IBM and atsec achieve independent certification of Red Hat Enterprise Linux 5 at Common Criteria EAL4+ under NIAP scheme

2007-06-25

atsec information security is pleased to announce that the U.S. National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) has certified Red Hat Enterprise Linux 5 as conformant to EAL4+ and the following Protection Profiles: Controlled Access Protection Profile (CAPP), Role Based Access Control (RBAC) Protection Profile and Labeled Security Protection Profile (LSPP). The operating system is certified on several IBM server platforms. The evaluation work was performed by atsec information security corporation, and the effort was sponsored by IBM.

Steve Walker, President of Walker Ventures, founder and former President of Trusted Information Systems Inc., commented: “Since the origins of the Orange Book, it has always been our goal that trusted or multi-level secure systems would be implemented as part of mainstream operating systems. And so I am very pleased to see that Red Hat's Enterprise Linux has now been certified to the Common Criteria EAL4 and LSPP and that the evaluation was completed just a few months after the operating system's release. This shows that mainstream operating systems like Linux are capable of achieving higher levels of trust and our evaluation procedures have matured to the point that such evaluations can be done in a timely manner. This is a very positive development in the evolution of computing systems!”

The completion of this evaluation adds to atsec’s unparalleled reputation for timely completion of Linux evaluations. Since August 2003, atsec has initiated and completed fourteen Linux evaluations at EAL3+ and EAL4+ for five different Linux distributions on a large range of hardware platforms. atsec’s customers have valued atsec’s record of timely completion of projects in conjunction with development schedules in order to reach their markets effectively and take the maximum benefit from their evaluation investment.

Dan Frye, vice president of open systems with IBM, commented earlier in an infoworld.com article: "This is the highest level of security function that anybody has," Frye said. "We have delivered LSPP (Labeled Security Protection Profile) functionality in Red Hat Enterprise Linux 5, and we have certified that at the EAL4 level of assurance."

atsec has extensive experience with the Common Criteria. Applying the methodology to Open Source Software has presented the opportunity to demonstrate that although rigorous, the Common Criteria can be flexible and adaptable to a variety of software paradigms; for instance, it was possible to evaluate existing product and design documentation without the need to refactor this evidence specifically for the evaluation.

Fiona Pattinson, Lab Manager for atsec U.S., notes: “atsec is proud to be the first lab to evaluate a Linux product with the SE-Linux security enhancement against the Controlled Access Protection Profile (CAPP), Role Based Access Control (RBAC) Protection Profile and Labeled Security Protection Profile (LSPP). As Linux industry experts have noted, this evaluation is particularly important because it represents a historic opportunity to integrate security features previously specific to the security Linux branch back into the mainstream commercial Linux branch.”

atsec is one of only four companies worldwide that is accredited to perform evaluations under more than one national scheme. atsec labs have been accredited by NIAP CCEVS in the U.S., BSI in Germany, and CSEC in Sweden to perform evaluations using the Common Criteria standard. Eligibility to perform evaluations under multiple schemes and the availability of a large (50+) staff of qualified evaluators enable atsec to offer its customers both maximum flexibility and proven expertise and experience in Common Criteria evaluations. For more information about atsec’s qualifications and competence, see www.atsec.com. For independent confirmation of atsec’s competence and reputation, visit the NIAP, BSI or CSEC websites.

About atsec information security
atsec information security is an independent, standards-based IT (information technology) security consulting and evaluation services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec was founded in Munich (Germany) in January 2000 and has extensive international operations with offices in the US, Germany, Sweden, the UK, and China. atsec leverages its deep security, process, and standards expertise to consult on a wide range of IT security needs, enabling clients to establish integrated security management procedures in order to manage security risk and improve data, product, and business process reliability. atsec works with leading global companies such as IBM, HP, Oracle, Cray, BMW, SGI, Vodafone, Swisscom, RWE, and Wincor-Nixdorf. For more information please visit www.atsec.com.