Our friends over at the FutureFed blog reported that Windows 7 has passed the Common Criteria (CC) certification process and achieved Evaluation Assurance Level 4 with augmentation (EAL4+). Common Criteria certification is an international standard recognized by 26 member nations including the United States and is a procurement requirement for U.S. Defense and national security customers.
With this certification, we are excited that our federal customers, as well as foreign governments, can feel secure in deploying Windows 7, which has successfully passed the rigorous security testing protocols set forth by the National Information Assurance Partnership.
Several governments have already successfully deployed Windows 7, including the Moscow North District Prefecture in Russia, the Vernon Hills Police Department in Chicago, Illinois, the City of Miami, Florida and the City of Stockholm, Sweden.
This is exciting news, but not surprising as Windows 7 is our most secure operating system to date. In addition to enhancing existing security features in Windows, we incorporated customer feedback throughout the development process of Windows 7 to deliver innovative new security features, including Direct Access, AppLocker and BitLocker To Go.
Congratulations, Windows 7!
"Direct Access"? Is that when you use a live distribution to change/remove user passwords or enable the administrator account?
Now someone direct us to the SCAP content and GPO settings required to achieve this level of security. That would be a nice starter.
As for the CC process, it's a big WASTE of time and the security industry knows it. Whose dollars fund the CC process? Let's see, IAD and NIST perhaps? Hmm, so that means we the taxpayers are ultimately paying for this process in the end?
WOW so I am curious why we the taxpayers pay for Apple, Microsoft and others to have their OS security tested. All that testing and we still have zero day flaws... Help me, have I missed something of value here?
Perhaps I am jaded by overexposure to the U.S. government's failure to pay the bills with my tax dollars. A simpleton could invest social security money in Wall Street and we waste dollars on a silly CC program... I give up!!!!
Congrats, I know that can be a lot of work.
But (pet peeve alert) -- it is very imprecise to say Windows 7 passed Common Criteria certification. You leave out the single most important detail - the CC protection profile (PP). There are a lot of different CC evaluations; for all I know from this post (and the one in FutureFed as well), this could be a simplified PP (the somewhat joking remark above reflects this). If you go to the trouble of giving the EAL (e.g. how much effort was taken to prove your compliance), don't you think it is worthwhile to provide the criteria it was evaluated against?
Aside -- for those who don't know the history, the first public Orange book certification of Windows NT (3.51?) was only valid without the networking drivers. So I take it as kind of a typical snide remark, but woefully out-of-date as the last several versions of Windows have been successfully evaluated with most of the stack including networking features.
Even after 5 minutes of clicking on the various links provided at the FutureFed site, I could not determine which PP was used. Perhaps grisutheguru has a point beyond the snarky humor -- just what was evaluated?
As with all prior Common Criteria certifications of Windows, network connection is included.
With or without network connection?