17 February 1999
Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html

-----------------------------------------------------------------------

[Federal Register: February 17, 1999 (Volume 64, Number 31)]
[Notices]
[Page 7859-7861]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr17fe99-63]

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 981029270-8270-01]

National Voluntary Laboratory Accreditation Program

AGENCY: National Institute of Standards and Technology (NIST), Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) has received a request to establish a laboratory accreditation program. In a letter dated August 5, 1998, the National Information Assurance Partnership (NIAP), a partnership between NIST and the National Security Agency, requested that NIST establish an accreditation program for Information Technology Security Testing. A copy of the request letter is set out as an appendix to this notice. Announcement of this request by NIAP, and of the NIST request for comments with respect thereto, is being made under the procedures of the National Voluntary Laboratory Accreditation Program (NVLAP) [15 CFR 285.13].

DATES: Comments may be submitted on or before May 3, 1999.

ADDRESSES: Comments should be submitted to James L. Cigler, Chief, Laboratory Accreditation Program, National Institute of Standards and Technology, 100 Bureau Drive, Stop 2140, Gaithersburg, Maryland 20899-2140. Copies of comments received will be available for inspection and copying at the Department of Commerce Central Reference and Records Inspections Facility, Room 6204, Hoover Building, Washington, DC 20230.

FOR FURTHER INFORMATION CONTACT: James L. Cigler, telephone 301-975-4016; e-mail james.cigler@nist.gov.

SUPPLEMENTARY INFORMATION:

Background

Scope of Laboratory Accreditation

The requestor referenced two documents to be used in association with accreditation of Information Technology (IT) Security Testing laboratories: (1) ISO/IEC DIS 15408 Information technology--Security techniques--Evaluation criteria for IT Security, also called the Common Criteria for Information Technology Security Evaluation, and (2) Common Evaluation Methodology for Information Security (CEM), an international draft. NVLAP currently offers accreditation for laboratories conducting testing to Federal Information Processing Standard (FIPS) 140-1 for Cryptographic Modules. Information about the Common Criteria and the Common Evaluation Methodology is available at .

After the 75-day comment period, NIST will thoroughly evaluate all comments pertaining to the proposed accreditation program and publish in the Federal Register an announcement of the decision of the Director of NIST regarding development of the program. Those who submit comments and those who request future information will be placed on the NVLAP mailing list to receive a copy of that publication.

If the decision is made to develop the program, technical assistance and input will be sought from all interested parties. Assistance will be sought in the areas of: (1) preparation of the technical criteria for the program, (2) establishment of the scope of the program based on the Common Criteria, and (3) development of appropriate proficiency testing programs. The NVLAP procedures also provide for public comment prior to publication of the final accreditation requirements.

Dated: February 8, 1999.
Karen H. Brown,
Deputy Director.

National Information Assurance Partnership

August 5, 1998.

Raymond G. Kammer,
Director, National Institute of Standards and Technology,
Gaithersburg, MD 20899

Dear Mr. Kammer:

The National Information Assurance Partnership (NIAP), a partnership between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA), requests the establishment of a National Voluntary Laboratory Accreditation Program (NVLAP) Laboratory Accreditation Program (LAP) for Information Technology (IT) Security Testing. The requested LAP will support the goals and objectives of both NIST and NSA in fulfilling their responsibilities in the area of computer and information systems security. This request is made in accordance with Title 15 Code of Federal Regulations Section 285.13.

NIST plays a vital role in protecting the security and integrity of information in computer systems in the public and private sectors. The Computer Security Act of 1987 (P.L. 100-235) reaffirmed NIST's leadership role in the federal government for the protection of unclassified information. NIST assists industry and government by promoting and supporting better security planning, technology, awareness and training. NSA provides information systems security programs to protect classified and unclassified national security systems against exploitation through interception, unauthorized access, and related technical intelligence threats.

In a recent move to assist U.S. information security technology producers in achieving international competitiveness, NIST and NSA signed a letter of partnership establishing the National Information Assurance Partnership (NIAP). NIST and NSA have established a program under NIAP to evaluate conformance of IT products to international standards. This program, called the Common Criteria Evaluation and Validation Scheme, will help consumers make informed choices when selecting commercial off-the-shelf products in the area of IT security and will help producers of IT security products gain acceptance in the global marketplace.

