Changes in Common Criteria and Product Advocacy

As companies look to their 2016 sales objectives, the allure of the FED and its $70 billion budget, as well as emerging markets for healthcare, finance, critical infrastructure and the Internet of Things (IoT), is enormously appealing.

As we have all seen, U.S. and international governments, as well as the aforementioned industries, have stronger restrictions on the procurement of hardware and software, which help to protect the systems that house sensitive data and user information. Mandates for FIPS 140-2, Common Criteria and the use of the DoDIN APL have set the bar for security and have even restricted the procurement of products to those that are internationally certified and validated. With enormous amounts of money and time dedicated to protecting data and preventing security breaches, the market for secured products is at an all-time high.

Changes in Security Certifications:

Companies dedicated to securing their products and tapping into this huge market have already begun the process of security certification. But these certifications are an evolving entity, with constant changes in requirements and restrictions. Companies that want to stay current on the state of the certifications must therefore attend events and discussions continuously.

At the end of this month, the International Common Criteria Conference (ICCC) and the Common Criteria User Forum (CCUF) Workshop will be held in London, England. The ICCC offers an opportunity to meet with government officials, product vendors, and end users, and to review the CC standard and the policies that surround it. This year's attendees are among the who's who in product security, including 450 top professionals from 26 countries. The conference allows participants to see the labs, to take part in discussions on where policy is heading and what changes need to be made, and to provide input on necessary improvements. The CCUF Workshop will set aside an entire day for joint sessions between the CCUF, an organization of key players whose mission is to "provide a voice and communications channel amongst the CC community…and to improve and promote Common Criteria," and the Common Criteria Development Board (CCDB). Following the excitement we all felt after the reform of the CCRA at last year's ICCC in India, this year's events look to be even more engaging, as we come to better understand the new Collaborative Protection Profiles (cPPs), receive updates on the next CC version, and ultimately learn more about changes to evaluations within each country/scheme.

Advocacy for Product Vendors:

These two events are examples of the industry's quest to bring together individuals and organizations from around the world that are committed to the advancement of Common Criteria. Participation at these conferences is vital: it gives us inside knowledge of the changes, modifications, and advancements in the standard, and lets us help influence them. Product vendors hoping to better understand the changes and influence policy must attend.

As part of the conference, Corsec's Amy Nicewick has been invited to present her insights and updates on her accepted paper, in which she advocates on behalf of clients for a mutually recognized international cryptographic standard. Her presentation will discuss how a unified approach to cryptographic evaluation would aid international acceptance of CC evaluations that include cryptographic claims. She will also present on the current ISO 19790:2012 and the draft version of FIPS 140-4.

Additionally, Corsec's Matt Keller, who currently serves as vice chair of the CCUF, will host a discussion at ICCC on improving the overall structure of CC validations to meet industry and government needs. He will give audience members an overview of the current state of the CCUF and all outstanding initiatives. Matt will also share insights on the current direction of the CCUF and what is to come in the future.

Can’t Make the Conference?

Attending events such as these around the globe is costly and time-consuming. If you are unable to attend, connect with us to gain insights on conference outcomes and how they will affect your 2016 federal goals and product security initiatives.

Corsec will be among a select group invited to meet with the CCDB to discuss revisions as it strategizes on where Common Criteria and its policies are headed.

Over the past 17 years, Corsec has been committed to maintaining an active leadership role in the security certifications industry. Our involvement in the Common Criteria (CC) community in particular has allowed us to establish and sustain relationships with industry leaders, and to play a key part in influencing the direction of the standard and its policies.