[Federal Register Volume 64, Number 31 (Wednesday, February 17, 1999)]
[Notices]
[Pages 7859-7861]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-3718]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology
[Docket No. 981029270-8270-01]


National Voluntary Laboratory Accreditation Program

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) has 
received a request to establish a laboratory accreditation program. In 
a letter dated August 5, 1998, the National Information Assurance 
Partnership (NIAP), a partnership between NIST and the National 
Security Agency, requested that NIST establish an accreditation program 
for Information Technology Security Testing. A copy of the request 
letter is set out as an appendix to this notice. Announcement of this 
request by NIAP, and of the NIST request for comments with respect 
thereto, is being made under the procedures of the National Voluntary 
Laboratory Accreditation Program (NVLAP), 15 CFR 285.13.

DATES: Comments may be submitted on or before May 3, 1999.

ADDRESSES: Comments should be submitted to James L. Cigler, Chief, 
Laboratory Accreditation Program, National Institute of Standards and 
Technology, 100 Bureau Drive, Stop 2140, Gaithersburg, Maryland 20899-
2140. Copies of comments received will be available for inspection and 
copying at the Department of Commerce Central Reference and Records 
Inspections Facility, Room 6204, Hoover Building, Washington, DC 20230.

FOR FURTHER INFORMATION CONTACT: James L. Cigler, telephone 301-975-
4016; e-mail [email protected]; <http://ts.nist.gov/nvlap>.

SUPPLEMENTARY INFORMATION: 

Background

Scope of Laboratory Accreditation

    The requestor referenced two documents to be used in association 
with accreditation of Information Technology (IT) Security Testing 
laboratories: (1) ISO/IEC DIS 15408 Information technology--Security 
techniques--Evaluation criteria for IT Security, also called the Common 
Criteria for Information Technology Security Evaluation, and (2) Common 
Evaluation Methodology for Information Technology Security (CEM), an 
international draft.

[[Page 7860]]

NVLAP currently offers accreditation for laboratories conducting 
testing to Federal Information Processing Standard (FIPS) 140-1 for 
Cryptographic Modules. Information about the Common Criteria and the 
Common Evaluation Methodology is available at <http://csrc.nist.gov/cc/
ccv20/ccv2list.htm>.
    After the 75-day comment period, NIST will thoroughly evaluate all 
comments pertaining to the proposed accreditation program and publish 
in the Federal Register an announcement of the decision of the Director 
of NIST, regarding development of the program. Those who submit 
comments and those who request future information will be placed on the 
NVLAP mailing list to receive a copy of that publication. If the 
decision is made to develop the program, technical assistance and input 
will be sought from all interested parties. Assistance will be sought 
in the areas of: (1) Preparation of the technical criteria for the 
program, (2) establishment of the scope of the program based on the 
Common Criteria, and (3) development of appropriate proficiency testing 
programs. The NVLAP procedures also provide for public comment prior to 
publication of the final accreditation requirements.

    Dated: February 8, 1999.
Karen H. Brown,
Deputy Director.

National Information Assurance Partnership

August 5, 1998.
Raymond G. Kammer,
Director, National Institute of Standards and Technology, 
Gaithersburg, MD 20899

    Dear Mr. Kammer: The National Information Assurance Partnership 
(NIAP), a partnership between the National Institute of Standards 
and Technology (NIST) and the National Security Agency (NSA), 
requests the establishment of a National Voluntary Laboratory 
Accreditation Program (NVLAP) Laboratory Accreditation Program (LAP) 
for Information Technology (IT) Security Testing. The requested LAP 
will support the goals and objectives of both NIST and NSA in 
fulfilling their responsibilities in the area of computer and 
information systems security. This request is made in accordance 
with Title 15 Code of Federal Regulations Section 285.13.
    NIST plays a vital role in protecting the security and integrity 
of information in computer systems in the public and private 
sectors. The Computer Security Act of 1987 (P.L. 100-235) reaffirmed 
NIST's leadership role in the federal government for the protection 
of unclassified information. NIST assists industry and government by 
promoting and supporting better security planning, technology, 
awareness and training.
    NSA provides information systems security programs to protect 
classified and unclassified national security systems against 
exploitation through interception, unauthorized access, and related 
technical intelligence threats.
    In a recent move to assist U.S. information security technology 
producers in achieving international competitiveness, NIST and NSA 
signed a letter of partnership establishing the National Information 
Assurance Partnership (NIAP). NIST and NSA have established a 
program under NIAP to evaluate conformance of IT products to 
international standards. This program, called the Common Criteria 
Evaluation and Validation Scheme, will help consumers make informed 
choices when selecting commercial off-the-shelf products in the area 
of IT security and will help producers of IT security products gain 
acceptance in the global marketplace.
    The NIAP Common Criteria Scheme requires IT security products to 
be tested in private sector, accredited testing laboratories using 
the test methods in ISO/IEC DIS 15408 (currently a Draft 
international standard), also called the Common Criteria, and the 
Common Evaluation Methodology (currently an international draft). 
Test reports from accredited laboratories will be reviewed by the 
NIAP Validation Body which will issue Common Criteria certificates 
for products that meet the NIAP Common Criteria Scheme requirements.
    NIAP is working towards a Common Criteria Mutual Recognition 
Agreement with bodies in five foreign countries. By agreement, 
testing laboratories approved by the partners in each of the 
Agreement countries will be accredited as meeting the requirements 
of ISO/IEC Guide 25 by an organization that is internationally 
recognized as conforming to the requirements of ISO/IEC Guide 58.
    NIST and NSA have been active participants in the development of 
the Common Criteria, the Common Evaluation Methodology, and the NIAP 
Common Criteria Scheme. NIST will provide technical assistance for 
the development of the LAP.

