NIST Issues High Level FIPS 140-1 Certifications

FIPS 140-1 is the US government standard for cryptographic modules, and largely the de facto industry standard for commercial devices. The standard provides four increasing, qualitative levels of security intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. The first product certified was an Entrust hardware module in October 1995 at level 1. During the autumn of 1998, several products were certified at an overall level of 3. These include GTE's SafeKeyper Signer, nCipher's nFast Accelerators, the Chrysalis-ITS LunaCA3 PCMCIA card, the Pitney Bowes PC Meter Crypto Module, and the Litronics Argus/300 Security Adapter. On November 25, IBM's 4758 PCI card crypto coprocessor became the first product certified at level 4.

Common Criteria News: MRA signed, ISO Adopts CC, more
contributed by Gene Troy

The Common Criteria Project is very active these days, and momentum and consensus continue to build on world-wide adoption of the CC as both the de facto and the official International Standard. Several important items of interest have happened recently in CC-land. Read on! (Contact: Gene Troy, NIST, email: criteria@nist.gov)

-- CC Mutual Recognition Arrangement (MRA) Signed. On 5 October, as part of the opening ceremonies of the NISSC, senior officials of six of the seven CC Project Sponsoring Organizations signed the MRA, ensuring mutual recognition of CC-based IT security product evaluations conducted in each other's countries. This is an historic event and an important breakthrough, signaling the culmination of the CC Project. The signatories were: Canada (CSE), France (SCSSI), Germany (GISA/BSI), United Kingdom (CESG), and the United States (NIST and NSA). The Netherlands (NLNCSA) temporarily abstained, as their evaluation program is not yet in place. Read the MRA at: http://niap.nist.gov/ccmra-v1.pdf.

-- ISO Adopts CC as Final Draft International Standard (FDIS) 15408. At its meeting in Rio de Janeiro on 26 October, ISO/JTC1 "Security Techniques" Subcommittee 27 adopted the CCv2.0 with some minor editorial changes as the new ISO FDIS 15408. This is the next-to-last step in the CC's process of becoming International Standard 15408. All that remains is a short up-or-down ballot among the ISO National Bodies, which will be completed this winter. The text of the CCv2.0, with the recent ISO editing changes included, is now almost certain to become the exact text of the new IS 15408. This slightly revised CC text is posted at: http://csrc.nist.gov/cc/ccv20/ccv2list.htm.

-- NIST Information Technology Lab (ITL) Publishes CC Bulletin. On 24 November, NIST-ITL published a new bulletin, "Common Criteria: Launching the International Standard", that is the most current description of the CC Project. The bulletin provides an introduction and overview of the CC and discusses its US and multi-national implementation. The CC Project's relationship with ISO and its new FDIS 15408 (the CCv2.0 in ISO lingo) is also described. The bulletin discusses mutual recognition of evaluated products. It also provides some potential scenarios for using the CC. Get the bulletin at http://csrc.nist.gov/cc/info/infolist.htm#papers.

-- NIAP Announces CC Application Courses. The joint NIST-NSA National Information Assurance Partnership (NIAP) has developed a series of three courses to help educate IT personnel in the use and application of the CC. These courses are open to the public. Course descriptions and further information are available at: http://niap.nist.gov/announcements/98highlights.html#Classes. There are still openings in the third offering to date of Class #1, "Developing CC Protection Profiles", which will be given December 15-18, 1998 at NIST, Gaithersburg, MD. This four-day class provides introductory information to IT product developers and consumers in the use and application of the CC. Students will get hands-on experience in defining IT security requirements and developing CC Protection Profiles using practical real-world examples. Security Target construction will also be addressed. There is a charge for these classes; group rates and on-site delivery are available. To register or for further information call +1.410.859.4458. Ask for the CC Usage Class Administrator. Other NIAP CC classes, dates and venues will be announced soon, so check out http://niap.nist.gov/event.html#Classes from time to time.