Nearly two years ago, I was lucky enough to join the Illumio team as Federal Product Manager. The first order of business was to acquire the necessary product certifications required by the federal government, including FIPS 140-2 and GSA Section 508 compliance. Recently, Illumio Core achieved another important government security certification called Common Criteria. With this certification, Illumio became the first enterprise security vendor to be certified with conformance to the National Information Assurance Partnership (NIAP) Standard Protection Profile for Enterprise Security Management, Policy Management v2.1, which focuses on access control policy definition and management.
As government agencies (and non-federal organizations) seek to protect their high-value assets from advanced persistent threats, the need to decouple security from network architecture to effectively deploy host-based segmentation has become a top priority. Illumio Core separates security from the network and segments at the host, enabling customers to create and enforce segmentation policies that protect critical applications wherever they run.
So what exactly is Common Criteria? What are NIAP Protection Profiles? And why does this matter to the federal government? Let's drill down a bit...
What is Common Criteria?
Common Criteria lists an internationally recognized set of security standards that are used to evaluate the Information Assurance (IA) of IT products offered to the government by commercial vendors. The Common Criteria Recognition Arrangement (CCRA) is composed of 30 member nations including the U.S., Australia, France, UK, Germany, Netherlands, South Korea, and others. IT products evaluated under the CCRA are mutually recognized by all member nations, allowing companies to evaluate products once and sell to many nations. It is part of the evaluation of capabilities and features for IT security products for assurance requirements.
The security evaluation is rigorous and comprehensive and is conducted by approved third-party independent labs. The IA testing is designed to assess the risks associated with the use, processing, storage, and transmission of information or data entering or exiting the product undergoing evaluation. Part of the protection profile is that a product must conform to all PP requirements.
There are some important key concepts of Common Criteria:
- Security target: The capabilities of the project under evaluation must be explicitly stated
- Protection profile: A template used for a standard set of requirements for a specific class of related products
- Evaluation assurance levels: Define the product and the way it is tested. EALs range from 1 to 7, with 7 being the maximum and 1 being the minimum
- Target of evaluation: The system or device that is to be reviewed for the Common Criteria certification
- Security functional requirements: Requirements that refer to unique security functions
For Illumio Core, an important part of the evaluation focused on the feature-rich set of auditing and security capabilities. In Common Criteria, the vendor defines the security functionality claims to be evaluated by drafting a Security Target. Within the Security Target, the scope of the evaluation is identified via the Target of Evaluation (TOE). In the case of Illumio Core, the TOE (or scope of evaluation) included the Policy Compute Engine (PCE) and the Virtual Enforcement Node (VEN).
What are NIAP Protection Profiles?
In 2009, the National Information Assurance Partnership (NIAP), the United States' scheme for Common Criteria evaluations, updated their policy to require all Common Criteria certifications to comply with the security requirements directly from approved NIAP Protection Profiles. Previously, Common Criteria functional requirements were defined by individual vendors via the Evaluation Assurance Level (EAL) framework. With the change to NIAP Protection Profiles, the Common Criteria functional requirements are tailored to address the security and testing requirements of a specific technology class (e.g., policy management, firewalls, VPN).
Products undergoing evaluations against a protection profile must comply 100% with the functional requirements specified in the protection profile. It is not acceptable to comply with only 99% of the protection profile – complete and total compliance is required to pass the certification. One way you can up your protection is by having complete endpoint security. The tight security requirements speak to the rigorous and comprehensive nature of the Common Criteria certification noted above. So that brings us to the last point...
Why does the government care about Common Criteria and Protection profiles?
First, for U.S. Defense agencies, Common Criteria certification is mandated by U.S. national security policy NSTISSP #11, which governs the acquisition of information assurance and IA-enabled IT products by the U.S. government. Bottom line, if you are an IT or security vendor wishing to sell products to the DoD for the purpose of protecting National Security Systems (NSS), you must have Common Criteria.
Next, according to the Office of Management and Budget's IT dashboard, the U.S. Department of Defense (DoD) is on track to spend $38 billion on unclassified information technology contracts in the fiscal year 2019. One of the biggest hurdles that commercial vendors must overcome to sell IT products to the DoD is achieving the required government compliance and product security certifications such as Common Criteria. As noted by NIAP: "Products listed on the NIAP Product Compliant List (PCL), which claim compliance with the U.S. Government protection profiles, meet the minimum security levels deemed appropriate by NIST and NSA and should generally be preferred over products which make no such claims."
Additionally, NIAP states: "If an approved U.S. Government protection profile exists for a particular technology area, but no validated products that conform to the protection profile are available for use, the acquiring organization must require, prior to purchase, that vendors submit their products for evaluation and validation...against the approved protection profile."
As you can see, Common Criteria certification based on NIAP Protection Profiles serves as a critical IT compliance check to the U.S. government when it comes to the acquisition of commercial products and solutions.
Finally, many thanks and congratulations go to all the folks on the Illumio product development and engineering teams for this important achievement, as well as the talented team at Cygnacom Solutions for their excellent work as Illumio's NVLAP lab.
For more details on Illumio's Common Criteria and other government security certifications, check out: