2004-0598

Study on Promotion Strategy of Conformity Assessment System of Information Security

Promotion of Conformity Assessment
Concepts of Assurance of Conformity
Government Organizations and Programs
Dissemination of CMVP
IT Product Evaluation and Certification
Government Procurement

April 2006

Rheinstraße 75
64295 Darmstadt (Germany)
Phone +49 (0)6151 / 869-701
Fax +49 (0)6151 / 869-704
http://www.sit.fraunhofer.de

Management Summary

This report presents the results of the "Study on Promotion Strategy of Conformity Assessment System of Information Security" performed by SIT on behalf of IPA. The report gives an overview of conformity assessment systems and promotion strategies in different European countries, focusing on France, Germany, and the United Kingdom.

At first glance it seems that promotion strategies and conformity assessment systems are completely different subjects, since the first is related to government initiatives and programs, whereas the second is a technical issue. However, both subjects share one main goal, namely to increase the business chances of IT products and systems on the national and international markets. In this context, promotion strategies are the means to provide the basis and framework conditions for the administrative, public, and business sectors.

The development and implementation of efficient promotion strategies for IT products and systems is a very complex undertaking because of their inherent interrelationships with a huge set of laws, regulations, bi-national or multinational agreements, standards, technical specifications, and organizations at the national, European and international level. The growth of world trade, its increasing liberalization, as well as the rapid development of new manufacturing and distribution technologies require conformity assessment systems that examine, evaluate and certify a huge number of products, materials, installations, plants, processes, work procedures and services.
The IT security products sector in particular shows fast and continuous development, with growing threats in the field of IT technology that require continuous adaptation of the skills and practices used in assessment procedures as well as coordinated actions by government organizations and business groups.

The focus of this document is on conformity assessment for IT security products and especially on secure signature creation devices in France, Germany, and the United Kingdom. The following topics have been analyzed:

• principles and promotion of conformity assessment,
• government organizations and programs for IT security,
• dissemination of the US Cryptographic Module Validation Program (CMVP),
• evaluation and certification of IT products and systems, and
• government procurement programs and initiatives.

The basic principles of evaluation and certification of IT products and systems are described. Relevant technical standards are summarized that specify internationally accepted and harmonized security requirements against which IT products and systems have to be tested, evaluated and certified.

Study on Promotion Strategy of Conformity Assessment System of Information Security, February 28th, 2006 (Final)

A comprehensive overview is given of the government initiatives and organizations that are involved in the evaluation and certification processes in the European Union, and especially in France, Germany, and the UK. Some information about the technical and legal requirements for cryptographic modules in the European countries is provided. It should be noted that government programs similar to the CMVP do not exist in the European countries. On the other hand, signature laws and technical regulations exist in all countries that have implemented the European directive on electronic signatures, and especially on secure signature creation devices (SSCDs).

The evaluation of cryptographic modules embedded in SSCDs is done in conformance with the CEN Workshop Agreements. General recommendations on algorithms and parameters have been specified by national authorities.

The evaluation and certification schemes that are applied in Germany, France, the UK, and in other countries are described. In addition, information is given about accredited testing laboratories and certified IT security products and systems in these countries, with a focus on smartcards and smartcard devices. Currently 16 accredited evaluation and testing laboratories exist in Germany, 6 in France, and 8 in the United Kingdom.

Government procurement in the European Union, Germany, France, the UK, and in other countries is described. The government initiatives and programs that serve procurement strategies are presented. Important measures are the legislation, programs and initiatives for e-government portals, electronic citizen cards, and public private partnerships for the water, energy, transport and financial services sectors.

The European Parliament, Council and Commission have spent great efforts in order to provide the legal, organizational and technical basis for the European economy and market. Their strong impetus and harmonization force, as well as the national efforts of the European countries, have led to the current situation in which most countries have started the following activities:

• implementation of the relevant European directives into national laws,
• operation of e-government,
• provision of government portals, and
• deployment of public private partnerships.
Table of Contents

List of Figures xv
List of Tables xvi
Abbreviations and Acronyms xix
1 Introduction 26
1.1 Document Purpose 26
1.2 Document Structure 26
2 Promotion of Conformity Assessment 28
2.1 Objectives of Conformity Assessment 29
2.2 Role and Importance of Conformity Assessment 30
2.3 Standardization and Accreditation Organizations Engaged in Conformity Assessment 30
2.3.1 International Level 30
2.3.1.1 Joint Committee on Coordination of Assistance to Developing Countries in Metrology, Accreditation and Standardization 30
2.3.1.2 International Accreditation Forum 31
2.3.1.3 International Laboratory Accreditation Cooperation 31
2.3.1.4 World Trade Organization 31
2.3.1.5 International Standardization Organization, International Electrotechnical Commission and the International Telecommunication Union 32
2.3.2 Canada and USA 33
2.3.2.1 Canada 33
2.3.2.2 USA 33
2.3.3 Europe 35
2.3.3.1 European Promotion Strategy of Conformity Assessment 35
2.3.3.2 European Cooperation for Accreditation 39
2.3.4 France 40
2.3.5 Germany 40
2.3.5.1 Federal Office for Information Security 41
2.3.5.2 German Accreditation Council 41
2.3.5.3 DITR German Information Centre for Technical Rules 43
2.3.6 Italy 43
2.3.7 Netherlands 44
2.3.8 Spain 44
2.3.9 Sweden 44
2.3.10 United Kingdom 44
2.3.10.1 BSI Standards Group 45
2.3.10.2 Communications Electronics Security Group 45
2.3.10.3 Department of Trade and Industry 45
2.3.10.4 UK IT Security Evaluation and Certification Scheme 46
2.3.10.5 Commercial Evaluation Facilities 46
2.3.10.6 CESG Assisted Products Scheme 47
2.4 Standards for Conformity Assessment 47
3 Concepts of Assurance of Conformity 52
3.1 Trust 52
3.2 Inspection 52
3.3 Evaluation and Certification 53
3.4 Accreditation 54
3.5 Manufacturer Declaration 54
3.6 Mutual Recognition Agreements 54
3.7 Types of Certification 56
3.8 Technical Standards 57
3.8.1 Federal Information Processing Standards 58
3.8.2 Trusted Computer System Evaluation Criteria 59
3.8.3 Information Technology Security Evaluation Criteria 59
3.8.4 Common Criteria 60
3.8.5 Joint Interpretation Library 63
3.8.6 Protection Profiles for Smart Cards 64
3.8.6.1 Secure Signature-Creation Device Type 1/2/3 65
3.8.6.2 Smart Card Security User Group 65
3.8.6.3 Smartcard IC Platform 65
3.8.7 German Profile Specifications for PKI-Based Applications and Systems 66
3.8.7.1 ISIS-MTT Specification 66
3.8.7.2 ISIS-MTT Test Specification 67
4 Government Organizations and Programs for IT Security 68
4.1 Canada and USA 68
4.1.1 Canada 68
4.1.1.1 Communications Security Establishment 68
4.1.1.2 Industry Programs 68
4.1.2 USA 70
4.1.2.1 Legal Aspects 70
4.1.2.2 Procurement Aspects 71
4.1.2.3 National Information Assurance Partnership 71
4.1.3 Cryptographic Module Validation Program 71
4.1.4 National Voluntary Laboratory Accreditation Program 72
4.2 European Union 73
4.2.1 Dissemination of CMVP in the European Union 73
4.2.2 Legal Requirements and Regulations 74
4.2.2.1 Legal Requirements and Regulations for Accreditation and Certification 75
4.2.2.2 Legal Requirements and Regulations for Electronic Signatures 76
4.2.2.3 Legal Requirements and Regulations for the Import and Export of IT Products 76
4.2.2.4 Legal Requirements and Regulations for Personal Data Protection 77
4.2.2.5 Legal Requirements and Regulations for Consumer Protection 77
4.2.3 European Organizations and Their Responsibilities 78
4.2.3.1 Comité Européen de Normalisation 78
4.2.3.2 CENELEC 78
4.2.3.3 ETSI 78
4.2.3.4 European Government CSIRTs Group 79
4.2.3.5 European Network Information Security Agency 79
4.2.3.6 EUROCAT 80
4.2.3.7 EUROLAB 80
4.2.3.8 EEMA 80
4.2.3.9 FESA 81
4.2.4 European Initiatives 81
4.2.4.1 European Electronic Signature Standardization Initiative 81
4.2.4.2 eEurope 2002 Action Plan 81
4.2.4.3 eEurope 2005 Action Plan 82
4.2.4.4 European Society in 2010 84
4.2.4.5 New Program on e-Government 84
4.2.4.6 Good Practice Initiatives 86
4.3 France 87
4.3.1 Dissemination of CMVP in France 87
4.3.2 Legal Requirements and Regulations 87
4.3.2.1 Legal Requirements and Regulations for Information Systems 88
4.3.2.2 Legal Requirements and Regulations for Compromise of Signals 88
4.3.2.3 Legal Requirements and Regulations for Evaluation and Certification 89
4.3.2.4 Legal Requirements and Regulations for Cryptology 90
4.3.2.5 Legal Requirements and Regulations for Contracts 91
4.3.3 Organizations and Their Responsibilities 91
4.3.3.1 CERTA Computer Emergency Response Team 91
4.3.3.2 Certification Management Board 92
4.3.3.3 Central Directorate for Information System Security 92
4.3.4 Quality System 94
4.3.4.1 Quality Policy 94
4.3.4.2 Certification Body 95
4.3.4.3 Quality Manager 95
4.3.4.4 Quality Planning 95
4.3.4.5 Documentation 95
4.3.5 Government Programs and Initiatives 95
4.4 Germany 96
4.4.1 Dissemination of CMVP in Germany 96
4.4.2 Government Programs and Initiatives for the IT Technology 98
4.4.2.1 Economic Report 2005 98
4.4.2.2 Public Private Partnerships 99
4.4.2.3 Adjustment of German Competition Laws 99
4.4.2.4 New Legal Framework for Telecommunications 99
4.4.2.5 Bund Online 2005 100
4.4.2.6 Germany - Online 101
4.4.2.7 Development of e-Government in the Europe of Regions 102
4.4.2.8 Signature Alliance 102
4.4.2.9 e-Card Strategy 103
4.4.2.10 SAGA 103
4.4.2.11 TeleTrusT Deutschland e.V. - ISIS-MTT 103
4.4.2.12 IT Security Made in Germany 104
4.4.3 CERT-Bund Computer Emergency Response Team 105
4.4.4 Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway 106
4.4.5 Commission for Occupational Health and Safety and Standardization 106
4.4.6 Federal Office for Information Security 106
4.4.6.1 The Role of the Federal Office for Information Security for Conformity Assessment 106
4.4.6.2 Legal Requirements on Technology 108
4.4.6.3 Technical Security Measures for Cryptographic Modules 109
4.4.6.4 Procedures for the Accreditation of Evaluation Facilities 111
4.4.6.5 International Mutual Recognition of Certificates 112
4.4.6.6 Industry and Government Administrations 113
4.4.6.7 Evaluation Criteria and Methodology 113
4.4.7 Good Practice Testing 113
4.5 United Kingdom 114
4.5.1 Dissemination of CMVP in the UK 114
4.5.2 Government Initiatives and Programs 115
4.5.2.1 National Standardization Strategic Framework 115
4.5.2.2 Identity Card 115
4.5.2.3 Government Web Portal 115
4.5.3 UK Legal Requirements and Regulations 115
4.5.3.1 Policy 115
4.5.3.2 Scheme 116
4.5.4 Organizations and Their Responsibilities 117
4.5.4.1 UNIRAS Computer Emergency Response Team 117
4.5.4.2 National Infrastructure Security Co-ordination Centre 118
4.5.4.3 Critical National Infrastructure 118
4.5.4.4 UKITSEC Scheme 118
4.5.4.5 CESG Management Board 119
4.5.4.6 UK Certification Body 119
4.5.4.7 UK Accreditation Service 120
4.5.4.8 tScheme Limited 121
4.5.4.9 Sponsor 121
4.5.4.10 Developer 121
4.5.4.11 Accreditor 122
4.5.4.12 Evaluation Criteria and Methodology 122
4.6 Other European Countries 122
4.6.1 Italy 122
4.6.1.1 Dissemination of CMVP in Italy 122
4.6.1.2 Legal Requirements and Regulations 122
4.6.1.3 Government Programs and Initiatives 123
4.6.1.4 Evaluation and Certification Bodies 125
4.6.2 Netherlands 126
4.6.2.1 Dissemination of CMVP in the Netherlands 126
4.6.2.2 Legal Requirements and Regulations 126
4.6.2.3 Government Programs and Initiatives 127
4.6.2.4 GOVCERT.NL Computer Emergency Response Team 129
4.6.2.5 Evaluation and Certification Bodies 129
4.6.3 Spain 129
4.6.3.1 Dissemination of CMVP in Spain 129
4.6.3.2 Legal Requirements and Regulations 130
4.6.3.3 Government Programs and Initiatives 130
4.6.3.4 Evaluation and Certification Bodies 132
4.6.4 Sweden 133
4.6.4.1 Dissemination of CMVP in Sweden 133
4.6.4.2 Legal Requirements and Regulations 133
4.6.4.3 Government Organization, Programs and Initiatives 133
4.6.4.4 SITIC Computer Emergency Response Team 135
4.6.4.5 Evaluation and Certification Bodies 135
5 Evaluation and Certification of Protection Profiles and IT Products and Systems in Germany 137
5.1 Evaluation and Certification Bodies 137
5.2 Evaluation and Certification Procedures 137
5.2.1 Involved Parties 137
5.2.2 Certification Requests 138
5.2.3 Preparation for Security Evaluation 138
5.2.4 Evaluation 139
5.2.5 Certification 139
5.2.6 Certification of Technical SigG Components 140
5.2.7 Certification of New Product Versions 140
5.2.8 Certification of Products Under Development 140
5.2.9 Certification of Baseline Protection 141
5.3 The German IT Security Certificate 141
5.4 Information Technology Security Evaluation Facilities 142
5.5 Certification of Smartcard Protection Profiles 142
5.6 Certification of IT Products 144
5.7 Good Practice Testing of PKI-Based Applications 150
5.7.1 Testing Laboratories 150
5.7.2 Products and Applications Tested with the ISIS-MTT Test Bed 150
6 Evaluation and Certification of Protection Profiles and IT Products in France 152
6.1 Evaluation and Certification Bodies 152
6.2 Certification Procedures 152
6.2.1 Conditions for Certification 152
6.2.2 Certification Requests 153
6.2.3 Certification 153
6.2.4 Surveillance and Maintenance 153
6.3 Information Technology Security Evaluation Facilities 154
6.3.1 Licensing of Evaluation Facilities 154
6.3.2 Licensed Evaluation Facilities 154
6.3.3 Evaluation 154
6.3.4 Sponsors 154
6.4 Certification of Smartcard Protection Profiles 155
6.5 Certification of IT Products and Systems 156
7 Evaluation and Certification of Protection Profiles and IT Products in United Kingdom 161
7.1 Evaluation and Certification Bodies 161
7.2 Evaluation and Certification Procedures 161
7.2.1 Preparation for Security Evaluation 161
7.2.2 Evaluation and Certification 162
7.2.3 Fast Track Assessment 162
7.2.4 Certificate Maintenance Scheme 163
7.2.5 IT Health Check 164
7.2.6 Assisted Products Scheme 164
7.3 Commercial Evaluation Facilities 165
7.3.1 General Requirements 165
7.3.2 Accredited Commercial Evaluation Facilities 165
7.3.3 CMVP Testing and Certification Laboratories 166
7.4 Certification of Protection Profiles 166
7.5 Certification of IT Products and Systems 167
7.6 Maintenance Assurance and Fast Track Assessment 172
7.7 CAPS Products 173
8 Evaluation and Certification of Protection Profiles and IT Products in Other European Countries 175
8.1 Italy 175
8.1.1 Evaluation and Certification Bodies 175
8.1.2 Information Technology Security Evaluation Facilities 175
8.1.3 Certification of Smartcard Protection Profiles, IT Systems and Products 175
8.2 Netherlands 175
8.2.1 Evaluation and Certification Bodies 175
8.2.2 Information Technology Security Evaluation Facilities 176
8.2.3 Certification of Smartcard Protection Profiles, IT Systems and Products 176
8.3 Spain 176
8.3.1 Evaluation and Certification Bodies 176
8.3.2 Information Technology Security Evaluation Facilities 176
8.3.3 Certification of Smartcard Protection Profiles, IT Systems and Products 176
8.4 Sweden 177
8.4.1 Evaluation and Certification Bodies 177
8.4.2 Information Technology Security Evaluation Facilities 177
8.4.3 Certification of Smartcard Protection Profiles, IT Systems and Products 177
9 Government Procurement 178
9.1 General Aspects of Electronic Procurement 178
9.2 European Union 179
9.2.1 International Activities 180
9.2.2 Public Procurement Initiatives 181
9.2.3 Electronic Public Procurement Initiatives 182
9.2.4 Public Procurement and Public Private Partnerships Initiatives 182
9.2.4.1 General Aspects 182
9.2.4.2 History of Legislation 183
9.2.4.3 Green Paper Initiative 183
9.2.4.4 Consultation Initiative 183
9.2.4.5 Green Paper Adoption Initiative 184
9.2.4.6 Future Steps 184
9.2.5 Banking Sector 184
9.3 Germany 185
9.3.1 Laws and Ordinances for Procurement 185
9.3.2 Contractual Conditions for the Procurement of IT Services 187
9.3.3 Programs and Initiatives Related to Electronic Procurement 188
9.3.4 Aspects of Conformity Assessment of Security Products 190
9.3.5 Procurement in the Financial Sector 191
9.3.5.1 Government Activities and Legislation in the Financial Sector 191
9.3.5.2 Banking Activities 191
9.3.6 Procurement in the Water, Energy, Transport and Postal Services Sectors 194
9.4 Government Procurement in France 197
9.4.1 Legislation on Procurement 197
9.4.2 Legal Aspects and Conformity Assessment Related to Procurement 197
9.4.3 Electronic Procurement Activities and Systems 198
9.4.4 Procurement in Financial Organizations 199
9.4.5 Procurement in the Water, Energy, Transport and Postal Services Sectors 199
9.5 Government Procurement in the United Kingdom 201
9.5.1 Legal Aspects and Conformity Assessment Related to Procurement 201
9.5.2 Electronic Procurement Activities and Systems 202
9.5.3 Procurement in the Financial Sectors 203
9.5.4 Procurement in the Water, Energy, Transport and Postal Services Sectors 204
9.6 Government Procurement in Other European Countries 206
9.6.1 Italy 206
9.6.2 Netherlands 207
9.6.3 Spain 208
9.6.4 Sweden 208
10 References 210
11 Contact Information and Links 220

