14th Annual Computer Security Applications Conference
December 7-11, 1998
Phoenix, Arizona


The NIMS Protection Profile-A Worked Example

The Federal Aviation Administration (FAA) has developed a Protection Profile (PP) for a nationally-distributed system used to monitor and maintain the National Airspace System (NAS), called the NAS Infrastructure Management System (NIMS). The NIMS PP is one of the first system PPs. NIMS is being implemented by an integration contractor. The size, complexity, and importance of NIMS have provided major new challenges in applying the Common Criteria's PP paradigm.

The NIMS PP has been reviewed by a National Information Assurance Partnership (NIAP) team to determine the suitability of the CC for specifying the NIMS security characteristics. The review team is also providing the results of the NIMS PP review as input toward furthering the development of a Common Evaluation Methodology (CEM) for PPs. We hope that the NIMS PP will become a worked example to ease the development of subsequent system PPs. Lessons to be learned include how well the NIMS PP serves as a security specification for communicating among stakeholders, identifying security concerns, and specifying solutions to these concerns.

This forum will be conducted by the team members who developed and reviewed the NIMS PP. Marshall Abrams, MITRE; Bernard Ramsey, FAA; Gary Stoneburner, NIST; and James Williams, MITRE.