Brief: House considers Common Criteria

The Common Criteria for security software evaluation are not a panacea for assuring government IT systems, government and industry officials told a House panel Sept. 17.

The criteria are standards for evaluating security software against vendor claims or user requirements. The House Government Reform subcommittee on technology, information policy, intergovernmental relations and the census held a hearing to consider if certification should be required.

Eugene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security, called the criteria a tool of "great value," but said certification "does not guarantee that what you have is safe."