List of Figures

Figure 1: Scope and Complexity of Promotion Strategy 28
Figure 2: Overview of the Modular Concept 37
Figure 3: Standards for Conformity Assessment 48
Figure 4: Trust in the Security of IT Products 52
Figure 5: Process of Testing and Certification of IT Products 53
Figure 6: Mark for European ITSEC-MRA 55
Figure 7: Label for International CC-MRA 55
Figure 8: International Agreements for Recognition of Common Criteria 56
Figure 9: CC Label 60
Figure 10: Overview of Evaluation Assurance Levels 62
Figure 11: FIPS Mark 72
Figure 12: Mark for IT Security Certification 92
Figure 13: Mark for German IT Security Certificate 107
Figure 14: Mark for ISIS-MTT Conformance 114
Figure 15: Mark for UKITSEC Scheme Certificate 120
Figure 16: CESG Logo 173
Figure 17: Life Cycle of Electronic Procurement 179

List of Tables

Table 1: German Accreditation Bodies under DAR 41
Table 2: Selection of Standards for Conformity Assessment 47
Table 3: Documents of European JIWG for Evaluation and Certification 63
Table 4: Documents of European JIWG for Smart Card Evaluations 64
Table 5: Selection of Smart Card Protection Profiles 64
Table 6: Technical Specifications and Workshop Agreements 74
Table 7: Documents of European Community Legislation for Accreditation and Certification 75
Table 8: Documents of European Community Legislation for Electronic Signature 76
Table 9: Documents of European Community Legislation for Imports and Exports 76
Table 10: Documents of European Community Legislation for Personal Data Protection 77
Table 11: Documents of European Community Legislation for Consumer Protection 78
Table 12: European Initiatives for Internet Security and Information Society 85
Table 13: Documents of French Regulations for Information Systems 88
Table 14: Documents of French Regulations for Compromise of Signals 88
Table 15: Documents of French Regulations for Evaluation and Certification 89
Table 16: Documents of French Regulations for Cryptology and Electronic Signatures 90
Table 17: Documents of UK Legal Requirements and Regulations for Evaluation and Certification 116
Table 18: Spanish Requirements and Regulations for Accreditation and Certification 132
Table 19: Protection Profiles Certified by the Evaluation Facility TÜV Informationstechnik GmbH 143
Table 20: Protection Profiles Certified by the Evaluation Facility BSI 144
Table 21: Products Certified by the Evaluation Facility TÜV Informationstechnik GmbH 144
Table 22: Products Certified by the Evaluation Facility T-Systems GmbH 150
Table 23: Products Certified by the Evaluation Facility debis IT Security Services 150
Table 24: Products Certified by the Testing Laboratory Secorvo 151
Table 25: Protection Profiles Certified in France 155
Table 26: Products Certified by the French Evaluation Facility Serma Technologies 157
Table 27: Products Certified by the French Evaluation Facility CEA LETI 158
Table 28: Products Certified by the French Evaluation Facility CEACI 159
Table 29: Products Certified by the French Evaluation Facility Groupe Silicomp-AQL 159
Table 30: Products Certified by the French Evaluation Facility Groupe Algoriel Aubagne 159
Table 31: Products Certified by the French Evaluation Facility CNET Caen 160
Table 32: Products Certified by the French Evaluation Facility CR2A-DI 160
Table 33: Products Certified by the French Evaluation Facility CELAR/CASSI 160
Table 34: Protection Profiles Certified by LogicaCMG in the UK 166
Table 35: Protection Profiles Certified by IBM Global Services in the UK 166
Table 36: Products Certified by the UK Commercial Evaluation Facility Admiral 168
Table 37: Products Certified by the UK Commercial Evaluation Facility EDS 169
Table 38: Products Certified by the UK Commercial Evaluation Facility IBM Global Services 170
Table 39: Products Certified by the UK Commercial Evaluation Facility Logica 170
Table 40: Products Certified by the UK Commercial Evaluation Facility Syntegra 171
Table 41: Products/Systems under Assurance Maintenance and/or Fast Track Assessment 172
Table 42: CAPS Products/Systems Certified 173
Table 43: IT Products that have been Evaluated by the Spanish Evaluation Facility CEST-INTA 176
Table 44: IT Products that are under Evaluation in Spain 177
Table 45: Public Procurement Studies, Regulations and Directives 179
Table 46: Canadian Links 220
Table 47: Contact Information about Canadian Organizations 221
Table 48: European Links 221
Table 49: Contact Information about European Organizations 223
Table 50: French Links 224
Table 51: Contact Information about French Organizations 225
Table 52: German Links 226
Table 53: Contact Information about German Organizations 228
Table 54: International Links 231
Table 55: Italian Links 232
Table 56: Contact Information about Italian Organizations 232
Table 57: Japanese Links 233
Table 58: Netherlands Links 233
Table 59: Contact Information about Dutch Organizations 233
Table 60: Spanish Links 234
Table 61: Contact Information about Spanish Organizations 235
Table 62: Swedish Links 235
Table 63: Contact Information about the Swedish Organizations 236
Table 64: United Kingdom Links 236
Table 65: Contact Information about Organizations in the United Kingdom 237
Table 66: USA Links 239
Table 67: Contact Information about US Organizations 240

Abbreviations and Acronyms
§: Symbol used in German legislation for paragraph or article
ABI: L'Associazione Bancaria Italiana, Italian Banking Association
ADAE: Agency for the Development of Electronic Administration, FRA
ADELE: Plan Stratégique/Plan d'Action de l'ADministration ELEctronique, strategic/action plan for electronic administration, FRA
AEEG: Autorità per l'Energia Elettrica e il Gas, Regulatory Authority for Energy Services, ITA
AEG: Allgemeines EisenbahnGesetz, General Railway Law, GER
AEIF: Association Européenne pour l'Interopérabilité Ferroviaire, European Association for Railway Interoperability
AENOR: Asociación Española de NORmalización y Certificación, Spanish Association for Standardization and Certification
AES: Advanced Encryption Standard
AFNOR: Association Française de NORmalisation, French Standardization Body
AGCOM: L'Autorità per le Garanzie nelle COMunicazioni, Regulatory Authority for Communication, ITA
AiR: Acquisti in Rete (Purchases on the Net), ITA
AIS: Application Notes and Interpretations on the Scheme, GER
ANSI: American National Standards Institute
APCIMS: Association of Private Client Investment Managers and Stockbrokers, UK
APEC: Asia Pacific Economic Cooperation
ARCEP: Autorité de Régulation des Communications électroniques et des Postes, Regulatory Authority for Communications and Postal Services, FRA
ASQ: American Society for Quality
BaFin: Bundesanstalt für Finanzdienstleistungsaufsicht, Federal Financial Supervisory Authority, GER
BdB: Bundesverband deutscher Banken, Association of German Banks
BFAI: Bundesagentur Für AußenwIrtschaft, Federal Agency for Foreign Economy, GER
BIPM: Bureau International des Poids et Mesures, International Office for Weights and Measures, FRA
BMVBS: Bundesministerium für Verkehr, Bau und Stadtentwicklung, Federal Ministry for Building and Urban Planning, GER
BMVBW: BundesMinisterium für Verkehr, Bau- und Wohnungswesen, Federal Office for Building and Regional Planning, GER
BMWA: Bundesministerium für Wirtschaft und Arbeit, Federal Ministry for Economics and Labor, GER
BNetzA: BundesNetzAgentur, Federal Network Agency, GER
BSI: British Standards Institute (old abbreviation), National Standards Body, UK
BSI: Bundesamt für Sicherheit in der Informationstechnik, Federal Office for Information Security, GER
BVDW: BundesVerband Digitale Wirtschaft, Federal Association Digital Economy, GER
BVR: Bundesverband der Deutschen Volksbanken und Raiffeisenbanken, Central Organization of the Cooperative Banking Group, GER
CAPS: CESG Assisted Product Scheme, UK
CASCO: ISO COuncil Committee on Conformity ASsessment
CB: Certification Body
CBAP: Certification Bodies Accreditation Program, CAN
CC: Common Criteria
CCIMB: CC Interpretations Management Board
CCS: Common Criteria Evaluation and Certification Scheme, CAN
CEACI: Center of Evaluation of Information Security, FRA
CEM: Common Evaluation Methodology
CEN: Comité Européen de Normalisation, European Committee for Standardization
CENELEC: Comité Européen de Normalisation Electrotechnique, European Committee for Electro-technical Standardization
CEP: Cryptographic Endorsement Program, CAN
CERES: CERtificación ESpañola, Spanish certification authority
CERT: Computer Emergency Response Team
CESG: Communications Electronics Security Group, UK
CESTI: Control of Information Security Evaluation Centers
CFONB: Comité Français d'Organisation et de Normalisation Bancaires, National Bank of France
CISSI: Commission Interministérielle pour la Sécurité des Systèmes d'Informatique (joint ministerial commission for information systems security), FRA
CITEL: Inter-American Telecommunications Commission
CITP: Canadian Industrial TEMPEST Program
CLEF: CommerciaL Evaluation Facility
CMT: Comisión del Mercado de las Telecomunicaciones, Regulatory Authority for Communication, ESP
CMT: Cryptographic Modules Testing, CAN
CMVP: Cryptographic Module Validation Program, USA
CNE: Comisión Nacional de Energía, Regulatory Authority for Energy Services, ESP
CNI: Critical National Infrastructure, UK
CNIPA: Centro Nazionale per l'Informatica nella Pubblica Amministrazione, ITA
COFRAC: COmité FRançais d'ACcréditation, French Accreditation Committee
CONSIP: CONcessionaria Servizi Informativi Pubblici, ITA
CPV: Common Procurement Vocabulary, EU
CRE: Commission de Régulation de l'Energie, Regulatory Authority for Energy, FRA
CSE: Communications Security Establishment, CAN
CSIRT: Computer Security Incident Response Team
CSN: Citizen Service Number, NED
CTCPEC: Canadian Trusted Computer Product Evaluation Criteria
CWA: CEN Workshop Agreement, EU
DACH: Deutsche Akkreditierungsstelle Chemie, German Accreditation Body for Chemistry
DAP: Deutsches Akkreditierungssystem Prüfwesen GmbH, German Accreditation System for Testing
DAR: Deutscher Akkreditierungs Rat, German Accreditation Council
DBAG: Deutsche Bahn AG, German Railway Association
DCSSI: Direction Centrale de la Sécurité des Systèmes d'Information, Central Directorate for Information Systems Security, FRA
DES: Data Encryption Standard
DfT: Department for Transport, UK
DH: Diffie-Hellman key exchange
DigiD: Government-wide authentication service, NED
DIN: Deutsches Institut für Normung e.V., German Institute for Standardization
DITR: Deutsches Informationszentrum für Technische Regeln, German Information Centre for Technical Rules
DPAG: Deutsche Post AG, German Postal Services
DSGV: Deutscher Sparkassen- und GiroVerband, German Savings Bank Association, GER
DSI: Digital Signature Card, ITA
DSTL: Defence, Science and Technology Laboratory, UK
DTC: Dynamic Trade Centre, UK-Scotland
DTE: Dienst uitvoering en Toezicht Energie, Regulatory Authority for Energy Services, NED
DTI: Department of Trade and Industry, UK
DVGW: Deutsche Vereinigung des Gas- und Wasserfaches e.V., German Association of the Gas and Water Industry
EA: European cooperation for Accreditation
EAL: Evaluation Assurance Level
EAPB: European Association of Public Banks and Funding Agencies
EC: Elliptic Curve
ECDSA: Elliptic Curve Digital Signature Algorithm
EEMA: European Electronic Messaging Association
EESSI: European Electronic Signature Standardization Initiative
EFTA: European Free Trade Association
EID: Electronic Identity Card, ITA
EMSAP: Environmental Management Systems Accreditation Program, CAN
EMV: Europay International, Master Card International, Visa International
EN: European Norm
ENAC: Entidad Nacional de ACreditación, National Accreditation Council, ESP
eNIK: Electronic Identity Card, NED
ENISA: European Network Information Security Agency
ESG: European Society for eGovernment e.V., GER
ESI: Electronic Signatures and Infrastructures, EU
ETSI: European Telecommunications Standard Institute
EU: European Union
EVBIT: Ergänzende Vertragsbedingungen für die Beschaffung von InformationsTechnik, Supplementing contractual conditions for the procurement of information technology, GER
FC: Federal Criteria, USA
FCC: Federal Communications Commission, USA
FESA: Forum of European Supervisory Authorities
FIDEA: Federazione Italiana Degli Enti di Accreditamento, Italian Federation for Accreditation
FIPS: Federal Information Processing Standards, USA
FISMA: Federal Information Security Management Act, USA
FNMT: Fábrica Nacional de Moneda y Timbre, National Spanish Mint
FOA: Futures and Options Association, UK
FSA: Financial Services Authority, UK
FTA: Fast Track Assessment, UK
FUB: Fondazione Ugo Bordoni, ITA
GEA: Gemenskapen för Elektroniska Affärer, Swedish alliance for electronic commerce
GPA: Government Procurement Agreement, WTO
GPF: Good Practice Framework, EU
GTP: Government Transaction Portal, NED
GWB: Gesetz gegen WettbewerbsBeschränkungen, law against restraints of competition, GER
HMG: Her Majesty's Government, UK
IACS: Infosec Assurance and Certification Services, UK
IAF: International Accreditation Forum
ICMA: International Capital Market Association, UK
ICT: Information and Communication Technologies
ICTSB: Information and Communication Technologies Standards Board
IDABC: Interoperable Delivery of European eGovernment Services to public Administrations, Businesses and Citizens
IEC: International Electrotechnical Commission
IETF: Internet Engineering Task Force
IHS: InternetHandelsSystem, internet procurement system, SWE
ILAC: International Laboratory Accreditation Cooperation
INES: Identité Nationale Electronique Sécurisée, electronic ID card project, FRA
IPA: Information-Technology Promotion Agency, JAP
ISCOM: Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione, Institute for Communications and IT-Technology, ITA
ISIS: Industrial Signature Interoperability Specification, GER
ISO: International Organization for Standardization
ISS: Information System Security
ITBPM: IT Baseline Protection Manual
ITC: International Trade Center
ITISPS: Information Technology Infrastructure Security and Protection Service, CAN
ITSEC: Information Technology Security Evaluation Criteria
ITSEF: Information Technology Security Evaluation Facility
ITSEM: Information Technology Security Evaluation Manual
ITSMIG: IT Security Made In Germany
ITSO: Integrated Transport Smartcard Organization, UK
ITU: International Telecommunication Union
ITU-T: Telecommunications Standardization Bureau of ITU
JCDCMAS: Joint Committee on Coordination of Assistance to Developing Countries in Metrology, Accreditation and Standardization
JIWG: Joint Interpretation Working Group, European Expert Group
KAN: Kommission Arbeitsschutz und Normung, Commission for occupational health and safety and standardization, GER
KBA: Kraftfahrt-BundesAmt, Federal Authority of Road Transport
KBSt: Koordinierungs- und BeratungsStelle der Bundesregierung für Informationstechnik in der Bundesverwaltung, Coordination and consulting office of the federal government for information technology in the federal administrations, GER
LVS: Laboratori per la Valutazione della Sicurezza, IT security evaluation laboratories, ITA
MINEFI: MINistère de l'Économie, des Finances et de l'Industrie, ministry of economics, finance and industry, FRA
MIT: Minister for Innovation and Technology, ITA
MLA: Multi-Lateral Agreements, EU
MOU: Memorandum Of Understanding
MQV: EC variant of DH, UK
MRA: Mutual Recognition Agreement
MTT: MailTrusT, TeleTrusT Deutschland e.V., GER
NACLA: National Cooperation for Laboratory Accreditation, USA
NCMP: New Code for the Public Procurement, FRA
NCSC: National Computer Security Center, USA
NIAP: National Information Assurance Partnership, USA
NISCC: National Infrastructure Security Co-ordination Centre, UK
NIST: National Institute of Standards and Technology, USA
NNI: Nederlands Normalisatie-Instituut, National Agency for Standardization in the Netherlands
NOU: Nämnden för Offentlig Upphandling, National Board for Public Procurement, SWE
NSA: National Security Agency, USA
NSC: National Service Card, ITA
NSSF: National Standardization Strategic Framework, UK
NVCASE: National Voluntary Conformity Assessment System Evaluation Program, USA
NVLAP: National Voluntary Laboratory Accreditation Program, CAN, USA
OFCOM: Office of COMmunications, Regulatory Authority for Communications, UK
OFGEM: Office of Gas and Electricity Markets, Regulatory Authority for Gas and Electricity Markets, UK
OGC: Office of Government Commerce, UK
OIML: International Organization of Legal Metrology
OJEU: Official Journal of the European Union
OPTA: Onafhankelijke Post en Telecommunicatie Autoriteit, independent post and telecommunications authority, NED
OSCI: Online Services Communications Interface, GER
PAC: Pacific Accreditation Cooperation
Security xxiii PALCAN PGBO POSTCOMM PP PPP QMSAP RegTP RSA RvA SAGA SBS SCC SEIS SGDN SHA SigBü SigG SigG* SigV SINAL SINCERT SIS SIT SITIC SMS SOF SOG-IS SSCD SSL ST STDR STEM SWEDAC TBT TCSEC TELIN TESTA TGA xxiv Program for the Accreditation of Laboratories-CANada Project Group BundOnline, GER POSTal Services COMMission, Regulatory Authority for Postal Services, UK Protection Profile Public Private Partnerships Quality Management Systems Accreditation Program, CAN REGulatory Authority for Telecommunications and Postal Services RegTP (now Bundesnetzagentur, Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway) Rivest, Shamir and Adleman asymmetric cryptographic algorithm Raad voor Accreditatie, Dutch Accreditation Council, NED Standards and Architectures for eGovernment Applications, GER Small Business Service, UK Standards Council of Canada Secured Electronic Information in Society, SWE Secrétariat Général des la Défense Nationale, General Secretary for National Defense, FRA Secure Hashing Algorithm Signaturbündnis, Signature Alliance, GER Signaturgesetz, German Signatures Law, GER First German Signatures Amendment Law, GER SignaturVerordnung, German Signature Ordinance, GER SIstema Nazionale per l’Accreditamento di Laboratori, national system for the accreditation of laboratories, ITA SIstema Nazionale per l’Accreditamento degli Organismi di CERTificazione e Ispezione, national system for the accreditation of certification and inspection bodies, ITA Standardisieringen I Sverige, Swedish Standards Institute Fraunhofer Institute for Secure Information Technology Swedish IT Incident Centre Short Message Service Strength Of Function Senior Officials Group for Information Security, EU Secure Signature Creation Device, EU Secure Socket Layer Security Target Standards and Technical Regulations Directorate, UK STatens EnergiMyndighet, Regulatory Authority for Energy Services, SWE SWEDish Board for Accreditation and Conformity Assessment 
Technical Barriers to Trade Trusted Computer System Evaluation Criteria, USA TELematics Institute, NED Trans-European Services for Telematics between Administrations Trägergemeinschaft für Akkreditierung GmbH, German Association for Accreditation TGA Study on Promotion Strategy of Conformity Assessment System of Information Security February 28th, 2006 (Final) TOE UGAP UKAS UKITSEC UKSP UN UNI UNIDO VdP VgV VÖB VOB VOF VOL WTO ZKA February 28th, 2006 (Final) Target Of Evaluation Union des Groupements d'Achats Publics, union of the public buying associations, FRA United Kingdom Accreditation Service United Kingdom Security Evaluation and Certification Scheme United Kingdom Scheme Publication United Nations Ente Nazionale Italiano di Unificazione, Italian National Agency for Standardization United Nations Industrial Development Organization Verband deutscher Pfandbriefbanken, Association of German Pfandbrief Banks VergabeVerordnung, Awarding Ordinance, GER BundesVerband Öffentlicher Banken Deutschlands, Association of German Public Sector Banks Vergabe- und VertragsOrdnung für Bauleistungen, Awarding and Contracting Ordinance for Public Construction Works, GER VerdingungsOrdnung für Freiberufliche Leistungen, Concretization Ordinance for Freelance Services, GER VerdingungsOrdnung für Leistungen, Concretization Ordinance for Products and Services, GER World Trade Organization Zentraler KreditAusschuss, Central Credit Card Board, GER Study on Promotion Strategy of Conformity Assessment System of Information Security xxv 1 Introduction This document presents the results of the “Study on Promotion Strategy of Conformity Assessment System of Information Security”. The style of this document is a high level description of conformity assessment and its related topics such as conformity assessment concepts, engaged organizations, assessment procedures, government strategies, programs and initiatives. 
1.1 Document Purpose

The topics of this document are "Conformity Assessment Systems" and "Government Procurement". The focus is conformity assessment for IT security products, and especially for smartcards, in Germany, the United Kingdom, and France.

