OPINION / An argument for leveraging commercial third-party assurance programs in government procurement of off-the-shelf products
By Al Potter
“Government computers” (the employees who operate or procure government computing equipment) are all too familiar with compliance requirements. Where these mandates are in effect, they consist of requirements to satisfy specific government standards, such as FIPS 140-2 for cryptographic modules, and there is typically very little latitude or “wiggle room” in the compliance mandate. In other words, if you are procuring or otherwise deploying IT assets and are subject to these requirements, you must comply, and your product choice is restricted to approved or certified products, components or solutions. Other third-party assurance programs, commercial or otherwise, which are independent of the government’s programs, do not satisfy these government compliance requirements. End of story, right? It doesn’t have to be…
Consider the cases where the purchase or deployment scenario is not formally subject to the aforementioned compliance requirements. While the “government computer” does not in these cases have to comply with a specific mandate, the individual does have a responsibility to make the best possible decisions when selecting products. Government routinely takes advantage of the scale of the worldwide commercial marketplace through procurement and deployment of commercially available products, otherwise known as commercial off-the-shelf (COTS) solutions, and many of these software and hardware products are deployed in those mandate-free scenarios. Why then should a procurement officer not take the same type of advantage by considering commercial third-party assurance programs in their procurement actions? It’s clear that although they do not have to, they could and should in order to reduce risk.
ICSA Labs, an independent division of Verizon Business, has more than 20 years of experience providing third-party product assurance in the commercial sector. The recently published ICSA Labs Product Assurance Report (available at http://www.icsalabs.com/whitepaper/report) discusses trends uncovered from testing thousands of security products.
The results in the report are stunning: 96 percent of the products tested failed to satisfy certification requirements on their first pass through the testing process. Of those products tested, only 82 percent eventually satisfied certification requirements.
It is important to note that it is an ICSA Labs requirement that a product be commercially available before it is submitted for testing. In other words, the products that failed their initial certification tests (96 percent of those submitted) were all shipping COTS products at the time of their test. It becomes clear that in the absence of third-party assurance to the contrary (such as an ICSA Labs certification seal), confidence in the security of COTS products is misplaced. Since government is a major purchaser of COTS products, this misplaced confidence is clearly not limited to the commercial sector. Yet, in the absence of a mandate for compliance with government assurance requirements (FIPS 140-2, et al.), there is no requirement for government to consider commercial third-party assurance when procuring COTS products. That doesn’t mean it’s not a good idea.
As discussed above, in the deployment scenarios within the government sector where high degrees of confidence in product are desirable, compliance with the standards of government programs is mandatory. These government third-party assurance programs all contain provisions for the qualification and accreditation of the third party itself, in most cases a testing laboratory. For example, the FIPS 140-2 program requires that the labs performing the testing be accredited to ISO 17025 (i.e., general requirements for the competence of testing and calibration laboratories), by the National Voluntary Laboratory Accreditation Program (NVLAP), operated by the National Institute of Standards and Technology (NIST). Government is thereby assured that the lab is competent to perform the tests within the scope of the accreditation.
ICSA Labs is accredited by NIST under ISO 17025 (NVLAP Lab code 200697-1) for FIPS 140-2 and other government testing, and will soon be the first commercial laboratory in the U.S. accredited under ISO 17025 to perform testing of information security products outside the government sector. “Government computers” rely on mandated testing and certification programs to ensure confidence in their products, and by reviewing certification testing reports produced by ICSA Labs, consumers can do the same. The end result is that consumers, be they commercial or government, who review certification testing reports produced by ICSA Labs can have a level of confidence in those reports equivalent to the confidence government places in analogous reports produced under the umbrella of government-mandated testing and certification programs.
Even though not mandated, “government computers” can clearly enjoy increased confidence in COTS products they are acquiring and deploying if they restrict the field of products under consideration to those bearing the seal of commercial third-party assurance. In those cases where “government certification” is an absolute requirement, there is nothing to prevent giving preference to those products that also bear commercial third-party assurance certification marks, effectively using the commercial certification program as either a pre-screening mechanism or an additional layer of security assurance.
Giving preference to commercially certified products costs the government nothing. It serves to increase confidence in the selected product without delaying the procurement or deployment process and provides an additional layer of risk reduction, all while leveraging the existence and scale of commercial programs. Given all that: why would government not give more weight to commercial third-party assurance programs?
Al Potter is the senior consulting analyst for ICSA Labs. He can be reached at: [email protected]