The criteria are applied to hardware or software whose purpose is to protect information. HP announced that it has already achieved level 4 certification for HP-UX 11i, level 3 for its ProLiant, Integrity and carrier-grade servers, and level 1 for Tru64 UNIX V5.1A. Level 2 certification testing is currently underway for several HP OpenView modules, including Network Node Manager, the heart of the product, and Operations for UNIX.
The government is planning to apply the Common Criteria for all IT procurement for all agencies, according to Sai Allavarpu, director of product management and marketing for HP’s identity management and security products. He added that agencies across Europe and Asia are considering imposing similar guidelines.
Over the next 12 to 18 months, HP intends to submit most of the rest of the OpenView stack, including Service Desk, identity management, change management, configuration management and software distribution.
The Common Criteria address areas including configuration management, delivery and operation, development, guidance documents, life cycle support, tests and vulnerability assessment. The Common Criteria include seven levels of certification that are similar to the five levels of software engineering maturity assessed by the Capability Maturity Model (CMM).
Level one, the most basic, examines a product to ensure that it conforms to documented claims. From there the criteria step up in severity: they test the structure of the product, evaluate the product from the design stage forward, and at the top give assurance that the product has closed all the back doors and can withstand high-risk environments.
From a practical standpoint, above level 4, products generally have to be designed from scratch to meet the criteria. Vendors pay for tests conducted by independent labs, which are in turn certified to award certifications.
Although the certification is intended as a way to qualify software for federal procurement, according to Allavarpu, it can also apply to private-sector companies, such as financial services, telco or aerospace firms, that act as government contractors.
HP is hardly alone in seeking certification. Virtually every major platform vendor has submitted or is submitting one or more of its OSs for Common Criteria, from IBM to Sun, Apple, Red Hat and even Microsoft. Others in the club include BMC Patrol for systems management; Symantec for intrusion detection; Trend Micro for antivirus; Groove Networks (recently acquired by Microsoft) for software encryption; RSA for certificate authority; Canon, Sharp, and Xerox for multi-function copier/printers; and Juniper Networks for routers.