1.2 Document Structure

The document is structured into chapters on
• promotion of conformity assessment,
• concepts of assurance of conformity,
• government organizations and programs for IT security,
• evaluation and certification of protection profiles and IT products in Germany,
• evaluation and certification of protection profiles and IT products in France,
• evaluation and certification of protection profiles and IT products in the UK,
• evaluation and certification of protection profiles and IT products in other European countries, and on
• government procurement.

The chapter on "promotion of conformity assessment" gives an overview of the objectives, role and importance of conformity assessment. It also summarizes promotion goals and the main organizations engaged in conformity assessment at the international level, in Canada, the USA, Europe, France, Germany, the UK, and in other European countries. Finally it lists the standards that are relevant for conformity assessment.

The chapter on "concepts of assurance of conformity" describes the basic principles of evaluation and certification of IT products and systems. It also summarizes the relevant technical standards that specify the requirements against which IT products and systems have to be evaluated.

The chapter on "government organizations and programs for IT security" provides a comprehensive overview of the government initiatives and organizations involved in the evaluation and certification processes in Canada, the USA, the European Union, and especially in France, Germany, and the UK. It also contains some information on the dissemination of CMVP in the European countries.

The four chapters on "evaluation and certification of protection profiles and IT products" in Germany, France, the UK, and other European countries describe the evaluation and certification schemes applied in these countries. They also provide information about accredited testing laboratories and certified IT security products and systems, with a focus on smartcards and smartcard devices.

The chapter on "government procurement" deals with government procurement in the European Union, Germany, France, the UK and other European countries. It presents government initiatives and programs for procurement strategies in the financial, industrial, water, energy, transport and postal services sectors.

2 Promotion of Conformity Assessment

Our approach to the "Study on Promotion Strategy of Conformity Assessment System of Information Security" was based on two main questions:
• Why promotion strategies?
• Why conformity assessment systems of information security?

The answers to these questions are illustrated in Figure 1. In many industrialized countries the development and implementation of promotion strategies for conformity assessment systems of information security, and their acceptance by industry and society, is a major political task.

Figure 1: Scope and Complexity of Promotion Strategy

A vital goal of governmental promotion strategies is to provide a framework that establishes conditions which facilitate and support the growth and distribution of IT products and systems in the national and international markets.
To achieve this goal, conformity assessment systems are required as the technical means that evaluate and certify IT products and systems. This process increases the acceptance of products and systems by users and their business chances in the markets (see the red arrows in Figure 1). The development and implementation of promotion strategies, however, does not only have these technical and economic aspects. These processes are of a very complex nature because of their interrelationships with areas of different kinds, for example (see the green arrows in Figure 1):
• national, international and supra-national organizations,
• laws, regulations, bi-national or multinational agreements,
• standards and technical specifications, and
• governmental programs and initiatives.

All these dimensions of promotion strategy have been taken into account in this document, which provides a high-level description of promotion strategy for conformity assessment systems and its related topics, such as conformity assessment concepts, the organizations engaged, assessment procedures, and government programs and initiatives.

2.1 Objectives of Conformity Assessment

The main objective of conformity assessment is to give users confidence that the requirements applicable to products, materials, installations, plants, processes, work procedures and services have been met. Conformity assessment comprises all activities and procedures that are needed and used to determine that the relevant requirements are fulfilled. Examples of typical conformity assessment activities are testing, inspection, assurance of conformity, accreditation, mutual recognition agreements, and certification. In particular, three quality objectives have to be pursued in order to arrive at an internationally agreed certification of products and systems:
• compliance of the assessment procedures used with international standards,
• development and provision of methods that are correct, sufficient and neutral, and
• guarantees for the confidentiality of the information provided for the assessment processes.

2.2 Role and Importance of Conformity Assessment

The growth of world trade, its increasing liberalization and the rapid development of new manufacturing and distribution technologies require conformity assessment systems that examine, evaluate and certify a huge number of products, materials, installations, plants, processes, work procedures and services. The IT security products sector in particular shows fast and continuous development, with growing threats that require a continuous adaptation of the skills and practice used in assessment procedures, as well as coordinated actions by governmental organizations and business groups. The security of IT products or systems is achieved by appropriate technical, physical and organizational measures. The technical measures realized in IT products and systems are subject to conformity assessment and can lead to certification.
2.3 Standardization and Accreditation Organizations Engaged in Conformity Assessment

2.3.1 International Level

2.3.1.1 Joint Committee on Coordination of Assistance to Developing Countries in Metrology, Accreditation and Standardization

The Joint Committee on Coordination of Assistance to Developing Countries in Metrology, Accreditation and Standardization (JCDCMAS) was established in 2004 with the following members:
• Bureau International des Poids et Mesures (BIPM),
• International Accreditation Forum (IAF),
• International Electrotechnical Commission (IEC),
• International Laboratory Accreditation Cooperation (ILAC),
• International Organization for Standardization (ISO),
• International Trade Center (ITC),
• Telecommunication Standardization Bureau of ITU (ITU-T),
• International Organization of Legal Metrology (OIML), and
• United Nations Industrial Development Organization (UNIDO).

Among other topics, JCDCMAS also focuses on standardization, conformity assessment and accreditation. It coordinates the technical assistance work programs of its members and tries to identify synergies among them and with WTO and UN agencies.

2.3.1.2 International Accreditation Forum

The International Accreditation Forum (IAF) is the world association of conformity assessment accreditation bodies in the fields of management systems, products, services, personnel and other similar programs of conformity assessment. The purpose of IAF is to ensure that its accreditation body members only accredit competent bodies, and to establish mutual recognition arrangements (IAF-MRA) between its members. A first IAF-MRA for quality management systems was signed in January 1998, which the European co-operation for Accreditation (see section 2.3.3.2) also joined as a regional group. An IAF-MRA for testing and calibration laboratories has also been signed to support international trade.

2.3.1.3 International Laboratory Accreditation Cooperation

The International Laboratory Accreditation Cooperation (ILAC) is an international cooperation of laboratory, inspection and accreditation bodies. ILAC focuses on the
• development and harmonization of laboratory and inspection accreditation practices,
• promotion of laboratory and inspection accreditation to industry, governments, regulators and purchasers,
• assistance and support for the development of accreditation systems, and
• global recognition of laboratories and inspection facilities via the ILAC mutual recognition arrangement (ILAC-MRA).

The ILAC-MRA, signed in November 2000, involves 37 member bodies from 28 economies. It enhances the acceptance of technical information accompanying goods crossing national borders by reducing or eliminating the need to re-test the goods in the importing country, provided the goods have been tested by laboratories accredited under a signatory of the ILAC-MRA.

2.3.1.4 World Trade Organization

The World Trade Organization (WTO) has developed the agreement on Technical Barriers to Trade (TBT), which recognizes the role of international standardization and conformity assessment systems in improving the efficiency of production and the management of international trade. The WTO TBT agreement, which came into force in January 1995, explicitly encourages the use of international standards, the development of mutual recognition agreements and the harmonization of conformity assessment procedures.
In its second triennial review the TBT committee compiled a list of the existing approaches for facilitating the acceptance of conformity assessment results:
• mutual recognition agreements for conformity assessment to specific regulations,
• cooperative agreements between national and foreign conformity assessment bodies,
• the use of accreditation to qualify conformity assessment bodies,
• government designation,
• unilateral recognition of results of foreign conformity assessment, and
• manufacturer's or supplier's declarations.

Japan has also proposed a policy framework for the acceptance of results of conformity assessment procedures (G/TBT/W/194) that was welcomed and supported by the European Commission. Based on an approach proposed by Canada (G/TBT/W/196), the European Commission has raised the following conformity assessment topics (G/TBT/W/217, June 2003) to be treated by the WTO in its third triennial review (2007):
• encouragement of greater adoption and use of international standards and guides by users of conformity assessment,
• strengthening of global conformity assessment systems,
• ensuring that an appropriate level of conformity assessment is used,
• development of guidance and good practices on conformity assessment, and
• assistance to developing countries in building their own conformity assessment systems and/or in complying with the conformity assessment requirements of exporting countries.

2.3.1.5 International Organization for Standardization, International Electrotechnical Commission and International Telecommunication Union

The International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC) and the Telecommunication Standardization Bureau of ITU (ITU-T) are responsible for the production of international standards. These organizations cover the following areas:
• ITU-T: telecommunications,
• IEC: electro-technology and related conformity assessment,
• ISO: all other technical areas, service sectors, management systems and conformity assessment, and
• ISO/IEC: guides and standards in the area of conformity assessment.

The ISO CASCO standardization framework provides information on the operation of accreditation, testing, inspection and certification bodies; it promotes the consistent application of the TBT agreement and facilitates mutual confidence between TBT members. Accreditation that operates in conformance with international standards offers a suitable mechanism for promoting the acceptance of conformity assessment activities (leading to the acceptance of test reports and certificates issued by accredited conformity assessment bodies) and thus serves as a useful means of trade facilitation. Regional strategies for cooperation in the accreditation area can also provide major benefits, especially for developing countries.

2.3.2 Canada and USA

2.3.2.1 Canada

The Standards Council of Canada (SCC) is in charge of accrediting organizations that provide conformity assessment services and of verifying their capabilities. Based on international ISO/IEC standards and guides, SCC has developed the following set of accreditation programs in order to formally recognize organizations as certification bodies:
• Certification Bodies Accreditation Program (CBAP): So far about 25 certification bodies have been accredited under CBAP; they perform certification in different areas, e.g. automobile products, information technology, health equipment, safety equipment, or wood products.
• Program for the Accreditation of Laboratories-Canada (PALCAN): So far more than 300 testing laboratories have been accredited under PALCAN; they perform testing in various areas, e.g. calibration, food, forensics, environmental and information technology.
• Environmental Management Systems Accreditation Program (EMSAP) and
• Quality Management Systems Accreditation Program (QMSAP): So far more than 20 registration bodies have been accredited under EMSAP/QMSAP; they perform registration tasks in compliance with ISO 9001 for quality management systems and/or ISO 14001 for environmental management systems.

2.3.2.2 USA

The principles of the US national conformity assessment and national standards strategy can be summarized as follows:
• awareness of all parties involved in conformity assessment, so that they have confidence in the processes by which it is provided,
• avoidance of unnecessary barriers to trade, in compliance with the WTO agreement on TBT,
• promotion of national and international understanding and recognition of competently conducted US conformity assessment processes, and
• increased acceptance of products in national and international markets.

Federal Communications Commission

The Federal Communications Commission (FCC) is an independent government agency that is directly responsible to Congress. It was established by the Communications Act of 1934 and is charged with regulating interstate and international communications by radio, television, wire, satellite and cable.
National Cooperation for Laboratory Accreditation

The National Cooperation for Laboratory Accreditation (NACLA) is a non-profit, private-sector, volunteer organization established in 1998 by representatives of public and private-sector organizations with the goal of providing coordination and focus for laboratory accreditation programs in the US. NACLA is primarily responsible for the evaluation and recognition (but not the accreditation) of laboratory accreditation bodies. It is open to all stakeholders, with representation from industry, government, laboratories and accreditation bodies.

National Institute of Standards and Technology

The National Institute of Standards and Technology (NIST) is a federal technology agency that works with industry to develop and apply technology, measurements and standards. It was established in 1901. Since 1995, under the National Technology Transfer and Advancement Act, it has been responsible for coordinating federal, state and local conformity assessment activities with those of the private sector. NIST and NACLA signed a memorandum of understanding in July 2000 in order to realize a coordinated system for the accreditation of calibration and testing laboratories in the public and private sectors. In 1994 NIST launched the National Voluntary Conformity Assessment Systems Evaluation (NVCASE) program, under which organizations that perform conformity assessment activities can be evaluated and recognized. More information on NVCASE can be found in the "NVCASE Program Handbook" [NVCASE PHB].
Recognized organizations may perform the following conformity assessment activities:
• product testing,
• product certification,
• quality system registration,
• evaluation of testing laboratories,
• evaluation of certification bodies,
• management system registration by an independent body, and
• recognition of accreditors.

In the context of international mutual recognition agreements with foreign nations, NIST is a designating authority for conformity assessment bodies. The relevant MRAs are the
• US-European (EU-MRA),
• Asia Pacific Economic Cooperation (APEC-MRA), and the
• Inter-American Telecommunications Commission (CITEL-MRA).

American National Standards Institute

The American National Standards Institute (ANSI) is recognized by NIST and its NVCASE program. ANSI performs the following activities related to the accreditation of conformity assessment bodies:
• provision of accreditation services, particularly in the product and personnel areas,
• a partnership with the American Society for Quality (ASQ) providing an accreditation program for quality and environmental management systems, and
• international and regional arrangements for multi-lateral recognition, including the IAF, IAA, and the Pacific Accreditation Cooperation (PAC).
2.3.3 Europe

2.3.3.1 European Promotion Strategy of Conformity Assessment

The European promotion strategy of conformity assessment and its related activities and initiatives can be summarized as follows:
• greater adoption of international standards,
• development of guidance and good practice on conformity assessment systems,
• strengthening of global conformity assessment systems,
• ensuring that the most appropriate level and type of conformity assessment is used,
• use of the manufacturer's declaration of conformity combined with effective product liability laws,
• use of quality assurance techniques compliant with the related international ISO standards,
• international cooperation, for example with WTO, ISO/IEC, IAF and ILAC, and
• legislation on procurement.

New Approach

In May 1985 the European Commission developed a concept called the "New Approach" [NEW APP] in order to
• promote industrial competitiveness and product innovation,
• eliminate technical barriers to trade, and
• realize the key element of the EU internal market, namely the free movement of people, goods, services and capital.

In accordance with the New Approach the EU has issued various directives (see section 4.2.2) that specify only fundamental requirements in terms of security, safety or function. These framework regulations are complemented by more detailed technical regulations in the form of harmonized standards produced by the European standardization organizations CEN, CENELEC and ETSI (see sections 4.2.3.1 to 4.2.3.3) on behalf of the European Commission. The New Approach can be classified as a co-regulatory approach in which the main stakeholders of more than twenty industrial sectors have been involved, covering areas such as machinery, buildings and construction, information technology and telecommunications.
The New Approach is based on the following four principles:
• legislative harmonization is limited to the essential safety requirements that products must meet when they are placed on the market, in order to ensure the free movement of goods,
• harmonized standards specifying the technical requirements for products are developed by the mandated European standards organizations,
• application of the standards is voluntary, and
• products manufactured in accordance with harmonized standards are presumed to comply with the requirements of the related directives.

The New Approach directives and the notifications of their development are published in the Official Journal of the European Communities (see also Table 48). The requirements specified in the directives are legally binding obligations. Manufacturers, however, are free to choose the technical means by which they fulfil the requirements. The New Approach directives oblige the member states to transpose these requirements into national law and to perform market surveillance through established inspection authorities, for example departments of industry, labour or health. Products that do not comply with the mandated requirements can be withdrawn from the market. A further essential element of the New Approach is the mutual recognition of certificates of conformity from other member states.

Global Approach

The European conformity assessment system was adopted in the form of the so-called "Global Approach" by an EU resolution in December 1989. This overall concept for conformity assessment applies to the EU directives as well as to the non-regulated sector, for which national regulations may be adopted provided that they do not contain hidden trade barriers.
The Global Approach to certification and testing has resulted in two types of conformity assessment procedures:
• examination of products, services, processes, systems and persons by inspection bodies, testing laboratories and certification bodies, and
• examination of these bodies by the member states that are responsible for them.

Modular Concept

The procedure for conformity assessment of the first type is regulated by the EU in its modular concept, illustrated in Figure 2. This concept covers eight procedures, called modules, that specify requirements for the assessment of individual products during the design and production phases. The conformity assessment principles of the Global Approach can be characterized by the following four types of procedure:
• Internal control of design and production (module A) is performed by the manufacturer himself, without any third party being involved, through self-certification. This procedure is applicable only to products with minimal risk to health and safety. Besides the self-declaration, the manufacturer has to prepare technical documentation describing the design, production and operation of the product, and must retain this documentation for possible inspection by national bodies for at least ten years. If these conditions are met, the manufacturer can affix the CE mark to the product.

Figure 2: Overview of the Modular Concept

• Type examination (module B) covers only the design phase, during which a notified body assesses a sample of the planned production to demonstrate its conformity. The positive result of this procedure is a type-examination certificate issued by the notified body.
However, this procedure must be combined with one of the following four assessment procedures (modules C to F) of the production phase in order to achieve a CE mark for the product: − Conformity to type (module C) assessment is performed by the manufacturer who attests and declares the conformity of his product with the type stated in the type-examination certificate and the requirements of the relevant EU directives. The manufacturer issues a declaration of conformity and can use the CE mark for his product. − Production quality assurance (module D) assessment is performed by the manufacturer who attests and declares the conformity of his product with the type stated in the type-examination certificate and the requirements of the relevant EU directives. The manufacturer provides a quality assurance system (EN ISO 9002) for production, final product inspection and testing that is approved and controlled by a notified body. The manufacturer issues a declaration of conformity and can use the CE mark for his product. − Product quality assurance (module E) assessment is performed by the manufacturer who attests and declares the conformity of his product with the type stated in the type-examination certificate and the requirements of 38 Study on Promotion Strategy of Conformity Assessment System of Information Security February 28th, 2006 (Final) the relevant EU directives. The manufacturer provides a licensed quality assurance system (EN ISO 9003) for the final product inspection and testing that is approved and controlled by a notified body. The manufacturer issues a declaration of conformity and can use the CE mark for his product. − Product verification (module F) assessment is performed by a notified body that tests and declares the conformity of the product with the type stated in the type-examination certificate and the requirements of the relevant EU directives. 
The notified body issues a declaration of conformity and the manufacturer can use the CE mark for his product together with the mark of the notified body. • Unit verification (module G) assessment covers the design and production phase. It is performed by a notified body that performs inspection and that confirms the compliance of all products with the requirements of the relevant EU directives. The notified body issues a declaration of conformity, and the manufacturer can use the CE mark for his products together with the mark of the notified body. • Full quality assurance system (module H) assessment covers the design and production phase. It is performed by the manufacturer who attests and confirms the compliance of all products with the requirements of the relevant EU directives. The manufacturer provides a licensed quality assurance system (EN ISO 9003) for the final product inspection and testing that is approved and controlled by a notified body. The manufacturer issues a declaration of conformity and can use the CE mark for his product together with the mark of the notified body. The procedure for conformity assessment of the second type deals with the examination of bodies that perform the assessment of products, systems, persons, etc. The EU has recommended the creation of central national network for this procedure type, i.e. establishment of accreditation systems both for testing laboratories, monitoring and certification bodies. An overview of relevant international and European standards on conformity assessment is provided in section 2.4. 2.3.3.2 European Cooperation for Accreditation The European Cooperation for Accreditation (EA) is a European organization that is responsible for accreditation of testing, inspection, calibration and certification bodies in order to conclude agreements between accreditation bodies in the form of Multi-Lateral Agreements (MLAs). 
MLAs are based on the related European standards on accreditation and conformity assessment and on the guidance documents developed by EA. Accreditation bodies that comply with the EA rules can become members of the MLAs. EA cooperates in the field of accreditation with other international organizations, in particular with IAF and ILAC. EA signed mutual recognition agreements (EA-MLA) with the EU and EFTA states in November 1997. The EU has also integrated the WTO agreements into European law by a council decision in December 1994.

