27 June 2007
[Federal Register: June 26, 2007 (Volume 72, Number 122)]
[Notices]
[Page 35036-35042]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr26jn07-24]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Office of the Secretary
[DoD-2007-OS-0066]
National Information Assurance Program
AGENCY: Department of Defense; National Security Agency.
ACTION: Notice of new fees.
-----------------------------------------------------------------------
SUMMARY: Section 933 of Pub. L. 109-364, the John Warner National
Defense Authorization Act for Fiscal Year 2007, provides that the
Director, National Security Agency, may collect charges for evaluating,
certifying, or validating information assurance products under the
National Information Assurance Program (NIAP) or successor program.
Table A sets forth the Fee-For-Service rates that will be assessed to
NIAP accredited commercial Common Criteria Testing Labs (CCTLs) for
``validation'' services performed by NIAP validator personnel on
information technology (IT) security products being evaluated by the
NIAP CCTLs pursuant to the Common Criteria Evaluation and Validation
Scheme (CCEVS).
DATES: Comments must be received on or before August 27, 2007. Do not
submit comments directly to the point of contact or mail your comments
to any address other than what is shown below. Doing so will delay the
posting of the submission.
ADDRESSES: You may submit comments, identified by docket number and/or
RIN number and title, by any of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Mail: Federal Docket Management System Office, 1160
Defense Pentagon, Washington, DC 20301-1160.
Instructions: All submissions received must include the agency name
and docket number or Regulatory Information Number (RIN) for this
Federal Register document. The general policy for comments and other
submissions from members of the public is to make these submissions
available for public viewing on the Internet at http://regulations.gov
as they are received without change, including any personal identifiers
or contact information.
FOR FURTHER INFORMATION CONTACT: Audrey M. Dale, 410-854-4458.
SUPPLEMENTARY INFORMATION: NSA and the National Institute of Standards
and Technology (NIST) formed the NIAP in order to promote information
security in various ways, including the evaluation of IT security
products. Commercial IT security product vendors initiate the NIAP
evaluation process through submission of their IT security product to a
nationally accredited commercial CCTL for evaluation against the
internationally recognized Common Criteria (CC) Standard for
Information Technology Security Evaluation (ISO Standard 15408). NIAP
evaluation is voluntary for IT security products that are acquired by
United States Government (USG) civil agencies and non-USG entities, but
as per National Security Telecommunications & Information Systems
Security Policy (NSTISSP) No. 11, mandatory for IT
[[Page 35037]]
security products purchased for use on systems that process national
security information. Additionally, per DoD Instruction 8500.2 the DoD
mandates the use of CC or NIAP evaluated IT security products on all
DoD networks.
Evaluations are conducted by NIAP accredited commercial CCTLs, with
oversight provided by NIAP validator personnel who are NSA government
employees, Federally Funded Research & Development Centers (FFRDCs)
personnel or contractors. Prior to the enactment of Sec 933, NSA paid
for all validation costs. Sec 933 shifts the costs for this validation
oversight from NSA to the commercial CCTLs (who may, in turn, pass
these fees on to the product vendors seeking NIAP evaluation of their IT
security products). This change will ensure that NIAP can keep pace
with the commercial demand for IT security product evaluations and will
not be constrained by NSA's program budget for validation services.
Fee Schedule: TABLE A delineates the NIAP Validation Oversight Fee
Schedule which will be assessed to CCTLs for validation services
provided in support of their NIAP evaluations. Fees are set on an
hourly basis by validator skill type and are a function of the
Evaluation Assurance Levels (EALs) along with the type and complexity
of the product technology. The CC standard used for NIAP evaluations is
broken down into increasingly more rigorous Evaluation Assurance Levels
(EALs) beginning at EAL 1 and moving up to the highest possible
assurance at EAL 7.
The two primary factors used in developing the Validation Fee
Schedules were the EALs of the evaluations and the complexity (simple,
moderately complex, and complex) of the product being evaluated. Higher
EALs require more rigorous and thus more costly evaluations. More
complex products typically take more time to analyze resulting in
longer and more costly evaluations. The complexity factor takes into
account size of the product in terms of lines of code but must also
reflect the fact that new technologies will require additional
analysis. Simple products would include basic routers, switches or file
encryptors. Products of moderate complexity would include simple
firewalls or general application software. Complex products would
include standard operating systems and new/unique IA products or
technologies.
While validation oversight occurs throughout the course of an
evaluation, the majority of this oversight is focused on Validation
Oversight Reviews (VORs). These reviews take place at critical points
during the evaluation. Evaluations require Initial, Test and Final
VORs. The VOR process typically consists of three phases: the
preparation phase where validators review documents pertaining to that
specific VOR, the actual VOR meeting (attended by the validators and
lab personnel), and the Issue Resolution and Wrap-Up phase. During this
final phase all relevant issues are addressed by the CCTL then the VOR
report is finalized. At EAL 3 and above, witnessing of testing by
validator personnel may also be required.
An additional factor that will affect the validation oversight
costs is the length of the evaluation since monthly validation fees
will be applied to cover validator coordination and guidance costs
throughout the course of the evaluation.
The final section of the fee schedule depicts costs for assurance
maintenance which is the process vendors use to maintain the currency
of their product evaluations. Vendors submit rationale for why changes
to their product did not impact their evaluated product's security. The
vendor proposals are reviewed by a NIAP senior validator who determines
if their rationale is sound and makes a recommendation to NIAP
management who then renders a verdict on the vendor assurance
maintenance proposal.
Dated June 19, 2007.
L.M. Bynum,
Alternate OSD Federal Register Liaison Officer, DoD.
BILLING CODE 5001-06-P
[[Pages 35038-35042]]
[GRAPHIC] [TIFF OMITTED] TN26JN07.000 through TN26JN07.004: Table A, the NIAP Validation Oversight Fee Schedule, appears in the original as graphics and is not reproduced here.
[FR Doc. 07-3114 Filed 6-25-07; 8:45 am]
BILLING CODE 5001-06-C