Published: August 02 2011, 10:56 AM
by Joshua Brickman
The Common Criteria Development Board's (CCDB) draft Vision Statement, published recently, was a bold move by an organization that has rarely published anything jointly. In the white paper, the CCDB expands on the future for Common Criteria (CC) originally offered in Chris Salter's paper last January. Also really encouraging is that it is a draft for which the CCDB is seeking comments, criticism and questions.
To summarize the content:
- Calls for the creation of Collaborative Protection Profiles (CPP), a new term for families of protection profiles (PP).
- Explains the difference between "certificate recognition" and "product acceptance." Certificate recognition means a country that participates in the CC acknowledges that the certificate is valid; product acceptance means that country still has the right to add assurance requirements to meet its own national policies.
- Delineates the difference between "PP Recognition" and "PP recommended for use." PP Recognition simply means the PP is compliant with the CC and the Common Evaluation Methodology (CEM); such a PP may or may not meet a customer's specific product requirements. PP recommended for use is self-explanatory.
- Acknowledges that the CC itself will not be updated to recognize the new approach to PP development.
The goal of the new vision is to have CPPs for each recognized technology which should lead to easier procurement, better competition and lower costs.
They also propose some rules around creating these CPPs:
- An approval mechanism whereby a technology area must be accepted by the Common Criteria Recognition Arrangement (CCRA), the governing board of the CC, which includes a member from each recognizing country.
- Proposed PPs would also need approval, and they would need to meet the "baseline requirements" before being accepted, which include a "sufficient supporting community."
- The communities would then own initial creation and maintenance of the CPPs.
Several requirements are then laid out, including that products must be compliant with the CC and the CEM, no dependency on national schemes, some rules around crypto, a minimum of EAL1 from an assurance level perspective, and some vague guidance on what is required if you want your CPP to be higher assurance than EAL1 (well, it is a draft).
Since the CC has not been revised in several years, this is the first statement from the CCDB on the Protection Profile trend. The big problem, as I wrote in March, is that very few Protection Profiles are ready and the number of active communities can be counted on one hand. It's clear that the CCDB is looking for industry to do the work. But will the schemes and the CCDB let industry succeed? Or will national policies delay the process? The Enterprise Security Management Protection Profile community, which I lead, has completed the Access Control, Policy Management and Identity/Credential Management PPs, but we have not published them yet as we incorporate new requirements from NSA. The ESM community is striving to meet the spirit of this new vision while still meeting the additional requirements of the US government. Our goal is to deliver by the 12th International Common Criteria Conference in Malaysia in September 2011. Hopefully this new vision will help the ESM community get over the hump and get these PPs out for use.
By: Joshua Brickman
Joshua Brickman, project management professional, runs CA’s Federal Certifications Program. He has led CA through the successful evaluation of sixteen products through the Common Criteria over the last five years (in both the U.S. and Canada). Brickman has given talks at the last four International...