Some realism from CNSS


re: http://www.nstissc.gov/Assets/pdf/cnssam-ia-1-04.pdf

Title: CNSS Advisory Memorandum Information Assurance (IA) – Security Through Product Diversity
Signed by: MICHAEL V. HAYDEN Lieutenant General, USAF, Director NSA

CNSS = The Committee on National Security Systems (sets policy for US national security systems, largely the classified systems)

"For instance, products evaluated against basic National Information Assurance (NIAP) protection profiles, levels 4 and below, do not include robust vulnerability testing as part of their validation. In most cases, certification of these products simply implies that the product functions as advertised."

Of course it is more than just testing that is missing.  The essential (for high confidence and ability to withstand attack) design and implementation disciplines are also missing from Common Criteria EAL 1-4.  Yet the reality of EAL4 and below truly being LOW assurance is getting said.

Cheers,
Gary

**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
*
Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
* http://csrc.nist.gov/staff/stoneburner/gshome.html
**************************************************************************
