More from the ICCC: Update on CNSSP #11 and Common Criteria

In a previous post, I brought everyone up to speed on some happenings from the recent ICCC Conference in Orlando, including the revised Common Criteria Recognition Arrangement (CCRA) and its implications.

There was a great deal of other discussion on various topics of interest, including the subject of collaboration. It was acknowledged that collaborating saves time and money by not wasting time on repeat effort. There are a number of obstacles to collaboration, including competing business interests, language barriers, and different government policies, but these must be overcome and participants must make an effort to understand all points of view if the international Technical Communities (iTCs) are to make progress. An advantage to working together is that it gives participants an opportunity to influence the process and the end result, in terms of both technology and business. One powerful aspect of working in large groups that each iTC must keep in mind is the fact that people simply communicate better when they have the opportunity to meet face to face. So, occasional in-person meetings are essential to success. Finally, it was noted that progress should not be sacrificed for perfection. A published collaborative Protection Profile (cPP) that requires some minor modification is preferable to no cPP at all.

The new CNSSP #11 and NIAP’s Product Compliant List

Another big change that occurred in the past year that was discussed at length during the conference was the publication of the Committee on National Security Systems’ Policy #11 (CNSSP #11). CNSSP #11 supersedes National Security Telecommunications and Information System Security Policy #11 (NSTISSP #11), which was initially published in January 2000. NSTISSP #11 was the primary policy governing the acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) products for United States government agencies. The new policy, CNSSP #11, clearly states that products must be on NIAP’s Product Compliant List (PCL) in order for agencies to purchase them. However, NIAP has defined the PCL to include all products on the PCL as being on the NIAP website, plus all products on NIAP’s Validated Products List (VPL), as well as all products on the Common Criteria Portal. In other words, the PCL referenced in CNSSP #11 includes all currently evaluated and mutually recognized products worldwide. NIAP has no plans at this time to remove the VPL and CC Portal from their definition of the PCL. Mark Loepker, Director of NIAP, posted an announcement about this last month on NIAP’s website.

The Keynote address on Day 2 of the conference was given by Alicia Squires, Chair of the Common Criteria Users’ Forum (CCUF). She stated that there are 25 participating nations, and somewhere in the neighborhood of 400 members. The CCUF has, since their inception in 2012, created an expanded web presence, liaised with CC leadership, and formed working groups to help with challenges, such as marketing the CC, exploring the lifecycle of TCs, and figuring out how to do repeated structured vulnerability testing. Some solutions to these challenges include increasing the involvement of end users, increasing the number of active participants with the CCUF membership, convincing skeptical parties that the CCUF is worth their time, letting the CCUF oversee the progress of TCs, and igniting the interest of Scheme leaders to leverage the talent within the CCUF.

A panel discussion did a deeper dive into one of these issues: marketing the new CC. The CCDB and the CCUF have begun looking into how to market the CC to various audiences, such as other vendors and end users. How this is done will depend on the specific audience targeted. Some of the solutions the panelists came up with include tapping private companies’ marketing departments for help in crafting the message, and making the ICCC friendlier to end users. Other ideas included identifying other ways to get the end users involved in the CC community, perhaps by publicizing at trade shows, conferences, and other industry events. The CC community should work on improving the content on existing CC-related websites, such as the CC Portal, making it more accessible to the uninformed, as well as adding CC-related information to other relevant and often-visited websites.

Expanding the use of Common Criteria

Another theme of the conference was the reform and expansion of the use of Common Criteria. Marketing plays one role in this, but there are also other ways of approaching it. Debra Plunkett, the Director of US Information Assurance, presented the opening keynote address on this topic, stating that this reform is not about changing the CC itself, but rather about changing how it is used. It needs to be “achievable, repeatable, and testable,” and, in order to achieve mutual recognition for certifications, it is necessary to start with collaborative PPs that properly reflect the technologies incorporated in specific types of products.

There was also a panel discussion on widening the use of CC. All the panelists felt that the move toward collaborative protection profiles is important, despite the issues and difficulties inherent in the process. They also agreed that expanding the use of the CC will depend on all 26 nations implementing it in the same manner. As long as the CCRA nations continue to move forward together, there is no reason the CC community will not be successful in broadening the use of CC.

In addition to the keynote addresses and panel discussions, there were dozens of presentations given on a wide variety of topics in three different tracks (“Reforming the Use of CC,” “Technology,” and “Collaboration”). If you have any questions about CC, the ICCC, or the CCUF, Corsec would be happy to help you.

The conference closing remarks were given by Anne Neuberger, Director of the National Security Agency/ Central Security Service (NSA/CSS), Commercial Solutions Center (NCSC). In her address, she encouraged the ICCC attendees to be proud of what was accomplished and not to be overwhelmed by the work yet to come. The fact that the 26 nations of the CCRA came together and agreed on a revision to the arrangement and a transition plan is an enormous accomplishment. We still have much work to do, but we have come far in the past year.

To find out how Corsec can help you navigate Common Criteria or for more information on any ICCC developments, contact us.