Common Criteria “Reforms”: Sink or Swim. How Should Industry Handle the Revolution Brewing with Common Criteria?

NSA has published a short white paper detailing the changes it is pushing out to the entire Common Criteria, entitled Common Criteria Reforms: Better Security Products through Increased Cooperation with Industry. Chris Salter is the author; he is the architect of all the changes that have been percolating in the CC world for the last two years.

Highlights include:

  • Elimination of EALs (Evaluation Assurance Levels)

  • Requiring PPs (Protection Profiles) for all evaluations

  • Assurance requirements detailed in the PPs rather than in the Common Criteria itself

At the semi-annual meeting of the Common Criteria Vendor Forum with the Common Criteria Development Board at the RSA Conference last month, NIAP confirmed that products for which an approved Protection Profile exists, but which are evaluated in another CC country without using that PP, will not be able to be sold to the US government (they will not be recognized as CC certified). Four other countries besides the US have signed up to this new strategy: Australia, the Netherlands, Sweden and the UK. The other 21 countries in the CC have not officially signed up to it, although NIAP claims Canada and Germany have verbally indicated their support. If Germany does officially get on board, the rest will likely follow, as the German scheme is a big influencer in the CC. The real question industry now needs to ask itself is whether to get evaluated against one of the new PPs and be sure of selling to the US, or to get evaluated in the traditional manner and risk not being recognized by the US. NIAP is driving change to the Common Criteria. The question is whether it can drive those changes internationally, or whether this will splinter the “arrangement” to the point that brings us back to the “pre-mutual recognition” days.

Thanks to the Enterprise Security Management (ESM) PP working group, it is likely that CA Technologies’ relevant security products will be able to be evaluated against valid Protection Profiles. But what to do about products that do not have Protection Profiles, such as infrastructure management products? For products that do not enforce security, perhaps CC may no longer be required.

Chris’s agenda is clear:

“Government benefits if there is a wide selection of products and thus if industry has a large incentive to participate. Thus it is important for that government to ensure that evaluations are

  • As inexpensive and as quick as possible

  • Accepted in the widest possible market.”

If the new CC means fast, cheap evaluations that are more meaningful, without the tremendous amount of paper, it is good for industry and really good for government. The challenge for industry is deciding whether to be early adopters and work to educate the customers, or to wait to see how it all shakes out and take a more conservative approach. The answer is not clear. I have even heard some companies talk about getting multiple evaluations for the same product (one that is PP compliant and one done the old way against a custom security target). The feedback that the vendors gave the Common Criteria at RSA was that we need a transition plan, and that mutual recognition is paramount so that one evaluation sells anywhere. Communication down to the level of the procurement officer will be the biggest challenge of all, and until the reforms are adopted by all the scheme members this may make Common Criteria more expensive and time consuming in the short term.

Written by

Joshua Brickman

Joshua Brickman, PMP (Project Management Professional), runs CA Technologies Federal Certifications Program. He has led…
