The ICCC had two major sections this year: the Pre-Conference Workshop, and the actual conference. Here is the summary of the happenings at the conference.
The big news was when Dag Strohman, the Chair of the Management Committee (MC), outlined during the opening plenary the MC's new vision. Strohman highlighted a Protection Profile (PP) based way of working, focused on "repeatable, testable and objective" evaluations. They've decided that they need higher security without impacting price or time. In order to do that, they want the technical communities to build these PPs. Given those goals they came up with these principles:
- Mutual recognition should be based on achievable evaluations only; now limited to EAL2 (Evaluation Assurance Level 2) if there is no PP
- Collaborative Protection Profiles (cPPs) must be at a common level
- Technical communities (TCs) should only be created when multiple vendors provide requirements for similar products. One TC per technology type is a principle they intend to enforce.
They did build in an exception to these principles: if national requirements or other special arrangements require high assurance, evaluations can be conducted; however, they will NOT be mutually recognized. An example of special arrangements is the Senior Officers Group for Information Systems Mutual Recognition Arrangement (SOGIS MRA), an EU arrangement for higher assurance of certain products.
One key requirement that they laid out in the vision is that PPs address vulnerability analysis. This explains somewhat why they asked the people who attended the workshop the week before to figure out if there was a standard way for labs to do "fuzzing" since this is one of the few remaining tasks that labs will have in their toolbox as a differentiator. The MC has not figured out how to make this requirement repeatable and objective - a goal that, while admirable, is likely not possible.
All nations agreed with this vision for cPPs. Two nations voiced disagreement on the EAL2 limit for non-cPP evaluations. The CCRA will be updated for Q1 2013 to reflect this new vision.
So what do I think of this new Vision? Well it certainly validates all the work I've been driving with the Enterprise Security Management community. But more interesting to me is how the US vision was so suddenly accepted by the rest of the CCRA. As recently as the week before the conference (at the workshop), we witnessed open disagreement between the schemes about the concept of "EAL-less" protection profiles. Then apparently the Monday before the conference a sea change occurred and they had 100% consensus on the cPP concept. What happened to change the rest of the countries' minds? We may never know.
So where do we go from here? Well the CCRA has to be modified to change the mutual recognition arrangement (dropping the maximum EAL recognized from EAL4 to EAL2). There is only one officially recognized cPP (the USB community) and the CCRA is keen to see more created. As I wrote on my last blog, the ESM community will apply to be recognized. This is important because if we are a cPP then any work that comes out of the technical community will be acknowledged by all countries in the CCRA and not just our sponsoring scheme (NIAP).
Speaking of ESM, my talk went well. I laid out for the attendees our multi-year project and the fact that we already had three PPs published, more than any other TC under this new approach. You can download my talk on the conference website (click on Track 1 - CHAGALL & VAN DONGEN, Day 2, Brickman).