Common Criteria Certification

We have learnt here in D.C. that Microsoft will not be attaining Common
Criteria certification of Vista and W2K8. This concerns us greatly, as most
of our clients are Federal agencies that require Common Criteria evaluation.
We will not be able to deploy new OS to these agencies without this CC
certification. Many people will lose their jobs if government can no longer
use Windows. What is Microsoft going to do about this obstacle?
 
You need to ask Microsoft that question. This is a public newsgroup
hosted on Microsoft servers. While some Microsoft employees post
occasionally, the vast majority of regular helpers (like me) are
volunteers who don't work for the company. If you work for a company
that deploys operating systems, then you have a regular channel to
Microsoft licensing and support. Use it.


Malke
 
Thank you for responding, however we have already tried that route
unsuccessfully through our Premier contacts and account executive. It seems
Microsoft is reluctant to discuss this at this time. We are more looking for
responses from other customers or vendors who have heard about Microsoft
pulling the Vista Common Criteria certification and what their plans are to
address it.

Thank you again.
 
Thank you Steve, can you please post your response here? I wish to keep my
email address private, thank you.
 
My gosh, an employee of Microsoft has offered to help you, and must do it
privately, and you refuse?

Good luck.

| Thank you Steve, can you please post your response here? I wish to keep my
| email address private, thank you.
| --
| Kim Jong, MCSE
|
|
| "Steve Riley [MSFT]" wrote:
|
| > Please reply to me privately. I can help you with this.
| >
| > Steve Riley
| > (e-mail address removed)
| > http://blogs.technet.com/steriley
| >
| >
| > > We have learnt here in D.C. that Microsoft will not be attaining Common
| > > Criteria certification of Vista and W2K8. This concerns us greatly, as
| > > most of our clients are Federal agencies that require Common Criteria
| > > evaluation.
| > > We will not be able to deploy new OS to these agencies without this CC
| > > certification. Many people will lose their jobs if government can no
| > > longer use Windows. What is Microsoft going to do about this obstacle?
| > > --
| > > Kim Jong, MCSE
| >
 
I wanted to try to find out from you where you heard this information,
because it's wrong. We are indeed pursuing Common Criteria (ISO/IEC 15408)
certification for both Windows Vista and Windows Server 2008. In fact, we
expect both to be listed at
http://www.niap-ccevs.org/cc-scheme/in_evaluation.cfm in a few weeks.

Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley


 
Steve, this came from someone who is married to a Microsoft person in the
MSRC. (Now you understand why I prefer not to contact you privately.) We were
told that Microsoft has chosen to pursue a different certification but that
it is not the Common Criteria. We know of no other certifications, and we are
close to the NSA here. We can't seem to get any more information than that.
The account team is stymied. Thank you, we will watch for the posting on
CCEVS.
 
To double-check my own understanding, I verified with the program manager
responsible for our participation in certification programs. Common Criteria
evaluation will begin soon.

And speaking of stymied, I'm at a loss to make the link between my knowing
your email and the spouse of an MSRC employee! Just so that everyone here
knows: you are all welcome to email me privately. If I have to forward your
mail to someone else to get an answer, I cut out all identifying information
first. Only I will know your email/phone/blood type/credit
history/temperature of your ass in your chair. :)

Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
 
Thank you for that reassurance. :)

Do you have an anticipated completion date? I imagine others are asking this
question of Microsoft too.

I ask this because the other thing I recall from the conversation that a
couple of us were privy to was that the Vista evaluation is going to consist
of producing a minimal number of security specifications each month (we heard
one spec a month) toward certification, pushing the actual CC completion date
out to the year 2050 or thereabouts. This is what led us to believe that
Microsoft is not pursuing CC certification, despite the appearance of being
"in evaluation" with a CCTL. We are also checking with the NSA and the CCTL
in Maryland to see if we can get more information.

Many thanks again.
 
I would love to know where you get your rumors from, because those people
must be smoking some really great stuff! They probably wouldn't share,
though...

We don't set completion targets because it's largely out of our control when
the evaluation will finish. I do know that completed certification, in a
reasonable time, is our goal. Most certifications take two to three years
after evaluation begins. But for most customers, "in evaluation" is
sufficient for deployment--time lengths for evaluations haven't been
blockers in our experience.

If I get any more details, I'll follow up here.

Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
 
Hello Steve,

From what we're learning, these aren't rumors. My bosses made some headway
today. As I'm sure you know, Steve Lipner is on a different course. It's
common knowledge in the government sector that he's vented his concerns about
CC certification both here and abroad. We've heard him express his doubts
over the years. It's just that now it looks like the decision is more firm,
and he's in favor of piloting some other certification the NSA is sponsoring
(or they themselves piloting). This corroborated the information we received
through that internal channel I mentioned earlier.

This is obviously a sensitive topic, so I'm going to sign off and leave the
rest to the higher-ups.

Thank you again for your assistance.
 
Heya. Just wanted to close this out. You have been hearing some rumors or
poorly-stated information. While it's true that we're exploring a new
evaluation method with NSA, we have no plans now to abandon Common Criteria,
and Steve Lipner has never made such a claim. If in fact this new program
does supersede Common Criteria, that'll be years down the road.

We kicked off our Common Criteria evaluation of Windows Vista and Windows
Server 2008 on 31 July 2007. It's expected to complete in December 2010. You
can see it listed at http://www.niap-ccevs.org/cc-scheme/in_evaluation.cfm.

Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
 
Kim - you are on to something here - we've been having the same discussion
for weeks but I only noticed this post today. Check the Contacts page on the
CCEVS web - you can email the director:
http://www.niap-ccevs.org/contacts.cfm. Even though Vista is listed on the
CCEVS web site we don't think it's getting evaluated for real. The CCTL let
go the entire Microsoft evaluation staff two months ago - we know this
because 10 or 15 resumes from SAIC landed in our office the first week of
June. Everyone was let go but one guy who is a P/T developer and has been
instructed to produce one spec a month. One spec a month! With Vista code
requiring at least 500-1,000 X that it'll be the middle of the century before
an evaluation is done. The former employees from SAIC that we interviewed
wouldn't say much, just that their "current project had ended unexpectedly"
and things like that. I guess they signed some sort of agreement. In a phone
screen we asked one guy who'd only been working at SAIC for a few months why
he was leaving so soon. He'd been hired just to work on the Vista and Longhorn
evaluations but Microsoft had pulled the plug on the project so he suddenly
found himself without a job. We first thought he was lying because this just
doesn't happen but we were wrong.

We think that CCEVS let them sign up for evaluation without really doing any
work - just because they are Microsoft. By producing one spec a month,
Microsoft is doing less than the bare minimum to actually do a real CC
evaluation. So it doesn't matter what is listed on the CCEVS web site right
now. Trust me it isn't going to happen unless other software companies jump
up and down screaming this is not fair and Microsoft does a 180 to save face.
All I know is with all this speculation no one is going to be installing
Vista in D.C. before 2010 when we see that certification.

JimK
 