When Booz Allen announced the release of the first set of Enterprise Security Management Profiles (ESM PP's) earlier this month I felt a tremendous sense of accomplishment. Having co-led this project from its inception, I know what it took to get to this point - the cooperation of multiple entities. To review, here's what's happened over the years:
- Proposed a new set of ESM PP's at the International Common Criteria Conference (ICCC) in JeJu Korea, Sept 2008. Within a few months Booz Allen (BAH) and CA formed the ESM PP Technical Community (co-chaired by Eric Winterton from BAH and me).
- At the Tromso, Norway ICCC in Sept 2009 Eric and I laid out the plan to actually write the first Protection Profile, which was going to include a detailed Threat Analysis (conducted by BAH) and a survey of the buyers of commercially-off-the-shelf products to determine what they wanted in the first ESM PP (Voice of the Customer). The Threat analysis and surveys were all done by the winter of 2010.
- Just before the Antalya, Turkey ICCC in Sept 2010 a progress report on our efforts was posted on this blog. I presented the full survey results at the conference and blogged that the first PP was going to be Access Control in October 2010.
We then got to work actually writing the PPs and discovered we were too far ahead of NIAP and where they were going. While we were busy agreeing on assurance requirements, security functions and other technical details, NIAP was rolling out what they called the Network Device Protection Profile (NDPP). As they describe it:
"...It represents an evolution of "traditional" Protection Profiles and the associated evaluation of the requirements contained within the document."
The key data point that impacted us was that assurance requirements were in the Protection Profile and that all evaluation activities were achievable, testable, objective and repeatable. In other words, anything that a lab does to evaluate claims must not require judgment (pass/fail could not be subjective). So when NIAP looked at what we had completed in the summer of 2011, we were faced with a significant re-write to bring Access Control back in line with the NDPP. Our PP contained assurance components that required expert judgment, and would result in variable evaluations depending on the methods and skills of the evaluators. Eventually we realized that we would either need to break with our sponsor (not really a good option) or rewrite the PP to their requirements. I alluded to this in my blog this past March. The group decided to adopt NIAP's requirements, and looked to NIAP to take an active role in making the revisions.
With the publication of Access Control in February, and now Policy Management in May, I'm now fairly confident we'll have Identity and Credential Management and Authentication Server soon as well. What we don't know is how they'll be received by our customers. Will they provide a level playing field for comparing apples to apples? Are the objective, repeatable, and achievable evaluations going to provide assurance? Only time will tell.
In the meantime, I look forward to providing a progress report on our project at the ICCC in Paris this September.