Over the past two months Corsec has traveled from Seoul, Korea to Ontario, Canada in order to attend security certification events such as the Common Criteria Users Forum (CCUF), and the International Cryptographic Module Conference (ICMC). The discussions held as these events have given Corsec insight on changes that are coming to certification requirements, updates on the strategic outlook and vision of the governing bodies that oversee the certifications, as well as general industry news and announcements.
Corsec now brings you a snapshot of the most important takeaways from each event:
Common Criteria Users Forum (CCUF) – Seoul, Korea
- The National Information Assurance Partnership (NIAP), which governs Common Criteria in the United States, is trying to find ways to increase testing automation in order to reduce time and costs.
- Both the Common Criteria Users Forum and the Common Criteria Development Board (CCDB) have developed working groups focused on international cryptography. There is a new Deterministic Random Bit Generator (DRBG) subgroup in the CCUF Working Group.
- The CCUF Working Group has been discussing what they feel the DRBG information requirements should include. Thus far, the focus has been on DRBG architecture, strength of entropy generated (using published analysis tools), whiting techniques used, how and where entropy is stored, how is entropy pushed to Random Number Generators (RNG), how does reseeding work, and is the entropy source immediately ready or does it need operating time to ensure the pool is random?
- The CCUF Working Group felt that a good entropy solution should have multiple entropy sources that blend together, while making sure that one source does not provide the majority of the entropy. This could affect future entropy claims and documentation in the future.
- The CCDB is working on a Common Criteria Recognition Arrangement (CCRA) wide policy of sunsetting certifications after 5 years.
- A group has been formed to focus on better understanding how the Common Criteria evaluation framework could apply to other bodies and industries such as Automotive, IoT, Financial, Medical, and new nation states.
- The Management Group presented a summary of the CCUF Strategic Plan as well as the Proposal for Incorporation.
International Cryptographic Module Conference (ICMC) – Ontario, Canada
- This years conference saw a 25% growth in attendance despite holding one almost six months rather than one year after the last.
- This larger attendee list included 23 labs and their staff, government officials, industry experts, and vendors.
- NIST and NIAP presented an update on their collaboration efforts. NIST and NIAP have a reinvigorated relationship and are working to eliminate duplicative testing requirements, thus Common Criteria will accept FIPS testing from the Cryptographic Module Validation Program (CMVP) and are working towards allowing the reverse. They are also working on remapping Common Criteria and FIPS 140-2 profiles against NIAP-accepted protection profiles.
- NIST, who governs FIPS in the United States, says they are working on FIPS 140-3 wrappers to point to ISO/IEC 19790 and ISO/IEC 24759.
- NIST is working on a license with ANSI to post the standards without fee during the open comment period. They intend to pursue the use and adoption of these international standards wherever possible. They hope to announce the schedule for this by December of this year.
- The Communications Security Establishment (CSE), who oversees Common Criteria in Canada announced a new Medium Assurance program to protect SECRET data in Canada. Similar in goals to the CSfC program in the United States, it will leverage commercial solutions and require FIPS 140-2 and Common Criteria. They will publish Medium Assurance solutions that can meet government needs without needing a Type 1 product.
- The CMVP will move forward with a policy to sunset all certificates that are older than 5 years starting February 2017. The date of the last validation activity will be used to measure the 5 years. Vendors should be motivated to seek a simple FIPS re-certification (1SUB) if they can and their certificate will be valid for another 5 years.
The CMVP is officially tracking demerit points for each CMVP lab. Labs are given demerit points when they submit a final test report that is not up to the CMVP expectations. The program has been officially under way since October 2015 and several labs have demerit points at this point. When a lab reaches a threshold of points the lab must cease ALL evaluation work until a lab reaccreditation can be performed.
For additional information on either conference or to set up some time to talk to our experts, Contact Us.