2.3.4 France
The Association Française de NORmalisation (AFNOR) is the French standardization body. In 1986 the French government established a specific organization responsible for security aspects of information technology. The structure of this organization includes the following groups and their related tasks:
• Commission Interministérielle pour la Sécurité des Systèmes d’Information (CISSI), the joint ministerial commission for information systems security, responsible for ensuring the collaboration between ministries,
• Secrétariat Général de la Défense Nationale (SGDN), the permanent secretariat for national defense, responsible for ensuring the consistency of national policies related to information technology security, and
• Direction Centrale de la Sécurité des Systèmes d’Information (DCSSI), the central directorate for information systems security, responsible for assessing the security of information systems and products and for liaison with foreign assessment bodies.
Certification in France is based on evaluation reports produced by information technology security evaluation facilities that are licensed by the French Prime Minister and accredited by the French accreditation committee (COmité FRançais d’ACcréditation, COFRAC) in accordance with the EN [ISO/IEC 17025] standard.
2.3.5 Germany
This section gives a short overview of accreditation bodies in Germany, including the Federal Office for Information Security, the German Accreditation Council and the German Information Centre for Technical Rules.

2.3.5.1 Federal Office for Information Security
The German establishment law (Errichtungsgesetz, [BSI G]) authorizes the Bundesamt für Sicherheit in der Informationstechnik (BSI, Federal Office for Information Security) to issue certificates for information technology products as well as for protection profiles. In this context it should also be mentioned that private non-governmental certification bodies exist in Germany that have been accredited by the German Accreditation Council (see next section). The BSI recognizes ITSEC or CC certificates of these organizations under particular conditions that have to be agreed in bilateral contracts.

2.3.5.2 German Accreditation Council
The German Accreditation Council (DAR, Deutscher AkkreditierungsRat) is the national coordinator of laboratory and product certification and accreditation. Many further accreditation bodies that exist in Germany operate under the control of DAR. These bodies can be classified as private non-governmental accreditation bodies or as government bodies for the German industry. The members of DAR and their roles are listed in Table 1.

Table 1: German Accreditation Bodies under DAR

ACCREDITATION BODY FOR IT SECURITY | ROLE
BNetzA: Federal Network Agency (Bundesnetzagentur) | government regulatory authority for telecommunications and posts, operating as root certification authority as required by the electronic signature act; liberalization and de-regulation in the sectors of electricity, gas, telecommunications, postal markets and railway infrastructure
DATech: German Accreditation Body for Technology (Deutsche Akkreditierungsstelle für Technik e.V.) | private non-governmental accreditation body for testing, inspection and product certification agencies that operate in the sectors of electrotechnology, mechanical engineering, precision engineering, information technology, optics and related sectors
TGA: German Association for Accreditation (Trägergemeinschaft für Akkreditierung GmbH) | private non-governmental accreditation body acting as the coordinator for voluntary accreditation bodies for laboratories and certification

ACCREDITATION BODY FOR OTHER AREAS | ROLE
AKS Hannover: Accreditation Body Hannover (Akkreditierungsstelle Hannover) | private non-governmental accreditation body located in Hannover for testing, inspection and product certification agencies that operate in the sectors of consumer protection, health care and agriculture
BDI: Confederation of German Industry (Bundesverband der Deutschen Industrie e.V.) | government body
BMWA: Federal Ministry for Economics and Labor (Bundesministerium für Wirtschaft und Arbeit) | government body
DACH: German Accreditation Body for Chemistry (Deutsche Akkreditierungsstelle Chemie) | private non-governmental accreditation body for testing, inspection and product certification agencies that operate in the sector of chemistry and in related sectors
DAP: German Accreditation System for Testing (Deutsches Akkreditierungssystem Prüfwesen GmbH) | legally independent accreditation body for testing, inspection and product certification agencies that operate in the sector of material testing and in related sectors
DASMIN: German Accreditation Body for Petroleum and Related Products (Deutsche Akkreditierungsstelle für Mineralöl GmbH) | private non-governmental accreditation body for testing, inspection and product certification agencies that operate in the sector of petroleum and related products
DAU: German Accreditation and Approval Body for Environmental Verifiers (Deutsche Akkreditierungs- und Zulassungsstelle für Umweltgutachter mbH) | private non-governmental accreditation body
DIAS: German Institute for Accreditation Systems (Deutsches Institut für Akkreditierungssysteme GmbH) | private non-governmental accreditation body for testing, inspection and certification agencies
DIN: German Institute for Standardization (Deutsches Institut für Normung) | government body for the German industry and the primary German standardization body
DKD: German Calibration Service (Deutscher Kalibrierdienst) | governmental and industrial accreditation body for testing, inspection and certification agencies that operate in the sector of calibration
GAZ: Association for Accreditation and Certification (Gesellschaft für Akkreditierung und Zertifizierung mbH) | private non-governmental accreditation body
KBA: German Federal Office of Road Transport (Kraftfahrt-Bundesamt) | government body
KL-MESS: German Coordination Body of the Federal States “Measuring Instruments” (Koordinierungsstelle der Länder “Messgeräte”) | government body

The German Association for Accreditation (TGA, Trägergemeinschaft für Akkreditierung GmbH) is a very large organization with currently 121 accreditation and certification bodies operating in the scope of quality management systems, environmental management systems and personnel quality management. Some examples of TGA members are:
• DQS, German Society for Quality, as the coordinator of national quality awareness and implementation,
• DVGW, German Association of the Gas and Water Industry, or
• TÜV Informationstechnik.
Under the leadership of DAR the following accreditation bodies have joined the mutual recognition agreement EA-MRA of the European accreditation organization EA:
• DACH for the scope testing,
• DAP for the scopes testing and certification of products,
• DASMIN for the scope testing,
• DATech for the scopes testing and certification of products,
• DKD for the scope calibration, and
• TGA for the scopes certification of quality management systems, certification of personnel and certification of environmental management systems.
DAR has also signed the mutual recognition agreement IAF-MRA of the International Accreditation Forum (IAF) on behalf of TGA.

2.3.5.3 DITR German Information Centre for Technical Rules
The German Information Centre for Technical Rules (DITR, Deutsches Informationszentrum für Technische Regeln) is the body responsible for world trade regulation.

2.3.6 Italy
The “Ente Nazionale Italiano di Unificazione” (UNI) is the Italian national agency for standardization. The “Federazione Italiana Degli Enti di Accreditamento” (FIDEA, Italian Federation for Accreditation), established in May 2004, is the Italian accreditation body for accreditation and certification bodies operating in the scope of quality management systems, environmental management systems, occupational health and safety management systems and personnel quality management. Members of FIDEA are the following institutions:
• SIstema Nazionale per l’Accreditamento degli Organismi di CERTificazione e Ispezione (SINCERT, national system for the accreditation of certification and inspection bodies, established in 1991), and the
• SIstema Nazionale per l’Accreditamento di Laboratori (SINAL, national system for the accreditation of laboratories).

2.3.7 Netherlands
The “Nederlands Normalisatie-Instituut” (NNI) is the national agency for standardization in the Netherlands.
The Raad voor Accreditatie (RvA, Dutch Accreditation Council) was established in 1995 by the integration of the organizations NKO, STERLAB, STERIN and RvC. RvA is responsible for the following areas of accreditation in the Netherlands: calibration, inspection, testing and certification. The accreditation body is a private law organization with the government acting as client, supervisor and negotiating partner.

2.3.8 Spain
The Asociación Española de NORmalización y Certificación (AENOR, Spanish association for standardization and certification) is an organization operating under the Ministry of Industry and Energy. AENOR is responsible for the development of standardization and certification in all industrial and service sectors. The Entidad Nacional de ACreditación (ENAC, national accreditation council) is an organization operating under the Ministry of Science and Technology. ENAC is responsible for the following areas of accreditation in Spain: laboratories, inspection, testing, certification and environmental verification. The accreditation body is a private, independent and non-profit body that specifies the regulations for the industrial quality and safety infrastructure.

2.3.9 Sweden
The SWEDish Board for Accreditation and Conformity Assessment (SWEDAC) is a Swedish public authority under the Ministry for Foreign Affairs whose main task is to operate as the Swedish national accreditation body. The main task of the “Standardiseringen i Sverige” (SIS, Swedish Standards Institute) is to support Swedish companies, authorities and organizations by participating in the development of European and international standards.

2.3.10 United Kingdom
This section gives a short overview of accreditation and standardization bodies in the United Kingdom, including the BSI Standards Group, the Communications Electronics Security Group and the Department of Trade and Industry.
The United Kingdom Accreditation Service (UKAS) is the sole national accreditation body recognized by the government to assess, against internationally agreed standards, organizations that provide certification, testing, inspection and calibration services.

2.3.10.1 BSI Standards Group
The “BSI Standards Group” (BSI being the former abbreviation of the British Standards Institute) is organized in the following three subgroups:
• BSI British Standards,
• BSI Management Systems, and
• BSI Product Services.
The “BSI British Standards” division is the national standards body of the UK, cooperating with the government, businesses and consumers in order to facilitate the development of national, European and international standards. Its subdivision “BSI Business Information” supports the development of business standards, best practice and management systems. The “BSI Management Systems” division provides independent third-party certification of management systems for the following areas:
• environmental management,
• occupational health and safety,
• information security,
• IT service management, and
• food safety management systems.
The “BSI Product Services” division supports the industry in developing new and better products that comply with laws and regulations.

2.3.10.2 Communications Electronics Security Group
The UK government's Communications Electronics Security Group (CESG), as the technical authority for HMG (Her Majesty’s Government) electronic security, established evaluation facilities for carrying out security evaluations of computer systems in 1985.

2.3.10.3 Department of Trade and Industry
In 1987 the Department of Trade and Industry (DTI) established the Commercial Computer Security Centre to prove the application of formal security evaluation to commercially available IT products and systems.
Its Standards and Technical Regulations Directorate (STDR) is in charge of the related standardization and regulation. These activities resulted in the publication of a set of evaluation criteria and an operational scheme that are also known as “The Green Books”.

2.3.10.4 UK IT Security Evaluation and Certification Scheme
In 1989 the UK government established a specific body called “UK IT Security Evaluation and Certification (UKITSEC)” body that is responsible for the evaluation and certification of IT security products and systems. The UKITSEC scheme was established in 1991 by a joint effort of the DTI and the CESG, in which the UKITSEC body is located. CESG and DTI are responsible for the management of the UKITSEC scheme. The structure of this organization includes the following groups and their related tasks and services:
• the Government's Communications Electronics Security Group (CESG), responsible for the operation of the scheme as part of its Infosec Assurance and Certification Services (IACS),
• the CESG Assisted Product Scheme (CAPS), responsible for the assessment of cryptographic products for HMG and the Critical National Infrastructure (CNI),
• the Fast Track Assessment (FTA), responsible for the assessment of products that are used by HMG and the CNI, and
• the IT Security Health Check, responsible for the identification of vulnerabilities in systems and networks of HMG and of commerce.
The objectives of UKITSEC are to support the government and the industry with cost-effective and efficient security evaluation and certification of IT products and systems, and to provide a framework for the international mutual recognition agreements of certificates. UKITSEC is embedded in the broader management framework that also covers physical, personnel and procedural security measures [BS 7799].
Under the UKITSEC scheme the security features of IT products and systems are tested and evaluated independently of suppliers. These activities are carried out against standardized criteria according to a formalized methodology. The criteria themselves define a set of degrees of rigor, or assurance levels. Security certificates are issued by the UKITSEC scheme for IT products and systems that fulfill the requirements of a claimed level of assurance.

2.3.10.5 Commercial Evaluation Facilities
Certification in the UK is based on evaluation reports produced by CommerciaL Evaluation Facilities (CLEFs; called information technology security evaluation facilities, ITSEFs, in other European countries) that are accredited by the UK Accreditation Service (UKAS) in accordance with the [ISO/IEC 17025] standard. With respect to the adequacy of testing, accredited CLEFs can be considered as facilities that also meet the requirements of the ISO 9001 and ISO 9002 standards on quality assurance.

2.3.10.6 CESG Assisted Products Scheme
The CESG Assisted Products Scheme (CAPS) was established by CESG in order to meet the demand of HMG for cryptographic products. Products and systems that have been developed under CESG, or approved by CAPS as conformant with the HMG cryptographic standards, give their vendors higher chances of selling them to the UK government.

2.4 Standards for Conformity Assessment
The ISO COmmittee on Conformity ASsessment (CASCO) is responsible for standards on conformity assessment. The consistent use of the international standards and guides that have been developed by ISO/CASCO through international consensus can also provide a basis for achieving the international acceptance of test reports and certificates.
Standards and guides on conformity assessment that currently exist or that are in the planning phase are listed in Table 2 and illustrated in Figure 3. Please note that the prefix “EN” stands for “European Norm” and that the combination “EN ISO/IEC” indicates the adoption of an ISO/IEC standard as a European standard.

Table 2: Selection of Standards for Conformity Assessment

REFERENCE | TITLE | YEAR
ISO/IEC Guide 23 | Methods of indicating conformity with standards for third-party certification systems | 1982
ISO/IEC Guide 27 | Guidelines for corrective action to be taken by a certification body in the event of misuse of its mark of conformity | 1983
ISO/IEC Guide 58 | Calibration and testing laboratory accreditation systems – General requirements for operation and recognition, corresponds to EN 45 003 (1995) | 1993
ISO/IEC Guide 7 | Guidelines for drafting of standards suitable for use of conformity assessment | 1994
ISO/IEC TR 13233 | Information technology – Interpretation of accreditation requirements in ISO/IEC Guide 25 – Accreditation of information technology and telecommunications testing laboratories for software and protocol testing services | 1995
ISO/IEC Guide 61 | General requirements for assessment and accreditation of certification/registration bodies, corresponds to EN 45 010 (1998) | 1996
ISO/IEC Guide 65 | General requirements for bodies operating product certification systems, corresponds to EN 45 011 (1998) | 1996
ISO/IEC Guide 43 | Proficiency testing by inter-laboratory comparison – Part 1: Development and operation of proficiency testing schemes; Part 2: Selection and use of proficiency testing schemes by laboratory accreditation bodies | 1997
ISO/IEC Guide 62 | General requirements for bodies operating assessment and certification/registration of quality systems, corresponds to EN 45 012 (1998) | 1997
ISO/IEC Guide 66 | General requirements for bodies operating assessment and certification of quality systems, corresponds to EN 45 012 (1998) | 1999
ISO/IEC Guide 68 | Arrangements for the recognition and acceptance of conformity assessment results | 2002
ISO/IEC 17024 | Conformity assessment – General requirements for bodies operating certification of persons | 2003
ISO/IEC 17030 | Conformity assessment – General requirements for third-party marks of conformity | 2003
ISO/IEC 17000 | Conformity assessment – Vocabulary and general principles | 2004
ISO/IEC 17010 | General requirements for bodies providing accreditation of inspection bodies | 2004
ISO/IEC 17011 | Conformity assessment – General requirements for accreditation bodies accrediting conformity assessment bodies | 2004
ISO/IEC 17020 | General criteria for the operation of various types of bodies performing inspection, corresponds to EN 45004 | 2004
ISO/IEC 17050 | Conformity assessment – Supplier’s declaration of conformity | 2004
ISO/IEC Guide 28 | Conformity assessment – Guidance on a third-party certification system for products | 2004
ISO/IEC Guide 60 | Conformity assessment – Code of good practice | 2004
ISO/IEC Guide 67 | Conformity assessment – Fundamentals of product certification | 2004
ISO/PAS 17002 | Conformity assessment – Confidentiality – Principles and requirements | 2004
ISO/PAS 17003 | Conformity assessment – Complaints and appeals – Principles and requirements | 2004
ISO/IEC 17025 | General requirements for the competence of testing and calibration laboratories, corresponds to EN 17025 | 2005
ISO/IEC 17040 | Conformity assessment – General requirements for peer assessment of conformity assessment bodies and accreditation bodies | 2005
ISO/IEC Guide 53 | Conformity assessment – Guidance on the use of an organization’s quality management system in product certification | 2005
ISO/IEC 17021 | Conformity assessment – General requirements for bodies operating assessment and certification/registration of quality or environmental management systems – Part 1: General requirements; Part 2: Supporting documentation | in preparation
Figure 3: Standards for Conformity Assessment

EN ISO/IEC 17000
The standard “Conformity Assessment – Vocabulary and General Principles” [ISO/IEC 17000] provides new terms and definitions related to conformity assessment, based on a functional approach (selection, determination, review and attestation) that was taken by a joint ISO/CASCO - CEN/CENELEC project. It replaces part 2 of the present ISO/IEC Guide 2 (1996) or EN 45020 (1998). ISO/IEC Guide 2 defined accreditation as a “procedure by which an authoritative body gives formal recognition that a body or person is competent to carry out specific tasks”. It describes conformity assessment as “any activity concerned with determining directly or indirectly that relevant requirements are fulfilled”. Conformity assessment procedures (testing, inspection and certification) yield assurance that products meet the requirements defined in standards and regulations.

EN ISO/IEC 17011
The standard “Conformity Assessment – General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies” [ISO/IEC 17011] replaces EN 45003 (identical with ISO Guide 58), EN 45010 (identical with ISO Guide 61) and ISO/IEC TR 17010. The purpose of these standards is to describe accreditation systems for laboratories, certification bodies and inspection bodies. EN ISO/IEC 17011 specifies requirements for accreditation bodies. It makes a clear distinction between accreditation and certification and does not allow accreditation bodies to perform any conformity assessment activities alongside their accreditation activity.
EN ISO/IEC 17020
The standard “General Criteria for the Operation of Various Types of Bodies Performing Inspection” [ISO/IEC 17020] (published by DIN in its German version in November 2004) is identical with EN 45004. With it, the requirements for inspection bodies were approved as a worldwide standard.

