Information Assurance: National Partnership Offers Benefits, but Faces Considerable Challenges
Highlights
In 1997, the National Security Agency and the National Institute of Standards and Technology formed the National Information Assurance Partnership (NIAP) to boost federal agencies' and consumers' confidence in information security products manufactured by vendors. To facilitate this goal, NIAP developed a national program that requires accredited laboratories to independently evaluate and validate the security of these products for use in national security systems. These systems are those under control of the U.S. government that contain classified information or involve intelligence activities. GAO was asked to identify (1) the governmentwide benefits and challenges of the NIAP evaluation process on national security systems, and (2) the potential benefits and challenges of expanding the requirement of NIAP to non-national security systems, including sensitive but unclassified systems.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | To assist the NIAP in documenting the effectiveness of the NIAP evaluation process, the Secretary of Defense should direct the Director of the National Security Agency, in coordination with NIST under the provisions of the NIAP partnership, to coordinate with vendors, laboratories, and various industry associations that have knowledge of the evaluation process to develop awareness training workshops for program participants. | In 2006, we reported that the National Information Assurance Partnership program participants faced a number of challenges. Specifically, we reported that software vendors' were not knowledgeable of the evaluation process used by the Common Criteria testing laboratories. Accordingly, we recommended that the National Security Agency (NSA) coordinate with vendors, laboratories, and various industry associations that have knowledge of the evaluation process to develop awareness training workshops for program participants. In 2010, we verified that NSA, in response to our recommendation, coordinated with laboratories, and that the laboratories are offering training to participants of the... program via their websites. As a result of the training, evaluations have a greater likelihood of being completed more efficiently since the vendors are already familiar with the evaluation process and the extensive documentation requirements necessary to complete the evaluation.
View More |
| Department of Defense | To assist the NIAP in documenting the effectiveness of the NIAP evaluation process, the Secretary of Defense should direct the Director of the National Security Agency, in coordination with NIST under the provisions of the NIAP partnership, to consider collecting, analyzing, and reporting metrics on the effectiveness of NIAP tests and evaluations. Such metrics could include summary information on the number of findings, flaws, and associated fixes. | In 2007, Deputy Assistant Secretary of Defense for Information and Identity Assurance in response to this recommendation, stated that in order to continue the program within its constrained budget, National Information Assurance Partnership (NIAP) personnel focused their efforts on re-engineering the validation oversight process for all NIAP evaluations. In addition, the letter stated that NIAP personnel focused on establishing a fee-for-service schedule in order to recoup validation costs from vendors for each evaluation. The re-engineering of the validation process along with the fee-for-service efforts necessitated a complete revision in the way NIAP was originally proposing to gather...
|