Oracle, Symantec validated under security standard
- By Joab Jackson
- May 28, 2002
Oracle Corp., Redwood Shores, Calif., and Symantec Corp., Cupertino, Calif., have both had products receive Common Criteria certification through an evaluation program run by the National Security Agency and the National Institute of Standards and Technology.
Oracle received Common Criteria Evaluation Assurance Level Four for its Oracle8i Label Security, version 8.1.7. This product can control what information users can see in a database according to their access levels.
Symantec received level four validation for its Enterprise Firewall 7.0 product.
Both products are eligible for use in systems that handle information concerning national security. The National Security Telecommunications and Information Systems Security Policy No. 11, or NSTISSP No. 11, stipulates that, starting in July, all networks handling national security data must use equipment that is certified as secure.
The International Common Criteria for Information Security Technology Security Evaluation is one of the standards approved by Policy 11. Common Criteria is a set of evaluation criteria agreed to by a NSA-NIST effort called the National Information Assurance Partnership.
Common Criteria testing laboratories are operated by companies such as Booz Allen Hamilton Inc., McLean, Va., Computer Sciences Corp., El Segundo, Calif., and Science Applications International Corp., San Diego.
Mary Ann Davidson, chief security officer for Oracle, said that, given the events of Sept. 11, the NSTISSP mandate will be far-reaching and will affect systems not commonly considered a part of national security. She said the Defense Integrated Military Human Resource System, the Defense Department's unified payroll system now in the solicitation stage, might come under mandate.
Another candidate would be the Navy-Marine Corps Intranet, the $6.9 billion project led by Electronic Data Systems Corp., Plano, Texas, said Eric Mazzacone, a spokesperson for the Navy's Program Executive Officer for Information Technology
To pass NSTISSP muster, products must be certified by a Common Criteria laboratory, NIAP or NIST's Federal Information Processing Standard.
For more information on Policy 11, see www.nstissc.gov/Assets/pdf/nstissp_11.pdf. A list of validated equipment appears at niap.nist.gov/cc-scheme/ValidatedProducts.html.
Joab Jackson is the senior technology editor for Government Computer News.