Panel: IT Security Certs Need Overhaul

A National Cyber Security Partnership task force lays out its recommendations for overhauling computer security practices.

The computer industry and the federal government alike need to greatly improve their efforts to reduce the vulnerability of the nation's networks, beginning with a major shift in the way software and hardware are built and sold, according to a report due out this week.

The report, written by a task force from the National Cyber Security Partnership, lays out dozens of recommendations for overhauling the way vendors build and sell their products and the process the government uses to evaluate them for compliance with technical standards.

This is the fifth and final task force report from the NCSP, a group of government officials and industry executives formed last year to help implement the President's National Strategy to Secure Cyberspace.

The report's main thrust is an effort to improve and expand the government's Common Criteria process so that it becomes a more recognizable certification, something akin to a seal of approval.

The task force is also asking that the government help pick up the tab for the certification process, which can cost millions of dollars per product, in the form of tax credits for research and development or direct payment of some evaluation costs.

"We would like [Common Criteria certification] to be table stakes," said Mary Ann Davidson, chief security officer of Oracle Corp., in Redwood Shores, Calif., and co-chair of the Technical Standards and Common Criteria Task Force of the NCSP. "It would be a seal that customers can see so they know that the vendor built this product with security in mind. The government is starting to use this as part of the procurement process."

The Common Criteria certification program is overseen by the National Institute of Standards and Technology and the National Security Agency under the National Information Assurance Partnership umbrella. There are several levels of certification (the Evaluation Assurance Levels, EAL1 through EAL7, with higher levels requiring more rigorous evaluation), and the process is open to most hardware and software products, not just security offerings.

Specifically, the task force is recommending that NIAP develop "protection profiles" for a larger number of product categories so that vendors know exactly how to build their products to meet NIAP's standards. Currently, there are only a handful of protection profiles, many of which are classified. The report also encourages the government to require a vulnerability analysis of each product, even at the lowest certification levels, as a way to root out more flaws.