EN ISO/IEC 17024
The standard “Conformity Assessment – General Requirements for Bodies Operating Certification of Persons” [ISO/IEC 17024] was already published by DIN in October 2003. It supersedes the previous EN 45013 (1990).

EN ISO/IEC 17040
The standard “Conformity Assessment – General Requirements for Peer Assessment of Conformity Assessment Bodies and Accreditation Bodies” [ISO/IEC 17040] specifies general requirements for the evaluation of accreditation bodies and the peer assessment of certification bodies and other conformity assessment bodies. In the field of mutual recognition it complements ISO Guide 68, which only describes fundamental terms for mutual recognition.

EN ISO/IEC 17050
The two-part standard “Conformity Assessment - Suppliers' Declaration of Conformity” with its part 1 “General Requirements” and part 2 “Supporting Documentation” [ISO/IEC 17050] supersedes the previous EN 45014 (1998) and ISO Guide 22 respectively.

EN ISO/IEC 17025
The standard “General Requirements for the Competence of Testing and Calibration Laboratories” [ISO/IEC 17025] has been accepted by DIN, superseding DIN EN 45001. ISO, ILAC and IAF have recently issued a joint statement on the management system requirements of ISO/IEC 17025 in which they demand that a laboratory has to meet both the technical competence requirements and the management system requirements that are necessary for it to consistently deliver technically valid test results and calibrations.
EN ISO/IEC 17021 (in Preparation)
Currently a standard entitled “Conformity Assessment – General Requirements for Bodies Operating Assessment and Certification/Registration of Quality or Environmental Management Systems” is in preparation. This standard will supersede ISO Guide 62, ISO Guide 66 and EN 45012. There are currently intensive discussions in the responsible working groups, and the standard is not expected to be published before next year. To facilitate the revision of the standards in future, WG 23 is presently working on the so-called Common Elements, i.e. on text modules to be used by the standards bodies so that identical requirements are expressed in identical wording across standards.

3 Concepts of Assurance of Conformity

3.1 Trust
Trust in the security of IT products can be achieved in different ways, as illustrated in Figure 4. Possible means for achieving or increasing trust in the security of IT products are the usage of
• well-proven systems,
• manufacturer declarations, i.e. trusting the “good” name of a company,
• open-source technology, i.e. trusting the developer community, or
• evaluation and certification by independent authorities, i.e. trusting the certification process.

Figure 4: Trust in the Security of IT Products (well-proven system; manufacturer declarations, trust in the good name; open-source technology, trust in the developer community; evaluation and certification by independent authorities, trust in the certification process)

The last approach (see the green cloud in Figure 4) is the only technically feasible alternative that provides the highest level of trust in the quality and security of IT products.
3.2 Inspection
World-wide, hundreds of third-party national and international inspection bodies and organizations exist that examine, evaluate and certify a huge number of products, materials, installations, plants, processes, work procedures and services in the private and public sector. The purpose of inspection is to minimize the risk to the buyer, user, client or consumer of the items being inspected.

3.3 Evaluation and Certification
The process of conformity assessment of IT products is shown in Figure 5. Products of a manufacturer (sometimes also called developer, vendor or sponsor) for which certification and/or a seal of approval (or mark) is intended can be passed to an authorized testing or evaluation laboratory (sometimes also called IT security evaluation facility, ITSEF) that itself is under contract with and controlled by a certification authority. Testing is the most common form of conformity assessment, and it may include measurement and calibration.

Figure 5: Process of Testing and Certification of IT Products (manufacturer, testing lab, certification authority and client/consumer; flows of product, test report, certification request, certificate/seal of approval as marketing instrument, and list of certified products)

The certification authority is responsible for controlling the quality of the tests and evaluations that are performed by the testing laboratories. The testing laboratory is in charge of comprehensive testing and produces an evaluation report that is given to the manufacturer as well as to the certification authority. The test client (manufacturer) also has to forward a certification request to the certification authority, which after successful testing returns a certificate and/or seal of approval to the manufacturer.
Certified products will be published by the certification authority in the form of a list of certified products. The evaluation process means a detailed examination of IT security features by comprehensive functional and penetration testing to make sure that all claimed and agreed features meet an agreed security target. Evaluations of IT security products or systems are carried out by independent third parties known as Information Technology Security Evaluation Facilities (ITSEFs). ITSEFs shall be independent from product developers and sponsors. They shall operate solely under the control of certification bodies. ITSEFs have to be licensed by the certification body and have to comply with the rules of the related framework. They have to perform the evaluations in accordance with standards and/or specifications that have been foreseen by the certification body. Issued certificates thus confirm the compliance of evaluated products with the requirements specified in these technical documents, referred to as security targets. These security targets may themselves be certified in accordance with particular specifications referred to as protection profiles. Protection profiles are used to express high-level requirements that may be commonly used in different areas such as administration, healthcare, industry, transport, banking, etc.

Evaluation results are published in certification reports that contain additional information on how a product or system should be used. The manufacturer can use the certification report, the certificate and/or seal of approval as marketing instruments. Consumers can take into account the published list of certified products as well as the existence of IT products with a seal of approval, which contribute to increased trust in the quality of products.
The use of certified products and systems gives high confidence that all security claims have been met.

3.4 Accreditation

Accreditation is the procedure by which an authoritative body gives formal recognition that a body or person is competent and authorized to carry out specific tasks. In the ISO area, accreditation is related to accreditation bodies set up in a number of countries to evaluate the competence of their conformity assessment bodies. The task of an accreditation body is to approve and to accredit a conformity assessment body as competent and authorized to perform ISO 9000 or ISO 17000 evaluation and certification in particular business sectors. Accreditation also requires that conformity assessment bodies, including testing and calibration laboratories, inspection bodies, and certification bodies, are regularly re-assessed and re-audited by an independent accreditation body in order to confirm that these bodies comply with the requirements specified in international standards and fulfill the objective criteria of competence and neutrality.

3.5 Manufacturer Declaration

A manufacturer declaration is a procedure by which a manufacturer gives written assurance that a product, process or service conforms to specified requirements of related standards, specifications or regulations. In this case the conformity assessment is done by the manufacturer itself. This kind of conformity assessment is called self-assessment. However, a manufacturer declaration is normally not adequate in cases where the health, environmental or security risks of the product are classified as higher.

3.6 Mutual Recognition Agreements

In the past, internationally traded products, goods and services have been subject to repeated conformity assessment steps and controls in different countries due to the lack of confidence of consumers regarding the conformity assessment in foreign countries.
Confidence can be increased through cross-border cooperation among conformity assessment and accreditation bodies by means of Mutual Recognition Agreements (MRAs). MRAs are statements that express an agreement of all involved parties to mutually recognize the outcome of the other partners' testing, inspection, certification or accreditation.

In 1998 the Senior Officials Group for Information Society (SOG-IS) of the European Commission approved the recognition agreement of information technology security evaluation certificates based on ITSEC, which came into force in March 1998 as the so-called SOGIS-MRA. The SOGIS-MRA was originally signed by the national certification bodies of Finland, France, Germany, Greece, Italy, the Netherlands, Norway, Portugal, Spain, Sweden, Switzerland, and the United Kingdom. This agreement applies up to the ITSEC E6 level, enabling the recognition between the signatory states of certificates issued by their certification bodies. Security certificates that were recognized within the scope of this agreement can be used with the mark shown in Figure 6. The MRA on IT certificates based on CC was extended to cover CC evaluations up to EAL7.

Figure 6: Mark for European ITSEC-MRA

Figure 7: Label for International CC-MRA

The government bodies from Canada, France, Germany, the United Kingdom, and the United States have sponsored the related Common Criteria project (see section 3.8.4) that has led to the CC versions 1.0 in 1996, 2.0 in 1997, and finally to the international CC standard [ISO/IEC 15408]. The national certification bodies of these countries signed a first MRA of IT security certificates based on CC up to the evaluation assurance level EAL4 in October 1998. The achieved CC arrangements can be visualized by the specific mark shown in Figure 7.
The arrangement on the recognition of common criteria certificates in the field of information technology security [AR-CCC] also includes a plan for the cooperation between its members and the rules for new memberships. In the following years the following countries joined this MRA (see also Figure 8):
• October 1999: Australia and New Zealand,
• May 2000: Finland, Greece, Italy, the Netherlands, Norway and Spain,
• November 2000: Israel,
• February 2002: Sweden,
• November 2002: Austria,
• September 2003: Hungary and Turkey,
• November 2003: Japan,
• September 2004: Czech Republic,
• March 2005: Republic of Singapore, and
• April 2005: India.

Figure 8: International Agreements for Recognition of Common Criteria

3.7 Types of Certification

The main types of certification are management system certification and product certification. Less well-known examples of certification are personal certification or certification of services. It shall be noted that in this context the terms “certification” and “registration” are sometimes used interchangeably.

Management System Certification

The main types of management system certification are certification of quality management systems and of environmental management systems conforming to the ISO 9000 and ISO 17000 standards, respectively.

Product Certification

Variants of product testing that exist are, for example, the initial testing of a product combined with an assessment of its manufacturer’s quality management system, possibly followed up by surveillance testing. Surveillance testing is based on the manufacturer’s quality management system and the testing of samples taken from the factory and/or the market. Other kinds of product certification include initial testing and surveillance testing, or are simply based on the testing of a sample product (type testing).
An issued certificate confirms, on the day of signature, that the identified version of a product or system complies with the requirements stated in its security target.

Surveillance Certification

Certification bodies may offer a particular certified product surveillance process that can be used in order to extend the lifetime of a certificate. This process is associated with the capability of a product to withstand attacks over time. It includes the revision and vulnerability analysis of the initial evaluation of the product at regular intervals. A certificate can be considered to be monitored if the responsible evaluation facility does not find any new detectable vulnerability.

Version Certification

A new specific certification process for facilitating the certification of a new version of a certified product is not required. In this case the evaluation facility and the certification body just need to conduct studies related to the upgrades documented by the manufacturer in its certification request. The reuse of previous evaluation results thus reduces the costs of new versions of certified products.

This document focuses on product certification of IT security products and especially on smartcard and/or cryptographic modules and devices.

3.8 Technical Standards

The increasing use of electronic commerce, online banking or electronic mail as means of communication has led to increased risks but also to a rising awareness of security. Particular security risks are threats to the integrity and confidentiality of sensitive digital documents and information or to the availability of services. There is a strong requirement for the IT products and systems in use to provide appropriate security measures in order to reduce and limit those risks.
The evaluation and certification of IT products and systems based on internationally accepted and harmonized security requirements allows determining whether they really have the required and appropriate security capabilities. The conformance assessment process requires specific technical standards that specify requirements against which the functionality of IT security products can be tested, validated and evaluated. Relevant standards for this purpose are [FIPS 140-1], [FIPS 140-2], [TCSEC], [ITSEC] and [CC], which are discussed in more detail in the following sections. Numerous criteria for the testing and evaluation of the security of IT systems have been developed and standardized during the last 20 years on the national, European, and international level. The following list gives a selection of the most important standardized criteria:
• Trusted Computer System Evaluation Criteria [TCSEC], “The Orange Book”, US Department of Defense Standard DoD 5200.28-STD, December 1985
• Information Technology Security Evaluation Criteria [ITSEC], Harmonized Criteria of France, Germany, Netherlands, and United Kingdom, June 1991
• Federal Criteria for Information Technology Security, NIST and NSA, USA, December 1992
• The Canadian Trusted Computer Product Evaluation Criteria, Version 3.0e, Canadian System Security Centre, January 1993
• Information Technology – Security Techniques – Evaluation Criteria for IT Security, International Standard [ISO/IEC 15408] (identical with Common Criteria [CC]), December 1999

With respect to cryptographic modules the document [ISO/IEC 19790] on “Security Requirements for Cryptographic Modules” is of relevance, and also the proposal for a new work item [ISO/IEC NWI] on “Test Requirements for Cryptographic Modules”.
3.8.1 Federal Information Processing Standards

This section summarizes the main features of the Federal Information Processing Standards (FIPS) “Security Requirements for Cryptographic Modules” [FIPS 140-1] and [FIPS 140-2] for cryptographic modules. The [FIPS 140-1] standard has been completely replaced by [FIPS 140-2]. However, it is still maintained for the purpose of backward compatibility. The [FIPS 140-2] standard specifies the security requirements for the secure design and implementation of a cryptographic module within a security system that protects sensitive information. It defines four increasing, qualitative security levels (Level 1 to Level 4) for a broad spectrum of applications and environments. The security requirements cover the following areas and aspects:
• cryptographic key management,
• cryptographic module interfaces,
• cryptographic module ports,
• cryptographic module specification,
• design assurance,
• electromagnetic interference and electromagnetic compatibility,
• finite state model,
• mitigation of other attacks,
• physical security,
• roles, services and authentication, and
• self-tests.

NIST has recently announced the development of FIPS 140-3 as a revised version of [FIPS 140-2].

3.8.2 Trusted Computer System Evaluation Criteria

The Trusted Computer System Evaluation Criteria [TCSEC], also commonly known as “The Orange Book”, has been the basis for the security evaluation of operating systems. It was originally published in 1983 and used by the US Department of Defense in the US product evaluation scheme operated by the National Computer Security Center (NCSC). The TCSEC criteria were defined in order to match the security policy of the US Department of Defense. The policy was primarily concerned with maintaining the confidentiality of nationally classified information.
TCSEC is now no longer in use and has been replaced by the criteria of the “Information Technology Security Evaluation Criteria” [ITSEC].

3.8.3 Information Technology Security Evaluation Criteria

The European Information Technology Security Evaluation Criteria (ITSEC) activities started with the harmonization of evaluation criteria between France, Germany, the Netherlands and the United Kingdom in 1991. This activity was followed by the development of the IT Security Evaluation Manual (ITSEM) in 1995, which specifies the methodology to be taken into account during ITSEC assessment. ITSEC is a structured set of criteria for evaluating IT products and systems. The evaluation includes the detailed examination of IT security features by means of comprehensive functional and penetration testing. The evaluation is performed based on a defined and agreed security target against which the product or system is tested. ITSEC distinguishes the following six evaluation levels (E1 to E6) with ascending level of confidence, and their requirements represent the basis for the evaluation of IT products and systems.
The evaluation levels in particular require the following types of testing and the production of the following evidence:
• E1: security target and informal architectural design, user and administration documentation as guidance for target of evaluation (TOE) identification, delivery, configuration, start-up and operational documentation, use of secure distribution methods,
• E2: informal detailed design and test documentation, architecture showing the separation of the TOE into security enforcing and/or other components, penetration testing searching for errors, assessment of configuration control and developer’s security, audit trail output during start-up and operation,
• E3: source code or hardware drawings, demonstration of correspondence between source code and detailed design, use of acceptance procedures, use of recognized standards for implementation languages, retesting after the observation of errors,
• E4: formal model of security and semi-formal specification of security enforcing functions, architecture and detailed design, sufficient testing, configuration control of TOE and tools, audit of changes, documentation of compiler options, protection of security on restart after failure,
• E5: architectural design with explanations of the inter-relationship between security enforcing components, information on run time processes and run time libraries, independence of configuration control from the developer, identification of security enforcing or security relevant configuration items, and
• E6: formal description of architecture and security enforcing functions, formal specification of security enforcing functions and their correspondence with source code and testing, formal definition of different TOE configurations, configuration control of all tools.
Despite the importance of ITSEC in the past, it should be mentioned that in the meantime the focus of evaluation criteria has moved from ITSEC towards the “Common Criteria” (CC).

3.8.4 Common Criteria

The Common Criteria represent the results of international activities and efforts to align and integrate the criteria that exist in Europe and in North America into a single, common standard for performing security evaluations. The related projects have achieved the harmonization of the US Federal Criteria (FC), the Canadian criteria (CTCPEC), and the ITSEC criteria into the Common Criteria for Information Technology Security Evaluation (CC). The Common Criteria are now being used in the evaluation of IT security products and systems by defining security requirements in an internationally standardized way. The CC are replacing more and more existing national criteria with those defined in the ISO standard [ISO/IEC 15408]. Security certificates for IT products or systems that have been evaluated in compliance with CC may use the CC label as shown in Figure 9.

Figure 9: CC Label

This chapter gives a comprehensive description of the basics of security evaluation in accordance with the Common Criteria. The following topics are described:
• evaluation documents,
• security targets,
• protection profiles,
• classes and families of functional requirements,
• evaluation assurance levels and strength of function, and
• recognition agreements.

The Common Criteria standard contains three parts. These are:
• introduction and general model,
• security functional components, and
• security assurance components.

Evaluation Documents

Prior to the evaluation of a specific target of evaluation the manufacturer is required to provide evaluation documents that include
• the security target, i.e. a description of the security requirements,
• the functional interface specification,
• a user manual, and
• the preliminary design/final design of the target of evaluation, depending on the evaluation assurance level.

Target Of Evaluation

The IT system or product to be evaluated is referred to as the Target Of Evaluation (TOE).

Security Target

The TOE is evaluated against its security target. The security target is based on protection profiles and is specified and defined by the
• IT security requirements that have to be satisfied by the specific security target, and a
• specification of security measures that have to be provided by the security target.

Classes/Families

CC uses the concept of classes and families to structure the functional security requirements. These classes and families are referenced in protection profiles. Functional classes are becoming widely used to identify security functionality. Certification bodies will only confirm that the requirements of a particular functionality class have been met.

Protection Profile

The concept of protection profiles is an essential innovation that was introduced by CC. The basic purpose and contents of a protection profile can be summarized by the following main features:
• A protection profile defines a certain set of implementation-independent security requirements for a category of evaluation targets.
• A protection profile is used to express IT security requirements that are needed by many users and that need to be satisfied by many manufacturers.
• A protection profile is specified in a general, abstract way without referring to a concrete target of evaluation.

The contents of a protection profile are structured and segmented into the following general sections:
• It includes an introductory part that contains the identification and an overview of the protection profile.
• It describes the target of evaluation.
• It contains security aspects of the environment of the target of evaluation, including all assumptions that have been made about the environment, possible threats, and organizational security policies.
• It specifies the security aims for the target of evaluation and the environment.
• It provides the IT security requirements for the IT environment and the target of evaluation.
• It contains remarks on the related application.
• It finally includes a declaration of the security aims and the security requirements.

The structure of protection profiles corresponds to the structure of the target of evaluation. The effort for the specification of the target of evaluation of a concrete IT product or system can be drastically reduced by the use of a protection profile. In this case the protection profile only needs to be adapted product-specifically or system-specifically.

EAL

CC distinguishes seven evaluation assurance levels (EAL1 to EAL7) that represent the different levels of trustworthiness of tested, evaluated and certified systems. The effort for an evaluation increases for higher EALs. Higher EALs, on the other hand, provide a higher level of trustworthiness. The meaning of the distinct EALs, their evaluation effort and the gained level of trustworthiness is illustrated in Figure 10, which also shows some kind of equivalence between the evaluation levels of ITSEC and the evaluation assurance levels of CC.

