CA announced that three of its leading mainframe security management software products, CA ACF2, CA Top Secret r14 and CA Compliance Manager for z/OS r1, are officially in evaluation for EAL4+ certification under the Common Criteria international security standard. Common Criteria evaluation is mandated for commercial information security products purchased by the U.S. government for use in national security systems.
The three CA products have cleared the first, pre-evaluation stage of the certification process and have advanced to the "in-evaluation" stage, where their specific security functionality will be tested against a set of predetermined requirements. Common Criteria certification is granted when a Common Criteria testing laboratory determines that a product meets the security requirements claimed for it. The evaluation addresses product functionality, the development environment, documentation and product testing measures.
The Common Criteria status is a benchmark that can be referenced by private-sector businesses as well, Kirk Willis, vice president of mainframe security management at CA, tells 5 Minute Briefing. "The Common Criteria is an international framework for security that has been recognized by the consuming countries in the Common Criteria Recognition Agreement," he says. "Some financial institutions have started adding CC as a 'nice to have' in RFPs and RFIs. With the private-sector adoption of DoD standards as documented in the Security Technical Implementation Guides (STIGs), we have had inquiries from a few of our larger mainframe security sites. We expect this trend to continue as the DoD standards are becoming more widely adopted for regulatory mandates, audits and compliance."
Common Criteria evaluation looks at the product's development environment and deployment guidance as well as the product itself, but its scope is defined precisely, Willis adds. "Common Criteria only applies to the Target of Evaluation (TOE) defined for the specific evaluation," he says. "At the EAL4+ level of evaluation, tools and techniques for developing the product, as well as source code, are considered as part of the evaluation. The solution's deployment process, as described in the documentation, is also evaluated. CA strongly recommends choosing the highest security settings within each product. We also offer a best practice guide that helps customers properly implement these controls. In addition, we offer our customers implementation reviews to confirm that they have implemented CA ACF2 or CA Top Secret to our recommended settings without compromising performance."
Common Criteria is recognized by governments in more than 26 countries. CA ACF2 and CA Top Secret provide comprehensive access control for IBM z/OS resources across operating systems, subsystems, third-party software and databases, including externalized security controls for CICS, DB2, Unix System Services (USS) and IMS. They enable organizations to monitor and adjust their security policies and accommodate virtually all organizational structures.
CA Compliance Manager for z/OS is the first platform-resident solution to provide real-time policy management of security and compliance events across the z/OS environment and mainframe security subsystems. It consolidates real-time and historical monitoring of select system events and security events to safeguard IT environments. CA ACF2 and CA Top Secret also work with CA Compliance Manager to provide a single view of compliance for the mainframe.
All three solutions are part of CA's Mainframe 2.0 initiative, which aims to simplify mainframe ownership and to support the generational shift in mainframe management staffs.
CA SiteMinder, CA eHealth Performance Manager and CA NSM are among the CA products most recently evaluated under the Common Criteria. Additional CA products currently in evaluation include CA Access Control and CA Identity Manager.
The evaluation of CA software will be performed by Booz Allen Hamilton's Common Criteria Testing Laboratory (CCTL). For more information, visit the CA website.