[Federal Register Volume 64, Number 31 (Wednesday, February 17, 1999)]
[Notices]
[Pages 7859-7861]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-3718]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 981029270-8270-01]
National Voluntary Laboratory Accreditation Program
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The National Institute of Standards and Technology (NIST) has
received a request to establish a laboratory accreditation program. In
a letter dated August 5, 1998, the National Information Assurance
Partnership (NIAP), a partnership between NIST and the National
Security Agency, requested that NIST establish an accreditation program
for Information Technology Security Testing. A report of the request
letter is set out as an appendix to this notice. Announcement of this
request by NIAP and of the NIST request for comments with respect
thereto, are being made under the procedures of the National Voluntary
Laboratory Accreditation Program (NVLAP) [15 CFR 285.13] of the
referenced procedures.
DATES: Comments may be submitted on or before May 3, 1999.
ADDRESSES: Comments should be submitted to James L. Cigler, Chief,
Laboratory Accreditation Program, National Institute of Standards and
Technology, 100 Bureau Drive, Stop 2140, Gaithersburg, Maryland 20899-
2140. Copies of comments received will be available for inspection and
copying at the Department of Commerce Central Reference and Records
Inspections Facility, Room 6204, Hoover Building, Washington, DC 20230.
FOR FURTHER INFORMATION CONTACT: James L. Cigler, telephone 301-975-
4016; e-mail [email protected]; <http://ts.nist.gov/nvlap>.
SUPPLEMENTARY INFORMATION:
Background
Scope of Laboratory Accreditation
The requestor referenced two documents to be used in association
with accreditation of Information Technology (IT) Security Testing
laboratories: (1) ISO/IEC DIS 15408 Information technology--Security
techniques--Evaluation criteria for IT
[[Page 7860]]
Security also called the Common Criteria for Information Technology
Security Evaluation, and (2) Common Evaluation Methodology for
Information Security (CEM), an international draft. NVLAP currently
offers accreditation for laboratories conducting testing to Federal
Information Processing Standard (FIPS) 140-1 for Crypotographic
Modules. Information about the Common Criteria and the Common
Evaluation Methodology is available at <http://csrc.nist.gov/cc/ccv20/
ccv2list.htm>.
After the 75-day comment period, NIST will thoroughly evaluate all
comments pertaining to the proposed accreditation program and publish
in the Federal Register an announcement of the decision of the Director
of NIST, regarding development of the program. Those who submit
comments and those who request future information will be placed on the
NVLAP mailing list to receive a copy of that publication. If the
decision is made to develop the program, technical assistance and input
will be sought from all interested parties. Assistance will be sought
in the areas of: (1) Preparation of the technical criteria for the
program, (2) establishment of the scope of the program based on the
Common Criteria, and (3) development of appropriate proficiency testing
programs. The NVLAP procedures also provide for public comment prior to
publication of the final accreditation requirements.
Dated: February 8, 1999.
Karen H. Brown,
Deputy Director.
National Information Assurance Partnership
August 5, 1998.
Raymond G. Kramer,
Director, National Institute of Standards and Technology,
Gaithersburg, MD 20899
Dear Mr. Kammer: The National Information Assurance Partnership
(NIAP), a partnership between the National Institute of Standards
and Technology (NIST) and the National Security Agency (NSA),
requests the establishment of a National Voluntary Laboratory
Accreditation Program (NVLAP) Laboratory Accreditation Program (LAP)
for Information Technology (IT) Security Testing. The requested LAP
will support the goals and objectives of both NIST and NSA in
fulfilling their responsibilities in the area of computer and
information systems security. This request is made in accordance
with Title 15 Code of Federal Regulations Section 285.13.
NIST plays a vital role in protecting the security and integrity
of information in computer systems in the public and private
sectors. The Computer Security Act of 1987 (P.L. 100-235) reaffirmed
NIST's leadership role in the federal government for the protection
of unclassified information. NIST assists industry and government by
promoting and supporting better security planning, technology,
awareness and training.
NSA provides information systems security programs to protect
classified and unclassified national security systems against
exploitation through interception, unauthorized access, and related
technical intelligence threats.
In a recent move to assist U.S. information security technology
producers in achieving international competitiveness, NIST and NSA
signed a letter of partnership establishing the National Information
Assurance Partnership (NIAP). NIST and NSA have established a
program under NIAP to evaluate conformance of IT products to
international standards. This program, called the Common Criteria
Evaluation and Validation Scheme, will help consumers make informed
choices when selecting commercial off-the-shelf products in the area
IT security and will help producers of IT security products gain
acceptance in the global marketplace.