Statement of Perceived Need

    The recent President's Commission on Critical Infrastructure 
Protection has pointed out that the United States is becoming 
increasingly dependent on information technology to carry out the 
day-to-day operations of business and government. This growing 
dependence on advanced technology, coupled with its inherent 
complexity, has introduced significant security vulnerabilities into 
the information systems that support the critical national 
infrastructure. Consumers within the public and private sectors are 
becoming increasingly aware of these vulnerabilities and are 
beginning to demand greater protection for their information from 
commercial IT products and systems.
    As industry begins to respond to demands for security-enhanced 
IT products and systems, consumers must have confidence in the 
security claims producers make about them. Testing at an accredited 
laboratory provides confidence to consumers in the test results and 
that the tested products and systems conform to the security 
criteria.
    Acceptance of test results from a commercial laboratory by 
consumers in other nations and government organizations, such as 
those organizations in the countries participating in the Common 
Criteria project, requires trust and confidence in the laboratory 
testing processes. This trust and confidence is achieved through the 
use of accredited testing laboratories and government involvement in 
validating the results of commercial security evaluations. Thus, 
governments have greater confidence in the evaluation processes 
employed in the respective national schemes of other nations.

Scope of the LAP, Applicable Standards, and Applicable Test Methods

    The scope of the proposed LAP includes conformance testing of 
commercial off-the-shelf, security-enhanced, IT products and systems 
to international standards. Applicable standards and test methods 
defined by government and industry will be employed by NVLAP-
accredited testing laboratories operating within the scope of the 
LAP. Initially the scope of the LAP will draw from ISO/IEC DIS 
15408 Information technology--Security techniques--Evaluation 
criteria for IT Security also called the Common Criteria for 
Information Technology Security Evaluation and Common Evaluation 
Methodology for Information Technology Security (CEM), an 
international draft. Additional standards and test methods may be 
added as they become available.

Evidence of a National Need To Accredit Calibration or Testing 
Laboratories for the Specific Scope Beyond That Served by an Existing 
Laboratory Accreditation Program in the Public or Private Sector

    The scope of the proposed LAP is beyond that served by any 
existing laboratory accreditation program in the public or private 
sector. The only commercial security testing laboratories currently 
available to conduct Common Criteria-based testing are the Trust 
Technology Assessment Program (TTAP) laboratories under a program 
established by the National Security Agency. These laboratories 
operate under cooperative research and development agreements 
(CRADA) with NSA and have not been accredited to ISO Guide 25. 
Recognition of evaluation results in the context of the nations 
participating in the Common Criteria project requires that IT 
products be evaluated at accredited testing laboratories. The unique 
nature of security testing and the associated knowledge and skills 
needed to operate an accreditation program in this area make NVLAP 
the essential choice to develop and implement the proposed LAP.
    NIAP will hold public workshops to solicit comments on the 
Common Criteria Scheme and the proposed LAP from all sectors 
including producers, the testing laboratory community, and consumers 
of IT security products in the private and government sectors.

[[Page 7861]]

        Sincerely,
Stuart W. Katzke,
Chief, Computer Security Division, Information Technology Laboratory, 
NIST.

Louis F. Giles,
Chief, Information Assurance Partnerships Evaluations, and Knowledge 
Management, NSA.

cc: S. Wakid, Director, Information Technology Laboratory, NIST
    M. Jacobs, Deputy Director, Information Systems Security, NSA

[FR Doc. 99-3718 Filed 2-16-99; 8:45 am]
BILLING CODE 3510-13-M