This article describes an effort lead by NIST and NSA to define and promote an open and commercially driven set of testing methods for software security through the National Information Assurance Partnership (NIAP) (see http://niap.nist.gov
). This partnership is open to industry participation and validates conforming implementations using NIST s National Voluntary Laboratory Accreditation Program composed of private testing organizations that use established and well-understood methods. In this article we will describe specific projects at NIST that address validation of software for crypto modules, firewalls, and the Java applications. These efforts are an incremental step towards validating security for components of computing devices. We will focus on software because, as we have learned from our Crypto Module Validation Program described below, software implementations can pass our stringent testing criteria, thus introducing significant savings to the users. Further, we will discuss the emerging ISO standard, the Common Criteria, which provides the general methodology for testing systems.