The NIAP Common Criteria Scheme requires IT security products to be tested in private sector, accredited testing laboratories using the test methods in ISO/IEC DIS 15408 (currently a Draft International Standard), also called the Common Criteria, and the Common Evaluation Methodology (currently an international draft). Test reports from accredited laboratories will be reviewed by the NIAP Validation Body, which will issue Common Criteria certificates for products that meet the NIAP Common Criteria Scheme requirements.

NIAP is working towards a Common Criteria Mutual Recognition Agreement with bodies in five foreign countries. By agreement, testing laboratories approved by the partners in each of the Agreement countries will be accredited as meeting the requirements of ISO/IEC Guide 25 by an organization that is internationally recognized as conforming to the requirements of ISO/IEC Guide 58. NIST and NSA have been active participants in the development of the Common Criteria, the Common Evaluation Methodology, and the NIAP Common Criteria Scheme. NIST will provide technical assistance for the development of the LAP.

Statement of Perceived Need

The recent President's Commission on Critical Infrastructure Protection has pointed out that the United States is becoming increasingly dependent on information technology to carry out the day-to-day operations of business and government. This growing dependence on advanced technology, coupled with its inherent complexity, has introduced significant security vulnerabilities into the information systems that support the critical national infrastructure. Consumers within the public and private sectors are becoming increasingly aware of these vulnerabilities and are beginning to demand greater protection for their information from commercial IT products and systems.

As industry begins to respond to demands for security-enhanced IT products and systems, consumers must have confidence in the security claims producers make about them. Testing at an accredited laboratory provides consumers with confidence in the test results and that the tested products and systems conform to the security criteria. Acceptance of test results from a commercial laboratory by consumers in other nations and government organizations, such as those organizations in the countries participating in the Common Criteria project, requires trust and confidence in the laboratory testing processes. This trust and confidence is achieved through the use of accredited testing laboratories and government involvement in validating the results of commercial security evaluations. Thus, governments have greater confidence in the evaluation processes employed in the respective national schemes of other nations.

Scope of the LAP, Applicable Standards, and Applicable Test Methods

The scope of the proposed LAP includes conformance testing of commercial off-the-shelf, security-enhanced IT products and systems to international standards. Applicable standards and test methods defined by government and industry will be employed by NVLAP-accredited testing laboratories operating within the scope of the LAP. Initially the scope of the LAP will draw from ISO/IEC DIS 15408 Information technology--Security techniques--Evaluation criteria for IT Security, also called the Common Criteria for Information Technology Security Evaluation, and the Common Evaluation Methodology for Information Technology Security (CEM), an international draft. Additional standards and test methods may be added as they become available.

Evidence of a National Need to Accredit Calibration or Testing Laboratories for the Specific Scope Beyond That Served by an Existing Laboratory Accreditation Program in the Public or Private Sector

The scope of the proposed LAP is beyond that served by any existing laboratory accreditation program in the public or private sector. The only commercial security testing laboratories currently available to conduct Common Criteria-based testing are the Trust Technology Assessment Program (TTAP) laboratories under a program established by the National Security Agency. These laboratories operate under cooperative research and development agreements (CRADA) with NSA and have not been accredited to ISO Guide 25. Recognition of evaluation results in the context of the nations participating in the Common Criteria project requires that IT products be evaluated at accredited testing laboratories. The unique nature of security testing and the associated knowledge and skills needed to operate an accreditation program in this area make NVLAP the essential choice to develop and implement the proposed LAP.

NIAP will hold public workshops to solicit comments on the Common Criteria Scheme and the proposed LAP from all sectors, including producers, the testing laboratory community, and consumers of IT security products in the private and government sectors.

Sincerely,

Stuart W. Katzke,
Chief, Computer Security Division, Information Technology Laboratory, NIST.

Louis F. Giles,
Chief, Information Assurance Partnerships, Evaluations, and Knowledge Management, NSA.

cc:
S. Wakid, Director, Information Technology Laboratory, NIST
M. Jacobs, Deputy Director, Information Systems Security, NSA

[FR Doc. 99-3718 Filed 2-16-99; 8:45 am]
BILLING CODE 3510-13-M