Department of Defense; National Security Agency.
Notice of new fees.
Section 933 of Pub. L. 109-364, the John Warner National Defense Authorization Act for Fiscal Year 2007, provides that the Director, National Security Agency, may collect charges for evaluating, certifying, or validating information assurance products under the National Information Assurance Program (NIAP) or successor program. Table A sets forth the Fee-For-Service rates that will be assessed to NIAP accredited commercial Common Criteria Testing Labs (CCTLs) for “validation” services performed by NIAP validator personnel on information technology (IT) security products being evaluated by the NIAP CCTLs pursuant to the Common Criteria Evaluation and Validation Scheme (CCEVS).
Comments must be received on or before August 27, 2007. Do not submit comments directly to the point of contact or mail your comments to any address other than what is shown below. Doing so will delay the posting of the submission.
You may submit comments, identified by docket number and or RIN number and title, by any of the following methods:
- Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
- Mail: Federal Docket Management System Office, 1160 Defense Pentagon, Washington, DC 20301-1160.
Instructions: All submissions received must include the agency name and docket number or Regulatory Information Number (RIN) for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the Internet at http://regulations.gov as they are received without change, including any personal identifiers or contact information.
FOR FURTHER INFORMATION CONTACT:
Audrey M. Dale, 410-854-4458.
NSA and the National Institute of Standards and Technology (NIST) formed the NIAP in order to promote information security in various ways, including the evaluation of IT security products. Commercial IT security product vendors initiate the NIAP evaluation process by submitting their IT security product to a nationally accredited commercial CCTL for evaluation against the internationally recognized Common Criteria (CC) Standard for Information Technology Security Evaluation (ISO/IEC 15408). NIAP evaluation is voluntary for IT security products acquired by United States Government (USG) civil agencies and non-USG entities, but, per National Security Telecommunications & Information Systems Security Policy (NSTISSP) No. 11, mandatory for IT security products purchased for use on systems that process national security information. Additionally, per DoD Instruction 8500.2, the DoD mandates the use of CC or NIAP evaluated IT security products on all DoD networks.
Evaluations are conducted by NIAP accredited commercial CCTLs, with oversight provided by NIAP validator personnel who are NSA government employees, Federally Funded Research & Development Center (FFRDC) personnel or contractors. Prior to the enactment of Sec. 933, NSA paid for all validation costs. Sec. 933 shifts the costs for this validation oversight from NSA to the commercial CCTLs (who may, in turn, pass these fees on to the product vendors seeking NIAP evaluation of their IT security products). This change will ensure that NIAP can keep pace with the commercial demand for IT security product evaluations and will not be constrained by NSA's program budget for validation services.
Fee Schedule: TABLE A delineates the NIAP Validation Oversight Fee Schedule which will be assessed to CCTLs for validation services provided in support of their NIAP evaluations. Fees are assessed on an hourly basis by validator skill type and are a function of the Evaluation Assurance Level (EAL) along with the type and complexity of the product technology. The CC standard used for NIAP evaluations is broken down into increasingly rigorous Evaluation Assurance Levels (EALs), beginning at EAL 1 and moving up to the highest possible assurance at EAL 7.
The two primary factors used in developing the Validation Fee Schedules were the EAL of the evaluation and the complexity (simple, moderately complex, and complex) of the product being evaluated. Higher EALs require more rigorous and thus more costly evaluations. More complex products typically take more time to analyze, resulting in longer and more costly evaluations. The complexity factor takes into account the size of the product in terms of lines of code, but must also reflect the fact that new technologies will require additional analysis. Simple products would include basic routers, switches or file encryptors. Products of moderate complexity would include simple firewalls or general application software. Complex products would include standard operating systems and new/unique IA products or technologies.
While validation oversight occurs throughout the course of an evaluation, the majority of this oversight is focused on Validation Oversight Reviews (VORs). These reviews take place at critical points during the evaluation. Evaluations require Initial, Test and Final VORs. The VOR process typically consists of three phases: the preparation phase, where validators review documents pertaining to that specific VOR; the actual VOR meeting (attended by the validators and lab personnel); and the Issue Resolution and Wrap-Up phase. During this final phase all relevant issues are addressed by the CCTL, and then the VOR report is finalized. At EAL 3 and above, witnessing of testing by validator personnel may also be required.
An additional factor that will affect validation oversight costs is the length of the evaluation, since monthly validation fees will be applied to cover validator coordination and guidance costs throughout the course of the evaluation.
The final section of the fee schedule depicts costs for assurance maintenance, which is the process vendors use to maintain the currency of their product evaluations. Vendors submit a rationale for why changes to their product did not impact the evaluated product's security. The vendor proposals are reviewed by a NIAP senior validator, who determines whether the rationale is sound and makes a recommendation to NIAP management, who then render a verdict on the vendor's assurance maintenance proposal.
Dated: June 19, 2007.
Alternate OSD Federal Register Liaison Officer, DoD.
BILLING CODE 5001-06-P
[FR Doc. 07-3114 Filed 6-25-07; 8:45 am]