Validated Product - Xacta IA ManagerTM Enterprise Edition V4.0 SP2, Build 485

Certificate Date: 14 January 2005

Validation Report Number: CCEVS-VR-05-0085

Product Type: Security Management

Conformance Claim: EAL2

PP Identifiers: None

CC Testing Lab: CygnaCom Solutions, Inc


PRODUCT DESCRIPTION

The Target of Evaluation (TOE), Xacta IA Manager Enterprise Edition V4.0 SP2 (Xacta IA Manager), build 485, is an information security risk management software application.

By defining the network or system configuration and the environment in which it operates, Xacta IA Manager automatically engages the appropriate security requirements according to government and/or industry best practices. The software then generates the appropriate test procedures, processes the test results, produces a risk assessment, and allows the user to automatically publish a complete certification and accreditation (C&A) package, including all appendices.

Supported commercial risk assessments, or United States Government-specified C&A projects, include those conducted in accordance with the National Institute of Standards and Technology (NIST); the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP); the National Information Assurance Certification and Accreditation Process (NIACAP); or the Director of Central Intelligence Directive (DCID). Through the software's automation of these formal processes, organizations can validate their compliance with United States Government mandates, such as the Federal Information Security Management Act; the Health Insurance Portability and Accountability Act; the Gramm-Leach-Bliley Act; and the Privacy Act of 1974. In addition to traditional security assessment and compliance, the software provides continuous assessment of the network and system security posture to ensure emerging threats are mitigated prior to an attack.

The Xacta IA Manager TOE has four primary components as follows:
  • Application Server - the core risk and compliance engine;
  • Detect Server - performs discovery, vulnerability, and collection scans over a defined network address range;
  • Publishing Server - produces printable risk and compliance assessment results;
  • Graphical User Interface - allows user and administrator access to the application server via a browser.

The evaluated configuration of Xacta IA Manager included all these components installed on the same physical machine running Microsoft Windows 2000 Server, with Oracle 9i as the supporting database management system. This underlying OS, DBMS, and hardware are not part of the TOE; therefore no security characteristics of them were analyzed.

SECURITY EVALUATION SUMMARY

The Xacta IA Manager TOE was evaluated against the Common Criteria for Information Technology Security Evaluation, Version 2.2, by the CygnaCom Solutions Common Criteria Testing Laboratory (CCTL). The evaluation methodology used was the Common Methodology for Information Technology Security Evaluation, Version 2.2. The CCTL concluded that the TOE was Common Criteria Part 2 and Part 3 conformant, and recommended that an EAL2 certificate be issued. The validation was conducted by NIAP's Common Criteria Evaluation and Validation Scheme (CCEVS). The evaluation was completed on January 14, 2005.

ENVIRONMENTAL STRENGTHS

The Xacta IA Manager TOE provides security features associated with the following CC Part 2 classes:


  • Class FAU: Security audit - The TOE provides its own auditing capabilities separate from those of the underlying operating system, including the ability to search, sort, order, and view its own audit records.
  • Class FDP: User data protection - The TOE supports an access control policy that applies to subjects and objects. This access control policy is separate from that of the underlying operating system.
  • Class FIA: Identification and authentication - The TOE provides user identification and authentication through the use of user accounts and the enforcement of password policies.
  • Class FMT: Security management - The TOE provides security management through the use of the administrative interface. The ability to manage various security attributes is controlled through the enforcement of the TOE access control policy.
  • Class FTA: TOE access - Prior to the establishment of a user session, the TOE causes a warning message to be displayed regarding unauthorized use of the TOE.

Vendor Information

Xacta Corporation
David Wilson, Vice President, Product Management
703.726.2238
david.wilson@xacta.com

http://www.xacta.com