Common Criteria “Reforms”—Sink or Swim– How should Industry Handle the Revolution Brewing with Common Criteria?

NSA has published a short white paper detailing the changes they are pushing out to the entire Common Criteria, entitled Common Criteria Reforms-Better Security Products through Increased Cooperation with Industry.   Chris Salter is the author; he is the architect of all the changes that have been percolating in the CC world for the last two years.

Highlights include:

  • Elimination of EALs (Evaluation Assurance Levels)

  • Requiring PP’s (Protection Profiles)for all evaluations

  • Assurance requirements detailed in the PP’s vs. in the Common Criteria

At the semi-annual meeting of the Common Criteria Vendor Forum with the Common Criteria Development Board at the RSA Conference last month, NIAP confirmed that products that have an approved Protection Profile, (which are evaluated in another CC country without a PP), WILL NOT be able to sell to the US government (will not be recognized as CC certified).   There are four other countries that have signed up to this new strategy (besides the US):  Australia, Netherlands, Sweden and the UK.  The other 21 countries in the CC have not signed up to this new strategy officially; although NIAP claims Canada and Germany have verbally indicated they support it.  If Germany does officially get on board, the rest will likely follow as the German scheme is a big influencer in the CC.   The real question industry needs to now ask itself is whether to get evaluated against one of the new PP’s and be sure you can sell to the US, OR get evaluated in the traditional manner and risk not be recognized by the US?   NIAP is driving change to the Common Criteria.  The question is whether it can drive those changes internationally or will this splinter the “arrangement” to the point that brings us back to the “pre-mutual recognition” days.

Thanks to the Enterprise Security Management (ESM) PP working group, it’s likely CA Technologies relevant Security Products will be able to be evaluated against valid Protection Profiles.   But what to do about products that don’t have protection profiles like Infrastructure Management products?  For non-security enforcing products, perhaps CC may no longer be required.    

Chris’s agenda is clear:

“Government benefits if there is a wide selection of products and thus if industry has a large incentive to participate. Thus it is important for that government to ensure that evaluations are

  • As inexpensive and as quick as possible

  • Accepted in the widest possible market.”

If the new CC means fast, cheap evaluations that are more meaningful, without the tremendous amount of paper, it’s good for industry and really good for government.   The challenge for industry is deciding whether we should be early adopters and work to educate the customers OR do we wait to see how it all shakes out and take a more conservative approach?  The answer is not clear.  I have even heard some companies talk about getting multiple evaluations for the same product (one that is PP compliant and one that is done the old way against a custom security target).  The feedback that the vendors gave the Common Criteria at RSA was that we need a transition plan and that mutual recognition is paramount so one evaluation sells anywhere.   Communication to the level of the procurement officer will be the biggest challenge of all and until the reforms are adopted by all the scheme members this may make Common Criteria more expensive and time consuming in the short term.

The following two tabs change content below.

Joshua Brickman

Joshua Brickman, PMP (Project Management Professional), runs CA Technologies Federal Certifications Program. He has led CA through the successful evaluation of sixteen products through the Common Criteria over the last six years (in both the U.S. and Canada). Brickman spoke at the 2013 RSA Security Conference and has given talks at the last five International Common Criteria Conferences. He is also a Steering Committee member on the Open Group consortium focused on Supply Chain Integrity and Security, The Trusted Technology Forum. He also runs CA Technologies Accessibility Program. Prior to CA, he worked in Program and Project Management at several software companies including PeopleSoft and Ceridian. He holds an undergraduate degree from Emerson College and a Masters in Management from Lesley College.

This article has 3 comments

  1. Carol Houck, Director NIAP
    Thursday 17 March 2011, 3:30 pm

    All Just to clairfy a few points made in the blog: 1. Products evaluated in any CC scheme are considered CC certified. The US may not put that product on the NIAP list because it does not meet a US approved PP. But the product is still recognized as CC certified. 2. NIAP has been working closely with several nations as we move forward in our new approach but this does not mean all of these nations are fully on board with all of the NIAP new policies. For example, Sweden is leading an effort to develop a “common” USB PP and The Netherlands is part of that effort (as are other nations). It does not mean Sweden and The Netherlands “have signed up to this new strategy…”. 3. NIAP can only speak for NIAP and the US. Other countries will post and announce their own policy changes. 4. Bottom line is there are lots of discussions going on between nations and within the CC meetings with varying levels of support. It takes time and understanding of each nation’s needs. Hope this helps to clarify a few things. Thanks Carol

  2. Carol:

    Thanks for the clarification. As I mentioned in the blog, communication is key….to industry, agencies and other interested parties. If “Products evaluated in any CC scheme are considered CC certified” means that those products will be able to sell to US agencies than that is very good news. However if being considered “CC certified” does not equal ability to sell because the product was not evaluated against one of the new protection profiles (assuming one exists), then my concerns remain.

  3. I think this is a very insightful blog )

    It is also a welcome change that the NIAP Director reads blogs.

    The agenda cited in the blog does not actually cite product security as a goal ). I think a good measure of effectiveness for a CC evaluation is how much the security of the product is improved as compared to the investment of money and time. In the past many vendors said that this ratio was low. We hope Common Criteria evaluation bodies including NIAP make reasonable steps to improve this ) I think the Common Criteria paper would be greatly improved if it put more emphasis on security of the products.

Leave a Reply