Updates from the Joint CCDB/CCUF Workshop

It’s always great to get together with others from our industry to discuss advances and collaborate on moving processes forward for Common Criteria. Last month, several of us had the opportunity to work with colleagues from around the world at two separate events in Orlando, Florida.

A group of us spent the first two weeks of September in Orlando, as Corsec sent multiple attendees to both the 4th Joint CCDB/CCUF Workshop and the 14th International Common Criteria Conference this year.

What is the Joint Workshop?

The Common Criteria Development Board (CCDB) is made up of representatives from the 17 certificate producing nations in the Common Criteria Recognition Agreement (CCRA). The CCDB meets twice a year, and in February 2012, the CCDB invited “industry” to join them in Tokyo, Japan for the first Joint Workshop.  Corsec was one of 15 consultants, labs, and vendors that attended the first workshop. A key part of these workshops is a set of scheduled discussion sessions for the CCDB and Common Criteria User Forum (CCUF). The CCDB can ask the CCUF questions and ask the CCUF to consider working on specific areas to help move Common Criteria forward and vice versa with CCUF asking the CCDB the same things. The Joint Workshops that followed Tokyo had increasing attendance:

  • September 2012 – Paris, France: approximately 40 industry attendees
  • April 2013 – Ottawa, Canada: approximately 60 industry attendees

The 4th Joint Workshop was an even bigger success, with approximately 80 industry attendees, and several Technical Communities (TC) and Technical Working Groups (TWG) meeting to advance their goals. The attendees were from many different nations and included consultants, evaluation labs, product vendors, scheme representatives and some other interested parties. The 4th Joint Workshop did several new things to improve the collaboration and the output. While the workshops have always had a focus on discussion (not presentations) and producing some output or work product from each session, this workshop focused on giving TCs and TWGs longer periods of time to work towards producing their work product.  Throughout the four-day workshop, there were at least three and sometimes four separate tracks focusing on different tasks. Some TCs or TWGs were given two to three hours, others were allocated an entire eight-hour day. Also new for this Joint Workshop was time allocated for multi-hour joint working sessions attended by both members of the CCDB and the CCUF. They worked collaboratively on four key topics to move the Common Criteria forward.

Technical Communities

TCs are an international group of product developers, consultants, evaluation labs, government schemes, and other participants working to author one or several CC protection profiles in a specific security product space. TCs for several product areas met during the week, including:

  • Enterprise Security Management
  • Operating Systems
  • Database Management Systems
  • Multi-Function Printers
  • Mobile Devices

Technical Working Groups

TWGs are open to the same participants as the TCs but focus on a specific task needed to move the Common Criteria or the CCUF forward. There are TWGs working on many topics including:

  • How to use the CC to provide assurance in a product vendors supply chain.
  • Discussing and defining what can be done to harmonize the cryptographic module and cryptographic implementation evaluations that currently vary from nation to nation.
  • Organizing the marketing of the Common Criteria benefits to product purchaser, product vendors, and to nations that do not currently formally recognize Common Criteria evaluations.  Defining rules and guidance for repeatable structured vulnerability testing.


One session that was particularly interesting was a session co-hosted by a National Information Assurance Partnership (NIAP) representative to discuss the United States’ information assurance product acquisition policy, Committee on National Security Systems Policy (CNSSP) #11 . The policy specifically requires information assurance products acquired for National Security Systems to be Common Criteria and FIPS 140-2 validated. NIAP clarified that products currently listed on the NIAP-maintained Product Compliant List (PCL), on the NIAP-maintained Validated Products List (VPL), and the Common Criteria Portal maintained Certified Product List all currently meet the criteria for purchase.  Many other details of this acquisition policy were discussed.

Contact Corsec to find out more about the sessions held during the Joint CCDB/CCUF Workshop.

If you are interested in joining the efforts of the CCUF, please go to http://sitdev.ccusersforum.org/.