Frequently Asked Questions (V4)
Evaluated Products
Contents
- Should I buy an evaluated product?
- Does NSA buy/use evaluated products?
- How do I know if a product is evaluated?
- What does it mean for a product to be "in evaluation"?
- What and where is the Evaluated Products List (EPL)?
- How do I get a copy of an evaluation report?
- How do I interpret a CCITSE rating?
- Is an evaluated product "hacker proof?"
- What is the rating of UNIX?
- What should I do if an evaluated product appears to fail a requirement?
1. Should I buy an evaluated product?
An evaluated product has the benefit of providing an
independent assessment that the product meets the criteria for
the rating it achieved. When considering a specific
installation, the value of the data and the threat to that data
both need to be considered. If some threats
to the data can be countered by the features or assurance of a
trusted product, then it is certainly worthwhile to consider
that in your purchase decision.
2. Does NSA buy/use evaluated products?
NSA endeavors to be an exemplary customer of the products it
recommends for use by its customers and expects NSA-evaluated
products to comprise the foundation of its own secure information
systems architecture and is developing policy towards that end.
3. How do I know if a product is evaluated?
All evaluated products
are placed on the Evaluated Products List (EPL) (see
Evaluated Products FAQ,
Question 5). That is the first place to look. The EPL entries
are available at
<http://www.radium.ncsc.mil/tpep/epl/index.html>. If a vendor claims to have an evaluated product, you should
independently verify the details of the evaluation (e.g.,
product version, configuration, rating). To verify a specific
detail (e.g., the rating) of an evaluation, you may call the Information
Assurance Criteria Support Office directly at (410) 854-4458. This
will often result in less complete information, since generally we
don't read entire EPL entries over the phone.
For the most complete information about a specific evaluated
product, you should obtain a copy of the evaluation report
(see Evaluated Products FAQ, Question 6).
Unfortunately, the publication of the report sometimes postdates the
evaluation significantly.
An increasing number of final evaluation reports are available
via links from the product's electronic EPL entry or from
<http://www.radium.ncsc.mil/tpep/library/fers/> by report number.
4. What does it mean for a product to be "in evaluation"?
A product may go through several releases, incorporate
fixes during the course of evaluation, or even potentially drop
out of evaluation or fail evaluation. Because of this, a
product in evaluation is not equivalent to an evaluated
product. While it does show some intent to have an evaluated
product, and a consideration of security criteria in the
product development, it does not necessarily imply any security
features or assurances. Buyers of products in evaluation
should consider what options will be available to them should
the evaluated configuration differ significantly from the
purchased configuration, or if the product does not ultimately
complete evaluation.
5. What and where is the Evaluated Products List (EPL)?
The Evaluated Products List (EPL) is maintained electronically
on GIBRALTAR and updated as new
products are announced (see Evaluation
Programs FAQ, Question 10). There is no
anonymous access to GIBRALTAR, so this is available only to
GIBRALTAR users. EPL entries
are also available at
<http://www.radium.ncsc.mil/tpep/epl/index.html>.
6. How do I get a copy of an evaluation report?
A number of evaluation reports are available for downloading
at <http://www.radium.ncsc.mil/tpep/library/fers/index.html>.
Older reports may be out of print and are not available.
A CDROM containing a copy of this website is produced at least annually.
The current CDROM is based on the site as of October 1999. Pages
and documents subsequently updated or added to the site are not yet
available on CDROM. To receive a copy of the current CDROM, write or call:
NATIONAL SECURITY AGENCY
ATTN: V (NISC)
9800 SAVAGE ROAD STE 6755
FT MEADE, MD 20755-6755
NSA/ISSO Service Center (NISC)
1-800-688-6115 opt 3
(410) 854-7661
7. How do I interpret a CCITSE rating?
A product evaluated against the Common Criteria for Information
Technology Security Evaluation (CCITSE) will have one of seven
hierarchical Evaluation Assurance Level (EAL) ratings:
EAL1 through EAL7. EALs provide a uniformly increasing
scale which balances the level of assurance obtained with the cost
and feasibility of acquiring that degree of assurance, i.e., the
higher the EAL the greater the degree of assurance.
Each Protection Profile (PP) (see
Criteria FAQ, Question 3) or Security Target (ST)
(see
Criteria FAQ, Question 4) written against the CCITSE will
include an EAL.
8. Is an evaluated product "hacker proof?"
No product can be guaranteed to be "hacker proof" or
"impenetrable." An evaluated product has demonstrated certain
features and assurances, as specified by the rating criteria.
Those features and assurances counter certain threats. Thus an
evaluated product is usually vulnerable to fewer threats than
an unevaluated product. Products with higher ratings are
vulnerable to fewer threats than products with low ratings.
Vulnerabilities that remain in products can often be
addressed through other means. No rating class in the
TCSEC, for example,
counters the threat of directly tampering with the hardware.
That threat would need to be addressed physically or
procedurally if it was realistic for the particular system
environment.
Finally, it seems many "hackers" today prefer to use "social
engineering" to accomplish their goals. As with other
insider-related threats, education is necessary in preventing
naive users from disclosing sensitive information. However,
technical measures can also help. They can enforce the
principle of least privilege, check the reasonableness of
administrative inputs, and provide timely on-line cautions.
CCITSE Protection Profiles and Security Targets contain specific
descriptions of the environmental assumptions and threats and
objectives.
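The three technical measures named above (least privilege, reasonableness checks on administrative inputs, and timely on-line cautions) can be illustrated with a small administrative-command gatekeeper. This is an added example, not code from the FAQ or from any evaluated product; the roles, operations, thresholds and the 90-day audit-retention floor are all constructed assumptions chosen for illustration.

```python
"""Constructed example: an administrative-command gatekeeper that applies the
three measures named in the FAQ. All roles, operations and limits are hypothetical."""
import re
from dataclasses import dataclass, field

# Least privilege: each hypothetical role is granted only the operations it needs.
ROLE_PERMISSIONS = {
    "operator": {"list_users", "reset_password"},
    "auditor": {"list_users", "read_audit_log"},
    "security_admin": {"list_users", "reset_password", "read_audit_log",
                       "set_clearance", "purge_audit_log"},
}

# Assumed ordered clearance levels and assumed minimum audit-retention period.
CLEARANCE_LEVELS = ("unclassified", "confidential", "secret", "top_secret")
MIN_AUDIT_RETENTION_DAYS = 90


@dataclass
class Decision:
    allowed: bool
    reason: str
    cautions: list = field(default_factory=list)  # on-line cautions for the administrator


def check_reasonableness(op, args, cautions):
    """Return a rejection reason for an unreasonable request, or None if it passes.
    Risky-but-permitted requests get a caution appended instead of a rejection."""
    if op == "set_clearance":
        level = args.get("level")
        if level not in CLEARANCE_LEVELS:
            return f"unknown clearance level {level!r}"
        if args.get("user") == args.get("requested_by"):
            return "administrators may not change their own clearance"
        if level == "top_secret":
            cautions.append("granting TOP SECRET clearance; confirm the access "
                            "justification is on file")
    elif op == "purge_audit_log":
        days = args.get("older_than_days")
        if not isinstance(days, int) or days < MIN_AUDIT_RETENTION_DAYS:
            return (f"audit records younger than {MIN_AUDIT_RETENTION_DAYS} days "
                    "may not be purged")
        cautions.append(f"purging audit records older than {days} days is irreversible")
    elif op == "reset_password":
        # Reject malformed user names before they reach any lower-level tool.
        if not re.fullmatch(r"[a-z][a-z0-9_]{0,31}", args.get("user", "")):
            return "malformed user name"
    return None


def authorize(role, op, args):
    """Decide whether `role` may perform `op` with `args`; never raises."""
    permitted = ROLE_PERMISSIONS.get(role, set())
    if op not in permitted:
        return Decision(False, f"role {role!r} is not permitted to perform {op!r}")
    cautions = []
    reason = check_reasonableness(op, args, cautions)
    if reason is not None:
        return Decision(False, reason, cautions)
    return Decision(True, "ok", cautions)


if __name__ == "__main__":
    # Constructed sample requests.
    for role, op, args in [
        ("operator", "purge_audit_log", {"older_than_days": 365}),
        ("security_admin", "purge_audit_log", {"older_than_days": 30}),
        ("security_admin", "purge_audit_log", {"older_than_days": 365}),
        ("security_admin", "set_clearance",
         {"user": "alice", "requested_by": "bob", "level": "top_secret"}),
        ("operator", "reset_password", {"user": "Alice; rm"}),
    ]:
        d = authorize(role, op, args)
        print(role, op, "ALLOWED" if d.allowed else "DENIED", "-", d.reason, d.cautions)
```

The role table denies anything outside a role's allow list before the arguments are even examined; the reasonableness checks reject requests that no legitimate administrator should issue (self-granted clearance, purging recent audit records, malformed names); and cautions travel with an allowed decision so the interface can warn at the moment the risky action is taken rather than afterwards.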
9. What is the rating of UNIX?
There are a number of evaluated products conforming to one or
another of the UNIX interface standards (see
Evaluated Products FAQ,
Question 3). These products range from TCSEC class C2 to class B3.
10. What should I do if an evaluated product appears to fail a requirement?
If an evaluated product does not seem to meet the requirements
against which it was evaluated,
the first thing to do is carefully look at the Final Evaluation
Report (FER) and the product's Trusted Facility Manual (TFM).
The product was evaluated with specific configuration options and
most likely
on specific hardware. These should be stated in the TFM and FER
respectively. If the evaluated configuration still seems to not
meet some requirement for its rated class, then it is possible that
there was an oversight during the evaluation. Please send that
information to
TPEP@gibraltar.ncsc.mil. Unfortunately we will, in most cases,
not be able to directly respond to the concern. We do read all
comments and they help us improve our evaluation programs and
future evaluations.
Last updated Mon Aug 16 13:16:24 1999
URL: http://www.radium.ncsc.mil/tpep/process/faq-sect6.html