The NIAP Common Criteria Scheme requires IT security products to
be tested in private sector, accredited testing laboratories using
the test methods in ISO/IEC DIS 15408 (currently a Craft
international standard), also called the Common Criteria, and the
Common Evaluation Methodology (currently an international draft).
Test reports from accredited laboratories will be reviewed by the
NIAP Validation Body which will issue Common Criteria certificates
for products that meet the NIAP Common Criteria Scheme requirements.
NIAP is working towards a Common Criteria Mutual Recognition
Agreement with bodies in five foreign countries. By agreement,
testing laboratories approved by the partners in each of the
Agreement countries will be accredited as meeting the requirements
of ISO/IEC Guide 25 by an organization that is internationally
recognized as conforming to the requirements of ISO/IEC Guide 58.
NIST and NSA have been active participants in the development of
the Common Criteria, the Common Evaluation Methodology, and the NIAP
Common Criteria Scheme. NIST will provide technical assistance for
the development of the LAP.
Statement of Perceived Need
The recent President's Commission on Critical Infrastructure
Protection has pointed out that the United States is becoming
increasingly dependent on information technology to carry out the
day-to-day operations of business and government. This growing
dependence on advanced technology, coupled with its inherent
complexity, has introduced significant security vulnerabilities into
the information systems that support the critical national
infrastructure. Consumers within the public and private sectors are
becoming increasingly aware of these vulnerabilities and are
beginning to demand greater protection for their information from
commercial IT products and systems.
As industry begins to respond to demands for security-enhanced
IT products and systems, consumers must have confidence in the
security claims producers make about them. Testing at an accredited
laboratory provides confidence to consumers in the test results and
that the tested products and systems conform to the security
criteria.
Acceptance of test results from a commercial laboratory by
consumers in other nations and government organizations, such as
those organizations in the countries participating in the Common
Criteria project, requires trust and confidence in the laboratory
testing processes. This trust and confidence is achieved through the
use of accredited testing laboratories and government involvement in
validating the results of commercial security evaluations. Thus,
governments have greater confidence in the evaluation processes
employed in the respective national schemes of other nations.
Scope of the LAP, Applicable Standards, and Applicable Test Methods
The scope of the proposed LAP includes conformance testing of
commercial off-the-shelf, security-enhanced, IT products and systems
to international standards. Applicable standards and test methods
defined by government and industry will be employed by NVLAP-
accredited testing laboratories operating within the scope of the
LAP. Initially the score of the LAP will draw from, ISO/IEC DIS
15408 Information technology--Security techniques--Evaluation
criteria for IT Security also called the Common Criteria for
Information Technology Security Evaluation and Common Evaluation
Methodology for Information Technology Security (CEM), an
international draft. Additional standards and test methods may be
added as they become available.
Evidence of a national need to accredit calibration or testing
laboratories for the specific scope beyond that served by an
existing laboratory accreditation program in the public or private
sector.
The scope of the proposed LAP is beyond that served by any
existing laboratory accreditation program in the public or private
sector. The only commercial security testing laboratories currently
available to conduct Common Criteria-based testing are the Trust
Technology Assessment Program (TTAP) laboratories under a program
established by the National Security Agency. These laboratories
operate under cooperative research and development agreements
(CRADA) with NSA and have not been accredited to ISO Guide 25.
Recognition of evaluation results in the context of the nations
participating in the Common Criteria project requires that IT
products be evaluated at accredited testing laboratories. The unique
nature of security testing and the associated knowledge and skills
needed to operate an accreditation program in this area make NVLAP
the essential choice to develop and implement the proposed LAP.
NIAP will hold public workshops to solicit comments on the
Common Criteria Scheme and the proposed LAP from all sectors
including producers, the testing laboratory community, and consumers
of IT security products in the private and government sectors.
[[Page 7861]]
Sincerely,
Stuart W. Katzke,
Chief, Computer Security Division, Information Technology Laboratory
NIST.
Louis F. Giles,
Chief, Information Assurance Partnerships Evaluations, and Knowledge
Management NSA.
cc: S. Wakid, Director, Information Technology Laboratory, NIST M.
Jacobs, Deputy Director Information Systems Security, NSA
[FR Doc. 99-3718 Filed 2-16-99; 8:45 am]
BILLING CODE 3510-13-M