After a nearly three-year process, Microsoft Corp. said Tuesday that its Windows 2000 operating system has been certified as secure through an evaluation process that was developed through the cooperative efforts of 15 national governments worldwide.
The certification means Windows 2000 with Service Pack 3 can be used as part of sensitive government security systems without buyers having to get special waivers from the National Security Agency or pass additional testing. Those security systems would be handling sensitive or classified data at government agencies including the U.S. Department of Defense and civilian contractors.
The certification does not mean the software is now bulletproof, but means the testing has confirmed the code is working as advertised.
Microsoft admitted that the certification has no direct implications for non-government users beyond the awareness that the software has passed the test. But the company says that fact is confirmation that the vendor has been working hard on security even before it announced its Trustworthy Computing initiative in January.
"This is a demonstration that many aspects of the things that lead to trust, security being a notable one, are things that we have paying attention to for some period of time," said Microsoft CTO Craig Mundie, during a news conference to announce the certification. "For people who have concerns on an ongoing basis about our level of investment or focus on these questions about all the things that ultimately lead to security in computer systems, this is pretty strong testimony to the level of effort we have been applying."
The security certification is defined by the Common Criteria for Information Technology Security Evaluation (CCITSE), which is known in government circles as Common Criteria certification. The CC certification is a globally recognized ISO standard for evaluating security features in computer software.
Nearly 75 products have passed the CC evaluation. SGI in June of this year had its Trusted IREX 6.5 and its standard IREX 6.5 operating system certified. Sun has had two versions of its operating system CC certified. Solaris 8 was certified, as was a "trusted" version with strong access control, security labels and software compartmentalization. Oracle has had versions 7, 8, and 8i of its database evaluated and certified.
Those products along with Windows 2000 received an Evaluation Assurance Level 4 (EAL4), which is described as "the highest level at which it is likely to be economically feasible to retrofit to an existing application." As part of the evaluation, source code is examined and the vendor has to be prepared to "incur additional security-specific engineering."
EAL4 is the highest CC certification level doled out for the 75 products tested to date, and is the highest level that's recognized by all CC country signatories. Above that, vendors are likely to see specific demands from individual countries.
Although complex to decipher, the EAL scheme basically says EAL1 is appropriate when requirements for security are "not serious." EAL2 ups the ante in asking the product developer for design information and testing "consistent with good commercial practice." At EAL3, the product is going to be "methodically tested and checked" in a CC-accredited lab in a search "for obvious vulnerabilities."
Mundie said the certification process cost Microsoft "many millons of dollars," but would not disclose a specific amount. Other companies have reported similar costs. The independent evaluation was performed by the Science Applications International's (SAIC's) Common Criteria testing lab, which is one of two-dozen certified and accredited to perform the testing.
Windows 2000 is the first Microsoft product to be CC certified. Mundie said Windows XP and Windows .Net Server would also be put through the certification process. He said SQL Server, which is currently certified as C2 under the government's Orange Book system, is not currently slated to be submitted for CC evaluation.
Microsoft also went a step further, including certification of a number of services within the operating system including multi-master directory services, L2TP/IPSec-based virtual private networking, and single sign-on.
To supplement the CC certification, Microsoft will introduce resource materials and tools to provide guidance in the deployment and operation of Windows 2000 in secure network environments.
The company also received the highest level of Systematic Flaw Remediation certification for Window 2000 as issued by the National Information Assurance Partnership (NIAP). The certification means that the Microsoft Security Response Center (MSRC) meets the requirements for tracking and fixing problems with the software.
Microsoft officials say no other company has certified a procedure for ongoing software maintenance.
As an international movement, CC has expanded since it began as a collaborative effort by five countries in 1996. Today, 15 nations formally recognize Common Criteria.
In the U.S., the mandate to buy CC-evaluated products stems from a directive issued two years ago by the National Security Agency (NSA). The directive called The National Security Telecommunications Information Systems Policy No. 11 (NSTISP#11), primarily affects buying habits in the Department of Defense. But civilian agencies and outside government contractors that process sensitive government data also need to comply.
In July, NSA ordered that all new national security systems have to run operating systems, applications, firewalls and other security equipment that have passed the stringent testing spelled out in Common Criteria.