Introduction to certification authorities for trusted computing in military and avionics products
ASHBURN, Va. – In the world of security and trusted computing, there are many different disciplines involved, from cyber security to safety certification. With a constantly evolving set of standards and possible certifications, it can be confusing to understand what certifications might apply to your system, which of those are worthwhile, and what the important aspects are when considering certification or certified products.
Several certification authorities are involved in trusted computing, each overseeing a different discipline. Deciding when to engage each of them, and which of them are relevant in the U.S. and in international markets, can be a challenge.
The National Institute of Standards and Technology (NIST) manages a myriad of standards across many industries, several of which bear on trusted computing, including the approved cryptographic algorithms and the special publications that define the Risk Management Framework (RMF).
Here are some of the certification programs related to trusted computing in military and avionics applications that are administered by NIST.
The Cryptographic Module Validation Program (CMVP) is administered jointly by NIST and the Canadian Centre for Cyber Security (CCCS). Under it, accredited independent laboratories test cryptographic modules for conformance to FIPS 140-2, Security Requirements for Cryptographic Modules. For a stand-alone cryptographic module, this validation demonstrates thorough testing and gives customers confidence in the security and implementation of the module's cryptographic algorithms. FIPS 140-2 defines four security levels (1 to 4); higher levels add requirements such as role-based and then identity-based operator authentication, tamper evidence, tamper response with key zeroization, and tighter control of the operating environment. Vendors therefore need to apply for the level their market requires, and customers need to verify that a product's certificate covers that level. Two practical caveats: a certificate applies to a specific module version, operating environment, and approved mode of operation, so a product that ships the module in a different configuration is not covered by it; and NIST has since begun transitioning CMVP to the successor standard, FIPS 140-3, so designers planning a new submission should confirm which revision applies.
The Cryptographic Algorithm Validation Program (CAVP) verifies that individual cryptographic algorithms (AES, SHA-2, RSA, and so on) have been faithfully implemented, in hardware or software, by having an accredited laboratory run the implementation against NIST-generated test vectors and compare its outputs with the known answers. Algorithm validation is a prerequisite for module validation under CMVP. System designers can select the subset of algorithms, modes, and key sizes to be validated, and NIST maintains the lists of accredited testing laboratories and of validated algorithm implementations.
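A minimal known-answer-test (KAT) harness, added here as an illustration and not code from the article, from Curtiss-Wright, or from NIST's CAVP tooling, shows the conformance check that underlies CAVP algorithm validation and the power-up self-tests that FIPS 140-2 requires of a validated module: the implementation under test is run against published test vectors and its output is compared with the known answer. The vectors are the published SHA-256 examples from FIPS 180-4 and test case 1 from RFC 4231; `broken_sha256` is a constructed, deliberately wrong implementation used only to show that the harness reports a mismatch. Real CAVP testing uses NIST-generated vector sets delivered through the Automated Cryptographic Validation Protocol (ACVP) and covers far more cases per algorithm.

```python
"""Known-answer-test (KAT) harness: run an implementation against published
test vectors and report any mismatch.  Added example; not CAVP tooling."""
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Tuple

# Published vectors.  SHA-256 examples from FIPS 180-4 (and the NIST example
# files); HMAC-SHA-256 vector from RFC 4231, test case 1.
SHA256_VECTORS: List[Tuple[bytes, str]] = [
    (b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    (b"",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]
HMAC_SHA256_VECTORS: List[Tuple[bytes, bytes, str]] = [
    (b"\x0b" * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def sha256_impl(msg: bytes) -> bytes:
    """Implementation under test (here simply the standard library)."""
    return hashlib.sha256(msg).digest()


def hmac_sha256_impl(key: bytes, msg: bytes) -> bytes:
    """Implementation under test for HMAC-SHA-256."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def broken_sha256(msg: bytes) -> bytes:
    """Constructed faulty implementation: returns the digest byte-reversed,
    the kind of endianness bug a KAT exists to catch."""
    return hashlib.sha256(msg).digest()[::-1]


def run_kat(name: str, impl: Callable[..., bytes], vectors) -> List[str]:
    """Run every vector through impl; return a list of failure descriptions
    (an empty list means the implementation passed this KAT)."""
    failures: List[str] = []
    for vec in vectors:
        *inputs, expected_hex = vec
        expected = bytes.fromhex(expected_hex)
        actual = impl(*inputs)
        # compare_digest avoids an early-exit comparison; harmless here but the
        # right habit for anything that compares MAC or digest values.
        if not hmac.compare_digest(actual, expected):
            failures.append(
                f"{name}: input {inputs!r}: expected {expected_hex}, "
                f"got {actual.hex()}"
            )
    return failures


def self_test(
    impls: Optional[Dict[str, Tuple[Callable[..., bytes], list]]] = None,
) -> Dict[str, List[str]]:
    """Power-up style self-test: every registered algorithm must pass its KAT.
    Returns {algorithm name: failures}; all lists empty means the module may
    enter its approved mode of operation."""
    if impls is None:
        impls = {
            "SHA-256": (sha256_impl, SHA256_VECTORS),
            "HMAC-SHA-256": (hmac_sha256_impl, HMAC_SHA256_VECTORS),
        }
    return {name: run_kat(name, impl, vecs) for name, (impl, vecs) in impls.items()}


def all_passed(results: Dict[str, List[str]]) -> bool:
    """True only if no algorithm reported a failure."""
    return all(not failures for failures in results.values())


if __name__ == "__main__":
    results = self_test()
    print("self-test:", "PASS" if all_passed(results) else "FAIL")
    for line in run_kat("broken SHA-256", broken_sha256, SHA256_VECTORS):
        print("KAT failure ->", line)
```

A module that fails any KAT at power-up must refuse to enter its approved mode rather than log the failure and continue; the harness returns the failures rather than raising so that the caller can make that decision and record which algorithm was at fault.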
The Risk Management Framework (RMF) is a process for managing security risk in federal information systems. Beyond assessing risk, the RMF covers categorizing a system, selecting and implementing controls to mitigate risk, assessing those controls, authorizing the system to operate, and then monitoring it continuously. While NIST maintains the framework in its special publications (SP 800-37, SP 800-53, SP 800-53A, SP 800-60, SP 800-137, and supporting documents such as SP 800-34 and SP 800-61), NIST does not itself assess or certify systems under the RMF. Programs should be assessed under the guidance of SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations. Each department or agency determines who provides oversight, typically a designated authorizing official, who signs off on a completed assessment to grant the system its authorization to operate.
The Common Criteria (CC), standardized internationally as ISO/IEC 15408 and mutually recognized under the Common Criteria Recognition Arrangement (CCRA), is a framework for evaluating products against a defined security target (ST) containing security functional requirements (SFRs). Normally, a product's ST draws most of its content from an already defined protection profile (PP) for that class of product. The product is then evaluated against its ST and SFRs at an independent laboratory. An Evaluation Assurance Level (EAL) from EAL1 to EAL7 may also be claimed. The EAL dictates the rigor of the evaluation, with higher levels examining the entire development process of the product and the highest levels requiring formal (mathematical) verification of the security design. It is important to remember that a higher EAL does not mean a more secure product; it only indicates a higher level of confidence that the security claims were verified. Because CC certification by itself states only that the evaluated product meets its own ST and SFRs, vendors must select and define, and customers must scrutinize, the ST and SFRs of any product to ensure that the defined capabilities meet the security needs of their system and have been evaluated to the appropriate level of confidence.
The National Information Assurance Partnership (NIAP) manages CC certification of commercial off-the-shelf (COTS) products in the U.S. NIAP works with accredited testing laboratories to perform CC evaluations and maintains the list of validated products. Note that NIAP evaluates products only against NIAP-approved protection profiles, so a vendor targeting U.S. government customers should build its ST around the applicable PP rather than around a vendor-selected EAL.
The Defense Information Systems Agency (DISA) within the U.S. Department of Defense (DOD) helps ensure the continued operation and security of the DOD Information Network (DODIN). DISA also maintains the repository of Security Technical Implementation Guides (STIGs), configuration baselines that help secure computing systems. STIGs range from general (for example, a security requirements guide for a class of operating systems or applications) to product-specific. DISA does not perform certification, but it maintains the set of STIGs used to secure DOD systems and approves each submitted STIG before adding it to the list. Vendors who want product-specific STIGs for their own products can develop them and submit them to DISA for approval and inclusion.
Commercial Solutions for Classified (CSfC) is a U.S. National Security Agency (NSA) program that layers independently CC-certified commercial components, according to NSA-published capability packages, into a solution approved to protect classified data on National Security Systems (NSS). NSA may impose additional requirements on a component, or require specific CC protection-profile selections, before it is included on the CSfC components list. A designer should therefore start discussions with NSA about CSfC before going through CC certification of the individual components of a planned CSfC solution. CSfC offers an alternative to NSA-certified Type 1 cryptography, but it brings tradeoffs that affect product life cycle (for example, keeping the components' CC and CSfC listings current), key-management requirements, and product classification.
RTCA DO-178C / EUROCAE ED-12C, Software Considerations in Airborne Systems and Equipment Certification, is the design assurance guidance that the U.S. Federal Aviation Administration (FAA) and its European counterpart accept for approving the airworthiness of aviation software. It details requirements for the software life cycle: planning, development, verification, structural test coverage (statement, decision, and modified condition/decision coverage at the highest levels), and configuration management. Software is assigned one of five levels, commonly called design assurance levels (DALs), according to the severity of the consequences of its failure, with Level A indicating a catastrophic failure condition and Level E indicating no effect on safety. Since DO-178C shapes the entire software development process, understanding its requirements before starting development is essential.
RTCA DO-254 / EUROCAE ED-80, Design Assurance Guidance for Airborne Electronic Hardware, is the hardware counterpart to DO-178C and provides guidance for certifying complex electronic hardware (such as FPGAs and ASICs) that can affect flight safety. As with DO-178C, five levels of criticality (A to E) exist, and the DO-254 guidance can shape the entire hardware development process. The requirements for DO-254 compliance should be understood before beginning development of a new complex hardware avionics component.
David Sheets is senior principal security architect at Curtiss-Wright Defense Solutions in Ashburn, Va. Contact him by email at [email protected].