Who is Defining the Criteria That Your Products Will Need to be Evaluated Against?
I have been involved in the Common Criteria (CC) community since the first International Common Criteria Conference (ICCC) in 2000. While I spend a lot of my time down in the weeds of Common Criteria issues, it’s refreshing to look at the Common Criteria “machine” from the outside when talking with those who are new to CC. I recently had a conversation with a product vendor who was new to CC, and she was surprised to learn who was actually defining the security requirements that her product was going to be evaluated against.
There are many mechanisms and groups that keep the Common Criteria “machine” working. They include:
- Several layers of international management boards that define mutual recognition between the 26 participating nations and develop the standard and evaluation methodology.
- Teams of people from each participating nation defining national purchasing policies.
- The Common Criteria User Forum (CCUF), which provides a voice and communications channel among the CC community including the vendors, consultants, testing laboratories, Common Criteria organizational committees, and national schemes.
- Technical Communities, which are communities of interested parties working together to define the evaluation criteria for specific product types. The responsibility that was given to the Technical Communities (TCs) is what surprised my client and what I want to cover today.
Understanding Protection Profiles First
A Protection Profile (PP) defines a set of required security functionality for a specific product type, such as a firewall or an operating system. A PP also defines, through “assurance requirements” and “assurance activities,” the rigor of the evaluation activities that will be used to verify that the product provides the claimed security functionality. A product vendor can choose to evaluate their security product against a defined Protection Profile or to create a unique set of security functional requirements specific to their product and be evaluated against those. In general, there is the expectation (and sometimes the hard requirement) that a product be evaluated against an existing Protection Profile if one exists for the product’s technology type.
What are Technical Communities?
Technical Communities (TCs) produce Protection Profiles. Technical Communities are international groups of product developers, consultants, evaluation labs, government schemes, and other participants working to author one or several CC Protection Profiles in a specific security product space. The goal for TCs is to not only author a PP but to maintain it so it stays relevant as technology advances, as well as to work with government participants to understand the product purchasers’ needs.
Currently, TCs are formed in many different ways. Some are formed by a single nation to address that nation’s specific security product needs. For instance, the US government, specifically the National Information Assurance Partnership (NIAP), has several NIAP TCs, most of which are currently by invitation only, but recently there has been some indication that they could be opened up to the wider CC community for participation. Other TCs are formed by groups of vendors or interested parties in a specific product space. There is also the concept of an international Technical Community (iTC), which is a TC formed at the initial direction of the Common Criteria Development Board (CCDB). There is currently a pilot iTC that is developing a PP for USB devices. The CCUF’s Teamlab site provides the collaboration tools for many of the TCs.
There is a CC insiders’ joke that “TCs are going to save the world!” because so many responsibilities have been placed on the TCs. The TCs are literally defining the IT security requirements that products will be tested against and detailing the additional evaluation steps that evaluation labs will follow to verify that security functionality. As I mentioned before, many product vendors will be expected or required to perform a CC evaluation against the requirements defined in these Protection Profiles. Therefore, it becomes critical for product vendors to stay informed about which TCs are related to the products they offer and what those TCs are currently working on.
If you would like to learn more about the existing TCs, TCs that are currently forming, or how to get information about specific TCs, contact Corsec. And stay tuned for my next post to learn about the role of Common Criteria Working Groups.