Common Criteria Certification
Common Criteria is an internationally approved set of security standards (ISO 15408) which provides a transparent and consistent evaluation of the security capabilities of IT products. A Common Criteria evaluation gives customers third-party assurance that the product which they are purchasing provides the functionality and security that it claims to provide.
By providing an independent assessment, Common Criteria increases customer confidence and helps buyers make more informed purchasing decisions. Once completed, Common Criteria certifications are mutually accepted by 26 countries through Common Criteria Recognition Agreement (CCRA).
Common Criteria certification of security products is mandated by the U.S. Government for all federal purchases.
Evaluated Configuration - Sensage 4.6.2 Event Data Warehouse
The following security functions were analyzed, documented and tested:
Involves recognizing, recording, storing, and analyzing information related to security relevant activities.
Provides timely visibility into events that may require immediate attention or further investigation through logging or sending alerts.
Cryptographic Support and Protection of the TOE Security Functions
Analysis of the cryptographic key management and cryptographic operation of the boundary evaluated. Provides confidentiality and integrity to both stored data and data being transferred between separate parts of the product by using SenSage’s FIPS 140-2 evaluated module.
User Data Protection
Requirements related to protecting user data are specified in this section. Enforces Access Control policy as defined by the administrator, and based on the permissions of Subjects and Objects.
Identification and Authentication
Analysis of the functions used to establish and verify a claimed user identity. This ensures that users are associated with the proper groups, roles, etc. Provides identification and authentication of all users.
Specifies the management of security function data, security attributes, and defines security roles. Manages and enforces roles and permissions.
Common Criteria FAQ - Frequent questions about Common Criteria and the validation process
Common Criteria Recognition Agreement - Common Criteria is mutually recognized and accepted by 26 countries around the globe
ISO 15048 - Common Criteria is an internationally recognized standard
Federal Directives - Department of Defense Instructions and Directives that mandate Common Criteria for IA products purchased by government agencies
FIPS 140-2 Validation
The National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP) that validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2 and other cryptography based standards.
The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC). The main website for the NIST/CSEC CMVP is hosted by NIST, and contains complete details on the program, all the related standards and documents, as well as the official lists of FIPS 140-2 validated cryptographic modules.
FIPS 140-2 refers specifically to the security requirements for cryptographic modules. The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. A complete description of each level can be found within the FIPS 140-2 publication found on the NIST website (FIPS PUB 140-2).
Cryptographic Modules validated as conforming to FIPS 140-2 are mandated by the Federal Agencies of the United States and Canada for the protection of sensitive information.
Configuration Under Evaluation, “In Process” Status
Sensage 4.6.2 Event Data Warehouse Crypto Core Module
The FIPS 140-2 evaluation in process includes the following areas:
Cryptographic Module Specification
The Crypto Core Module is a software-only module that operates within Sensage’s Event Data Warehouse solutions.
Roles and Services
The module offers both a Crypto-Officer and a User Role. The module was validated to ensure proper user functions and limitations available within each user role.
The Sensage Crypto Core Module has been tested and validated while running on RedHat Enterprise Linux 5.1 and 5.5.
Cryptographic Key Management
A number of FIPS-Approved algorithms have been implemented and were tested for this module including AES, TDES, RSA, DSA, SHA-1, and HMAC.
Power-up and conditional self-tests are implemented to ensure that the module is functioning properly at startup and continues to operate properly while in use.
Validates the use of best practices during the design, deployment, and operation phases of the cryptographic module.
FIPS 140-2 FAQ - Frequent questions about FIPS 140-2 and the validation process
ISO/IEC 19790 - The requirements of this international standard are based on FIPS 140-2