NIST/NSA Formally Unveils Trust Technology Assessment Program by Jeremy Epstein, Cordant, Inc.


The Trust Technology Assessment Program (TTAP) is a joint effort by NIST and NSA to allow evaluation of low assurance commercial products by commercially licensed facilities. On September 26, NIST and NSA held a public workshop to explain how TTAP will work. This is a summary of the workshop.

The TTAP project has been underway for about five years, and has been explained in numerous papers and conference panels. The purpose of the workshop was to make available, for the first time, the documents that provide detailed explanations of how organizations can become licensed to perform TTAP evaluations and how TTAP evaluations will be performed. Of the 45 workshop attendees, about 50% represented potential TTAP laboratories, 25% vendors, and 25% government (mostly TTAP presenters).

Under TTAP, evaluations will be performed by LTEFs (Licensed TTAP Evaluation Facilities). There are two parts to understanding TTAP: the licensing process and the evaluation process. To be licensed, an organization needs to be accredited under NIST's National Voluntary Laboratory Accreditation Program (NVLAP). In addition, the organization must pay accreditation fees and pass an on-site assessment (which includes reviewing the backgrounds of the proposed evaluators, conducting an evaluator proficiency exam, and examining the organization's quality assurance). Once the LTEF is licensed, it can conduct TTAP evaluations. Initially, TTAP will cover TCSEC C2 evaluations only. TTAP evaluations will be reviewed by an NSA Technical Review Board (TRB), just as is done with the current NSA-run Trusted Product Evaluation Process (TPEP) evaluations. TTAP evaluations may eventually include TCSEC B1 evaluations, C2 and/or B1 network evaluations, and Common Criteria evaluations.

A set of draft documents describing the above processes in detail was handed out:

All of these will be available (soon) from the TTAP Web site http://csrc.nist.gov/ttap. NIST and NSA invited comments and questions on the documents and the process (send to ttap@csmes.ncsc.nist.gov). A workshop will be held on November 20 at the Institute for Defense Analyses (IDA) in Alexandria, VA to discuss TTAP further.

Under government sponsorship, Computer Sciences Corporation (CSC) started an experimental TTAP evaluation of Hewlett-Packard's HP-UX to determine the viability of the process. Thus far, the CSC team has completed IPAR TRB, after expending approximately 6 person-years of evaluation effort.

Starting in spring 1997, NIST will begin a two-year pilot program to accredit LTEFs and do TTAP evaluations. The plan is that once a sufficient number of LTEFs are accredited, NSA will stop starting new C2 evaluations.

One of the more interesting topics covered was the business case for being an LTEF. While NIST and NSA were unable to give expected effort levels or costs for a TTAP evaluation, members of the audience estimated the cost from $300K (for a very straightforward evaluation, such as a standalone UNIX system) to $2,000K or more for a more typical complex product. Although a dollar figure was not provided, the CSC experiment seems to bear out that this is an accurate order of magnitude for cost. It remains to be seen whether vendors will pay these fees to an LTEF in addition to the expenses already incurred to develop and support the evaluation of a trusted product. The NIST representative suggested that an LTEF might be more viable once other types of evaluations are started (such as Common Criteria evaluations of firewalls).

It is unclear today whether vendors will spend the money to support both a TTAP and an ITSEC (European) evaluation, given that U.S. government organizations will accept an ITSEC evaluation if there is no competitive product with a U.S. rating. Finally, several vendors expressed the opinion that unless government organizations start purchasing evaluated products rather than obtaining waivers, there is no value to the vendor in evaluating the product.