Attack Potential

The EALs can optionally be combined with an indication of the strength of function (SOF), for which the following three categories have been defined.
• SOF-basic: provides adequate protection against casual breach of TOE security by attackers possessing a low attack potential,
• SOF-medium: provides adequate protection against straightforward or intentional breach of TOE security by attackers possessing a moderate attack potential, and
• SOF-high: provides adequate protection against deliberately planned or organized breach of TOE security by attackers possessing a high attack potential.

Figure 10: Overview of Evaluation Assurance Levels (evaluation effort rising from EAL1 to EAL7, with the ITSEC levels E1 to E6 shown for comparison): EAL1 functionally tested; EAL2 structurally tested; EAL3 methodically tested and checked; EAL4 methodically designed, tested and reviewed; EAL5 semiformally designed and tested; EAL6 semiformally verified design and tested; EAL7 formally verified design and tested.

The potential for a successful attack depends on the
• knowledge of the attacker (general and professional knowledge),
• resources of the attacker (time, access to the target of evaluation, equipment), and the
• motivation of the attacker (interest in the protected values).

The “Common Evaluation Methodology” (CEM) provides additional guidance for the evaluation of attack potential.

3.8.5 Joint Interpretation Library

The European Joint Interpretation Working Group (JIWG), which is composed of IT certification experts from France, Germany, the Netherlands and the UK, has produced a set of documents (see Table 3) as a framework for a common understanding and approach for achieving comparable evaluation results. These documents serve as guidelines for developers, evaluators and certifiers supporting the main principles of evaluation and certification, namely repeatability, reproducibility, impartiality and objectivity. Documents addressing particular items for smart card evaluation are listed in Table 4.
Table 3: Documents of European JIWG for Evaluation and Certification

DOCUMENT                                                        DATE      VERSION
ITSEC Joint Interpretation Library                              1998-11   Version 2.0
Collection of Developer Evidence                                2000-08   Version 1.0
ETR-lite for Composition                                        2002-03   Version 1.0
ST-lite for Composition                                         2002-07   Version 1.1
Security Evaluation and Certification of Digital Tachographs    2003-06   Version 1.12

Table 4: Documents of European JIWG for Smart Card Evaluations

DOCUMENT                                                                                   DATE      VERSION
The Application of ITSEC to Integrated Circuits                                            1999-01   Version 1.0
Integrated Circuit Hardware Evaluation Methodology: Vulnerability Assessment               1999-04   Version 1.3
The Application of Common Criteria to Integrated Circuits                                  2000-01   Version 1.0
Application of Attack Potential to Smart Cards                                             2002-03   Version 1.0
ETR-lite for Composition, Annex A: Composite Smart Card Evaluation                         2002-03   Version 1.2
Guidance for Smart Card Evaluation                                                         2002-03   Version 1.1
Requirement to perform Integrated Circuit Evaluations                                      2003-07   Version 1.1
Requirement to perform Integrated Circuit Evaluations, Annex A: Examples of Smart Card Specific Attacks   2003-07   Version 1.1

Different interpretations from different countries related to requirements contained in the security criteria of ITSEC have been harmonized and published in the document “ITSEC Joint Interpretation Library” [ITSEC JIL]. The document “Integrated Circuit Hardware Evaluation Methodology: Vulnerability Assessment” [IC HEM] provides information and interpretations on security features of ICs during their assessment. Different interpretations from different countries related to requirements contained in the security criteria of CC will be harmonized by the special CC Interpretations Management Board (CCIMB).

3.8.6 Protection Profiles for Smart Cards

Protection profiles for smart cards are the appropriate means to specify the security requirements for this type of product.
A selection of existing smart card profiles, which have been developed by user groups, manufacturer groups or by international organizations, is given in Table 5.

Table 5: Selection of Smart Card Protection Profiles

DOCUMENT                                                           DATE         VERSION
Protection Profile – Secure Signature-Creation Device Type 1       2001-07-28   Version 1.05
Protection Profile – Secure Signature-Creation Device Type 2       2001-07-25   Version 1.04
Protection Profile – Secure Signature-Creation Device Type 3       2001-07-25   Version 1.05
Smartcard IC Platform Protection Profile                           2001-07      Version 1.0
Smart Card Security User Group - Smart Card Protection Profile     2001-09-09   Version 3.0

3.8.6.1 Secure Signature-Creation Device Type 1/2/3

The set of protection profiles “Protection Profile – Secure Signature-Creation Device Type 1”, “Type 2” and “Type 3” has been developed by CEN/ISSS in compliance with the European directive on electronic signatures [EC DIR ES] and its requirements for Secure Signature Creation Devices (SSCD). The type 1 profile specifies the security requirements of an SSCD for the generation of signature creation data (i.e. secret and public signature keys). The type 2 profile specifies the requirements of an SSCD for the secure storage of the signature keys and the generation of qualified electronic signatures. The type 3 profile specifies the requirements of an SSCD that combines SSCD type 1 and SSCD type 2 in one technical component.

3.8.6.2 Smart Card Security User Group

The protection profile “Smart Card Security User Group - Smart Card Protection Profile” has been developed by the SCSUG user group, which represents the security needs of its user community including American Express, Europay International, JCB Ltd, MasterCard International, Mondex International, Visa International, NIST, and NSA.
This protection profile specifies the security requirements for smart cards to be used within sensitive applications in the banking sector.

3.8.6.3 Smartcard IC Platform

The protection profile “Smartcard IC Platform Protection Profile” has been developed by a group of IC manufacturers including Atmel Smart Card ICs, Hitachi Europe Limited, Infineon Technologies AG, and Philips Semiconductors. The target of evaluation is a smart card integrated circuit composed of a processing unit, security components, I/O ports, volatile and non-volatile memory, and IC dedicated software.

3.8.7 German Profile Specifications for PKI-Based Applications and Systems

This section describes German specifications that are used for conformance assessment of PKI-based applications and products and that are not based on ITSEC or CC. The test specification covers the following areas:
• X.509 certificates and certificate revocation lists,
• PKI management procedures and data objects,
• message formats and electronic signature,
• operational protocols,
• certification path validation, and
• cryptographic token interfaces.

3.8.7.1 ISIS-MTT Specification

The ISIS-MTT Specification [ISIS-MTT SPEC] covers the needs of many major players within the PKI market place and has been promoted by certification service providers, application developers as well as industry and the public sector. One of the main goals was the unification of two existing standards (ISIS and MailTrusT). The unified standard is greatly needed by service providers, application developers and users who want to offer or deploy PKI solutions and wish to benefit from overall interoperability. The coverage of a broad set of PKI interfaces was another major goal, in order to provide one common basis for a wide range of PKI-based applications deploying digital signatures, encryption and authentication.
The specification aims at interoperability regardless of the aspired security level and of the applied policies. It is the intention that ISIS-MTT compliant applications, possibly working with different security levels and policies, can smoothly work together. In terms of the EU directive, everything from advanced to qualified certificates is covered. ISIS-MTT is intended to fully comply with the existing and broadly accepted international standards like those of PKIX. But to be realistic, interoperability needs to be somewhat more specific in some aspects than those general standards. This delta is covered by ISIS-MTT. Special emphasis was laid on the absence of any national interpretations. This has been fully achieved in the core part of ISIS-MTT, whose parts are fully compliant with PKIX standards. This has been the main goal of ISIS-MTT and was intended to enable quick delivery of compliant products as well as easy adoption of the standard by international application developers.

In addition to the core part, a separate optional profile has been set up in order to enable users as well as service providers to fulfill the special requirements of the German signature act.

3.8.7.2 ISIS-MTT Test Specification

The ISIS-MTT test specification [ISIS-MTT TSPEC] specifies testing procedures to assess the conformity of PKI components with the ISIS-MTT interoperability specification [ISIS-MTT SPEC]. It contains a test suite which is composed of a set of relevant test cases. Each individual test focuses on the testing of products against particular conformance requirements of the ISIS-MTT specification. The test document is intended to be read by test bench implementers and test operators and serves as the basis for the implementation and execution of test cases.
It is intended not to rely on a single test bench installation, but to allow application developers and third party testing organizations to build their own test benches. The test specification remains open with regard to the concrete test bench architecture and thus gives freedom to test bench implementers in choosing their testing means.

4 Government Organizations and Programs for IT Security

4.1 Canada and USA

4.1.1 Canada

The promotion strategy of the Canadian government recommends the use of CMVP validated cryptographic modules by the federal departments and agencies.

4.1.1.1 Communications Security Establishment

The Communications Security Establishment (CSE) was formally established as early as 1946 as the “Communication Branch – National Research Council” and renamed in 1975, operating under the national defense department. CSE supports a number of Canadian government departments to ensure the security of their communications. It provides the following set of services for information technology security:
• threat and vulnerability analysis,
• prediction, prevention and response to cyber-security incidents,
• IT security services architecture and engineering,
• training and awareness programs, and
• support for IT security policy and development of standards.

CSE also supports the Canadian industry and economy with respect to
• certification and accreditation, and
• industry programs for information technology security assurance.
4.1.1.2 Industry Programs

CSE has launched and is supporting the following three industry programs:
• Cryptographic Endorsement Program (CEP),
• Canadian Industrial TEMPEST Program (CITP), and
• Information Technology Infrastructure Security and Protection Service (ITISPS).

Cryptographic Endorsement Program

The “Cryptographic Endorsement Program” (CEP) is based on a cooperation between CSE and the IT industry for the purpose of evaluating cryptographic features of IT security products and endorsing their use to the Canadian government. In this context CSE is responsible for the evaluation of cryptographic operations of products that include CMVP validated cryptographic modules. CSE is also responsible for the maintenance of a list of endorsed products.

Canadian Industrial TEMPEST Program

The “Canadian Industrial TEMPEST Program” (CITP) was launched in 1979 with the goal of supporting the Canadian industry in creating commercial off-the-shelf TEMPEST products and services for the government. CITP covers four categories of operation, namely products, support services, testing services, and testing instrumentation. The cooperation between CSE and participating companies requires a formal agreement between them. TEMPEST products and services can also be added to the following two product lists:
• US Endorsed TEMPEST Products List (ETPL), and
• NATO Recommended Product List (NRPL).
CSE also maintains a list of companies that actively participate in CITP.
Information Technology Infrastructure Security and Protection Service

The “Information Technology Infrastructure Security and Protection Service” (ITISPS) supply arrangements were established by CSE in August 2002 with four companies, with the goal of providing the federal government departments and agencies with a contractual framework that can be used to requisition professional services for Information Technology Security (ITS) and Information Infrastructure Protection (IIP). The arrangements provide tiers of service for risk management services, information infrastructure protection services and research and development services.

Risk Management Services

The potential set of government requirements for risk management services may include support for the following issues:
• business continuity planning,
• development methodologies, policies, procedures, standards and guidelines related to information technology security,
• evaluation of IT security products,
• impact analysis of new software implementations and configuration changes,
• independent verification and validation support for IT based projects,
• IT security systems installation and operation,
• network certification and accreditation,
• network vulnerability analysis,
• options analysis,
• PKI engineering,
• project management support for IT based projects,
• requirements analysis and studies,
• security architecture design and engineering support,
• security audits and security awareness training, and
• threat risk assessment.
Information Infrastructure Protection Services

The potential set of government requirements for information infrastructure protection services may include support for the following issues:
• analysis of technical trends,
• analysis of threat agents,
• analysis of tools or techniques,
• development methodologies, policies, procedures, standards and guidelines related to information infrastructure protection,
• incident analysis,
• network vulnerability assessments, and
• training and awareness.

Research and Development Services

The potential set of government requirements for research and development services may include support for the following issues:
• analysis of R&D reports,
• development methodologies, policies, procedures, standards and guidelines related to research and development,
• IT security protocols,
• IT software and hardware security products, and
• participation in national and international R&D forums.

4.1.2 USA

4.1.2.1 Legal Aspects

With the passage of the Federal Information Security Management Act (FISMA) of 2002, there is no longer a statutory provision allowing agencies to waive mandatory FIPS standards. The waiver provision had been included in the “Computer Security Act” of 1987; however, FISMA has superseded that act. Therefore, the references to the "waiver process" contained in many of the FIPS listed below are no longer operative. Another legal requirement specified in the “Information Technology Management Reform Act” (Sec. 5131, public law 104-106, 1996) mandates the use of FIPS 140-2 for federal agencies that use cryptographic-based security systems. FIPS 140-1 has been a mandatory standard for the protection of sensitive data since January 1994 (after being signed by the secretary of commerce).
Now FIPS 140-2 (signed in 2001) is an improved version that completely supersedes and replaces FIPS 140-1, which however is still maintained for the purpose of backward support. The FIPS PUB 140-2 standard shall be used in designing and implementing cryptographic modules that are used in federal departments or agencies. FIPS 140-2 precludes the use of non-validated cryptography for the cryptographic protection of sensitive or valuable data within federal systems. If an agency specifies that the information be cryptographically protected, then FIPS 140-2 is applicable: if cryptography is required, it must be validated. Private and commercial organizations may also adopt and use this standard.

4.1.2.2 Procurement Aspects

Federal agencies may have procurement requirements that vendors have to provide a validation certificate as evidence of CMVP validation. Purchasers should obtain information from cryptographic module vendors about products with validated cryptographic modules.

4.1.2.3 National Information Assurance Partnership

The National Information Assurance Partnership (NIAP) is a government initiative to promote the development of security requirements for IT products and systems. NIAP provides cooperation between NIST and the National Security Agency (NSA) to perform their responsibilities under the computer security act of 1987.

4.1.3 Cryptographic Module Validation Program

The US “National Institute of Standards and Technology” (NIST) and the Canadian “Communications Security Establishment” (CSE) jointly started the so-called Cryptographic Module Validation Program (CMVP) in July 1995, which validates commercial cryptographic modules against [FIPS 140-1] or [FIPS 140-2]. The goal of CMVP is the promotion of validated cryptographic modules and the support of federal agencies in the procurement of equipment and IT technology that contains validated cryptographic modules.
4.1.4 National Voluntary Laboratory Accreditation Program

The National Voluntary Laboratory Accreditation Program (NVLAP) has been launched by NIST in order to accredit independent laboratories that perform the testing of cryptographic modules against the requirements specified in FIPS 140-1 (for backward compatibility) and FIPS 140-2. These testing laboratories are called Cryptographic Module Testing (CMT) Laboratories. CSE is currently also operating under NVLAP, but the development of a Canadian CMT laboratory accreditation process is envisaged under the framework of PALCAN. The specific document “Derived Test Requirements for FIPS 140-2” [FIPS 140-2 DTR] specifies testing requirements for NVLAP CMT laboratories and vendors that have to be taken into account during the execution of a CMVP test campaign. Supplementing information on program policy, technology, cryptographic algorithms and module validation is given in the FIPS 140 implementation guidance [FIPS 140-1 IG] and [FIPS 140-2 IG]. A validation certificate is issued for each validated cryptographic module (see Table 46 for CSE and Table 66 for NIST).

Figure 11: FIPS Mark

Cryptographic modules that have been approved by NIST or CSE are issued a certificate including the FIPS mark as shown in Figure 11, which indicates conformance with FIPS 140-1 or FIPS 140-2. The organizations responsible for CMVP certification are NIST and CSE, which also maintain a list of FIPS 140-1 and FIPS 140-2 vendors whose modules have been validated against the requirements of FIPS 140-1 and FIPS 140-2. Contact information about the accredited NVLAP CMT laboratories in the USA is provided in Table 67. Links are provided in Table 66. Contact information about the accredited NVLAP CMT laboratories in Canada is provided in Table 47. Links are provided in Table 46.
A list of validated products under NVLAP CMVP can be obtained from the CMVP web page (see Table 46). A further evaluation and certification service of NIST/CSE is an independent third-party evaluation and certification service for IT security products compliant with the Canadian “Common Criteria Evaluation and Certification Scheme” (CCS) or the US “Common Criteria Evaluation and Validation Scheme” (CCEVS). IT testing laboratories under the CCEVS that are approved by NIAP and accredited by NIST are called Common Criteria Testing Laboratories (CCTL). Contact information about the accredited NVLAP CCTL laboratories in the USA is provided in Table 67. Links are listed in Table 66. A list of validated protection profiles and products compliant with CCEVS can be obtained from the CCEVS web page (link see Table 66). Contact information about the accredited NVLAP CCTL laboratories in Canada is provided in Table 47. Links are given in Table 46.

4.2 European Union

This section provides an overview of European legislation, initiatives and organizations that refer to IT security and conformity assessment. For logical reasons, aspects of European legislation and initiatives related to electronic procurement are described in section 9.2.

4.2.1 Dissemination of CMVP in the European Union

Within the framework of the European EESSI initiative (see section 4.2.4.1) the two groups ETSI/ESI and CEN/ISSS have achieved harmonized results that are published as documents called ETSI Technical Specifications (ETSI TS) and CEN Workshop Agreements (CWAs). These documents are intended for use by manufacturers, operators, independent bodies, certification service providers, assessors, evaluators and testing laboratories that are involved in conformity assessment. A selection of relevant technical specifications and workshop agreements is provided in Table 6.
Among these documents, especially the following
• “Security requirements for trustworthy systems managing certificates for electronic signatures” [CWA 14167],
• “Secure signature creation devices EAL 4+” [CWA 14169],
• “EESSI conformity assessment guidance” [CWA 14172],
• “Security requirements for signature creation applications” [CWA 14170],
• “Application interface for smart cards used as secure signature creation devices” [CWA 14890],
• “Policy requirements for certification authorities issuing qualified certificates” [ETSI TS 101 456], and
• “Policy requirements for certification authorities issuing public key certificates” [ETSI TS 102 042]
contain requirements and/or guidelines related to the characteristics of cryptographic modules embedded within secure signature creation devices. These cryptographic modules are required to conform to the mentioned European standards. Compliance of cryptographic modules with the US standards [FIPS 140-1] or [FIPS 140-2] is an option and is not excluded.
Table 6: Technical Specifications and Workshop Agreements

DOCUMENT ID | DATE | TITLE OF DOCUMENT
--- | --- | ---
CWA 14167 | 2003-06 | Security requirements for trustworthy systems managing certificates for electronic signatures
CWA 14169 | 2004-03 | Secure signature creation devices EAL 4+
CWA 14170 | 2004-05 | Security requirements for signature creation applications
CWA 14171 | 2001-03-13 | General guidelines for electronic signature verification
CWA 14172 | 2004-03 | EESSI conformity assessment guidance
CWA 14355 | 2001-12-17 | Guidelines for the implementations of secure signature creation devices
CWA 14365 | 2002-09-26 | Guide on the use of electronic signatures
CWA 14890 | 2004-05 | Application interface for smart cards used as secure signature creation devices
CWA 14924 | 2004-03 | European guide to good practice in knowledge management
ETSI TS 101 456 | 2005-05 | Policy requirements for certification authorities issuing qualified certificates
ETSI TS 101 733 | 2003-12 | Electronic signature formats
ETSI TS 101 862 | 2004-03 | Qualified certificate profile
ETSI TS 102 023 | 2003-01 | Policy requirements for time-stamping authorities
ETSI TS 102 042 | 2005-06 | Policy requirements for certification authorities issuing public key certificates
ETSI TS 102 047 | 2005-03 | International harmonization of electronic signature formats
ETSI TS 102 280 | 2004-03 | X.509 V.3 certificate profile for certificates issued to natural persons

4.2.2 Legal Requirements and Regulations

The requirements and regulations in the European Community for information system security and the evaluation and certification of IT security products cover the following areas:
• accreditation and certification,
• electronic signatures,
• import and export,
• personal data protection, and
• consumer protection.
4.2.2.1 Legal Requirements and Regulations for Accreditation and Certification

The requirements and regulations of the European Community concerning accreditation and certification are specified in the documents listed in Table 7.

