What is the Interpreted TCSEC (ITCSEC)?
The Interpreted Trusted Computer System Evaluation Criteria
(ITCSEC) is a version of the TCSEC maintained by the Trusted
Product Evaluation Program (TPEP) that annotates the TCSEC
requirements with all current interpretations. It is available
in PostScript from
<http://www.radium.ncsc.mil/tpep/library/tcsec/ITCSEC.ps>
9. Is there criteria for commercial (as opposed to military) systems?
The NSA is prohibited by
the Computer Security Act of 1987 from attempting to directly
address the needs of commercial systems. The NSA does not
subscribe, however, to the often espoused belief that
the requirements of military systems are entirely divorced from
the requirements of commercial systems. It seems reasonable to
believe that commercial computer system users require many of
the same basic features of military systems: identification and
authentication of the users requesting information or service
from the system; ability to audit the actions of users; and
control of access to information, both at the discretion of the
information owner and by corporate policy. Because the TCSEC
couched its requirements in terms of DoD classifications, many
people have not thought about applying them to similar needs
for mandatory controls on protected information pertaining to
product development, marketing, and personnel decisions. The
Common Criteria provides criteria that
use more general terminology.
10. What is the Federal Criteria?
The Federal Criteria was an attempt to develop criteria to
replace the Trusted Computer System Evaluation Criteria (TCSEC).
A draft version was released for public comment in December 1992.
However, this effort was supplanted by the Common Criteria effort
(see Criteria FAQ, Question 2), and
the Federal Criteria never moved
beyond the draft stage (although many of its ideas are retained
in the Common Criteria for Information Technology Security Evaluation
(CCITSE)). There was no Final Federal Criteria; the
draft should not be treated as anything more than a draft.
11. What are the CMWREQs and the CMWEC?
The criteria used by the Defense Intelligence Agency (DIA) to
rate a product as a Compartmented Mode Workstation (CMW) was the
Compartmented Mode Workstation Evaluation Criteria (CMWEC),
which superseded the CMW Requirements (CMWREQs) in 1991. This
criteria defined a minimum level of assurance equivalent to the
B1 level of the TCSEC (see TCSEC Criteria
Concepts FAQ, Questions 9-11). It
also defined a minimum set of functionality and usability
features outside the scope of the TCSEC (e.g. a graphical user
interface via a window system was required along with the
capability to cut and paste between windows). Neither set of
requirements is currently used to evaluate products, although products
that are designed to have these
features may be evaluated with the Common Criteria for Information
Technology Security Evaluation (CCITSE).
Last updated Wed Aug 25 06:45:04 1999
URL: http://www.radium.ncsc.mil/tpep/process/faq-sect2.html