Wednesday, April 26, 2006

GAO Hammers Common Criteria

I've written about Common Critera before. If you also think CC is a waste of money, read GAO: Common Criteria Is Not Common Enough by Michael Arnone. It summarizes and comments upon a report by the Government Accounting Office titled INFORMATION ASSURANCE: National Partnership Offers Benefits, but Faces Considerable Challenges. Mr. Arnone writes:

GAO also criticized the National Information Assurance Partnership (NIAP) for not providing metrics or evidence that the Common Criteria actually improves product security. In addition, the Common Criteria process takes so long to complete that agencies often find that the products they need are not on the list of certified offerings or that only older versions have been accredited, GAO’s report states...

Pescatore said GAO’s call for increased education and awareness of NIAP’s function is overblown. Large vendors already know the process well and can afford millions of dollars for tailor-made product evaluations, he said.

Any education efforts should target smaller vendors — with $10 million to $50 million a year in annual revenue — that don’t know about the NIAP process, don’t know how expensive it is and have trouble affording it, Pescatore said. NIAP must do more than educate, he added. It must provide subsidies or reduce prices so smaller vendors can participate, he said.


It sounds like Common Criteria is becoming nothing but a hurdle to keep smaller companies from providing products to government agencies.

1 comment:

Ray Potter said...

Why should any one single group of vendors be targeted for specialized education? There are plenty of folks who don’t know the process. Even companies who have been through evaluation before can struggle with understanding the CC. Why? Different business units, changes in roles, attrition, etc. They may not have someone (or multiple someones) responsible for educating the organization.

Also, how can NIAP possibly provide evaluation subsidies when they can’t even afford enough validators?