NSA has published a short white paper detailing the changes they are pushing out to the entire Common Criteria, entitled Common Criteria Reforms-Better Security Products through Increased Cooperation with Industry. Chris Salter is the author; he is the architect of all the changes that have been percolating in the CC world for the last two years.
Highlights include:
- Elimination of EALs (Evaluation Assurance Levels)
- Requiring PPs (Protection Profiles) for all evaluations
- Assurance requirements detailed in the PPs rather than in the Common Criteria itself
At the semi-annual meeting of the Common Criteria Vendor Forum with the Common Criteria Development Board at the RSA Conference last month, NIAP confirmed that products for which an approved Protection Profile exists, but which are evaluated in another CC country without that PP, WILL NOT be able to sell to the US government (they will not be recognized as CC certified). Four other countries have signed up to this new strategy besides the US: Australia, the Netherlands, Sweden and the UK. The other 21 countries in the CC have not officially signed up to this new strategy, although NIAP claims Canada and Germany have verbally indicated they support it. If Germany does officially get on board, the rest will likely follow, as the German scheme is a big influencer in the CC. The real question industry now needs to ask itself is whether to get evaluated against one of the new PPs and be sure of selling to the US, or to get evaluated in the traditional manner and risk not being recognized by the US. NIAP is driving change to the Common Criteria. The question is whether it can drive those changes internationally, or whether this will splinter the "arrangement" to the point that brings us back to the "pre-mutual recognition" days.
Thanks to the Enterprise Security Management (ESM) PP working group, it's likely that CA Technologies' relevant security products will be able to be evaluated against valid Protection Profiles. But what to do about products that don't have protection profiles, like infrastructure management products? For non-security-enforcing products, perhaps CC may no longer be required.
Chris's agenda is clear:
"Government benefits if there is a wide selection of products and thus if industry has a large incentive to participate. Thus it is important for that government to ensure that evaluations are
- As inexpensive and as quick as possible
- Accepted in the widest possible market."
If the new CC means fast, cheap evaluations that are more meaningful, without the tremendous amount of paper, it's good for industry and really good for government. The challenge for industry is deciding whether to be early adopters and work to educate the customers, or to wait and see how it all shakes out and take a more conservative approach. The answer is not clear. I have even heard some companies talk about getting multiple evaluations for the same product (one that is PP compliant and one that is done the old way against a custom security target). The feedback that the vendors gave the Common Criteria at RSA was that we need a transition plan, and that mutual recognition is paramount so that one evaluation sells anywhere. Communication down to the level of the procurement officer will be the biggest challenge of all, and until the reforms are adopted by all the scheme members, this may make Common Criteria more expensive and time consuming in the short term.