Why is Common Criteria bad for government?
By user12611852 on May 04, 2007
Some time ago, I blogged about what the Common Criteria process is all about and how the government (in particular my customer in the US DoD) uses it. At that time I said:
What's wrong with the current Common Criteria process?
Although the current process is somewhat better than the old NSA process, it still leaves something to be desired. I have heard it stated in public forums by DoD employees that the CC process does not meet all of the Government's goals. Current problems include:
- It still takes a long time (about 1 1/2 years), resulting in delays in purchasing state-of-the-art products.
- The process is not designed to actually detect software bugs or vulnerabilities in an OS.
- The rules for adoption of the OS are interpreted in a wide variety of ways across organizations.
- It is not flexible in handling OS updates and patches.
Apparently, I was not alone. Recently an article was published in Government Computer News in which Symantec agrees with me, stating:
“I would say our [DOD] customers are not satisfied with Common Criteria,” said Wesley Higaki, Symantec's director of product certifications, in an interview with GCN. “People on the ground are finding that Common Criteria doesn't help them make their products more secure. It doesn't help them pass accreditation. It's just a procurement hurdle at this point.”
Recently I have been asked if Sun could have our Lights Out Management (LOM) devices CC-evaluated because they accept a user name and password. This feature makes them IA-enabled according to DoD Directive 8500.2. Nearly every server, tape array and disk array that Sun sells has a LOM interface to facilitate remote management and problem diagnosis. This requirement could generate a huge cost in dollars and time for Sun while delaying innovation and product development. In the end it would not create a better product, because the market already demands that our products provide a high level of security.
I have heard it said at Sun that, "No CC evaluation has ever changed a line of code." Although I can't prove this because I have not been directly involved, I certainly believe that CC evaluations are primarily documentation efforts.
If you also see this as a problem, feel free to add your comments here.