[Federal Register Volume 72, Number 122 (Tuesday, June 26, 2007)]
[Notices]
[Pages 35036-35042]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 07-3114]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

[DoD-2007-OS-0066]


National Information Assurance Program

AGENCY: Department of Defense; National Security Agency.

ACTION: Notice of new fees.

-----------------------------------------------------------------------

SUMMARY: Section 933 of Pub. L. 109-364, the John Warner National 
Defense Authorization Act for Fiscal Year 2007, provides that the 
Director, National Security Agency, may collect charges for evaluating, 
certifying, or validating information assurance products under the 
National Information Assurance Program (NIAP) or successor program. 
Table A sets forth the Fee-For-Service rates that will be assessed to 
NIAP accredited commercial Common Criteria Testing Labs (CCTLs) for 
``validation'' services performed by NIAP validator personnel on 
information technology (IT) security products being evaluated by the 
NIAP CCTLs pursuant to the Common Criteria Evaluation and Validation 
Scheme (CCEVS).

DATES: Comments must be received on or before August 27, 2007. Do not 
submit comments directly to the point of contact or mail your comments 
to any address other than what is shown below. Doing so will delay the 
posting of the submission.

ADDRESSES: You may submit comments, identified by docket number and/or 
RIN number and title, by any of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Mail: Federal Docket Management System Office, 1160 
Defense Pentagon, Washington, DC 20301-1160.
    Instructions: All submissions received must include the agency name 
and docket number or Regulatory Information Number (RIN) for this 
Federal Register document. The general policy for comments and other 
submissions from members of the public is to make these submissions 
available for public viewing on the Internet at http://regulations.gov 
as they are received without change, including any personal identifiers 
or contact information.

FOR FURTHER INFORMATION CONTACT: Audrey M. Dale, 410-854-4458.

SUPPLEMENTARY INFORMATION: NSA and the National Institute of Standards 
and Technology (NIST) formed the NIAP in order to promote information 
security in various ways, including the evaluation of IT security 
products. Commercial IT security product vendors initiate the NIAP 
evaluation process through submission of their IT security product to a 
nationally accredited commercial CCTL for evaluation against the 
internationally recognized Common Criteria (CC) Standard for 
Information Technology Security Evaluation (ISO Standard 15408). NIAP 
evaluation is voluntary for IT security products that are acquired by 
United States Government (USG) civil agencies and non-USG entities, but 
as per National Security Telecommunications & Information Systems 
Security Policy (NSTISSP) No. 11, mandatory for IT 
security products purchased for use on systems that process national 
security information. Additionally, per DoD Instruction 8500.2 the DoD 
mandates the use of CC or NIAP evaluated IT security products on all 
DoD networks.
    Evaluations are conducted by NIAP accredited commercial CCTLs, with 
oversight provided by NIAP validator personnel who are NSA government 
employees, Federally Funded Research & Development Center (FFRDCs) 
personnel or contractors. Prior to the enactment of Sec. 933, NSA paid 
for all validation costs. Sec. 933 shifts the cost of this validation 
oversight from NSA to the commercial CCTLs (which may, in turn, pass 
these fees on to the product vendors seeking NIAP evaluation of their IT 
security products). This change will ensure that NIAP can keep pace 
with the commercial demand for IT security product evaluations and will 
not be constrained by NSA's program budget for validation services.
    Fee Schedule: TABLE A delineates the NIAP Validation Oversight Fee 
Schedule which will be assessed to CCTLs for validation services 
provided in support of their NIAP evaluations. Fees are assessed on an 
hourly basis by validator skill type and are a function of the 
Evaluation Assurance Level (EAL) along with the type and complexity 
of the product technology. The CC standard used for NIAP evaluations is 
broken down into increasingly more rigorous Evaluation Assurance Levels 
(EALs) beginning at EAL 1 and moving up to the highest possible 
assurance at EAL 7.
    The two primary factors used in developing the Validation Fee 
Schedules were the EALs of the evaluations and the complexity (simple, 
moderately complex, and complex) of the product being evaluated. Higher 
EALs require more rigorous and thus more costly evaluations. More 
complex products typically take more time to analyze resulting in 
longer and more costly evaluations. The complexity factor takes into 
account size of the product in terms of lines of code but must also 
reflect the fact that new technologies will require additional 
analysis. Simple products would include basic routers, switches or file 
encryptors. Products of moderate complexity would include simple 
firewalls or general application software. Complex products would 
include standard operating systems and new/unique IA products or 
technologies.
    While validation oversight occurs throughout the course of an 
evaluation, the majority of this oversight is focused on Validation 
Oversight Reviews (VORs). These reviews take place at critical points 
during the evaluation. Evaluations require Initial, Test and Final 
VORs. The VOR process typically consists of three phases: the 
preparation phase where validators review documents pertaining to that 
specific VOR, the actual VOR meeting (attended by the validators and 
lab personnel), and the Issue Resolution and Wrap-Up phase. During this 
final phase all relevant issues are addressed by the CCTL then the VOR 
report is finalized. At EAL 3 and above, witnessing of testing by 
validator personnel may also be required.
    An additional factor that will affect the validation oversight 
costs is the length of the evaluation since monthly validation fees 
will be applied to cover validator coordination and guidance costs 
throughout the course of the evaluation.
    The final section of the fee schedule depicts costs for assurance 
maintenance which is the process vendors use to maintain the currency 
of their product evaluations. Vendors submit rationale for why changes 
to their product did not impact their evaluated product's security. The 
vendor proposals are reviewed by a NIAP senior validator who determines 
if their rationale is sound and makes a recommendation to NIAP 
management who then renders a verdict on the vendor assurance 
maintenance proposal.

    Dated June 19, 2007.
L.M. Bynum,
Alternate OSD Federal Register Liaison Officer, DoD.
BILLING CODE 5001-06-P

[[Page 35038]]

[GRAPHIC] [TIFF OMITTED] TN26JN07.000


[[Page 35039]]


[GRAPHIC] [TIFF OMITTED] TN26JN07.001


[[Page 35040]]


[GRAPHIC] [TIFF OMITTED] TN26JN07.002


[[Page 35041]]


[GRAPHIC] [TIFF OMITTED] TN26JN07.003


[[Page 35042]]


[GRAPHIC] [TIFF OMITTED] TN26JN07.004

[FR Doc. 07-3114 Filed 6-25-07; 8:45 am]
BILLING CODE 5001-06-C