Great Circle Associates Firewalls
(August 1997)
 


Subject: Re: summary: firewalls and B2
From: Ronald Koch <Ronald . J . Koch @ cpmx . saic . com>
Date: Fri, 01 Aug 1997 08:53:49 -0400
To: spencerj @ dg-rtp . dg . com (Jon Spencer)
Cc: firewalls @ GreatCircle . COM

>> 
>> Depending on how close the revisions of a vendor's product are, they may
>> have to go through a complete evaluation, or they may be blessed with
>> getting into the RAMP program.  NSA was also talking of coming out with a
>> watered-down evaluation (so Microsoft could get a quick evaluation)
>> called TTAP, or something similar.  I haven't heard much about it in the
>> last year, so maybe someone else could clarify its status.
>
>This is not a correct description of TTAP.  The primary purpose of TTAP as
>I understand it was to keep companies from submitting for evaluation,
>entering VAP (vendor assistance phase) which the vendor can stay in for
>decades, say you are in evaluation, and then do nothing.  In TTAP, you are
>in evaluation when you enter FEP - Formal Evaluation Phase.  At this point,
>NSA has ensured that most of the work has been completed, all the formal
>docs are done, and the system is essentially complete.  THEN the NSA
>critters do their thing to it.
>
....

Both descriptions of TTAP are incorrect.  The objective of the TTAP program
was for NSA to certify commercial evaluation labs who would then be
authorized to perform Orange Book product evaluations under direct contract
to a vendor.  Once the evaluation was completed, assuming the evaluation
team's recommendations were accepted by NSA's Technical Review Board and
management, the product would then be placed on the same evaluated products
list as if NSA had performed the evaluation themselves.  The thinking was
that if there was a contractual arrangement between vendor and evaluator
the evaluation would be quicker because:

	-  the vendor would make sure they were really ready because they would be
paying for the evaluation

	-  the commercial evaluation facility would have dedicated resources to
apply to the evaluation

	-  both sides would be bound by contract to try to meet the agreed upon
schedules.

There was one TTAP experiment that ended about a year ago without
completing a product evaluation.  (It was intended to validate the process,
not necessarily complete the evaluation.)

As far as I know, the TTAP program is still alive and a number of
commercial companies have expressed interest in becoming a TTAP lab, but no
one is actually performing a commercial evaluation right now.  I think NSA
is waiting for the ability to perform lower assurance Common Criteria based
evaluations to jump start the program again.
-----------------------
Ron Koch
Science Applications International Corporation (SAIC)
Center for Information Security Technology

