
IDA and the “NIAP Review”

The Institute for Defense Analyses (IDA) led a review of the National Information Assurance Partnership (NIAP) to uncover issues in the Common Criteria evaluation program and to provide recommendations for resolving them. IDA conducted a series of interviews and solicited feedback on the Common Criteria evaluation process, and at present the report is not available for public review (perhaps because it is not complete, or perhaps because the project sponsors do not want the information released).

Here are a few things to keep in mind:

  • Common Criteria is a methodology that is recognized globally. Therefore, issues found in the US program may also exist in other certificate-producing nations, because the process is meant to be similar across the different schemes (hence Mutual Recognition).
  • The two most frequently voiced criticisms of the Common Criteria are:
    1. Evaluations take too long.
    2. Evaluations are too expensive.

    The Common Criteria is a complex, thorough evaluation methodology that is not part of most vendors’ development life cycles. While a product vendor can take steps to reduce the time and cost of evaluations, AAG feels that these two points will not be easily mitigated unless the CC evaluation methodology changes significantly. Hopefully the IDA report will go beyond these two criticisms.

  • The Common Criteria Community should realize that implementing the changes recommended by IDA will not happen overnight. Agencies will continue to purchase and use evaluated products, and it is doubtful that the IDA report will have any effect on that. But hopefully some gaps in the evaluation process can be tightened, and the Community will have more awareness of Common Criteria once this report is released and digested.

IDA certainly did its job in talking to a broad range of communities (including test labs, product vendors, and end users); AAG’s Managing Director also provided perceptions and insights to support the effort.

Hopefully this report will be available soon for public consumption, and hopefully it will deliver the value that it has the potential to deliver.