Australian government Windows certification proving slow

At least one Australian government agency is lobbying for Windows 2000 to be certified sufficiently secure for use by the government, but the process is proving to be drawn out.

The Defence Signals Directorate (DSD), the agency tasked with evaluating software to determine whether it is secure enough for use by government agencies, told ZDNet Australia it had "received a sponsorship letter from an Australian government agency to mutually recognise [Windows 2000] for use within the Australian government".

DSD certification is regarded as desirable, but not mandatory, by government departments when taking on technology products.

Most government agencies use Microsoft products, despite the company not having any listed on the Evaluated Product List. In October last year Microsoft received Common Criteria certification from the US Department of Defense, which makes it easier to obtain certification from the DSD.

However, the DSD is still waiting to receive the evaluation documentation associated with Windows 2000 from the US certifier, Science Applications International Corp.

"Until the Certification Group within the Defence Signals Directorate has had an opportunity to review the Windows 2000 Certification Report it is not possible to provide an estimation on the time it will take to mutually recognise the product," a DSD spokesperson told ZDNet Australia.

As signatories to the Common Criteria Recognition Arrangement, the United States and Australia apply the same evaluation criteria to software. "Differences may arise in determining whether the security features of a product are consistent with respective Government policies and whether additional guidance is required to be provided to government agencies in relation to the product's implementation," said the DSD spokesperson.

"It is important that the security features incorporated within a product be assessed for their suitability to protect Australian government classified information and information systems," said the DSD spokesperson. "Accordingly, the documentation is reviewed by the DSD certifiers to ensure that the security features of the product are consistent with Australian government policy. If there [is] any cryptography employed within the product then DSD will also conduct an independent evaluation of this capability."

Microsoft and the DSD are also in talks concerning Microsoft's Government Security Program, a move designed to reassure governments of the security of Microsoft products.

"Viewing the source code will not affect the security of Microsoft's software as used by government," said the DSD spokesperson.

"Such an examination is undertaken to ensure a level of confidence that the IT security products will provide an appropriate level of information security for Government business requirements and to ensure they work correctly and effectively to provide the stated level of assurance claimed by the product developer."
