Federal officials say they’ve turned over a new leaf in a program that was originally intended to let agencies rapidly incorporate commercial hardware and software into national security systems, but so far has failed to keep up with the pace of commercial innovation.
The National Information Assurance Partnership first got off the ground 14 years ago as a way to let agencies make use of a then-still-maturing crop of commercial information assurance products, rather than having to rely on expensive, government-specific IT designed and developed by the National Security Agency.
But NIAP has been widely criticized for falling well short of its intentions. Commercial companies that wanted to get their products certified as secure enough to be incorporated into national security systems routinely waited years. According to a 2004 report by the Cyber Security Industry Alliance, getting a single product through the process cost hundreds of thousands to millions of dollars.
“Agility is one of the things we’ve struggled with. I often joke that NIAP spelled backwards is ‘PAIN,’” said Janine Pedersen, the NIAP program’s director. “A lot of what we’ve gone through has involved a lot of growing pains, as anyone who’s been involved in the program will tell you. But we’ve made some changes that have made us more agile and allow us to be more relevant to our end users and provide them with some reasonable products.”
NIAP, which originated as a partnership between the National Security Agency and the National Institute of Standards and Technology, now is managed by NSA.
Changes to the program include abandoning the practice of assigning “evaluation assurance levels” based on the testing a given product goes through at a NIAP-certified lab. Officials determined that the scheme resulted in approval language that was esoteric and difficult to apply in the real world, and also too subjective: two different labs could evaluate the same product and come up with vastly different results, depending on precisely what they decided to measure.
Instead, NIAP, which is the U.S. government’s implementation of a 26-nation approach called the Common Criteria Evaluation and Validation Scheme (CCEVS), has moved to a system of “protection profiles” that are tailored to specific groups of technologies, and should, in theory, set up a more objective set of security parameters for private labs to test against. Technical working groups made up of members of industry, agency officials, academia and end users build these profiles.
NIAP now uses these profiles to measure the security of commercial products, including firewalls, gateways, mobile devices, virtual private networking systems, wireless networking and several other categories of technology.
“We develop these profiles collaboratively, and from an industry perspective, the benefit of participating in those communities is that it gives them a heads-up look at what the requirements are going to eventually be for a given technology,” Pedersen said at AFCEA’s annual cyber symposium in Baltimore in June. “We’re no longer looking at evaluation assurance levels, because we found that they were trying to be a generic one-size-fits-all for any technology. We recognized that doesn’t make sense and it doesn’t lead to efficient evaluations. It ended up being much more of a paperwork exercise than actually testing the product in front of you.”
The NIAP program also is combining its own process with a separate government IT approval gauntlet for commercial products that fall within the authority of the Defense Information Systems Agency.
While NIAP attempts to verify that it’s possible to make a commercial product safe enough for government work, DISA’s security technical implementation guides (STIGs) tell agency-level security officers exactly how to configure that product so that it performs the same way it did when it received the original NIAP approval.
NIAP and DISA, Pedersen said, have reached an agreement that will ensure that each product that makes it through NIAP will receive a STIG at about the same time.
“To use an analogy, NIAP is the organization that makes sure that when you turn your car’s air conditioner to blue, cold air comes out. DISA, on the other hand, gives you the owner’s manual that tells you which knobs and switches to turn to get your air conditioner to work,” she said.
Approved before it hit the streets
Since the NIAP program revamped its processes, it’s achieved only one major success, though it is a significant one: It paved the way for a modern commercial mobile device to make its way into use for secret-level data within the military and the intelligence community for the first time.
The two latest versions of the Samsung Galaxy smartphone made it through NIAP even before the company was ready to release the devices into the commercial marketplace.
“Our goal is to complete the evaluation just as the product hits the streets,” Pedersen said. “We accomplished that with both the Galaxy S4 and the S5. We don’t want our evaluations to happen two years after the product is released.”
Despite some limited success under the new model, Pedersen said NIAP has had some trouble getting the word out about the changes it’s made, even within the corners of government that are most affected by its procedures.
DoD instructions and other government policies require agencies to use nothing but NIAP-approved products in certain systems unless they obtain a waiver, so contracting officers routinely include demands for NIAP certifications in their solicitations.
But Pedersen said she regularly sees requests for proposals in which agencies insist their vendors meet a certain evaluation assurance level (EAL), even though NIAP stopped issuing certifications under the EAL system almost two years ago.
“If your procurement language has a reference to EALs, you’re either setting yourself up for failure or for getting an old product, because we don’t do EALs anymore.”