Table 7: Documents of European Community Legislation for Accreditation and Certification

DOCUMENT ID | DATE | PURPOSE OF DOCUMENT
--- | --- | ---
OJ C 136 | 1985-05-07 | Council resolution on a new approach to technical harmonization and to standardization
COM (85) 310 | 1985-06-14 | European Commission: White paper on completing the internal market
Directive 85/374/EEC | 1985-07-25 | Product liability directive
OJ C 267 | 1989-10-19 | European Commission: Global approach to certification and testing
OJ C 010 | 1990-01-16 | Council resolution on a global approach to conformity assessment
Directive 90/396/EEC | 1990-06-29 | Criteria for the designation and assessment of notified bodies – appliances burning gaseous fuels
OJ L 380 | 1990-12-31 | Council decision concerning the modules for the various phases of conformity assessment procedures which are intended to be used in the technical harmonization directives
Directive 92/59/EC | 1992-06-29 | The general product safety directive
Directive 93/42/EEC | 1993-06-14 | Criteria for the designation and assessment of notified bodies – medical devices
Decision 93/465/EEC | 1993-07-22 | Modules for conformity assessment and rules for CE marking
Certif 93/1 rev. 3 | 1994-02-07 | European Commission: Method of coordinating the procedures governing the notification and management of notified bodies
OJ L 336 | 1994-12-23 | Council decision: Agreement on technical barriers to trade
Certif 97/4 EN Draft | 1997-04-77 | European Commission: Accreditation and the community’s policy in the field of conformity assessment
Directive 97/23/EC | 1997-05-29 | Criteria for the designation and assessment of notified bodies – pressure equipment
COM (1998) 291 | 1998 | European Commission: Report on efficiency and accountability in European standardization
Directive 98/13/EC | 1998-02-12 | Criteria for the designation and assessment of notified bodies – telecommunications terminal equipment
Directive 98/34/EC | 1998-06-22 | Procedure for the provision of information in the field of technical standards
Directive 98/37/EC | 1998-06-22 | Criteria for the designation and assessment of notified bodies – machinery
Certif 97/1 EN rev. 3 | 1998-07-17 | European Commission: Code of conduct for the functioning of the system of notified bodies
Directive 98/79/EC | 1998-10-27 | Criteria for the designation and assessment of notified bodies – in vitro diagnostic medical devices
Blue Guide | 2000 | European Commission: Guide to the implementation of directives based on the new approach and the global approach
OJ C 141 | 2000-05-19 | Council resolution on the role of standardization
SOGGS N326 EN | 2000-09-12 | European Commission: Role of accreditation and UKAS
SOGGS N356 EN | 2000-09-12 | European Commission: Procedure for the assessment, inspection and monitoring of notified bodies
SOGGS N426 EN | 2001-01-28 | European Commission: Draft DG Enterprise consultation document on the review of the new approach
Certif 96/3 EN rev. 6 | 2001-06-14 | European Commission: Procedure for designation of conformity assessment bodies (CAB) under mutual recognition agreements (MRAs) with non-member countries
COM (2002) 173 | 2002-04-19 | Council framework decision on attacks against information systems

4.2.2.2 Legal Requirements and Regulations for Electronic Signatures

The requirements and regulations of the European Community concerning electronic signatures are specified in the document listed in Table 8.

Table 8: Documents of European Community Legislation for Electronic Signature

DOCUMENT ID | DATE | PURPOSE OF DOCUMENT
--- | --- | ---
Directive 1999/93/CE | 1999-12-13 | On a community framework for electronic signatures, European Communities Official Journal L 013, 2000-01-19, p. 12-20

4.2.2.3 Legal Requirements and Regulations for the Import and Export of IT Products

The requirements and regulations of the European Community concerning the import and export of products and technology are specified in the documents listed in Table 9.

Table 9: Documents of European Community Legislation for Imports and Exports

DOCUMENT ID | DATE | PURPOSE OF DOCUMENT
--- | --- | ---
Regulation (CE) No 1334/2000 | 2000-06-22 | Initialization of a community regime for the control of exports of dual purpose items and technology, European Communities Official Journal L 159, 2000-06-30, p. 1
Common action | 2000-06-22 | Verification of technical support related to some final military destinations, European Communities Official Journal L 336, 2000-12-30, p. 14
Council decision | 2000-06-22 | Removal of decision 94/942/PESC related to common action with regard to the control of exports of dual purpose items, European Communities Bulletin EU 6-2000, Common foreign and security policy (7/19)
Regulation (CE) No 2889/2000 | 2000-12-22 | Amendment of regulation (CE) No 1334/2000, European Communities Official Journal L 336, 2000-12-30, p. 14

The European Commission endeavors to support and facilitate international trade in its relations with third countries. For products subject to legal regulations this is achieved by the conclusion of MRAs, based on article 133 of the EC Treaty, with third countries that have a comparable technical state of development and an adequate approach to conformity assessment.

4.2.2.4 Legal Requirements and Regulations for Personal Data Protection

The requirements and regulations of the European Community concerning personal data protection are specified in the documents listed in Table 10.

Table 10: Documents of European Community Legislation for Personal Data Protection

DOCUMENT ID | DATE | PURPOSE OF DOCUMENT
--- | --- | ---
Directive 1995/46/CE | 1995-10-24 | On the protection of individuals with regard to the processing of personal data and the free movement of such data, European Communities Official Journal L 281, 1995-11-23, p. 31-50
Directive 2002/58/CE | 2002-07-11 | Processing of personal data and the protection of privacy in the electronic communications sector, European Communities Official Journal 1201/37, 2002-07-32; replaces Directive 97/66/CE

4.2.2.5 Legal Requirements and Regulations for Consumer Protection

The requirements and regulations of the European Community concerning consumer protection are specified in the documents listed in Table 11.

Table 11: Documents of European Community Legislation for Consumer Protection

DOCUMENT ID | DATE | PURPOSE OF DOCUMENT
--- | --- | ---
Directive 1985/374/CEE | 1985-07-25 | Approximation of laws, regulations and administrative provisions of the Member States concerning liability for defective products, European Communities Official Journal L 210, 1985-08-07, p. 29-33
Directive 1991/250/CEE | 1991-05-14 | On the legal protection of computer programs, European Communities Official Journal L 122, 1991-05-17, p. 42-46
Directive 1999/5/EC | 1999-03-09 | On radio equipment and telecommunication terminal equipment and the mutual recognition of their conformity, European Communities Official Journal L 91, 1999-04-07, p. 10-28
Amendment OJ L 141 399L0034 | 1999-06-04 | Amendment of Directive 1985/374/CEE, 1999-06-04, p. 20

A main element of the European legislation that is covered under the “New Approach Directives” is the assessment of products against agreed and recognized standards or security requirements.

4.2.3 European Organizations and Their Responsibilities

4.2.3.1 Comité Européen de Normalisation

The Comité Européen de Normalisation (CEN, European committee for standardization) was established as a non-profit international association in 1961. CEN is responsible for the development of European standards in all areas except electro-technics and telecommunications.

4.2.3.2 CENELEC

The Comité Européen de Normalisation ELECtrotechnique (CENELEC, European committee for electro-technical standardization) was established as a non-profit international association in 1973. CENELEC is responsible for the development of European harmonized electro-technical standards.

4.2.3.3 ETSI

The “European Telecommunications Standards Institute” (ETSI) was established as a non-profit organization in 1988. ETSI, one of the largest international technical associations, is responsible for the development of telecommunications standards. ETSI’s latest activities have been devoted to standardization in the area of electronic signatures and infrastructures.
4.2.3.4 European Government CSIRTs Group

The European Union has established the European Government CSIRTs (Computer Security Incident Response Team) group (EGC) as an informal group of European governmental CSIRTs in order to achieve effective cooperation between these teams through the following actions:
• common development of measures to cope with large-scale and/or regional network security vulnerabilities,
• provision of support for information sharing and exchange of technologies related to IT security incidents and vulnerabilities,
• identification of areas for collaborative development and research, and
• provision of specific knowledge and expertise and its sharing within EGC.

4.2.3.5 European Network Information Security Agency

The European Network Information Security Agency (ENISA) has been established within the eEurope action plan as a new agency of the European Union in March 2004. The main objective of ENISA is to achieve a high and effective level of network and information security within the European community for the benefit of its citizens, consumers, and business and public sector organizations. The main role of ENISA within Europe is to support the European market by enabling and promoting cooperation and the exchange of information related to network and information security. ENISA shall become a center of expertise in security.
The main tasks of ENISA include:
• support for the commission in the technical preparatory work for legislation related to network and information security,
• provision of services for member states, the business community and European institutions,
• development of high expertise related to network and information security,
• prevention, detection and solving of network and information security problems,
• sampling and analysis of information on known security incidents and emerging risks in Europe,
• promotion of methods for risk assessment and risk management to cope with network and information security threats,
• promotion of the cooperation with the public and the private IT security sectors in Europe,
• cooperation with the industry to clarify security-related problems in hardware and software products, and
• development of private-public partnerships with the industry in the area of IT security.

4.2.3.6 EUROCAT

The European Institute for Certification and Testing (EUROCAT) is a European organization that operates in the medical and health care sector. The customers of EUROCAT are national and international manufacturers and vendors of medical products and diagnostics. Its main activity is the certification of quality systems in health care facilities. The following German organizations are accredited to EUROCAT:
• TGA Trägergemeinschaft für Akkreditierung, accredited by DAR (certificate TGA-ZM-24-97-00),
• ZLG (Zentralstelle der Länder für Gesundheit bei Arzneimitteln und Medizinprodukten) (certificate ZLG-ZQ-684.99.05-46), and
• ZLS Zentralstelle der Länder für Sicherheitstechnik (certificate ZLS-ZE-443/04).
4.2.3.7 EUROLAB

The “European Federation of National Associations of Measurement, Testing and Analytical Laboratories” (EUROLAB) was created in 1990 on the basis of an MRA signed by delegations from private and public laboratories of the European Union and the European Free Trade Association (EFTA). EUROLAB provides laboratory and conformity assessment services supporting European technology and trade through the following activities:
• cooperation with accreditation bodies related to technical, regulatory and quality management matters,
• international harmonization of regulations concerning competence and performance of laboratories,
• European multi-sectoral forum for laboratory and conformity assessment,
• European focus point for laboratory inter-comparisons and proficiency testing,
• participation in international organizations such as EA or ILAC, and
• provision of EUROLAB members’ expertise to customers for the benefit of economy and society.

4.2.3.8 EEMA

The European Electronic Messaging Association (EEMA) was created in 1987 as an independent non-profit trade association for European e-Business. EEMA is active in the development of further e-Business technology and legislation through cooperation with European members, governmental authorities, standards organizations and e-Business initiatives.

4.2.3.9 FESA

The Forum of European Supervisory Authorities (FESA) for electronic signatures is a forum of national bodies that are responsible for the supervision of systems compliant with the European signature directive [EC DIR ES]. The task of FESA is to support the cooperation between the countries, and to harmonize main issues with political or technical institutions.
FESA provides detailed information about several European countries including links (see Table 48 and Table 49) to electronic signature legislation, contact details of responsible bodies and authorities, and contact details of certification service providers.

4.2.4 European Initiatives

4.2.4.1 European Electronic Signature Standardization Initiative

The European Electronic Signature Standardization Initiative (EESSI) was launched in 1999 by the European Information and Communications Technologies (ICT) Standards Board (ICTSB), which is composed of CEN, CENELEC and ETSI members, and was supported by the European commission. The aim of EESSI has been the implementation of the European directive on electronic signatures [EC DIR ES] and the development of a European electronic signature infrastructure in the member states. EESSI has been a joint undertaking between experts from the industry, public administrations and research institutions, and it was finished in 2004. Within the framework of EESSI the two groups ETSI/ESI and CEN/ISSS have been in charge of carrying out the work program and developing Europe-wide standards related to the electronic signature framework. The abbreviations ESI and ISSS stand for Electronic Signatures and Infrastructures (ESI) and Information Society Standardization System (ISSS), respectively.

4.2.4.2 eEurope 2002 Action Plan

Besides the legislation the EU has taken complementary measures in the form of so-called action plans related to the common promotion and encouragement of secure electronic communication in the EU society and in e-government. So far the action plans eEurope 2002 and eEurope 2005 have been stated and realized. The eEurope initiatives are political initiatives that shall ensure the full use of the potential of the information society in the European Union.
The eEurope 2002 action plan, which was established in June 2000, had the following three main goals:
• use of a cost-effective, fast and secure internet,
• appropriate investments for the qualification of persons, and
• support for the use of the internet.

4.2.4.3 eEurope 2005 Action Plan

The eEurope 2005 action plan, which was established in June 2002, aimed to promote the development of a knowledge-based economy in Europe. Its twofold targets were the support of services, applications and contents including net-based administration services on the one hand, and the provision of frameworks for the related necessary broadband infrastructures and security issues on the other hand. The activities of this plan include the following action areas:
• information society (see section 4.2.4.4),
• security,
• eInclusion,
• eGovernment,
• eLearning,
• eHealth, and
• eBusiness.

Security

The commission and the member states of the EU have developed a strategy for the issues of network and information security within the eEurope 2005 action plan. The action plan is directed to governments, community bodies, citizens, the industry and public administrations. In this context the cyber security task force has made a proposal for the creation of ENISA (see section 4.2.3.5). In a particular EU council resolution the approach towards a culture of security related to the deployment of information and communication technologies has been outlined. A framework decision on attacks against information systems was produced in April 2002 (COM (2002) 173) focusing on hacking, viruses, other malicious code and denial-of-service attacks. The framework decision also supports the EU law enforcement bodies in reacting against these forms of criminal activities.
A further activity was started in 2003 with the goal of enabling secure electronic communication between public administrations and with citizens. For this purpose the Trans-European Services for Telematics between Administrations (TESTA) network has been established in the EU member states; it provides means for interconnecting EU administrations and member states.

eGovernment Activities

The eGovernment subgroup, which is composed of representatives of the national eGovernment initiatives, has developed a set of recommendations contributing to the new initiative “eGovernment beyond 2005” related to the issue of modernizing and innovating public administrations. Key points of these recommendations can be summarized as follows (for more details see [COBRA]):
• general recommendations for eGovernment including
  − focus on citizens and businesses,
  − modernization and innovation of public administrations,
  − increase of global competitiveness, and
  − increase of attractiveness of Europe for life, work and investment.
• policy cooperation and coordination including
  − achievement of interoperation based on recognition of national differences and their consistent removal if significant benefits can be expected,
  − development of a concrete agenda for the realization of interoperability, electronic identification and authentication in order to enable the cross-border use of eGovernment services,
  − integration of eGovernment policy into domain specific or sectoral policies,
  − reduction of administrative burden for citizens and companies, and
  − development of a common measurement framework addressing efficiency, gains, quality, security, and trust in online public services.
• implementation cooperation and coordination including
  − wide diffusion of good practices in order to support effective transfer mechanisms for the local and regional levels,
  − development of a shared European resource of building blocks for eGovernment,
  − development of a joint action plan for pan-European eGovernment services for citizens, businesses and administrations, and the
  − realization of synergies between the future framework program for research and technological development, the framework program for competitiveness and innovation, and the structural funds.
• transformations including
  − an assessment of the role of national governments related to their public services, combined with the actions needed for possible re-organizations,
  − support for modernization and innovation of public administrations by the highest political leadership and top-level administrative commitment,
  − development of new EU initiatives that will focus on enabling and sustaining the re-organization at all levels, and the
  − development of a new eGovernment innovation framework.
• financing issues for cost savings including
  − development and use of common metrics on benefits that measure financial returns,
  − development of good practices of public value for prioritizing eGovernment services,
  − development of good practices in realizing benefits by the analysis of business cases,
  − improved information about financing possibilities in the public and private sector, and
  − modernization and innovation of the public administration strategy for financial perspectives.
The progress of the activities of the eEurope 2005 initiative is controlled by the eEurope advisory group, which is led by the commission and open to stakeholders from member states, accession countries, consumers and the industry.
A public consultation on eEurope 2005 initiatives has been carried out, and its results have been reflected in the “eEurope 2005 Mid-Term Review” (see Table 48).

4.2.4.4 European Society in 2010

The initiative “European Information Society in 2010” (i2010), which was launched in 2005, aims at the provision of an integrated approach to the information society. It considers the following aspects and activities:
• support for audio-visual policies in the EU including regulation and research,
• deployment of cultural diversity,
• support for the convergence at the level of networks, services and devices,
• provision of appropriate framework conditions such that EU citizens, its industries and governments can make the best use of information and communications technologies (ICT),
• improvement of industrial competitiveness,
• support for the growth and creation of jobs, and
• solutions for societal problems and challenges.
The focus of i2010 is to increase the efforts for research and investment in Information and Communication Technologies (ICT) and to promote their adoption in the economy. The current EU research activities are organized by the “sixth framework program for Research and Technological Development” (RTD, 2002-2006), which also complements the eEurope 2005 objectives and contributes to the i2010 goals.

4.2.4.5 New Program on e-Government

The European commission launched a new program on e-Government called “Interoperable Delivery of European eGovernment Services to public Administrations, Businesses and Citizens” (IDABC) in February 2005 with the main goal of improving the efficiency of European public administrations. IDABC will provide services for the electronic communication between national and European administrations and public services for the businesses and citizens in Europe.
IDABC is also financing projects that comply with European policy requirements and facilitate the cooperation between administrations across Europe. A reference information source on e-Government issues and developments across Europe is the IDABC e-Government Observatory (see also Table 48). This source provides information for the target groups of e-Government decision makers and experts about e-Government strategies, and European initiatives and projects. Documents related to initiatives of the European Community that cover the areas of internet security and information society are listed in Table 12. IDABC will focus on the following tasks and topics:
• support for an efficient and secure exchange of information between public administrations,
• support for the community decision process and facilitating communication between the community institutions,
• support for achieving interoperability based on the European interoperability framework,
• promotion of good practices,
• direct support for concrete EU projects related to the creation or enhancement of pan-European e-Government services, and
• technical support for the development of infrastructure services.

