Uncommon Common Ground
While many of us who are not directly involved in the computer security community have continued to think that our pot of security gold could still be found at the end of the Rainbow Series (or more specifically, the Orange Book), the international IT security community has made amazing progress. In early June of this year, the International Standards Organization (ISO) Central Secretariat announced that sufficient support had been received during National Body balloting to enable The Common Criteria for Information Technology Security Evaluation (CC) version 2.0 to become an international standard. With that balloting, the Common Criteria became International Standard (IS) 15408, in ISO terms. Considering how contentious security definitions are even within this country, such a level of international agreement on the topic is remarkable.
Although it may be convenient to think of the CC as replacing the Orange Book and the corresponding Federal Information Processing Standard, FIPS 140-1, that is not completely accurate. As explained in a letter from Stuart Katzke (Chief, Computer Security Division, NIST) and Louis Giles (Chief, Information Assurance Partnerships, Evaluations and Knowledge Management, NSA Information Systems Security Organization) to Government Computer News (http://www.ntgov.com/gcn/gcn/1998/november23/20a.htm), FIPS 140-1 is undergoing a five-year review, with completion expected in December, 1999. Thus, it may be more accurate to think of our Orange juice as having extra Vitamin C.
Katzke and Giles describe the CC as more like a language for describing the security properties of products or systems than a specific set of technical security requirements, such as those defined by the Orange Book. As IS 15408 and a correspondingly revised FIPS 140-1 are rolled out, I would expect to see a hierarchy of increasingly detailed definitions used to specify the security requirements and features of systems. ISO and the standards community are keen on using Profiles to describe general requirements, with separate documents describing more specific aspects of a system. Thus, it is not surprising to see the CC include Protection Profiles, which define implementation-independent requirements for classes of products, and Security Targets, which give tighter definitions for a specific environment.
If you are interested in more information about the CC, and what NIST is doing, point your browser to http://csrc.nist.gov/cc/. There is a wealth of information available. It appears we can be comforted, however, that Rainbows will still be seen in the security sky. The hue of Orange will just be changed a bit.