Marcus writes:
>[Minor nit: evaluation != certification. Evaluation is what NCSC does.
>Certification is what the accreditor does. Evaluation deals with the
>product's suitability as a base technology. Certification deals with
>the accreditor's determining that the product is being used appropriately
>in its context.
Well kinda. Unless they have changed the language since my last issue, the
NCSC provides a list of stuff that is not only "evaluated" but also products
that are "endorsed by the NSA as having met the requirements and standards
set for these products by the government."
-------------------------------
Well maybe it's just 'Orange Book' showing its age. The Governments of the
United Kingdom, the Netherlands, Germany and France concluded that it was
inadequate to reflect the real world of IT systems in the late 1980s. That's
why ITSEC got written. It was a brave attempt and it moved IT security
forward. It is still a long way short of being an adequate criterion for the
environment in the 1990s and a great deal of work has been going on since 1991
to improve it. Not all 'improvements' have been productive. One weakness was
to attempt to postulate a mapping to the 'Orange Book', and that suggests
B1=E3. However, E3 includes things like covert channel analysis which come
in at B2. Products which may have difficulty in receiving certification or
endorsement at B2 will achieve E3 and have done, including CMW (of course
some products currently at B1 or E3 are not necessarily the extent of any
vendor's capability and there are some folk who can't make B2 today but will
tomorrow with the next major version releases). Equally, some products which
have achieved B1 have required considerable re-working to achieve ITSEC
certification.
To be a little picky, when a product successfully comes to the end of an
NCSC evaluation, and the VSA congratulates himself or herself on a
particularly creative presentation of the genesis of the product to the
evaluators, the vendor receives what is commonly called a 'certificate'
which may technically only be an 'endorsement'. Under ITSEC, the vendor
receives a Certificate which is issued not by the Commercial Licensed
Evaluation Facility, CLEF, which did the evaluation, but by the ITSEC
National Scheme Body. However, in either case the delivery of a few boxes of
products with 'endorsed' or 'certified' labels doesn't make a solution
system. Final testing can only be done when the implementation is complete
and that's usually called 'accreditation', but I know some folk also call it
'purgatory'.
What is good about independent evaluation is that there is only one
interpretation of the criteria (at least theoretically) and it is a check
against a vendor claiming something which is total bull. It also removes the
problem of a vendor who makes a claim in good faith based on his false
interpretation of what the criteria says. It also provides a number to
crudely measure products which is more meaningful than MIPS (I think that
stands for Meaningless Information Put out by Sales) which we all used to
get so excited about. 'Designed-to-meet' is very much like MIPS in that it
is open to all sorts of misuse.
What's bad about criteria is that we still are not putting enough effort into
developing them to achieve and maintain currency, and a lot of the blame is
down to commercial enterprises leaving it all to the bureaucrats and
academics and then complaining that it doesn't meet commercial needs.
Ian J-B