GUIDANCE ON THE SELECTION OF LOW LEVEL ASSURANCE EVALUATED PRODUCTS

Information technology (IT) products that can be relied upon to perform their security functions correctly are needed to help protect important information in the government and private sectors. This trustworthiness, or assurance, rests on two factors. First, the security functions should be predefined so that they are well understood and their utility is agreed. Second, criteria must be established for the development and independent security evaluation of products implementing those functions, so that confidence can be gained that the functions are present and work properly. This bulletin has been jointly developed by NIST and the National Security Agency (NSA).

Recommended Minimum Security Criteria - C2

IT products developed and then evaluated against an acceptable minimum set of security criteria are recommended for general use in low-threat environments in government and private industry. These minimum criteria provide for basic security features, primarily controlled access protection, which permits only known users to gain access to the information they are authorized to see. The criteria also require adherence to a minimum set of good product development and documentation practices, to help ensure that the security features operate correctly. In the United States, this minimum set of product security criteria is defined as Class C2, "Controlled Access Protection", in the Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). Requirements similar to C2 are contained in the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) and the European Information Technology Security Evaluation Criteria (ITSEC), as described in the next section.
Mutual Recognition of Evaluated Products

Security criteria common to Europe and North America are now being developed that will form the basis for mutual recognition and acceptance by the participating nations of each other's IT product security evaluations. In the interim, efforts are underway to establish reciprocity among the U.S., Canada, France, Germany, the Netherlands, and the United Kingdom for C2-level products evaluated against the three existing criteria. Equivalency among these nations is not easy to establish because of differences in criteria and evaluation methodology. However, equivalency should cease to be an issue once the Common Criteria are adopted and implemented by the participating countries.

Product Selection Guidance

Federal programs with requirements for evaluated low level assurance products are encouraged to use trusted products evaluated against one of the three aforementioned criteria and entered on the respective Evaluated Products Lists (EPLs) of the countries identified above. A structure for the selection of U.S., Canadian and European evaluated products is outlined in this bulletin. While there are differences among the three criteria in the evaluation methodology and the process used to perform evaluations, there are enough similarities to recommend the use of low level assurance products from any of these EPLs. Such evaluated products could be used to satisfy a user's low level assurance requirements, provided that the product's evaluated level of security functionality and assurance is similar to that of TCSEC C2. In order to compare products evaluated against the three criteria, one must select the appropriate security functionality and assurance levels. Under the CTCPEC, the C2 Functionality Profile with assurance level T1 is similar to TCSEC C2. Under the ITSEC, Functionality Class F-C2 with assurance level E2 is also similar to TCSEC C2. Because the CTCPEC and ITSEC rate functionality and assurance separately, both the functionality profile or class and the assurance level must be checked on a product's EPL entry; a match on one alone does not establish equivalence to C2.
  Criteria   Functionality Level         Assurance Level
  CTCPEC     C2 Functionality Profile    T1
  ITSEC      F-C2                        E2

Figure 1: TCSEC C2 Relationships to the CTCPEC and ITSEC

Structure for Product Selection

- First preference should be given to a product on the U.S. EPL at the C2 level of trust.
- Consideration should then be given to U.S. EPL products that have been evaluated at a level of trust higher than C2. To satisfy the TCSEC requirements for the higher levels of trust (i.e., B1, B2, etc.), these products had to satisfy all of the C2 requirements.
- If no product currently evaluated within the U.S. could be used to satisfy an organization's C2 requirement, then products that meet or exceed the functionality requirements of a C2 product and have received a similar or higher assurance rating (as shown in Figure 1) could be selected from one of the CTCPEC- or ITSEC-based EPLs.
- If no evaluated product on any of the EPLs meets the requirements, consideration should then be given to products pending evaluation against one of the three criteria.

When selecting a product that is pending evaluation, an organization may incur a programmatic risk. These programmatic risks could include: the product might fail to pass evaluation, the evaluated version may not be the current version of the product, the evaluation might take longer than expected, etc. An organization must consider the evaluation methodology and process along with other programmatic considerations, such as the development schedule, intended use, and assumed environment, when assessing a product for potential use. Each organization must make a management decision, based upon the available evidence, as to whether the risk associated with any of the differences in the criteria, evaluation methodology, and process used to perform evaluations constitutes an acceptable risk. These technical issues are discussed in the Background section.
Currently Available Products

Before making any selection decisions, users should obtain the latest copies of the aforementioned EPLs for complete descriptions of products or for a listing of products evaluated at higher levels of assurance. The EPLs are living documents that are updated by the various countries on a periodic basis (e.g., quarterly). The following points of contact are provided for the various EPLs.

