Common Criteria
National Information Assurance Partnership
Evaluation of Mobile Technology
Janine Pedersen
Common Criteria Background
History
• Developed more than 12 years ago
• Unified earlier schemes (ITSEC for UK, Orange book for US)
• Commercial basis (recognized that govt could no longer fund evaluation)
Truly International
• 26 Nations in the recognition arrangement (Major western nations plus India, Japan, Korea, etc)
• More than 50 Evaluation Laboratories
• China and Russia are possible future members, as is Brazil
Common Criteria Recognition Arrangement (CCRA)
26 Member Nations - Mutual Recognition
Certificate Producers: Canada, France, Japan, Italy, Australia, Germany, Malaysia, Netherlands, Turkey, US, South Korea, New Zealand, Norway, Spain, UK, Sweden
Certificate Consumers: Austria, Czech Republic, Finland, Greece, Denmark, Hungary, Singapore, Pakistan, Israel, India
Common Criteria
• Much more detail on www.commoncriteriaportal.org
• A worldwide standard - also ISO 15408
• Recognition Arrangement (CCRA) is very important
Minimizes need for re-evaluations
• This is a primary aim of CCRA
21st Century Approach
Last Century
• CC was developed when products took a long time to develop
• Remaining static in use
• Threats were also less dynamic
Now
• Threats evolving all the time
• Products constantly updated
• Architectures also adapt rapidly
• Decision makers need detailed information
Common Criteria Recognition Arrangement
• Ensure evaluations are performed to consistent standards
• Increase availability of evaluated ICT products
• Evaluate once - sell to many
• Improve the efficiency and cost-effectiveness of evaluation, certification and validation process for ICT products
Cyber Defense Needs
• Architectural Approach
• Agility
• More information
• Many more products covered
• More realism
• More comparability
What is Happening in CCRA?
• Protection Profile-based evaluations (cPPs) - detailed requirements specifications
• Produced by an International Technical Community
• Kept up to date by that community
• Provides a robust foundation
• Outside of cPPs - recognition limited to EAL2 activities
Why is this Happening in CCRA?
• Evaluations took too long, and were too costly, with inconsistent Return on Investment
• Unrealistic on a technical level (Firewalls -OS)
• Unrealistic expectations on Evaluators (developers at leading edge, not evaluators)
• Not using power of community and peer input/review
• Little connection to system integrator, procurement needs
What is the Process?
Governments set high level requirements
• Through 'Essential Security Requirements'
Industry (and others) perform the work
• With consultation and review - using plain language
Governments steer the work
• Using 'Position Statements' and 'Endorsement Statements'
Kept up to date
• Technical communities continue to develop the technology standards
Providing the Recognition Vehicle
• Some of the technical communities setting the standards will already exist (e.g. 3GPP, ETSI, TCG, Open Group, etc.)
• Different approaches to interaction/oversight
• Working on a lightweight oversight approach
Industry Linkage
Common Criteria User Forum
• Significant role
• Significant growth (~ 500 members, > 26 countries)
• Incubator for technical communities
Recent NATO CC-CAT Workshop
• Strong support for the change
• Keep up the pace
• Provide more information
• Maintain the Industry involvement
NIAP Partnership to evaluate commercial IT products for use in National Security Systems
NIAP Mission
• Evaluate COTS IT products for use in National Security Systems (NSS) and
• Develop requirements specifications
• US representative within the international Common Criteria Recognition Arrangement (CCRA)
NIAP Goals
• Ensure Commercial ICT products represent best practice level of security
• Raise the security bar toward a goal of “secure-by-default”
• Independent 3rd party assessment of a product against a specified set of baseline security requirements, using defined, objective tests
Stakeholder Engagement
• Industry (Commercial IT vendors, Common Criteria Test Labs)
• DoD & Federal Government Groups & Reps - Committee on National Security Systems (CNSS)
• IC Community Stakeholders
• International Stakeholders (NATO)
• International - Common Criteria Recognition Arrangement (26 member nations)
NIAP
• Protection Profiles (PP): Define the totality of product security functions to be tested and how they will be tested
• Technical Communities (TC): Collaborative group from industry, government (US and foreign), and academia working to develop Protection Profiles for a specified technology.
Protection Profiles
• Technology Specific
• Objective Test Criteria
• Requirements Address Documented Threats
• Achievable, Repeatable, and Testable
Common Criteria Evolution
• Technology focused Protection Profiles
• Emphasis on Security Functional Requirements (SFR) with specified Assurance Activities
• Establishing Technical Communities with international partners & industry representatives (vendors & labs) to develop the next generation of technology focused PPs
Focus
• For National Security System Procurement, COTS IA Products Must be Evaluated per NIAP processes
• U.S. National Policy, CNSSP#11
• NIAP evaluates COTS IA Products against requirements in NIAP approved Protection Profiles
Progress
• Currently 9 Technical Communities
• Published 12 technology based PPs
• Ongoing international evaluations against NIAP approved PPs (Various Nations)
• Evaluations complete in 3-6 months
Protection Profile Technology Types
• Mobile Devices (smartphones, tablets, etc)
• Mobile Device Management
• Network Devices
• VPN
• Application
• Encrypted Storage
• Wireless Local Area Network (LAN)
Technical Communities
• Mobility
• Redaction
• CA (Certificate Authority)
• Apps on OS
• Data at rest
• Network Device (ND)
• Intrusion Prevention Systems (IPS)
• Peripheral Sharing Switch (PSS)
• Trusted Platform Management
Stakeholder Participation
• Increase Industry participation in Technical Communities
• Continue developing consistent set of technology-focused security requirements with associated assurance activities
• Continue work on collaborative PP development through International Technical Communities
• Partner with Industry to improve Time to Market
Vendors Working with NIAP
Wireless LAN
• Aruba
• Motorola
• General Dynamics
• Fortress Technologies
• Cisco
Network Devices
• Dell
• Juniper
• Cisco
• Microsoft
• SafeNet
• Checkpoint
• Symantec
MDM and MDF
• Samsung
• Air-Watch
• Fixmo
• RIM/Blackberry
• Mocana
• Motorola
• Mobile Iron
NIAP High Priority Technology Areas
• Mobility
• Network Devices
• Operating Systems
• Wireless Local Area Networks (WLAN)
• Virtualization
US Governing Policies
• (U) National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems”
• (U) CNSSP 11, “National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products” as follows:
• (U) CNSS Directive 502, “National Directive on Security of National Security Systems”
• Department of Defense Directives
  • DoDD 5100.2, “National Security Agency/Central Security Service (NSA/CSS)”
  • DoDD 8500.01E, “Information Assurance (IA)”
  • DoDI 8500.02, “Information Assurance (IA) Implementation”
Contact Information
• NIAP website: http://www.niap-ccevs.org/
• Email: scheme-comments@niap-ccevs.org
• Telephone: 410.854.4458