Information Assurance: National Partnership Offers Benefits, but Faces Considerable Challenges

GAO-06-392 Published: Mar 24, 2006. Publicly Released: Mar 24, 2006.
Highlights

In 1997, the National Security Agency and the National Institute of Standards and Technology formed the National Information Assurance Partnership (NIAP) to boost federal agencies' and consumers' confidence in information security products manufactured by vendors. To facilitate this goal, NIAP developed a national program that requires accredited laboratories to independently evaluate and validate the security of these products for use in national security systems. These systems are those under control of the U.S. government that contain classified information or involve intelligence activities. GAO was asked to identify (1) the governmentwide benefits and challenges of the NIAP evaluation process on national security systems, and (2) the potential benefits and challenges of expanding the requirement of NIAP to non-national security systems, including sensitive but unclassified systems.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Defense
Recommendation: To assist the NIAP in documenting the effectiveness of the NIAP evaluation process, the Secretary of Defense should direct the Director of the National Security Agency, in coordination with NIST under the provisions of the NIAP partnership, to coordinate with vendors, laboratories, and various industry associations that have knowledge of the evaluation process to develop awareness training workshops for program participants.
Status: Closed – Implemented
In 2006, we reported that National Information Assurance Partnership program participants faced a number of challenges. Specifically, we reported that software vendors were not knowledgeable about the evaluation process used by the Common Criteria testing laboratories. Accordingly, we recommended that the National Security Agency (NSA) coordinate with vendors, laboratories, and various industry associations that have knowledge of the evaluation process to develop awareness training workshops for program participants. In 2010, we verified that NSA, in response to our recommendation, coordinated with laboratories, and that the laboratories are offering training to participants of the...

Agency Affected: Department of Defense
Recommendation: To assist the NIAP in documenting the effectiveness of the NIAP evaluation process, the Secretary of Defense should direct the Director of the National Security Agency, in coordination with NIST under the provisions of the NIAP partnership, to consider collecting, analyzing, and reporting metrics on the effectiveness of NIAP tests and evaluations. Such metrics could include summary information on the number of findings, flaws, and associated fixes.
Status: Closed – Not Implemented
In 2007, the Deputy Assistant Secretary of Defense for Information and Identity Assurance, in response to this recommendation, stated that in order to continue the program within its constrained budget, National Information Assurance Partnership (NIAP) personnel had focused their efforts on re-engineering the validation oversight process for all NIAP evaluations. In addition, the letter stated that NIAP personnel had focused on establishing a fee-for-service schedule in order to recoup validation costs from vendors for each evaluation. The re-engineering of the validation process along with the fee-for-service efforts necessitated a complete revision in the way NIAP was originally proposing to gather...

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Cyber security; Evaluation criteria; Evaluation methods; Information security; Information technology; Product evaluation; Program evaluation; Systems evaluation; Information management; Joint ventures