Certifications, Validations, and Compliance – a maze of twisty requirements all different…

by in Security
At a recent speaking engagement, I shared the successful results of our most recent Common Criteria certification efforts. After being congratulated by a member of the audience, we proceeded to have the following discussion:
Audience member: “When are you going to be done with SP800-53 certification?”
Me: “Huh? Which part of it?”
Audience member: “All of it.”
Me: “You do realize that I, as a vendor, provide technology that enables you as a user to be in compliance with SP800-53?”
Audience member: “Yes, but are you certified for it?”


This exchange told me a great deal about common misconceptions around certifications and standards (e.g. SP800-53). In short, it highlighted the fact that the general public might not recognize the differences between certifications and standards. It also told me that potential consumers may not realize that the standards identify and provide elements for their environment. Finally, it told me there is still a great deal of confusion about what a technology vendor can certify, and about how to communicate the difference between using a technology to enable compliance with a standard and providing a product that itself complies with a standard. It is critical that this gap in understanding be addressed, or both the public and technology vendors will fail. With this in mind, I thought I should end my long absence from the NetIQ blogs and try to explain the nuances that most seem to be missing. First, let’s define a few key terms:

Certification - A certification involves a third party that will review your claims, evidence, and tests. This party will review your materials and then run their own test(s). Assuming nothing goes wrong, the results will be a third party certification around the explicit functionality that was claimed. The Common Criteria is an example of a Certification.

Validation – A validation involves a test created by a third party. The results of the test are captured and presented as a mechanism to prove you are compliant with the requirements. FIPS 140-2 is an example of a validation process.

Self-Certification or Declared Compliance – A self-certification involves making a claim that one complies with and/or fulfills all requirements of a standard. The American Disabilities Act Section 508 deals with website accessibility. Compliance with Section 508 is an example of a self-certification.

To understand why certification confusion exists, it helps to get a little context about the environment from which they emerge, and what they are truly intended to do. We’ll use the aforementioned SP800-53 certification as an example.

Through the glass, darkly
In the past, the US president would issue executive orders, which would require compliance with various certifications for US national security agencies. For example, NSTISSP #11 governed all Information Assurance (IA) and IA-enabled information technology products. This policy required that “Commercial Off-the-Shelf” (COTS) IA and IA-enabled products be evaluated and validated in accordance with:

  • the Common Criteria

  • National Information Assurance Partnership program

  • National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) validation program (aka FIPS 140)

Since this was issued, it has been superseded¹ in 2013 by CNSSP #11. Among the additional requirements is SP800-53:
“Ensure security categorization and controls as set forth in CNSS Instruction 1253, ‘Security Categorization and Control Selection for National Security Systems,’ and National Institute of Standards and Technology Special Publication (NIST SP) 800-53.”

As you can see, SP800-53 is about security categorizations and controls. The goal of SP800-53 is to provide organizations a framework on which to build their security infrastructure. Examples of the infrastructure categories within SP800-53 are:

  • Access Control

  • Security Assessment and Authorization

  • Configuration Management

  • Identification and Authentication

  • Incident Response

  • Risk Assessment

  • System and Communications Protection

  • System and Information Integrity

The categories are further broken down into areas or elements in which controls should exist. So, for example, the category “Security Assessment and Authorization” has the following elements or controls:

  • Security Assessment and Authorization Policies and Procedures

  • Security Assessments

  • System Interconnections

  • Plan of Action and Milestones

  • Security Authorization

  • Continuous Monitoring

  • Penetration Testing

  • Internal System Connections

Gaining clarity
Now let’s apply this example to an actual product. If we use NetIQ Privileged User Manager (PUM) as an illustration, we can see that it enables all technology aspects of the “Security Assessment and Authorization” category. An element that PUM does not cover within the category is “Plan of Action and Milestones”, because PUM does not create the organizational policies or procedures; PUM enables the enforcement of policies and procedures. In this case, the organization would need to document and maintain plans to address weaknesses, and then configure PUM to enforce them.

As demonstrated in my SP800-53 certification example, most products (such as PUM) reside in the categories and serve to enable organizations to meet the controls and requirements as opposed to meeting the requirements themselves. Put another way:
“Products help organizations meet controls and requirements; they will not always meet the requirements themselves.”

This explains why the question of whether a particular product or program has SP800-53 certification doesn’t make sense. Or at least isn’t the right question to ask.

Asking the right question
SP800-53 has three tables that may be interesting for certifications. The first table (H-1) provides a mapping of SP800-53 controls to ISO/IEC 27001 controls. The second table (H-2) provides a mapping from ISO/IEC 27001 controls to SP800-53 controls. The last table (H-3) maps ISO/IEC 15408 (aka Common Criteria) requirements to SP800-53 controls. Given these tables, a Common Criteria certified product could easily be mapped to SP800-53.

So, you may be asking ‘How does a product get a Common Criteria certification?’ As my old teacher used to say, ‘read the book’; of course, I was never sure if I had found the book they were talking about, so that was always a problem². In my next blog, I will answer the question ‘What is the VALUE of a Common Criteria certification?’


¹ https://www.cnss.gov/CNSS/openDoc.cfm?Mqolpwj5JM6L9g/Y/Q6kyw (of course, the website has a certificate error)

² Not meaning to be cruel; to find out how to get a Common Criteria certification, check out: http://www.amazon.com/Writing-Common-Criteria-Documentation-Wesley/dp/1500411221/ref=sr_1_2?ie=UTF8&qid=1418158158&sr=8-2&keywords=wes higaki

