csl96-04.txt
Posted Aug 17, 1999

Guidance on the Selection of Low Level Assurance Evaluated Products

tags | paper
SHA-256 | 74213314e0413846da2c9b5b25b24307c64022951f7290db0a80170bf76077c5

GUIDANCE ON THE SELECTION OF LOW LEVEL ASSURANCE EVALUATED PRODUCTS
Information technology (IT) products that can be relied upon to
successfully perform good security functions are needed to help
protect important information of the government and private
sectors. This security trustworthiness, or assurance, rests on
two main factors addressed by security criteria. The security
functions should be predefined so that they are well understood
and their utility is agreed upon. Criteria must also be
established for development and
independent security evaluation of products using those
functions, so confidence can be gained that the functions are
present and work properly. This bulletin has been jointly
developed by NIST and the National Security Agency (NSA).

Recommended Minimum Security Criteria - C2
IT products developed and then evaluated against an acceptable
minimum set of security criteria are recommended for general use
in low-threat environments in government and private industry.
These minimum criteria provide for basic security features,
primarily controlled access protection which permits only known
users to gain access to information authorized to them. The
criteria also provide for adherence to a minimum set of good
product development and documentation practices, to help ensure
that the security features operate correctly.

In the United States, this minimum set of product security
criteria is defined as Class C2 - "Controlled Access Protection"
in the Department of Defense Trusted Computer Systems Evaluation
Criteria (TCSEC). Requirements similar to C2 are contained in
the Canadian Trusted Computer Product Evaluation Criteria
(CTCPEC) and the European Information Technology Security
Evaluation Criteria (ITSEC), as described in the next section.

Mutual Recognition of Evaluated Products
Security criteria common to Europe and North America are now
being developed that will form the basis for mutual recognition
and acceptance by the participating nations of each other's IT
product security evaluations. In the interim, efforts are
underway to establish reciprocity among the U.S., Canada, France,
Germany, the Netherlands, and the United Kingdom for C2-level
products evaluated against the three existing criteria.
Equivalency among these nations is not easy to establish because
of differences in criteria and evaluation methodology. However,
equivalency should cease to be an issue once the Common Criteria
are adopted and implemented by the participating countries.

Product Selection Guidance
Federal programs with requirements for evaluated low level
assurance products are encouraged to use trusted products
evaluated against one of the three aforementioned criteria and
entered on the respective Evaluated Products Lists (EPLs) of the
countries identified above. A structure for the selection of
U.S., Canadian and European evaluated products is outlined in
this bulletin.

While recognizing the differences among the three criteria in the
evaluation methodology and the process used to perform
evaluations, there are enough similarities to recommend the use
of low level assurance products from any of these EPLs. Such
evaluated products could be used to satisfy a user's low level
assurance requirements, given that the product's evaluated level
of security functionality and assurance is similar to that of a
TCSEC C2.

In order to compare products evaluated against the three
criteria, one must select the appropriate security functionality
level. Under the CTCPEC, the C2 Functionality Profile with
assurance T1 is similar to TCSEC C2. Under the ITSEC, the
Functionality Class F-C2 with assurance E2 is also similar to
TCSEC C2.

                  Functionality                 Assurance
    Criteria      Level                         Level
    ------------  ----------------------------  ---------
    CTCPEC        C2 Functionality Profile      T1
    ITSEC         F-C2                          E2

Figure 1: TCSEC C2 Relationships to the CTCPEC and ITSEC

Structure for Product Selection

- First preference should be given to a product on the U.S.
EPL at the C2 level of trust.

- Consideration should then be given to U.S. EPL products that
have been evaluated at a level of trust higher than C2. To
satisfy the TCSEC requirement for the higher levels of trust
(i.e., B1, B2, etc.), these products had to satisfy all of
the C2 requirements.

- If there isn't any product currently evaluated within the
U.S. that could be used to satisfy an organization's C2
requirement, then products that meet or exceed the
functionality requirements of a C2 product and have received
a similar or higher assurance rating (as shown in Figure 1)
could be selected from one of the CTCPEC or ITSEC-based
EPLs.

- If there isn't an evaluated product on any of the EPLs that
meets the requirements, consideration should then be given
to products pending evaluation against one of the three
criteria. When selecting a product that is pending
evaluation, an organization may incur a programmatic risk.
These programmatic risks could include: the product might
fail to pass evaluation, the evaluated version may not be
the current version of the product, the evaluation might
take longer than expected, etc.

An organization must consider the evaluation methodology and
process along with other programmatic considerations, such as the
development schedule, intended use, and assumed environment, when
assessing a product for potential use. Each organization must
make a management decision based upon the available evidence as
to whether the risk associated with any of the differences in the
criteria, evaluation methodology, and process used to perform
evaluation are deemed to constitute an acceptable risk. These
technical issues are discussed in the Background section.

Currently Available Products
Before making any selection decisions, users should obtain the
latest copies of the aforementioned EPLs for complete
descriptions of products or for a listing of products evaluated
at higher levels of assurance. The EPLs are living documents
that are updated by the various countries on a periodic basis
(e.g., quarterly). The following points of contact are provided
for the various EPLs.

