DRIVING DOD POLICY FOR COMMON CRITERIA TESTING OF IT PRODUCTS Wanda Nuckolls, Product Security Project Manager Canon U.S.A., Inc. Government Marketing Division
National Security Telecommunications and Information Systems Security Committee, NSTISSP No. 11 (January 2000): National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products
- Effective 1 Jan 2001: preference shall be given to acquisition of evaluated IA products
- Effective 1 Jul 2002 (revised fact sheet): acquisitions must specify evaluated products
UNCLASSIFIED
- Acquisition of COTS IA products is limited to those on the NIAP Validated Products List or the NIST Cryptographic Module Validation List
- Acquisition of GOTS IA products is limited to those approved by NSA
- Waivers (Deferred Compliance Authorization, DCA) are reviewed by NSA and granted on a case-by-case basis; not available for cryptographic (encryption) products
FACTORS DRIVING NSTISSP 11
- IA is broader than COMSEC
- Philosophy shift from GOTS-only to GOTS and COTS
- Explosion in the number of COTS IA products
- NSA resource constraints require a NIAP approach
- No standardized evaluation language or methodology
- Create demand for evaluated products
The problem: does the product provide the security it claims?
DoD 8500.1 and DoD 8500.2
- Require compliance with NSTISSP 11
- Define generic "robustness" levels (basic, medium, high) and assign "baseline levels" for the IA services of integrity, availability and confidentiality, dependent upon the value of the information protected and the environment
- Require NSA to:
  – Serve as DOD focal point for NIAP
  – Approve cryptographic devices used to protect classified information
  – Generate Protection Profiles for GIG core technologies
Guidelines for Federal Organizations Re: Information Security
- NIST Special Publication 800-23: Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
- NIST Special Publication 800-37: Guide for the Security Certification and Accreditation of Federal Information Systems
Other policy influencing security concerns for IT equipment:
- Gramm-Leach-Bliley Act (GLBA): Financial Modernization Act of 1999
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): national standards to protect the privacy of personal health information
- Family Educational Rights and Privacy Act (FERPA): security for student privacy
Example of policy driving Canadian IT security initiatives: the Personal Information Protection and Electronic Documents Act (PIPEDA) became an official requirement on January 1, 2004. PIPEDA is federal privacy legislation that regulates privacy compliance in the collection of citizens' personal data by organizations during commercial activity.