This process seems driven by the National Information Assurance Partnership (NIAP), a joint NIST-NSA group "designed to meet the security testing, evaluation, and assessment needs of both information technology (IT) producers and consumers." The people who validate products appear to be part of the National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme (CCEVS) Validation Body, a group jointly managed by NIST and NSA.
Obviously I haven't figured out how all of this works. For example, I don't know how the Evaluation Assurance Levels like "EAL4" fit in. I do know that companies trying to get a product through this process can spend "half a million dollars" and 15+ months, according to speakers at the IATF Forum. Is this better security? I don't know yet.
Besides the Common Criteria, other groups assess security products.
- Neohapsis' Open Security Evaluation Criteria (OSEC) seems much more practical and current.
- ICSA Labs assesses a variety of products. They have certified some IDS already.
- The NSS Group describes itself as "Europe's foremost independent network and security testing organization." They tend to like Snort.
- While Talisker's site doesn't rate products, it is a comprehensive listing of security products and services.
Bob Hillery of the Institute for Security Technology Studies at Dartmouth described the findings of the 2002 Law Enforcement Tools and Technologies for Investigating Cyber Attacks: A National Needs Assessment. I'm going to watch the institute's what's new page for publication of their forthcoming nation-state "cyber threat" report.
You can watch for future events at the IAEvents Web site. Many require a clearance.