Subject: Computer Security Evaluation FAQ, Version 1.0
Date: 29 Mar 1996 17:24:02 GMT
X-Last-Updated: 1996/03/29

Posting-Frequency: monthly

The Computer Security Evaluation Frequently Answered Questions (V1.0)

This FAQ is designed to answer common questions about the evaluation of
trusted products.  It is being posted to comp.security.misc,
comp.security.unix, comp.answers and news.answers.  We have attempted to be as
clear, precise, and accurate as possible.  Some answers are undoubtedly closer
to this ideal than others.  Comments on the FAQ may be sent to
TPEP@dockmaster.ncsc.mil.


----------

Subject: Contents

Section I: The Trusted Product Evaluation Program (TPEP)
  1. What is the National Computer Security Center (NCSC)?
  2. What is TPEP?
  3. How is TPEP related to the National Security Agency (NSA)?
  4. How is TPEP related to the National Institute of Standards
     and Technology (NIST)?
  5. How do I contact the TPEP?
  6. What is TTAP?
  7. What is Dockmaster?
  8. Why doesn't TPEP have a WWW server on Dockmaster?
Section II: Criteria
  1. What is the criteria used for evaluation?
  2. What is the TCSEC?
  3. What is the Orange Book?
  4. What are interpretations?
  5. What is the Interpreted TCSEC (ITCSEC)?
  6. What is the ITSEC (as opposed to the ITCSEC)?
  7. What is the CTCPEC?
  8. What is the Common Criteria?
  9. What is the TNI?
 10. What is the TDI?
 11. What is the Rainbow Series?
 12. What are Process Action Team (PAT) Guidance Working Group (PGWG)
     documents?
 13. Is there a criteria for commercial (as opposed to military) systems?
 14. What is the Federal Criteria?
 15. What are the CMWREQs and the CMWEC?
Section III: Criteria Concepts
  1. What are security features?
  2. What is assurance?
  3. What is a division?
  4. What is a class?
  5. What is a network component?
  6. What is a Network Security Architecture Design (NSAD) document?
  7. How do I interpret a rating?
  8. The TCSEC is 10 years old, doesn't that mean it's outdated?
  9. How do the TCSEC and its interpretations apply to routers and
     firewalls?
Section IV: Evaluations
  1. How do I get my product evaluated?
  2. What is the evaluation process?
  3. How long does an evaluation take?
  4. How much does an evaluation cost?
  5. How do I find out about the evaluation process?
  6. Who actually performs the evaluations?
  7. What information is released about an evaluated product?
  8. What is RAMP?
Section V: Evaluated Products
  1. Should I buy an evaluated product?
  2. Does NSA buy/use evaluated products?
  3. How do I know if a product is evaluated?
  4. What does it mean for a product to be "in evaluation"?
  5. What does it mean for a product to be "compliant" with the TCSEC?
  6. What and where is the Evaluated Products List (EPL)?
  7. How do I get a copy of an evaluation report?
  8. Is an evaluated product "hacker proof?"
  9. What is the rating of DOS?
 10. What is the rating of UNIX?
 11. What should I do if evaluated Product X appears to fail a requirement?
 12. Why should I buy a B2/B3/A1 product over a C2/B1 product?

----------

Subject: Section I: The Trusted Product Evaluation Program (TPEP)

  1. What is the National Computer Security Center (NCSC)?

          The Department of Defense Computer Security Center was
          established in 1981 to encourage the widespread availability of
          trusted computer systems for use by facilities processing
          classified or other sensitive information.  In August 1985 the
          name of the organization was changed to the National Computer
          Security Center (NCSC).  

  2. What is TPEP?

          The Trusted Product Evaluation Program (TPEP) is the program by
          which the NCSC evaluates computer systems against security
          criteria.  The Trusted Product Evaluation Program (TPEP) is
          operated by an organization separate from the National Computer
          Security Center (NCSC).  The TPEP performs computer security
          evaluations for, and on behalf of, the NCSC.

  3. How is TPEP related to the National Security Agency (NSA)?

          Both the Trusted Product Evaluation Program (TPEP) and the
          National Computer Security Center (NCSC) are organizational
          units within the National Security Agency (NSA).  The TPEP and
          NCSC are two of a number of organizational units within the NSA
          responsible for the information system security mission with
          respect to classified and sensitive data (see
          <http://www.nsa.gov:8080/>).

  4. How is TPEP related to the National Institute of Standards
     and Technology (NIST)?

          In Public Law 100-235 Congress directed the National Security
          Agency (NSA), of which the Trusted Product Evaluation Program
          (TPEP) is a part, to lead the efforts of the United States
          Government in information systems security for classified
          information.  The National Institute of Standards and Technology
          (NIST), as part of the Department of Commerce, is directed to lead
          the efforts for sensitive but unclassified information with
          technical support from the NSA.  The NSA and NIST have established
          a Memorandum of Understanding detailing the responsibilities of
          each organization with respect to the other in this area.  While
          NSA and NIST each have individual efforts, the agencies attempt to
          develop methods and standards that are compatible (see
          <http://csrc.ncsl.nist.gov/>).

  5. How do I contact the TPEP?

          The Trusted Product Evaluation Program can be reached by mail at:

             Trusted Product Evaluation Program, Attn: V24
             Department of Defense
             9800 Savage Road
             Fort George G. Meade, MD 20755-6000
          
          or by phone at (410) 859-4458.
          
  6. What is the TTAP?

          The Trust Technology Assessment Program (TTAP) is a joint
          National Security Agency (NSA) and National Institute of
          Standards and Technology (NIST) effort to commercialize the
          evaluation of commercial-off-the-shelf (COTS) products at the
          lower levels of trust.  Under the auspices of the National
          Voluntary Laboratory Accreditation Program (NVLAP), TTAP will
          establish, accredit and oversee commercial evaluation
          laboratories focusing initially on products with features and
          assurances characterized by the Trusted Computer System
          Evaluation Criteria (TCSEC) B1 and lower levels of trust
          (see Section II, Question 2 and Section III, Question 4).
          Vendors desiring a level of trust evaluation will contract with
          an accredited laboratory and pay a fee for their product's
          evaluation.

          TTAP approval and oversight mechanisms will assure continued
          quality and fairness.  Using the NVLAP model of standardized
          testing and analysis procedures, TTAP will strive to achieve
          mutual recognition of evaluations with other nations.  The
          European Community evaluations are performed under the purview
          of national test standardization bodies associated with NVLAP.

          The TTAP is being established with a planned transition from
          TCSEC based evaluations to Common Criteria based evaluations
          (see Section II, Question 8).  The implementation of the Common
          Criteria will occur upon acceptance of the Common Criteria and
          the Common Evaluation Methodology, which is in the process of
          being developed.

  7. What is Dockmaster?

          Dockmaster, or more precisely dockmaster.ncsc.mil, is an
          unclassified computer system used by the Trusted Product
          Evaluation Program (TPEP) to exchange information between
          product evaluators, vendors, and others within the computer
          system security community.  Dockmaster is based on the
          B2-evaluated Honeywell MULTICS product.  This is a very old
          platform, and efforts are underway to replace Dockmaster with a
          more current product.

  8. Why doesn't TPEP have a WWW server on Dockmaster?

          Many desirable network access features are not available in the
          MULTICS operating system used by Dockmaster.  As the system is
          upgraded, it is anticipated that it will support some of these
          features.

----------

Subject: Section II: Criteria

  1. What is the criteria used for evaluation?

          The criteria currently used by the Trusted Product Evaluation
          Program (TPEP) to grade the security offered by a product is
          the Trusted Computer System Evaluation Criteria (TCSEC), dated
          1985 (see Section II, Question 2).

  2. What is the TCSEC?

          The Trusted Computer System Evaluation Criteria (TCSEC) is a
          collection of criteria used to grade or rate the security
          offered by a computer system product.  The TCSEC is sometimes
          referred to as "the Orange Book" because of its orange cover.
          The current version is dated 1985 (DOD 5200.28-STD, Library No.
          S225,711).  The TCSEC, its interpretations and guidelines all
          have different color covers, and are sometimes known as the
          "Rainbow Series" (see Section II, Question 11).

  3. What is the Orange Book?

          See Section II, Question 2.

  4. What are interpretations?

          It is often the case that there are several ways to read a
          given statement in the Trusted Computer System Evaluation
          Criteria (TCSEC).  Interpretations are official statements
          articulating which of a number of possible ways to read the
          requirement are the acceptable ways for purposes of evaluation
          by the TPEP.  Interpretations are developed by a group of
          highly experienced product evaluators.  These interpretations
          in proposed form are available for comment by all users of
          Dockmaster (see Section I, Question 7), including vendors with
          products in evaluation.  After considering the comments and
          revising the interpretation as appropriate (sometimes through
          several rounds of comments and revision), the interpretation is
          accepted by the TPEP and officially announced.

  5. What is the Interpreted TCSEC (ITCSEC)?

          The Interpreted Trusted Computer System Evaluation Criteria
          (ITCSEC) is a version of the TCSEC maintained by the Trusted
          Product Evaluation Program (TPEP) that annotates the TCSEC
          requirements with all current interpretations.  A possibly
          outdated copy is available by anonymous FTP in postscript from
          <ftp://chacs.itd.nrl.navy.mil/pub/chacs/ITCSEC.ps>.  It is also
          available to anyone with a Dockmaster account in
          >udd>CPE>public>iwg>Interpreted.TCSEC.ps

  6. What is the ITSEC (as opposed to the ITCSEC)?

          The Information Technology Security Evaluation Criteria (ITSEC)
          is a European-developed criteria filling a role roughly
          equivalent to the TCSEC.  While the ITSEC and TCSEC have many
          similar requirements, there are some important distinctions.
          The ITSEC places increased emphasis on integrity and
          availability, and attempts to provide a uniform approach to the
          evaluation of both products and systems.  The ITSEC also
          introduces a distinction between doing the right job
          (effectiveness) and doing the job right (correctness).  In so
          doing, the ITSEC allows less restricted collections of
          requirements for a system at the expense of more complex and
          less comparable ratings and the need for effectiveness analysis
          of the features claimed for the evaluation.  The question of
          whether the ITSEC or TCSEC is the better approach is the
          subject of sometimes intense debate.  The ITSEC is available in
          postscript at <http://hightop.nrl.navy.mil/rainbow.html>.

          On 21 August 1995, the National Institute of Standards and
          Technology (NIST) released a draft National Computer Systems
          Laboratory (NCSL) Bulletin.  This draft bulletin addresses the
          relationship of low assurance products evaluated under the
          TCSEC, ITSEC, and CTCPEC.  In the case of the ITSEC, it
          recommends that if an appropriate C2 rated product is not
          available, ITSEC rated FC2/E2 products be used.

  7. What is the CTCPEC?

          The Canadian Trusted Computer Product Evaluation Criteria is
          the Canadian equivalent of the TCSEC.  It is somewhat more
          flexible than the TCSEC (along the lines of the ITSEC) while
          maintaining fairly close compatibility with individual TCSEC
          requirements.  The CTCPEC is available in postscript at
          <http://hightop.nrl.navy.mil/rainbow.html>.

          On 21 August 1995, the National Institute of Standards and
          Technology (NIST) released a draft National Computer Systems
          Laboratory (NCSL) Bulletin.  This draft bulletin addresses the
          relationship of low assurance products evaluated under the
          TCSEC, ITSEC, and CTCPEC.  In the case of the CTCPEC, it
          recommends that if an appropriate C2 rated product is not
          available, CTCPEC products rated with a C2 functionality
          profile and T1 assurance be used.

  8. What is the Common Criteria?

          The Common Criteria (CC) occasionally (and somewhat
          incorrectly) referred to as the Harmonized Criteria, is a
          multinational effort to write a successor to the TCSEC and
          ITSEC that combines the best aspects of both.  A number of
          countries are expending considerable effort on this at the
          current time.  A draft (V 0.9) was released in October of 1994,
          and received comments from the security community.  A new draft
          is expected shortly.  The CC currently has a structure closer
          to the ITSEC than the TCSEC and includes the concept of a
          "profile" to collect requirements into easily specified and
          compared sets.

  9. What is the TNI?

          The Trusted Network Interpretation (TNI) of the TCSEC, also
          referred to as "The Red Book," is a restating of the
          requirements of the TCSEC in a network context.  Systems of the
          type described by Part I of the TNI (sometimes called distributed
          or homogeneous systems) are often evaluated directly against the
          TCSEC without reference to the TNI.  TNI component evaluations
          are evaluations performed against Appendix A of the TNI (see
          Section III, Question 5).

 10. What is the TDI?

          The Trusted Database Interpretation (TDI) of the TCSEC is
          similar to the Trusted Network Interpretation (TNI) in that it
          decomposes a system into independently evaluatable components.
          It differs from the TNI in that the paradigm for this
          decomposition is the evaluation of an application (e.g.,
          database) running on an already evaluated system.  The Trusted
          Product Evaluation Program (TPEP) has to date only evaluated
          databases using this interpretation.  In principle arbitrary
          trusted applications could be evaluated.

 11. What is the Rainbow Series?

          The "Rainbow Series" is the name given to the collection of
          interpretation documents (e.g., TNI and TDI) and guidance
          documents (e.g., Guide to understanding MAC, Password
          Guidelines) published by the National Computer Security Center
          (NCSC).  Each document has a different color cover, thus the
          name "Rainbow Series."  The guidelines of the rainbow series
          are designed to expand on, and clarify, the requirements in the
          Trusted Computer System Evaluation Criteria (TCSEC).  They are,
          however, only guidance.  The words of the requirements and
          interpretations are used as the metric for evaluation, not the
          guidelines.  A single copy of every rainbow series
          document is available without charge by writing to:

              INFOSEC Awareness, Attn: Y13/IAOC
              Department of Defense
              9800 Savage Road
              Fort George G. Meade, MD 20755-6000

          or by calling (410) 766-8729.  Additional copies may be
          obtained from the Government Printing Office.  The Trusted
          Computer System Evaluation Criteria (TCSEC) and some of the
          other rainbow series documents are available from
          <http://hightop.nrl.navy.mil/docs/orangebook.html>.

 12. What are Process Action Team (PAT) Guidance Working Group (PGWG)
     documents?

          The PGWG (sometimes pronounced pig-wig) documents are also known
          as the Form and Content documents.  These documents are
          published directly by the Trusted Product Evaluation Program
          (TPEP) and are designed to provide guidance to vendors
          submitting products for evaluation.  This guidance is not
          security or requirements guidance in the Rainbow Series style.
          Rather, these documents provide rules used by the TPEP in
          accepting products into evaluation to ensure that the
          information provided to the evaluation team is in a state that
          is most conducive to an expeditious and trouble-free
          evaluation.  The document discussing design documentation is
          available by anonymous FTP from
          <ftp://chacs.itd.nrl.navy.mil/pub/chacs/PATdesign.ps>.  The
          document discussing test documentation is available by
          anonymous FTP from
          <ftp://chacs.itd.nrl.navy.mil/pub/chacs/PATtest.ps>.

 13. Is there a criteria for commercial (as opposed to military) systems?

          The Trusted Product Evaluation Program (TPEP) is prohibited by
          the Computer Security Act of 1987 from attempting to directly
          address the needs of commercial systems.  The TPEP does not
          subscribe, however, to the often loudly espoused belief that
          the requirements of military systems are entirely divorced from
          the requirements of commercial systems.  It seems reasonable to
          believe that commercial computer system users require many of
          the same basic features of military systems: identification and
          authentication of the users requesting information or service
          from the system; ability to audit the actions of users; and
          control of access to information, both at the discretion of the
          information owner and by corporate policy.  Because the TCSEC
          couched its requirements in terms of DoD classifications, many
          people have not thought about applying them to similar needs
          for mandatory controls on protected information pertaining to
          product development, marketing, and personnel decisions.  It is
          one of the aims of the Common Criteria to provide criteria that
          use more general terminology.

 14. What is the Federal Criteria?

          The Federal Criteria was an attempt to develop a criteria to
          replace the Trusted Computer System Evaluation Criteria (TCSEC).
          A draft version was released for public comment in December 1992.
          However, this effort was supplanted by the Common Criteria effort
          (see Section II, Question 8), and the Federal Criteria never moved
          beyond the draft stage (although many of its ideas are retained
          in the Common Criteria).  There is no FINAL Federal Criteria; the
          draft should not be treated as a final criteria document.  The
          draft of the Federal Criteria is available at
          <http://hightop.nrl.navy.mil/rainbow.html>.

 15. What are the CMWREQs and the CMWEC?

          The criteria used by the Defense Intelligence Agency (DIA) to
          rate a product as a Compartmented Mode Workstation (CMW) is the
          Compartmented Mode Workstation Evaluation Criteria (CMWEC),
          which superseded the CMW Requirements (CMWREQs) in 1991. This
          criteria defines a minimum level of assurance equivalent to the
          B1 level of the TCSEC (see Section III, Questions 2-4).  It
          also defines a minimum set of functionality and usability
          features outside the scope of the TCSEC (e.g. a graphical user
          interface via a window system is required along with the
          capability to cut and paste between windows).  Neither set of
          requirements is currently used by the Trusted Product Evaluation
          Program (TPEP).

----------

Subject: Section III: Criteria Concepts

  1. What are security features?

          A security feature is a specific implementable function in a
          system which supports some part of the system's security
          policy.  Examples of security features would be access control,
          trusted path, and audit.  The Trusted Computer System
          Evaluation Criteria (TCSEC) (see Section II, Question 2)
          ratings are not designed to express the rating of individual
          features, as are some other criteria.  Rather, each class
          specifies a set of security features that a system must
          implement in order to be rated at that class.  However, many
          evaluations are given "extra credit" in the evaluation results
          for successful implementations of features that are required
          only in a higher overall rating in the criteria.

  2. What is assurance?

          In the context of the Trusted Computer System Evaluation
          Criteria (TCSEC), assurance coincides with correctness
          assurance.  It is a measure of confidence that the security
          features and architecture of a computer system accurately
          mediate and enforce the system security policy.  The TCSEC's
          assurance-related requirements constrain development methods
          (e.g., configuration management) and software engineering
          practices (e.g., modular code).  Higher evaluation classes
          contain more assurance-promoting requirements and give more
          confidence in correctness.

  3. What is a division?

          A division is a set of classes (see Question 4) from the
          Trusted Computer System Evaluation Criteria (TCSEC) (see
          Section II, Question 2).  There are four divisions, A, B, C, and
          D, in decreasing order of assurance and features.  Thus, a system
          evaluated at a class in division B has more security features
          and/or a higher confidence that the features work as intended
          than a system evaluated at a class in division C.  Although the
          Computer Security Subsystem Interpretation (CSSI) of the TCSEC
          specifies criteria for various D ratings, these are not
          reflected in the TCSEC itself, which has no requirements for D
          division systems.  An unrated system is, by default, division
          D.

  4. What is a class?

          A class is the specific collection of requirements in the
          Trusted Computer System Evaluation Criteria (TCSEC) to which an
          evaluated system conforms.  There are seven classes in the
          TCSEC: A1, B3, B2, B1, C2, C1, and D, in decreasing order of
          features and assurances.  Thus, a system evaluated at class B3
          has more security features and/or a higher confidence that the
          security features work as intended than a system evaluated at
          class B1.  The requirements for a higher class are always a
          superset of the lower class.  Thus a B2 system meets every C2
          functional requirement and has a higher level of assurance.
          
  5. What is a network component?

          A "network component" is the target of evaluation for a Trusted
          Network Interpretation (TNI) evaluation (see Section II,
          Question 9) done against appendix A of the TNI.  These
          "network component" evaluations allocate basic requirements
          (Mandatory Access Control (MAC); Discretionary Access Control
          (DAC); Audit; and Identification and Authentication) to
          components of a "network system".  Each component may be
          evaluated in isolation.  The TPEP does evaluate degenerate TNI
          components that independently meet all basic requirements (but
          nevertheless have an interface to other, perhaps identical
          components), but has not evaluated any degenerate TNI component
          that met none of the basic requirements (relying totally on
          other components for the security features).  It is not
          expected that a component meeting none of the basic
          requirements would be evaluated.

  6. What is a Network Security Architecture Design (NSAD) document?

          The documentation for a network component (see Section III,
          Question 5) must include a Network Security Architecture Design
          (NSAD) document which describes the security expectations by this
          component about other components.  Each component evaluation
          proceeds under the assumption that the expectations of the NSAD
          are met by the other components.  A collection of components
          designed around the same architecture should interoperate
          securely.
  
  7. How do I interpret a rating?

          A product evaluated by the Trusted Product Evaluation Program
          (TPEP) will have one of several styles of ratings.  A product
          evaluated against the Trusted Computer System Evaluation
          Criteria (TCSEC) will have one of the seven class ratings: A1,
          B3, B2, B1, C2, C1, or D (see Section III, Question 4).  In
          addition a TCSEC evaluated product may be evaluated to have met
          requirements above its class.  These would be specified
          additionally such as "meets the B1 requirements and the B2
          Trusted Path requirement."  It is very important to note that,
          for example, a B1 evaluated system with B2 trusted path,
          provides significantly less confidence that trusted path is
          implemented correctly than a B2 evaluated system.  That is to
          say that the assurance is always that of the system's rated
          class.

          Some systems have been evaluated against the Compartmented Mode
          Workstation (CMW) criteria.  The CMW criteria levies minimum
          features and assurances from the TCSEC as well as additional
          usability criteria (e.g., specifying that the window system must
          manipulate windows at multiple levels in certain ways).  The
          TPEP has treated these systems as standard TCSEC evaluations
          with additional requirements.  From a security perspective the
          CMW requirements do not preclude a B2 or higher CMW, however,
          to this point all CMW evaluated systems are B1 evaluated with
          additional TCSEC features above the evaluated class.

          Another form of rating is a Trusted Network Interpretation
          (TNI) component (see Section III, Question 5) rating.  TNI
          component ratings specify the evaluated class as well as which
          of the four basic security services the evaluated component
          provides.  Thus, a B2-MD component is one that provides both
          Mandatory Access Control (MAC) and Discretionary Access Control
          (DAC).  A B1-MDIA component is one that provides MAC, DAC,
          Identification and Authentication, and Audit.  Since a B1-MDIA
          component meets all the Trusted Computer System Evaluation
          Criteria (TCSEC) requirements for B1, it is likely that this
          component is also evaluated as a B1 system if it can be used in
          a non-network configuration.

          A third form of rating is a Trusted Database Interpretation
          (TDI) rating.  This rating is the same as a TCSEC rating except
          that the rating applies to the composite of the evaluated
          application and each of the listed underlying systems.

          Finally, products evaluated against the Computer Security
          Subsystem Interpretation (CSSI) of the TCSEC have been given
          variations of D division (see Question 3) ratings.  These
          appear for example as I&A/D2, Audit/D1, DAC/D3, and OR/D.
          These products all have very low assurance regardless of the
          features.
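          The rating forms described in this answer, together with the
          class ordering of Question 4, can be checked mechanically.  The
          Python below is an added illustration for readers of this FAQ,
          not FAQ text or a TPEP tool; its function names, the Rating
          type, and the "extras" parameter for requirements met above the
          rated class are assumptions of the example, and the per-class
          basic-service table reflects the TCSEC itself (DAC and I&A from
          C1, audit from C2, MAC from B1).

```python
"""Decode TPEP rating strings and check them against a procurement
requirement.  Added illustration (not FAQ text or a TPEP tool); the
function names, the Rating type and the `extras` parameter are assumptions
made for this example."""
import re
from dataclasses import dataclass

# The seven TCSEC classes in decreasing order of features and assurance
# (Section III, Question 4).  A higher class is a superset of a lower one.
CLASS_ORDER = ["A1", "B3", "B2", "B1", "C2", "C1", "D"]

# Letters of the service suffix in a TNI component rating such as "B2-MD"
# (Section III, Question 7).
SERVICE_LETTERS = {"M": "MAC", "D": "DAC", "I": "I&A", "A": "Audit"}

# Basic services a full-system TCSEC rating implies: the TCSEC requires DAC
# and I&A from C1, adds audit at C2 and MAC at B1; D requires nothing.
CLASS_SERVICES = {
    "D": frozenset(),
    "C1": frozenset({"DAC", "I&A"}),
    "C2": frozenset({"DAC", "I&A", "Audit"}),
}
for _cls in ("B1", "B2", "B3", "A1"):
    CLASS_SERVICES[_cls] = frozenset(SERVICE_LETTERS.values())


@dataclass(frozen=True)
class Rating:
    kind: str                        # "TCSEC", "TNI" or "CSSI"
    cls: str                         # rated class; CSSI uses "D", "D1".."D3"
    services: frozenset              # basic services the product provides
    feature: str = ""                # CSSI subsystem feature, e.g. "Audit"
    extras: frozenset = frozenset()  # (class, requirement) met above cls


def parse_rating(text, extras=()):
    """Parse "B2", "B1-MDIA" or "I&A/D2" into a Rating.

    extras lists requirements met above the rated class, e.g.
    [("B2", "Trusted Path")] for "meets the B1 requirements and the B2
    Trusted Path requirement".  Unrecognised strings raise ValueError.
    """
    s = text.strip()
    if s in CLASS_ORDER:                       # plain TCSEC class rating
        return Rating("TCSEC", s, CLASS_SERVICES[s], extras=frozenset(extras))
    m = re.fullmatch(r"(A1|B[123]|C[12]|D)-([MDIA]+)", s)
    if m:                                      # TNI component rating
        services = frozenset(SERVICE_LETTERS[ch] for ch in m.group(2))
        return Rating("TNI", m.group(1), services, extras=frozenset(extras))
    m = re.fullmatch(r"([A-Za-z&]+)/(D[1-3]?)", s)
    if m:                                      # CSSI subsystem rating
        return Rating("CSSI", m.group(2), frozenset(), feature=m.group(1))
    raise ValueError(f"unrecognised rating: {text!r}")


def class_rank(cls):
    """0 for A1 through 6 for D.  CSSI variants (D1..D3) rank as division D,
    since the TCSEC itself has no requirements for division D."""
    return CLASS_ORDER.index(cls if cls in CLASS_ORDER else "D")


def meets(rating, required_class, required_services=()):
    """True when the *rated* class is at least required_class and every
    required basic service is provided.  rating.extras is deliberately
    ignored: a B1 system with B2 trusted path is still B1 assurance."""
    if class_rank(rating.cls) > class_rank(required_class):
        return False
    return frozenset(required_services) <= rating.services
```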

  8. The TCSEC is 10 years old, doesn't that mean it's outdated?

          The Trusted Computer System Evaluation Criteria (TCSEC) was
          published in 1985.  While some of the details need
          interpretation for current systems, in general the requirements
          of the TCSEC are at a level of abstraction that has not
          experienced great change.  For the areas where it is becoming
          difficult to use the TCSEC, the Common Criteria (see Section
          II, Question 8) should provide more relevant criteria.

  9. How do the TCSEC and its interpretations apply to routers and
     firewalls?

          The Trusted Network Interpretation (TNI) of the TCSEC has been
          used to evaluate these types of products.  While there is some
          value to those evaluations it is true that many of the specific
          mechanisms of these products on which one might wish to have an
          evaluator comment are not recognized by the TNI.  It is hoped
          that the Common Criteria (see Section II, Question 8) will be
          able to address these products more directly with, for example,
          an appropriate profile.

----------

Subject: Section IV: Evaluations

  1. How do I get my product evaluated?

          Product developers who have a product that they wish to have
          evaluated need to request a proposal package from:

              Trusted Product Evaluation Program, Attn: V24
              Department of Defense
              9800 Savage Road
              Ft. George G. Meade, MD 20755-6000

          The ultimate proposal for product evaluation will include
          technical and marketing details for the product.  Because the
          Trusted Product Evaluation Program (TPEP) is legislatively
          prohibited from directly evaluating products that are not
          intended to protect classified information, the proposal
          marketing information should include details about the market
          potential within the United States Department of Defense and
          intelligence communities.  Additionally, the TPEP in general
          does not accept products targeting the C1 and below evaluation
          classes, as these are usually inappropriate for processing any
          classified information.  The product technical details will
          include descriptions of the product's documentation and how that
          documentation's structure compares to that required by the PGWG
          documents (see Section II, Question 12).  Finally, the proposed
          configuration of the product should be a configuration likely
          to be used by the described potential market.

  2. What is the evaluation process?

          In general terms a successful evaluation proceeds through the
          following stages:
             1. An initial contact is made by a vendor.
             2. A product proposal is submitted.
             3. An Intensive Preliminary Technical Review (IPTR) is
                performed.
             4. The vendor corrects deficiencies in the product's
                preparedness and has additional IPTRs until the product
                is sufficiently prepared for evaluation.
             5. An evaluation team is assigned and is given training on
                the specific product.
             6. The team performs security analysis and writes an initial
                report.
             7. The team's analysis and report are reviewed by a technical
                board.
             8. The team performs testing of the product and completes the
                report.
             9. The team's results and final report are reviewed by a
                technical board.
            10. The product is placed on the EPL and the report is
                published.

  3. How long does an evaluation take?

          The length of time a developer needs to prepare for an
          Intensive Preliminary Technical Review (IPTR) varies
          considerably.  The IPTR is a short (one to two week) assessment
          of the state of the product documentation and testing.  A
          successful IPTR ensures that the materials needed for
          evaluation are complete and usable.  Currently, we expect
          successful evaluations at the C2/B1 classes to take approximately
          one year to complete from successful IPTR to final technical
          review.  We continue to explore ways to reduce the time
          required.  Higher class evaluations take longer, although this
          is somewhat mitigated by the fact that the TPEP is usually
          involved earlier in the design process for systems at the
          higher classes.  Problems during evaluation, changes in the
          configuration the vendor is planning to market, and system
          complexity can all add to the length of an evaluation.
          Vendors participating in the RAMP (Rating Maintenance Phase)
          process can perform analysis of changes to an already evaluated
          system to maintain the evaluated rating on subsequent versions
          and configurations.  The length of time to obtain a RAMP rating
          is largely dependent on the vendor and on the nature and
          complexity of the change.  However, it is reasonable to expect
          a RAMP effort to take far less time than a full evaluation.

  4. How much does an evaluation cost?

          The Trusted Product Evaluation Program (TPEP) does not charge
          for evaluations.  It may be a significant expense for a product
          developer to prepare for and support evaluation.  There are
          often travel expenses for staff, training costs for the
          evaluation team, and the cost of having development personnel
          take time to respond to the evaluation team's questions.  In
          addition, if the product did not previously meet the
          requirements for a given class, the cost of improving the
          product (i.e., doing the testing, analysis and documentation)
          can be high.  Ultimately, this should result in an improved
          product that will be recognized as superior to competitors.

  5. How do I find out about the evaluation process?

          For an abstract view of the evaluation process you can read
          this list of Frequently Answered Questions (FAQ)!  For a more
          detailed view appropriate to those who wish to participate in
          the process, the process is described in great detail in the
          material provided for creating product proposals. (see Section IV,
          Question 1)

  6. Who actually performs the evaluations?

          Trusted product evaluators come from the Trusted Product
          Evaluation Program (TPEP) organization within the National
          Security Agency (NSA) as well as from a small group of federal
          contract research organizations.  Some evaluations have also
          benefited from the participation of evaluators from the
          security evaluation organizations of other cooperating
          governments.  In cooperation with the National Institute of
          Science and Technology (NIST), a program is being developed to
          evaluate products in the lower Trusted Computer System
          Evaluation Criteria (TCSEC) classes (i.e., C2/B1) using
          approved commercial evaluation facilities.  However, many
          details of that program remain to be finalized.

  7. What information is released about an evaluated product?

          As we begin working with a product, the vendor and target
          rating are made available.  When that product is accepted into
          evaluation, information such as the vendor, target rating, and
          target completion date are announced in a product announcement
          on the Evaluated Products List (EPL) (see Section V, Question
          6).  When the evaluation is completed the general evaluated
          product configuration, general product information, and rating
          are announced in an entry on the EPL.  In addition at the
          completion of evaluation a report is published (see Section V,
          Question 7).  This report contains the analysis of the
          evaluation team, a complete description of the evaluated
          product, and often comments about the usability of the product
          in its evaluated configuration by the evaluation team.

  8. What is RAMP?

          The Rating Maintenance Phase (RAMP) Program was established to
          provide a mechanism to extend the previous rating to a new
          version of a previously evaluated computer system product.
          RAMP seeks to reduce evaluation time and effort required to
          maintain a rating by using the personnel involved in the
          maintenance of the product to manage the change process and
          perform Security Analysis.  Thus, the burden of proof for RAMP
          efforts lies with those responsible for system maintenance
          (i.e., the vendor) instead of with an evaluation team.

----------

Subject: Section V: Evaluated Products

  1. Should I buy an evaluated product?

          An evaluated product has the benefit of providing an
          independent assessment that the product meets the criteria for
          the rating it achieved.  When considering a specific
          installation the value of the data and the threat to that data
          need to both be considered.  These are often related, in that
          more valuable data has a higher threat.  If some of the threats
          to the data can be countered by the features or assurance of a
          trusted product, then it is certainly worthwhile to consider
          that in your purchase decision.  All other things being equal
          (which is rarely the case) the independent assessment of an
          evaluated product adds value.

  2. Does NSA buy/use evaluated products?

          NSA endeavors to be an exemplary customer of the products it
          recommends for use by its customers.  It expects NSA-evaluated
          products to form the foundation of its own secure information
          systems architecture and is developing policy toward that end.

  3. How do I know if a product is evaluated?

          The simplest way to find out whether a product is evaluated is
          to ask the product vendor.  If the vendor has an evaluated
          product, it is a pretty good bet that the company's marketing
          people are aware of it.

          If a vendor claims to have an evaluated product, you should
          independently verify the details of the evaluation (e.g.,
          product version, configuration, rating.) All evaluated products
          are placed on the Evaluated Products List (EPL) (see Section V,
          Question 6).  That is the first place to look.  Calling the
          Trusted Product Evaluation Program (TPEP) organization directly
          at (410) 859-4458 may also be a way to verify a specific detail
          (e.g., the rating) but will often result in less complete
          information since generally we don't read entire EPL entries
          over the phone.  For the most complete information about a
          specific evaluated product, you should request a copy of the
          evaluation report.  (see Section V, Question 7)  Unfortunately,
          the publication of the report sometimes postdates the
          evaluation significantly.  We are examining options for making
          the reports available sooner.

  4. What does it mean for a product to be "in evaluation"?

          In the past, Trusted Product Evaluation Program (TPEP)
          evaluations were conducted over longer periods of time and
          included time for a developer to work out problems with their
          documentation and testing that the current Intensive Preliminary
          Technical Review (IPTR) is designed to limit.  Currently a
          product is not announced to be in evaluation until it has
          successfully passed an IPTR.  Even so, a product may go through
          several releases, incorporate fixes during the course of
          evaluation, or even drop out of evaluation or fail evaluation.
          Because of this a product in evaluation is not equivalent to an
          evaluated product.  While it does show some intent to have an
          evaluated product, and some consideration of security criteria
          in the product's development, it does not necessarily imply any
          security features or assurances.  Buyers of products in
          evaluation should consider what options will be available to
          them for migration to the ultimately evaluated product.
          
  5. What does it mean for a product to be "compliant" with the TCSEC?

          If a product has been evaluated by the Trusted Product
          Evaluation Program (TPEP) to comply with the requirements of a
          rated class, then it means that an independent assessment
          showed the product to have the features and assurances of that
          class.  It does not mean that the product is impenetrable.  It
          is even possible that the independent assessment overlooked
          some failure to meet the criteria, although we expend a lot of
          energy attempting to prevent that.  A vendor claim to be
          "compliant" without an evaluation often doesn't mean very much
          since the vendor's interpretation of the requirement may not be
          the same as an independent assessor's would be.

  6. What and where is the Evaluated Products List (EPL)?

          The Evaluated Products List (EPL) is officially published
          quarterly as a chapter of the INFOSEC Products and Services
          Catalog.  The INFOSEC Products and Services Catalog is
          available from the Government Printing Office.  The EPL is also
          maintained electronically on Dockmaster (see Section I,
          Question 7) and updated as new products are announced.  There
          is no anonymous access to Dockmaster, so this copy is available
          only to Dockmaster users.  We are considering ways to make the
          EPL directly available to a wider audience electronically.

  7. How do I get a copy of an evaluation report?

          Single copies of evaluation reports are available without charge
          by writing:
          
              INFOSEC Awareness, Attn: Y13/IAOC
              Department of Defense
              9800 Savage Road
              Fort George G. Meade, MD 20755-6000
          
          Multiple copies are available from the Government Printing
          Office.  In either case you will need the report number
          (CSC-EPL-xx/xxx or CSC-FER-xx/xxx) which is given in the
          Evaluated Products List (EPL) entry for the product. (see
          Section V, Question 6)
          
  8. Is an evaluated product "hacker proof?"
  
          No product can be guaranteed to be "hacker proof" or
          "impenetrable."  An evaluated product has demonstrated certain
          features and assurances, as specified by the rating criteria.
          Those features and assurances counter certain threats.  Thus an
          evaluated product is usually vulnerable to fewer threats than
          an unevaluated product.  Products with higher ratings are
          vulnerable to fewer threats than products with low ratings.
          Vulnerabilities to threats that remain in products can often be
          addressed through other means.  No rating class used by the
          Trusted Product Evaluation Program (TPEP), for example,
          counters the threat of directly tampering with the hardware.
          That threat would need to be addressed physically or
          procedurally if it was realistic for the particular system
          environment.

          Finally, it seems many "hackers" today prefer to use "social
          engineering" to accomplish their goals.  As with other
          insider-related threats, education is necessary to prevent
          naive users from disclosing sensitive information.  However,
          technical measures can also help.  They can enforce the
          principle of least privilege, check the reasonableness of
          administrative inputs, and provide timely on-line cautions.
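          The three technical measures named above can be seen together in
          one small gate placed in front of administrative commands.  The
          following is an added example, not code from this FAQ or from
          any evaluated product; the role names, clearance labels, bulk
          threshold, privileged account names and request format are all
          hypothetical.  Each role is allowed only the operations it needs
          (least privilege), a clearance grant or bulk change is checked
          for plausibility before it is accepted (reasonableness of
          administrative inputs), and a request that looks like a social
          engineering attempt, such as a password reset for a privileged
          account requested by phone, is allowed through only with a
          caution the operator must see before confirming.

```python
"""Gate administrative requests with least privilege, reasonableness
checks and on-line cautions.

Added example; not part of the original FAQ and not TPEP or vendor code.
Roles, clearance labels, thresholds, account names and the request shape
are hypothetical and exist only to illustrate the three measures.
"""
from dataclasses import dataclass, field

# Clearance lattice, lowest to highest (hypothetical labels).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]

# Least privilege: each role may perform only the operations it needs.
ROLE_OPERATIONS = {
    "helpdesk": {"reset_password"},
    "account_admin": {"reset_password", "create_account", "disable_account"},
    "security_officer": {"set_clearance", "disable_account"},
}

# A request touching more accounts than this needs a second operator.
BULK_THRESHOLD = 5

# Accounts whose credentials are a high-value social engineering target
# (constructed sample set).
PRIVILEGED_ACCOUNTS = {"root", "sysadmin", "iso"}


@dataclass
class Operator:
    name: str
    role: str
    clearance: str


@dataclass
class Request:
    operation: str
    targets: list                # account names the operation applies to
    new_clearance: str = ""      # used only by set_clearance
    origin: str = "console"      # "console", "ticket" or "phone"
    second_approver: str = ""    # name of a second operator, if any


@dataclass
class Decision:
    allowed: bool
    reason: str
    cautions: list = field(default_factory=list)


def check_request(op: Operator, req: Request) -> Decision:
    """Return whether the request may proceed and what to warn about."""
    # 1. Least privilege: refuse operations outside the operator's role.
    if req.operation not in ROLE_OPERATIONS.get(op.role, set()):
        return Decision(False, f"role {op.role!r} may not {req.operation}")

    # 2. Reasonableness: a clearance grant must be a known level and must
    #    not exceed the clearance of the operator granting it.
    if req.operation == "set_clearance":
        if req.new_clearance not in LEVELS:
            return Decision(False, f"unknown clearance {req.new_clearance!r}")
        if LEVELS.index(req.new_clearance) > LEVELS.index(op.clearance):
            return Decision(False, "cannot grant a clearance above your own")

    # 3. Reasonableness: bulk changes need a second, different operator.
    if len(req.targets) > BULK_THRESHOLD and not req.second_approver:
        return Decision(False, f"{len(req.targets)} targets exceeds "
                               f"{BULK_THRESHOLD}; second approver required")
    if req.second_approver and req.second_approver == op.name:
        return Decision(False, "second approver must be a different operator")

    # 4. Timely cautions: shown to the operator before confirmation.
    cautions = []
    privileged = sorted(set(req.targets) & PRIVILEGED_ACCOUNTS)
    if privileged and req.operation == "reset_password":
        cautions.append(f"resetting password of privileged account(s) "
                        f"{privileged}; verify identity out of band")
    if req.origin == "phone":
        cautions.append("request originated by phone: caller identity is "
                        "unverified; call back on a known number first")
    return Decision(True, "ok", cautions)


if __name__ == "__main__":
    helpdesk = Operator("alice", "helpdesk", "CONFIDENTIAL")
    print(check_request(helpdesk, Request("reset_password", ["root"],
                                          origin="phone")))
    print(check_request(helpdesk, Request("set_clearance", ["bob"],
                                          new_clearance="SECRET")))
```

          The point of the caution path is that the request is neither
          silently refused nor silently granted: the operator is told,
          at the moment of the decision, why this particular request
          deserves a callback or an out-of-band identity check.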

  9. What is the rating of DOS?

          MS-DOS, PC-DOS, and DR-DOS have not been evaluated.  Without
          modification, it is apparent from the most cursory examination
          that they do not implement many of the features required by the
          C1 class of the Trusted Computer System Evaluation Criteria
          (TCSEC).  Several vendors support a DOS application interface
          in products designed to achieve higher class ratings.

 10. What is the rating of UNIX?

          There are a number of evaluated products conforming to one or
          another of the UNIX interface standards (see Section V,
          Question 3).  These products range from class C2 to class B3.
          In general, unevaluated UNIX products lack several features,
          including sufficient auditing, to achieve anything other than a
          D class rating without some modification.

 11. What should I do if evaluated Product X appears to fail a requirement?

          If an evaluated product does not seem to meet the requirements,
          the first thing to do is carefully look at the Final Evaluation
          Report (FER) and the product's Trusted Facility Manual (TFM).
          The product was evaluated with specific configuration options and
          on specific hardware.  These should be stated in the TFM and FER
          respectively.  If the evaluated configuration still seems to not
          meet some requirement for its rated class, then it is possible that
          there was an oversight during the evaluation.  You can send that
          information to tpep@dockmaster.ncsc.mil and we may investigate the
          issue.

 12. Why should I buy a B2/B3/A1 product over a C2/B1 product?

          While the features and assurances increase with each class, the
          increase is not linear.  Products rated B1 and below provide a
          basic set of security features and an independent assessment that
          those features are implemented correctly.  At B2 and above there
          is significantly more effort and analysis, both in development and
          in evaluation, to establish that the features are correctly
          implemented.  The additional development effort often translates
          into increased cost for the product.  For applications involving
          sensitive data, the added cost may be well worth the added
          protection.