The U.S. EPL can be obtained in hardcopy from the INFOSEC Awareness Group at NSA, (410) 766-8729. Additionally, individuals with access to Dockmaster can obtain current on-line information about the U.S. EPL from the Announce.forum. For specific information related to an evaluated product, an organization should contact the Trusted Product and Network Security Evaluation Division at (410) 859-4458.

The Canadian EPL can be obtained by contacting:
  Communications Security Establishment
  ATTN: ITS Publications Administrator
  P.O. Box 9703, Terminal
  Ottawa, Canada K1G 3Z4
  Tel: (+1)613.991.7409, Fax: (+1)613.991.7411
  E-mail: criteria@cse.dnd.ca

The United Kingdom's EPL is available through:
  Certification Body Secretary
  UK IT Security and Certification Scheme
  P.O. Box 152
  Cheltenham GL52 5UF, United Kingdom
  Tel: +44.1242.238739, Fax: +44.1242.235233
  E-mail: cbsec@itsec.gov.uk

The German EPL should be requested from:
  Bundesamt fuer Sicherheit in der Informationstechnik
  Referat II2 / II3
  Postfach 20 03 63
  D-53133 Bonn, Germany
  Tel: +49.228.9582.111, Fax: +49.228.9582.455
  E-mail: zerti@bsi.de

The French EPL should be requested from:
  Service Central de la Securite des Systemes d'Information
  Centre de Certification de la Securite des TI
  18 rue du docteur Zamenhof
  92131 Issy les Moulineaux, France
  Tel: (+33)(1)41463753, Fax: (+33)(1)41463701
  E-mail: 100565.1335@compuserve.com

Information about evaluation activities in the Netherlands can be obtained from:
  Netherlands National Communications Security Agency
  P.O. Box 20061
  2500 EB The Hague, The Netherlands
  Tel: (+31) 70 3485637, Fax: (+31) 70 3486503
  E-mail: criteria@nlncsa.minbuza.nl

- -----------------------------------------------------------------
Background Information (text box in paper copy)

Differences Among Criteria

A major difference between the TCSEC on the one hand and the CTCPEC and ITSEC on the other is that the latter two criteria split functional and assurance requirements: there is a separate rating for each security service or function implemented by the product and an overall assurance rating, as opposed to a single rating associated with a specific set of defined functions and assurances. This split approach provides flexibility for articulating security requirements for a broad range of perceived needs.

The assignment of responsibilities between the developer and the evaluators for ensuring correctness of the product implementation differs among the criteria. During evaluations against both the TCSEC and the CTCPEC, the evaluators are closely involved in documenting the design of a product in addition to validating it. In ITSEC evaluations, the developer documents the product design and carries out the security analysis, while the evaluators mainly perform a verification role against the developer's results.

Effectiveness is the ability of a product to address the threats and objectives that are the basis for the security requirements it claims to meet. In ITSEC evaluations, effectiveness is assessed explicitly during the evaluation process. In the U.S. evaluation process, effectiveness is implied by the standardized set of requirements given in the TCSEC for C2 and the other levels: effectiveness aspects are considered during the advice phase prior to evaluation, and the move to evaluation does not happen until the product is judged to be effective.

Another difference between the criteria exists in the strength of the requirements for testing assurance and hardware assurance, as indicated below.
When selecting products from any of the EPLs, users should use this information to make risk-based decisions.

Testing Assurance

For the TCSEC C2 and CTCPEC T1 levels of trust, only functional testing is carried out. A deliberate search for errors is not undertaken, but if any are found they must be removed. At C2, the Trusted Computing Base (TCB) external interfaces are tested (both program interfaces and others), together with the procedures for bringing the system into, and maintaining it in, a trusted state. Internal TCB interfaces and trusted subject interfaces are not tested, but the trend is towards testing them because it eases the task of subsequent application evaluation. In order to get the most from testing assurance, the vendor is expected to have run the entire set of test suites. In addition to carrying out new tests, the evaluators repeat the vendor's entire set of test suites.

For the ITSEC E2 level of trust, evaluators are required to witness the developer's testing, repeat some tests for themselves, and perform both penetration tests and tests which search for errors. The E2 penetration testing strategy is developed to test the claims made in a product's Security Target. In the ITSEC, the Security Target serves both as a specification of the security enforcing functions against which the product will be evaluated, and as a description relating the product to the environment in which it will operate.

Hardware Assurance

The TCSEC and the CTCPEC require architectural evaluation down to the hardware level: the operating system and the hardware are evaluated in combination. In the case of application evaluations, the underlying operating system and hardware must also be included in the evaluation or have been previously evaluated under the TCSEC or CTCPEC respectively.

In an ITSEC evaluation, hardware is only examined if Security Enforcing Functions are specifically implemented in hardware, or if the hardware is special purpose (not commercial off-the-shelf). Developers may include statements about platform independence in their Security Target; this would normally lead to caveats in the Certification Report.
-----------------------------------------------------------------