Volume 1, Issue 1
April 18, 2006
A man walking along a country road comes across a farmer droving a huge mob of sheep. He stops and chats for a while and then says, "Tell you what, I'll bet you $100 against one of your sheep that I can tell you the exact number in that flock."
The farmer thinks for a moment. It is a big mob and he can't see how anyone could guess correctly, so he says, "OK. You're on."
"Nine hundred and thirty two," says the man.
The farmer takes off his hat and scratches his head. "I don't know how you did it but that's exactly right. A bet's a bet. Take any sheep."
The man picks up an animal and is about to walk off when the farmer says, "Hang on. Bet you double or nothing that I can guess your occupation."
The man thinks, "How would he know? He's never met me before," and says, "Right. You're on."
The farmer says, "You're an auditor with a Big Four firm."
The man whistles. "How the heck did you know that?"
"Well," says the farmer, "put my dog down and I'll tell you."
A Brief Guide to the Common Criteria
By Alex Ragen, CISSP
On July 1, 2002, the US Department of Defense began to enforce National Security Telecommunications and Information Systems Security Policy (NSTISSP) # 11 (issued in January 2000), which mandates that US government agencies purchase only those IT security products which have been validated in accordance with Common Criteria and/or FIPS 140-1 or FIPS 140-2 as appropriate.
We won't deal with FIPS 140-1 and FIPS 140-2 here except to note that they are Federal Information Processing encryption standards (see http://csrc.nist.gov/publicatios/fips/index.html for more information). It's the Common Criteria that is the subject of this article.
NSTISSP # 11 made official what had been a recommendation honored more "in the breach than in the observance". IT security vendors who were blindsided by the new policy (and to be frank, they should not have been) suddenly found themselves in panic mode, trying to figure out how to get their products certified before their US government sales evaporated. As a result of NSTISSP # 11, there has been a marked increase in the number of IT security vendors seeking and obtaining Common Criteria certification. But even those who have successfully certified products find the standard and its processes to be esoteric and often confusing.