The U.S. EPL can be obtained in hardcopy from the INFOSEC
Awareness Group at NSA, (410) 766-8729. Additionally,
individuals with access to Dockmaster can obtain the current on-
line information about the U.S. EPL from the Announce.forum. For
specific information related to an evaluated product, an
organization should contact the Trusted Product and Network
Security Evaluation Division at (410) 859-4458.

The Canadian EPL can be obtained by contacting:
Communications Security Establishment
ATTN: ITS Publications Administrator
P.O. Box 9703, Terminal
Ottawa, Canada K1G 3Z4
Tel: (+1)613.991.7409, Fax: (+1)613.991.7411
E-mail: criteria@cse.dnd.ca

The United Kingdom's EPL is available through:
Certification Body Secretary
UK IT Security and Certification Scheme
P.O. Box 152
Cheltenham GL52 5UF, United Kingdom
Tel: +44.1242.238739, Fax: +44.1242.235233
E-mail: cbsec@itsec.gov.uk

The German EPL should be requested from:
Bundesamt fuer Sicherheit in der Informationstechnik
Referat II2 / II3
Postfach 20 03 63
D-53133 Bonn, Germany
Tel: +49.228.9582.111, Fax: +49.228.9582.455
E-mail: zerti@bsi.de

The French EPL should be requested from:
Service Central de la Securite des Systemes d'Information
Centre de Certification de la Securite des TI
18 rue du docteur Zamenhof
92131 Issy les Moulineaux, France
Tel: (+33)(1)41463753, Fax: (+33)(1)41463701
E-mail: 100565.1335@compuserve.com

Information about evaluation activities in the Netherlands can be
obtained from:
Netherlands National Communications Security Agency
P.O. Box 20061
2500 EB The Hague, The Netherlands
Tel: (+31) 70 3485637, Fax: (+31) 70 3486503
E-mail: criteria@nlncsa.minbuza.nl
-----------------------------------------------------------------
Background Information (text box in paper copy)

Differences Among Criteria
A major difference between the TCSEC and the CTCPEC and ITSEC is
that the latter two criteria split functional and assurance
requirements. There is a separate rating for each security
service or function implemented by the product and an overall
assurance rating (as opposed to a single rating associated with a
specific set of defined functions and assurances). This split
approach provides flexibility for articulating security
requirements for a broad range of perceived needs.

The assignment of responsibilities between the developer and the
evaluators for ensuring correctness of product implementation
differs among the criteria. During evaluations against both the
TCSEC and CTCPEC, the evaluators are closely involved in
documenting the design of a product in addition to validating it.
In ITSEC evaluations, the developer documents the product design
and carries out security analysis while the evaluators mainly
perform a verification role against the developer's results.

Effectiveness is the ability of a product to address the threats
and objectives that are the basis for the security requirements
it claims to meet. In ITSEC evaluations, the notion of
effectiveness is covered during the evaluation process. In the
U.S. evaluation process, effectiveness is implied in the
standardized set of requirements given in the TCSEC for C2 and
the other levels. In TCSEC evaluations, effectiveness aspects
are considered during the advice phase prior to evaluation;
however, the move to evaluation does not happen until the product
is judged to be effective.

Another difference between the criteria exists in the strength of
requirements for testing assurance and hardware assurance, as
indicated below. When selecting products from any of the EPLs,
users should use this information to make risk-based decisions.

Testing Assurance
For TCSEC C2 and CTCPEC T1 levels of trust, only functional
testing is carried out. A deliberate search for errors is not
undertaken, but if any are found they must be removed. At C2,
the Trusted Computing Base (TCB) external interfaces are tested
(both program and otherwise), together with procedures to bring
the system into and maintain a trusted state. Internal TCB
interfaces and the trusted subject interfaces are not tested, but
the trend is towards testing them because it eases the task of
subsequent application evaluation. In order to get the most from
testing assurance, the entire set of test suites is expected to
have been run by the vendor. In addition to carrying out new
tests, the evaluators repeat the vendor's entire set of test
suites.

For the ITSEC E2 level of trust, evaluators are required to
witness the developer's testing, repeat some tests for
themselves, and perform both penetration tests and tests which
search for errors. E2 penetration testing strategy is developed
to test the claims made in a product's Security Target. In the
ITSEC, the Security Target serves both as a specification of the
security enforcing functions, against which the product will be
evaluated, and as a description relating the product to the
environment in which it will operate.

Hardware Assurance
The TCSEC and the CTCPEC require architectural evaluation down to
the hardware level. The operating system together with the
hardware are evaluated in combination. In the case of
application evaluations, the underlying operating system and
hardware must also be included in the evaluation or have been
previously evaluated under the TCSEC or CTCPEC respectively. In
an ITSEC evaluation, hardware is only looked at in the event that
Security Enforcing Functions are specifically implemented in
hardware or by virtue of the hardware being special purpose (not
commercial off-the-shelf). Developers may include statements
about platform independence in their Security Target; this would
normally lead to caveats in the Certification Report.
-----------------------------------------------------------------