Existing assurance standards: FIPS 140 and CC


A small niche of computer systems need high assurance of correctness. A system may in fact be free of bugs, but if it is not known whether it is, then any risk analysis must make a worst case assumption that bugs may be present. Assurance has a role in evaluating the risk associated with deploying systems. Risks can be social (voting machines, data protection), life threatening (automobile software, medical equipment) or commercial (secure digital rights management, financial processing).

There are various standards offering a spectrum of degrees of assurance, with the highest levels requiring formal methods. For example, Level 4 assurance is described in Section 4.10.3 of FIPS 140-2 as follows:

A standard that is more general than FIPS 140, because it applies to all security IT products and not just encryption modules, is the Common Criteria (CC), whose highest level is Evaluation Assurance Level 7 (EAL7). This is somewhat weaker than FIPS Level 4, but it does require some formal analysis of the Target of Evaluation (TOE). Section 5.9 of Part 3: Security Assurance Requirements (v2.2) of the Common Criteria says:

Assurance standards like FIPS 140 and CC are sometimes criticised for delivering results that are misleading. A vendor may procure an evaluator who will give it an easy ride, and the organisation that licenses the evaluator may be reluctant to punish abuse in case doing so brings the whole evaluation system into disrepute. There is a good discussion of this in Chapter 23 of the textbook Security Engineering by Ross Anderson.


Page maintained by Mike Gordon
Sun Mar 27 2005