Some of us from Corsec recently attended the 14th International Common Criteria Conference (ICCC) in Orlando, Florida, and we came away feeling that the Common Criteria (CC) community is finally coming together in many positive ways. After several years of difficult transition into defining the new CC paradigm of collaborative Protection Profiles (cPPs) and international Technical Communities (iTCs), we believe we have finally begun to make our way forward. Here is a summary of the highlights of this year’s conference:
The first big announcement of this year’s conference concerned the revised Common Criteria Recognition Arrangement (CCRA). This is the agreement among the 26 currently participating nations regarding mutual recognition of CC certificates. Historically, this agreement stated that all 26 nations would recognize any certificates awarded by any other CCRA nation up to EAL4. (There is no requirement in the CCRA for any country to recognize certificates awarded for EALs 5 through 7 by any other country, though they could certainly choose to do so.)
However, this year the CCRA nations have begun to work on a revised agreement. Eight nations (Australia, Germany, Japan, Turkey, Malaysia, Canada, the UK, and the US) are serving as editors of the new arrangement, while 10 to 14 of the nations have participated in bi-monthly meetings to discuss the changes. After producing 17 new versions of the agreement, all 26 nations have now agreed in principle to the updated arrangement. However, all 26 nations must now perform their individual national reviews of the revised document before it can be finalized. The estimate is that it will take six to 12 months to complete this process and for the agreement to be ratified. Once the new CCRA has been ratified, there will follow a 36-month transition period during which re-certifications may be performed and maintenance addenda may be issued according to the current CCRA.
The major change outlined by the revised CCRA regards the types of certificates that will be mutually recognized by all participating nations. The new arrangement states that:
- Evaluations conforming to a cPP up to EAL4+ (augmented with Flaw Remediation), and evaluations conforming to a unique Security Target (ST) up to EAL2+ (augmented with Flaw Remediation), will be mutually recognized
- Any other certifications will only be recognized by the issuing country (unless other countries actively choose to recognize specific certifications)
The new arrangement also defines iTCs as committees composed of vendors, labs, schemes, consultants, and end users whose task it is to create and maintain cPPs. These committees must be endorsed by the Common Criteria Management Committee (CCMC) and promote fair competition among vendors. Additionally, the revised CCRA requires that cPPs be compliant with the current CC standard and Common Evaluation Methodology (CEM).
Some discussion also took place at the conference around how to develop the new cPPs. One observation was that the entire cPP document needs to be established in an open group, or else much time will be wasted on repeated effort in separate forums. In addition, although many Schemes and participants support the use of collaborative PPs, they also advised that we need to be sure we don’t re-invent PPs that already exist. It is also worthwhile to note that PPs place more responsibility on the vendor to verify that their product meets the requirements before the targeted version of the product is released, and therefore communication between the vendor and the vendor’s consultant is very important early in the process.
Watch this blog for updates on the revised CCRA. If you have any questions about it or other developments at the ICCC, contact us. In my next post, I’ll update you on additional news from the ICCC including updates about NIAP’s CNSSP #11 and the CCUF and ideas on changing how Common Criteria is used.