So what is a CSfC solution? To answer that question, let’s explore how the CSfC certification is achieved. In many cases, U.S. government organizations, especially those dealing with classified data, require both tested and approved commercial off-the-shelf security solutions to achieve mission requirements. In the U.S. and 26 member countries, the Common Criteria evaluation methodology has been a longstanding and accepted framework to establish both common security review and testing procedures for commercially available security products. In the U.S., the National Information Assurance Partnership (NIAP) oversees and manages the Common Criteria program.
The road to Common Criteria certification is typically a 12- to 16-month, three-phase process that begins with a design and documentation phase, continues with laboratory testing and finishes with a certification scheme review.
In addition to Common Criteria, the CSfC candidate product must also be validated against the Federal Information Processing Standard 140-2 or FIPS 140-2. This validation focuses on the cryptographic modules and components that are utilized as part of the security solution to ensure that the cryptographic implementation is done securely. Authentication, operating environment and key management are a few areas that are part of the validation process.
Unfortunately, there is no single security product that provides “silver bullet” protection across the enterprise. Most organizations require multiple commercial technologies that can be woven together to create a robust solution to meet mission security requirements. This multi-component integration requirement poses an additional security issue: How can an organization ensure that the overall security of the integrated solution(s) has not been compromised in any way when combining multiple solutions?
CSfC specifically addresses these concerns by adding a list of approved CSfC solutions and an additional set of guidelines and integration requirements to solutions that have already achieved Common Criteria/FIPS 140-2 certification. Following NIAP certification, vendors submit their solutions to be certified as part of the CSfC program. CSfC provides an implementation methodology and an accountability process that allow for expedited and agile integration of COTS technologies, which is accomplished through a network of CSfC trusted integrators. In addition to addressing security issues, the program enables government organizations to move quickly to adopt new, agile security technology solutions while significantly reducing the overall costs previously associated with the longer, rigid process known as government off-the-shelf solutions.
Unisys is proud to have Stealth certified as part of the CSfC program, and we encourage you to further explore the security, agility and cost savings benefits that Stealth delivers.