12 August 1998
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-------------------------------------------------------------------------

[Federal Register: August 12, 1998 (Volume 63, Number 155)]
[Notices]
[Page 43140-43141]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr12au98-36]

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology


Announcement of a Workshop to Discuss the Development and
Implementation of a Common Criteria Evaluation and Validation Scheme
for Information Technology (IT) Security

AGENCY: National Institute of Standards and Technology.

ACTION: Notice of Public Workshop.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) and
the National Security Agency (NSA), partners in the National
Information Assurance Partnership (NIAP), invite interested parties to
attend a public workshop to discuss the development of a Common
Criteria Evaluation and Validation Scheme for IT Security. The purpose
of the Common Criteria Scheme is to meet the needs of industry and
government and for cost-effective security evaluation of IT products,
(e.g., operating systems, database management systems, firewalls). The
proposed scheme represents a significant change to previous IT product
evaluation programs conducted by NSA and completes the transition of
security testing and evaluation from the government to the private
sector.

DATES: The workshop will take place on September 9, 1998 from 9:00 A.M.
until 5:00 P.M. Interested parties should contact NIST at the address
or telephone numbers listed below to confirm their interest in
attending the workshop.

ADDRESSES: The workshop will take place at the Sheraton International
Hotel (BWI Airport), 7032 Elm Road, Baltimore, MD 21240, phone: (410)
859-3300, fax: (410) 859-0565.

FOR FURTHER TECHNICAL INFORMATION CONTACT: Dr. Ron S. Ross, Information
Technology Laboratory, National Institute of Standards and Technology,
820 West Diamond Avenue (Room 426), Gaithersburg, MD 20899, email:
rross@nist.gov, phone: (301) 975-5390, fax: (301) 948-0279. Alternate
point of contact is: Ms. Robin Medlock, Information Technology
Laboratory, National Institute of Standards and Technology, email:
rmedlock@nist.gov, phone: (301) 975-5017, fax: (301) 948-0279. Detailed
workshop information (to include copies of draft documents related to
the Common Criteria Scheme) is available on the NIAP web site at http:/
/niap.nist.gov. Laboratory accreditation information can be accessed at
the following web sites: International Laboratory Accreditation Co-
operation (ILAC), http://www.ilac.org, Asia Pacific Laboratory
Accreditation Cooperation (APLAC), http://www.ianz.govt.nz/aplac/,
National Voluntary Laboratory Accreditation Program (NVLAP) http://
ts.nist.gov/nvlap.

WORKSHOP REGISTRATION: To register for the workshop, visit the NIAP web
site at http://niap.nist.gov and follow the link for Events.
Registration must be received by August 26, 1998. For confirmation or
additional information, contact Lazer Fuerst at Mitretek Systems,
phone: (703) 610-1689, fax: (703) 610-1699, email: scheme-
workshop@mitretek.org.

SUPPLEMENTARY INFORMATION: Recent advances in information technologies
and the proliferation of computing systems and networks world-wide have
raised the level of concern about security in both the public and
private sectors. Security concerns are motivated by a growing use of IT
products throughout industry and government in a variety of critical
areas--from electronic commerce to national defense. Consumers have
access to a growing number of security-enhanced IT products with
different capabilities and limitations and must make important
decisions about which

[[Page 43141]]

products provide an appropriate degree of protection for their
information.
    In order to help consumers choose commercial off-the-shelf IT
products, NIST and NSA are developing a program to evaluate conformance
of IT products to international standards. This program has the
following objectives:
    <bullet> To develop, operate, and maintain a Common Criteria
Evaluation and Validation Scheme;
    <bullet> To provide for security evaluations in private sector
laboratories;
    <bullet> To ensure that evaluations of IT products are performed to
consistent standards and to increase confidence in the security of
those products;
    <bullet> To improve the availability of evaluated IT products;
    <bullet> To create a climate for IT security products of ``Make
them here, test them here, sell them world-wide''.
    The proposed scheme will promote evaluations of IT products
conducted in the private sector by accredited testing laboratories.
Products will be evaluated against the Common Criteria for Information
Technology Security Evaluation, an emerging International Standards
Organization (ISO) standard. Evaluation results will be validated by
NIAP leading to the issuance of a validation certificate and placement
on a validated products list. Certificates for the validated products
will be recognized by participants in mutual recognition agreements
based on the Common Criteria, thus reducing the need for multiple
security evaluations.
    This workshop is for the following audiences:
    <bullet> Manufacturers, developers, and integrators of IT products
interested in having their products evaluated against the Common
Criteria;
    <bullet> Testing laboratories interested in evaluating IT products
to the Common Criteria;
    <bullet> Government and private sector consumers desiring IT
products evaluated against the Common Criteria and validated by NIAP.
    The workshop will cover a variety of topics to include:
    <bullet> Introduction to IT product security evaluation;
    <bullet> Overview of the Common Criteria Scheme;
    <bullet> Status report on the Common Criteria and Common Evaluation
Methodology;
    <bullet> Laboratory accreditation;
    <bullet> Validation of evaluation results by NIAP.

    Dated: August 6, 1998.
Robert E. Hebner,
Acting Deputy Director.
[FR Doc. 98-21630 Filed 8-11-98; 8:45 am]
BILLING CODE 3510-CN-P
