OMB considers NIAP for software certifications

Find opportunities — and win them.

The software certification role of National Information Assurance Partnership might expand from defense and national security agencies to all federal agencies, a White House official tells Congress.

The software certification role of National Information Assurance Partnership might expand from defense and national security agencies to all federal agencies, a White House official told Congress Thursday.

Karen Evans, administrator for e-government and IT at the Office of Management and Budget, told the House Government Reform Committee that NIAP could be used to certify the security of commercial software used by civilian agencies.

The expanding role is part of a comprehensive review of the NIAP program, Evans said at a hearing on Internet security.

"One thing they will consider is to what extent, if any, NIAP can address the continuing problem of security flaws in commercial software products," Evans said. "This review will include lessons learned from the implementation of the Defense Department's July 2002 policy requiring the acquisition of products reviewed under the NIAP evaluation process."

House Government Reform Committee Chairman Tom Davis, R-Va., expressed frustration at the number and scope of vulnerabilities that continue to hamper the Internet and agency networks.

NIAP oversees security-testing standards for military and intelligence agencies. Started in 1997, NIAP is a collaboration between the National Security Agency and the National Institute of Standards and Technology to establish a framework for security testing of commercial software for use on classified military networks.

The testing was required by National Security Directive No. 42, issued by the Defense Department's National Security Telecommunications and Information Systems Security Committee, now the Committee on National Security Systems.

The policy mandated that all commercial software used in government systems handling national security information be certified by one of several organizations or validation programs, including the NIAP's Common Criteria Evaluation and Validation Scheme and NIST's Federal Information Processing Standards Cryptomodule Validation Program.

Common Criteria evaluations for individual software products can range from $500,000 to $1 million per evaluation, according to industry officials. NIAP certifies integrators as well as commercial and government laboratories to test products. Booz Allen Hamilton Inc., Computer Sciences Corp. and Science Applications International Corp. run Common Criteria labs, according to NIAP's Web site.