atsec information security Completes Red Hat Enterprise Linux 4 CAPP/EAL4+ Common Criteria Certification for IBM

AUSTIN, Texas – February 17, 2006 – atsec information security corporation, an independent, standards-based IT (information technology) security consulting and evaluation services company, has completed the Common Criteria (CC) evaluation of Red Hat Enterprise Linux 4 on a range of IBM server platforms.

The evaluation of Red Hat Enterprise Linux 4 at Evaluation Assurance Level (EAL) 4+ is the first successful Linux evaluation at this assurance level performed under the U.S. NIAP (National Information Assurance Partnership) CCEVS (Common Criteria Evaluation and Validation Scheme). This success builds on atsec’s long record of more than 20 successful CC evaluations including six Linux evaluations on five different Linux platforms at assurance levels EAL2, EAL3, and EAL4+, performed with several vendors under both the German BSI (Bundesamt f??r Sicherheit in der Informationstechnik) and U.S. CCEVS schemes.

“atsec and IBM’s maturity in evaluating Linux facilitated a smooth and timely evaluation under the U.S. scheme,” said Fiona Pattinson, atsec Common Criteria lab manager.

The WS and AS distributions of the Red Hat Enterprise Linux 4 operating system platform were certified by the NIAP CCEVS as conformant to EAL4+ and the Controlled Access Protection Profile (CAPP), which specifies a set of security functional and assurance requirements for IT products.

The scrutiny of Linux continues. Red Hat Enterprise Linux 5 is in evaluation at EAL4 including the security functionality defined in three protection profiles recognized by the Common Criteria: Controlled Access Protection Profile (CAPP), Labeled Security Protection Profile (LSPP) and Role-Based Access Control Protection Profile (RBAC). These profiles support the requirements of Director of Central Intelligence Directive (DCID) 6/3 at Protection Level 4, which specifies security intelligence related information and systems measures, including those necessary for Top Secret and Below Interoperability (TSABI).

One more significant “first” emerged during the Red Hat Enterprise Linux 4 evaluation. In order to address the requirements of the CAPP, the audit subsystem was re-implemented. In accordance with the collaborative, open source nature of Linux development, the audit subsystem solution was offered back to the open source community for discussion and ultimately, acceptance.

“Throughout the history of atsec’s Linux evaluation projects, I have been amazed by the level of support provided by commercial enterprises for the open source community,” said Stephan Mueller, atsec’s lead evaluator for Linux projects since 2004.

“IBM demonstrated its real commitment to the Linux open source community – as well as to security – by sharing the results of its substantial investment leading to the Red Hat Enterprise Linux 4 evaluation.”

The formal announcement of the successful CAPP/EAL4+ evaluation completion of Red Hat Enterprise Linux 4 was made at the RSA Conference 2006 in San Jose, Calif.

About atsec information security

atsec information security is an independent, standards-based IT (information technology) security consulting and evaluation services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec launched its U.S. business in May 2003, building on extensive success in Europe dating back to 2000. atsec leverages its deep security, process, and standards expertise to consult on a wide range of IT security needs, enabling clients to establish integrated security management procedures in order to manage security risk and improve data, product, and business process reliability. atsec works with leading global companies such as IBM, HP, BMW, SGI, Swisscom, RWE, and Vodafone. For more information, please visit www.atsec.com.