Frequently Asked Questions (V4)

Criteria

Contents

  1. What are the criteria used for evaluation?
  2. What is the Common Criteria?
  3. What is a Protection Profile (PP)?
  4. What is a Security Target (ST)?
  5. What is the CEM?
  6. What is the TCSEC?
  7. What are interpretations?
  8. What is the Interpreted TCSEC (ITCSEC)?
  9. Is there criteria for commercial (as opposed to military) systems?
  10. What is the Federal Criteria?
  11. What are the CMWREQs and the CMWEC?

1. What are the criteria used for evaluation?

The criteria currently used by the Trust Technology Assessment Program (TTAP) to grade the security offered by a product is the Common Criteria for Information Technology Security Evaluation (CCITSE) (see Criteria FAQ, Question 2). No new evaluations may be conducted against the Trusted Computer System Evaluation Criteria (TCSEC), dated 1985, although there are some ongoing at this time (see Criteria FAQ, Question 6).

2. What is the Common Criteria?

The Common Criteria for Information Technology Security Evaluation (CCITSE), occasionally (and somewhat incorrectly) referred to as the Harmonized Criteria, is a multinational effort to write a successor to the TCSEC (see Criteria FAQ, Question 6) and ITSEC (see Criteria FAQ, Question 12) that combines the best aspects of both. An initial version (V 1.0) was released in January of 1996. Version 2.0 was released in May of 1998. The CCITSE has a structure closer to the ITSEC than the TCSEC and includes the concept of a "profile" (see Criteria FAQ, Question 3) to collect requirements into easily specified and compared sets, and the concept of a Security Target (see Criteria FAQ, Question 4). The NSA is actively working to develop profiles and an evaluation process for the CCITSE. Evaluations are now being conducted against CCITSE-based Protection Profiles and Security Targets. The CCITSE is available from <http://www.radium.ncsc.mil/tpep/library/ccitse/>.

3. What is a Protection Profile (PP)?

A PP contains a set of security requirements either from the Common Criteria for Information Technology Security Evaluation (CCITSE) (see Criteria FAQ, Question 2), or stated explicitly, which should include an Evaluation Assurance Level (EAL) (see Common Criteria Concepts FAQ, Question 3). The PP permits the implementation-independent expression of security requirements for a set of Targets of Evaluation (TOEs) (see Common Criteria Concepts FAQ, Question 1) that will comply fully with a set of security objectives. A PP is intended to be reusable and to define TOE requirements that are known to be useful and effective in meeting the identified objectives, both for functions and assurance. A PP also contains the rationale for security objectives and security requirements.

A PP could be developed by user communities, IT product developers, or other parties interested in defining such a common set of requirements. A PP gives consumers a means of referring to a specific set of security needs and facilitates future evaluation against those needs.

4. What is a Security Target (ST)?

A ST contains a set of security requirements that may be made by reference to a PP (see Criteria FAQ, Question 3), directly by reference to the Common Criteria for Information Technology Security Evaluation (CCITSE) functional or assurance components, or stated explicitly. A ST permits the expression of security requirements for a specific Target of Evaluation (TOE) (see Common Criteria Concepts FAQ, Question 1) that are shown, by evaluation, to be useful and effective in meeting the identified objectives.

A ST contains the TOE summary specification, together with the security requirements and objectives, and the rationale for each. A ST is the basis for agreement between all parties as to what security the TOE offers.

5. What is the CEM?

The Common Evaluation Methodology (CEM) is developed as an agreed basis for conducting evaluations against the Common Criteria for Information Technology Security Evaluation (CCITSE). The CEM will support the mutual recognition of security evaluations among the United Kingdom, Canada, France, Germany, and the U.S.

6. What is the TCSEC?

The Trusted Computer System Evaluation Criteria (TCSEC) is a collection of criteria that was previously used to grade or rate the security offered by a computer system product. No new evaluations are being conducted using the TCSEC, although there are some still ongoing at this time. The TCSEC is sometimes referred to as "the Orange Book" because of its orange cover. The current version is dated 1985 (DOD 5200.28-STD, Library No. S225,711). The TCSEC, its interpretations, and guidelines all have different color covers and are sometimes known as the "Rainbow Series" (see TCSEC Criteria Concepts FAQ, Question 4). It is available at <http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html>.

7. What are interpretations?

It is often the case that there are several ways to read a given statement in the criteria. Interpretations are official statements articulating which of a number of possible ways to read a requirement are the acceptable ways for purposes of evaluation by the TTAP. Interpretations are developed by a group of highly experienced product evaluators. These interpretations, in proposed form, are available for comment by all users of GIBRALTAR (see Evaluation Programs FAQ, Question 10), including vendors with products in evaluation. After considering the comments and revising the interpretation as appropriate (sometimes through several rounds of comments and revision), the interpretation is accepted by the NSA and officially announced.

8. What is the Interpreted TCSEC (ITCSEC)?

The Interpreted Trusted Computer System Evaluation Criteria (ITCSEC) is a version of the TCSEC maintained by the Trusted Product Evaluation Program (TPEP) that annotates the TCSEC requirements with all current interpretations. It is available in PostScript from <http://www.radium.ncsc.mil/tpep/library/tcsec/ITCSEC.ps>.

9. Is there criteria for commercial (as opposed to military) systems?

The NSA is prohibited by the Computer Security Act of 1987 from attempting to directly address the needs of commercial systems. The NSA does not subscribe, however, to the often espoused belief that the requirements of military systems are entirely divorced from the requirements of commercial systems. It seems reasonable to believe that commercial computer system users require many of the same basic features of military systems: identification and authentication of the users requesting information or service from the system; ability to audit the actions of users; and control of access to information, both at the discretion of the information owner and by corporate policy. Because the TCSEC couched its requirements in terms of DoD classifications, many people have not thought about applying them to similar needs for mandatory controls on protected information pertaining to product development, marketing, and personnel decisions. The Common Criteria provides criteria that use more general terminology.

10. What is the Federal Criteria?

The Federal Criteria was an attempt to develop criteria to replace the Trusted Computer System Evaluation Criteria (TCSEC). A draft version was released for public comment in December 1992. However, this effort was supplanted by the Common Criteria effort (see Criteria FAQ, Question 2), and the Federal Criteria never moved beyond the draft stage (although many of its ideas are retained in the Common Criteria for Information Technology Security Evaluation (CCITSE)). There was no Final Federal Criteria; the draft should not be treated as anything more than a draft.

11. What are the CMWREQs and the CMWEC?

The criteria used by the Defense Intelligence Agency (DIA) to rate a product as a Compartmented Mode Workstation (CMW) was the Compartmented Mode Workstation Evaluation Criteria (CMWEC), which superseded the CMW Requirements (CMWREQs) in 1991. This criteria defined a minimum level of assurance equivalent to the B1 level of the TCSEC (see TCSEC Criteria Concepts FAQ, Questions 9-11). It also defined a minimum set of functionality and usability features outside the scope of the TCSEC (e.g., a graphical user interface via a window system was required, along with the capability to cut and paste between windows). Neither set of requirements is currently used to evaluate products, although products that are designed to have these features may be evaluated with the Common Criteria for Information Technology Security Evaluation (CCITSE).



Last updated Wed Aug 25 06:45:04 1999
URL: http://www.radium.ncsc.mil/tpep/process/faq-sect2.html