other secure operations, Microsoft says.
The Common Criteria Recognition Arrangement (CCRA) has been adopted worldwide by 24 member countries, and has seven Evaluation Assurance Levels. Windows Mobile 6.1's EAL2+ rating lets U.S. government agencies with worldwide operations use it knowing the platform is "universally recognized" as having been tested exhaustively, Microsoft says.
As internationally agreed, a security evaluation performed by any of the member countries is automatically accepted by the others, up to a security level designated as EAL4. Windows Mobile 6.1's new EAL2+ certification is the result of testing performed during the summer by the Australian Department of Defense, which awarded Microsoft its certificate yesterday, according to the company.

Figure: Windows Mobile 6.1's security architecture (Source: Microsoft)

The EAL2+ certification for Windows Mobile 6.1 follows the one awarded to Windows Mobile 5.0 and 6.0 in March. According to Microsoft, Windows Mobile 6.1 newly extends and strengthens the operating system's core security features by:
- Enabling management of the mobile device with the System Center Mobile Device Manager (SCMDM) client application
- Providing a "double-enveloped" (IPSec and SSL) secure Mobile VPN capability between the mobile device and the trusted enterprise
- Encrypting locally stored data
According to an Australian Department of Defense document viewed by WindowsForDevices.com, Windows Mobile 6.1 achieved EAL2+ status during testing by complying with requirements that included the following:
- Minimum password length and complexity requirements
- Storage card encryption
- Device encryption
- Local device wipe after maximum unsuccessful authentication attempts
- S/MIME settings, with 3DES/SHA1 encryption
- Applications must be signed to be installed or to run
- Device password required for Desktop ActiveSync
However, the certification report added, EAL2+ status applies to the Windows Mobile 6.1 operating system itself, not to specific devices that it ships with.
Randy Siegel, enterprise mobility strategist for Microsoft Federal, said, "Successfully completing the Common Criteria evaluation process ensures that our government customers' security needs and requirements are addressed up front, before our products even ship. We have taken pains to provide additional security assurance to meet the very highest security profiles."