Table 12: European Initiatives for Internet Security and Information Society

DOCUMENT ID | DATE | PURPOSE OF DOCUMENT
Communication COM 2000/890 | 2001-01-26 | Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Regions Committee: Initiative to create a more secure information society while improving the security of information infrastructures and fighting against cyber-crime
Communication COM 2001 298 | 2001-06-06 | Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Regions: Network and Information Security: Proposal for a European Policy Approach
Resolution No 15152/01 | 2001-12-11 | Resolution of the European Union Council on networks and information security
Communication COM 2002/152 | 2002 | Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Regions Committee: Initiative to adopt a multi-annual community action plan on promoting safer use of the internet by combating illegal and harmful contents on global networks
Resolution No 2002/C43/02 | 2002-01-28 | Resolution of the European Union Council on a common approach and specific actions in the area of network and information security
Action Plan eEurope 2002-2005 | 2002-06-21 | An information society for all, prepared by the European Council and Commission
Communication COM 2002 173 | 2002-08-27 | Proposed Council Framework Decision related to attacks on information systems, European Communities Official Journal C 203 E, 2002-08-27
Communication COM 2003 567 | 2003-09-26 | Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Regions: The Role of eGovernment for Europe’s Future

4.2.4.6 Good Practice Initiatives

The European Commission has recently started several initiatives that support the transfer of good practice information on e-government projects across all levels of the European Union. The main activities of this category are the projects “Promote eGovernment Good Practice Portability” and “Good Practice Framework”.

Good Practice Portability

The “Promote eGovernment Good Practice Portability” project (also abbreviated as PPP) was launched under the European eTEN program in 2005 with the aim of supporting the development of e-services with a trans-European dimension. Four working groups have been established that perform studies on particular eGovernment good practice in the following four key areas:
• electronic identity, based on the Belgian e-ID card,
• secure infrastructure, based on a secure infrastructure supporting legally binding interchange of electronic documents in France,
• cross-border portals, based on the information portal which provides official information from the Swedish and Danish authorities, and
• citizens portals, based on the Liverpool city council’s citizen’s portal.
E-government experts from the public and private sector may join these groups and participate in the exchange of information. The project will be finished at the end of 2006.

Good Practice Framework

The Good Practice Framework (GPF) is an initiative of the European Commission supported by the Modinis Program (see Table 48) of eEurope 2005. The purpose of this framework is to capture, catalogue and share information on good practice in e-government via a GPF portal. The scope of GPF includes e-government strategies related to the standardization of e-government processes, concrete solutions, technical issues, interoperability and identity management. The GPF portal will contain an intelligent knowledge database, a community platform and transfer support instruments like electronic newsletters.
The main goals of GPF include the following activities:
• the provision of measures to support the creation of effective e-government services across all levels of the European Union,
• the collection of examples of well-defined e-government cases,
• the provision of an intelligent knowledge database to make the examples available,
• the provision of expert know-how on e-government,
• the provision of easy access to existing communities and expertise centers,
• the easy and helpful support of the transfer of good practice experiences, and
• the provision of knowledge transfer to providers of public services, to formal and informal networks of e-government stakeholders, and to IT business.

4.3 France

4.3.1 Dissemination of CMVP in France

The evaluation of cryptographic modules embedded in SSCDs is done in conformance with CWA 14167-2. General recommendations on algorithms and parameters have been specified by DCSSI. Related standards that are published in the Official Journal of the European Commission will be adapted.

4.3.2 Legal Requirements and Regulations

The legal requirements and regulations in France for information system security and the evaluation and certification of IT security products cover the following areas:
• information systems,
• compromise of signals,
• evaluation and certification,
• cryptology,
• community legislation, and
• contracts.

4.3.2.1 Legal Requirements and Regulations for Information Systems

Relevant legal requirements and regulations in France for information systems are specified in the documents listed in Table 13.
Table 13: Documents of French Regulations for Information Systems

DOCUMENT ID | DATE | PURPOSE OF DOCUMENT
Recommendation No 600 | 1993-03 | Protection of sensitive information for computer workstations not governed by defense secrecy
Recommendation No 901 | 1994-03-02 | Protection of information systems using sensitive information that is not classified as a defense topic
Directive 4201/SG | 1995-04-13 | Information system security
Inter-ministerial general instruction No 1300 | 2003-08-25 | Protection of the national defense secret
Directive No 1223 | 2004-12-23 | Physical protection of information on protected supports
Inter-ministerial Instruction No 920 | 2005-01-25 | Systems processing classified information of defense on a confidential level

4.3.2.2 Legal Requirements and Regulations for Compromise of Signals

Relevant legal requirements and regulations in France for compromise of signals are specified in the documents listed in Table 14.

Table 14: Documents of French Regulations for Compromise of Signals

DOCUMENT ID | DATE | PURPOSE OF DOCUMENT
Recommendation No 400 | 1991-10-18 | Installation of sites and systems using sensitive information not governed by defense secrecy
Inter-ministerial Instruction No 300 | 1997-06-21 | Protection against compromising parasite signals; presentation of the different security measures that have to be implemented
Directive No 495 | 1997-09-19 | TEMPEST zoning concept for providing protection against compromise of signals: presentation of the zoning concept, instructions for its implementation, and specification of the monitoring and maintenance process
Directive No 485 | 2000-09-01 | Definition of technical security rules that are applicable to the installation of information hardware or systems processing information classified as defense information

These requirements should be fulfilled by all ministerial departments and public offices that are under the authority of a minister.
4.3.2.3 Legal Requirements and Regulations for Evaluation and Certification

The evaluation and certification of IT products and security systems is regulated in France by the documents listed in Table 15.

Table 15: Documents of French Regulations for Evaluation and Certification

DOCUMENT ID | DATE | PURPOSE OF DOCUMENT
Decree No 2001-693 | 2001-06-31 | DCSSI establishment for IT security certification at the permanent secretariat for national defense
Order | 2002-03-15 | Department order that defines the organization of DCSSI in sub-directorates and teams for information systems security
Decree No 2000-535 | 2002-04-18 | Evaluation and certification scheme, specification of rules for signature process certification
OJ 132 NOR: ECOI0200314A | 2002-06-08 | Electronic signature decree
Order | 2002-09-09 | Definition of the delegation of signature of certificates
Order | 2003-02-28 | Definition of the members of the management board
AGR-P-01 | 2004-01 | Licensing of evaluation facilities, SGDN/DCSSI/SDR document
CER-F-01 | 2004-01-01 | Procedure: certification process from official application to awarding of certificates
CPP-P-01 | 2004-01 | Protection profile certification, SGDN/DCSSI/SDR document
MAR-P-01 | 2004-01-01 | Rules for the use of the IT certification mark
SIG-P-01 | 2004-01 | Certification of conformity of electronic signature creation device, CESG UKITSEC document
CCN-MQ-01 | 2004-01-06 | Certification body quality manual, version 1-0
CER-P-01 | 2004-02 | Product certification, SGDN/DCSSI/SDR document
SUR-P-01 | 2004-02 | Certified product surveillance, SGDN/DCSSI/SDR document

The quality manual of the certification body [CCN-MQ-01] provides the framework for the French quality system for certification. It defines the methods, policies and procedures that the certification body has to consider in order to realize and maintain the quality of certification services.
The target groups of the quality manual are the members of DCSSI, the employees, and other, particularly foreign, certification bodies regarding mutual recognition. The quality manual is a document that is subject to yearly revision and multi-level approval including the following instances and related approval steps:
• editing by the quality manager,
• validation by the head of the certification body,
• checking by the sub-director of the regulation sub-directorate,
• reviewing by the certification management board, and
• final approval by the DCSSI.

4.3.2.4 Legal Requirements and Regulations for Cryptology

The provision, import and export of cryptology products are regulated in France. Cryptology products providing confidentiality are subject either to the declaration system or to the authorization system. Relevant legal requirements and regulations in France for cryptology are specified in the documents listed in Table 16.

Table 16: Documents of French Regulations for Cryptology and Electronic Signatures

DOCUMENT ID | DATE | PURPOSE OF DOCUMENT
Directive 520 | 1991-01-15 | Encryption of faxes
Directive 530 | 1996-10-18 | Infrastructure cryptophony
II 500 bis | 1996-10-18 | Information systems security encryption, non-public document
Decree No 98-101 | 1998-02-24 | Definition of conditions under which declarations are made and authorizations are issued concerning cryptology equipment and services, NOR: PRMX9802599D, Official Journal, 1998-02-25, p. 2911
Decree No 98-102 | 1998-02-24 | Definition of conditions under which bodies managing secret cryptology conventions on behalf of others are approved in accordance with article 28 of the law on the telecommunications regulation (Law No 90-1170, 1990-12-29), NOR: PRMX9802602D, Official Journal, 1998-02-25, p. 2915
Order NOR: PRMX9802730A | 1998-03-13 | Definition of particular provisions that authorizations may specify for the provision of cryptology equipment or services, Official Journal, 1998-03-15, p. 3888
Order NOR: PRMX9802731A | 1998-03-13 | Definition of the form and content of the approval request file for bodies managing secret conventions on behalf of others, Official Journal, 1998-03-15, p. 3888
Order NOR: PRMX9802732A | 1998-03-13 | Definition of the model for prior notification by the provider about the identity of intermediaries used to provide cryptology equipment or services subject to authorization, Official Journal, 1998-03-15, p. 3888
Order NOR: PRMX9802733A | 1998-03-13 | Initiation of a list of approved bodies where secret conventions can be filed, Official Journal, 1998-03-15, p. 3891
Order NOR: PRMX9802734A | 1998-03-13 | Specification of the fixed fee for the use of secret conventions for the benefit of authorities, Official Journal, 1998-03-15, p. 3891
Decree No 99-199 | 1999-03-17 | Definition of categories of cryptology equipment and services for which the prior declaration procedure is replaced with the authorization procedure, NOR: PRMX9903476D, Official Journal 66, 1999-03-19, p. 4050
Decree No 99-200 | 1999-03-17 | Definition of categories of cryptology equipment and services for which no prior declaration formality is required, NOR: PRMX9903477D, Official Journal 66, 1999-03-19, p. 4051
Order NOR: PRMX9903475A | 1999-03-17 | Definition of form and content of the file concerning declarations or requests for authorization related to cryptology equipment and services, Official Journal 66, 1999-03-19, p. 4052
Law 2000-230 | 2000-03-13 | Definition of the adaptation of the law of proof to information technologies and relating to electronic signatures
Decree No 2001-272 | 2001-03-30 | Article 1316-4 of the French civil code relating to electronic signatures, 2001-04-30
Decree No 2001-1192 | 2001-12-13 | Control of export, import and transfers of dual purpose items and technology, Official Journal, 2001-12-15, p. 19905
Order 2001 | 2001-12-13 | Control of exports to third party countries and transfers of dual purpose items and technology to European Community Member States, Official Journal, 2001-12-15, p. 19911
Order 2001 | 2001-12-13 | Issuance of an international import certificate and a delivery verification certificate for the import of dual purpose items and technology, Official Journal, 2001-12-15, p. 19914
Decree No 2002-688 | 2002-05-03 | Amendment of decree No 98-101, NOR: PRMX0100130D, Official Journal, 2002-05-03, p. 8055
Law 2004-575 | 2004-06-21 | Article 30-I classifies the use of crypto means as free
Law No 2004-575 | 2004-06-21 | Confidence in the digital economy, safety in the digital economy, cryptology methods

4.3.2.5 Legal Requirements and Regulations for Contracts

Relevant legal requirements and regulations in France for contracts are specified in the Order 2005 document on the conditions of protecting the secret and information concerning defense and state safety in contracts.

4.3.3 Organizations and Their Responsibilities

4.3.3.1 CERTA Computer Emergency Response Team

The French government established the organization CERTA (Computer Emergency Response Team) in 2000.
The objectives of CERTA are:
• detection of vulnerabilities,
• removal of incidents related to information system security (ISS),
• provision of means to protect against future incidents,
• technical monitoring, and
• organization of the establishment of a reliable network.
CERTA is involved in the TF-CSIRT program that coordinates the European CERTs. It is dedicated to the French government. Besides CERTA there are two more CERTs, CERT-IST and RENATER CERT.
• CERT-IST was created by the four groups ALCATEL, CNES, ELF and France Telecom in 1998. CERT-IST is dedicated to the industry, services and tertiary sector.
• RENATER CERT is dedicated to the members of the GIP (public interest group) of RENATER (national telecommunications network for technology, teaching and research).
CERTA is organized under the authority of the SGDN (general secretary for national defense), which is responsible for information security in all state authorities. CERTA is part of the DCSSI (central directorate for information system security) of SGDN, complementing the actions and security measures performed by DCSSI. The French Decree 2002-535 defines the organizations responsible for the evaluation and certification of IT security products and systems. These organizations are the certification management board and the DCSSI.

4.3.3.2 Certification Management Board

The tasks of the certification management board are specified in article 15 of Decree 2002-535. They include
• formulation of opinions on the certification policy, standards and procedures,
• formulation of opinions on the licensing of evaluation facilities,
• analysis of disputes on certification for conciliation, and
• approval of mutual recognition agreements with foreign certification bodies.

4.3.3.3 Central Directorate for Information System Security

The Central Directorate for Information System Security (DCSSI) was established by the French government in 2001 (per decree 2001-693) as the focal center for information system security. DCSSI operates under the authority of the permanent secretary for national defense. It has to perform the following tasks:
• definition and specification of government policy in terms of information system security for the ministries,
• national regulation authority for information system security,
• issuance of approvals, guarantees and certificates for national information systems, crypto processes and products,
• provision of support for public bodies and public services,
• control of information security evaluation centers (CESTI),
• development of scientific and technical expertise in information system security for the benefit of the administration and public services,
• evaluation of threats to information systems,
• development of security measures in order to prevent these threats,
• collaboration with CERTA for future prevention of vulnerabilities, and
• provision of training and increase of awareness of the importance of IT security, which is done by the information system security training centre (CFSSI).
The main task of DCSSI is the examination of certifications according to decree 2002-535 (French certification framework for security products and systems, see Table 15) of the certification management committee. Certificates issued by the DCSSI may use the IT security certification mark shown in Figure 12.

Figure 12: Mark for IT security certification

Concerning cryptology products, the DCSSI records declarations and investigates requests for the authorization of cryptology equipment and services in accordance with the French legislation and the European Community legislation.
Declarations and authorization requests are described in a file archived by the DCSSI. DCSSI has signed the two mutual recognition agreements, the European ITSEC-MRA and the CC-MRA (see section 3.6). DCSSI complies with the requirements stated in the European directive on secure signature creation devices [EC DIR SSCD]. DCSSI is not contractually bound to other parties involved in the certification process, and it does not provide advisory or training services, in order to preserve its neutrality. FIPS 140 validated modules may be required by some CC protection profiles and can in this case be used as components within security products. The French certification scheme has foreseen the following roles and responsibilities within DCSSI:
• the central director, responsible for information systems security, who is delegated by the prime minister to sign certificates,
• the sub-director regulation, who has authority over the certification body,
• the head of the certification body, responsible for the operational management of the certification body including
  − recruiting of staff and checking of their skills,
  − maintenance of an up-to-date staff record related to their training and experience,
  − definition of licensing procedures for evaluation facilities,
  − recognition of foreign certificates,
  − liaison with foreign certification bodies,
  − management of evaluation and certification criteria,
  − preparation of certification reports, and the
  − quality system of DCSSI.
• the technical manager, responsible for managing the technical certification operations including
  − training of certifiers,
  − approval of their skills,
  − managing of work plans,
  − analysis of applications for certification, and
  − analysis of certification reports from a technical point of view.
• the licensing manager, responsible for audits, monitoring, and training of evaluation facilities,
• the quality manager, responsible for the maintenance of the quality system including the training of the members of the certification body,
• the certifiers, responsible for the oversight of evaluations and for confirming that the relevant standards and procedures for the certification have been applied, without being involved either in the evaluation tasks or in the decisions on issuing certificates,
• the secretary (attached to the sub-director regulation), responsible for participation in the procedures for receiving and distributing correspondence for the certification center, and
• the management of personnel, which is subject to a specific procedure on “Enrolment and Qualification of Personnel” [PER-P-01].
The ministry of economics, finance and industry (MINEFI, MINistère de l’Économie, des Finances et de l’Industrie) is the responsible body for voluntary accreditation compliant with the European electronic signature directive [EC DIR ES]. The DCSSI is the responsible body for the supervision and the evaluation of SSCDs compliant with the European electronic signature directive [EC DIR ES]. Both DCSSI and MINEFI are members of the Forum of European Supervisory Authorities.

4.3.4 Quality System

The French quality system is defined in chapter 5 of [CCN-MQ-01]. It includes the aspects of
• quality policy,
• tasks of the certification body,
• quality manager,
• quality planning, and
• documentation.

4.3.4.1 Quality Policy

The main objectives of the quality policy are to increase trust in the certification at the national level, and to be able to perform mutual recognition agreements at the international level.
The quality policy specifies requirements for the certification body covering the aspects of traceability, continuity, homogeneity, and confidentiality. The certification scheme has to be implemented in the certification body and in the evaluation facilities.

4.3.4.2 Certification Body

The quality system defines the set of tasks that the certification body DCSSI has to perform. It conforms to the standard NF [EN 45011] and the national regulation rules. Concerning the licensing of evaluation facilities, only evaluation facilities conformant to [ISO/IEC 17025] can be accredited.

4.3.4.3 Quality Manager

The quality system describes the tasks for which the quality manager is responsible. These include ensuring the:
• complete definition and implementation of the quality system,
• conformance of the quality system with the relevant standards,
• quality of the staff, and the
• production of reports that reflect the effectiveness of the quality system to the management for the purpose of review procedures and further improvements.

4.3.4.4 Quality Planning

The planning of quality is regulated by the procedures for management review [QUA-P-01], the quality steering group [QUA-P-02], and the internal audits [QUA-P-03].

4.3.4.5 Documentation

DCSSI maintains a set of documents, according to the procedure for the creation and management of documents [ITSEM], that covers all certification activities. This set of documents distinguishes organizational and application-oriented documents. The first type of documents is hierarchically ordered with respect to their priorities into the categories decree/order (highest), quality manual, general procedures, and instructions, application notes, lists and forms (lowest).
The second type of documents distinguishes documents related to licensing and certification (certification requests, evaluation reports, reviews of evaluation reports, licensing reports, certificates) and documents related to the quality system (minutes of management reviews, internal audit reports). The application-oriented documentation is managed by paper and/or electronic records.

4.3.5 Government Programs and Initiatives

A new law on the exchange of electronic information between citizens and government agencies, and between government agencies, came into force in January 2006. The new law regulates the equivalence of paper-based documents and manual signatures with electronically signed documents. A testing phase for the new service will start in 2006.
The French government published its e-government activities and initiatives for electronic administration in a strategic plan and an action plan called ADELE (“Plan Stratégique/Plan d’Action de l’ADministration ELEctronique”) in February 2004 for the period 2004-2007. The strategic plan defines the following main goals:
• the simplification of administrative procedures for citizens, businesses and local administrations,
• the guarantee of data security and confidentiality, and
• the modernization of public administration.
The action plan defines 140 individual initiatives for the implementation of about 300 electronic services in order to achieve the objectives of the strategic plan. The French government “Agency for the Development of Electronic Administration” (ADAE) published an e-signature policy framework in October 2003 that has been gradually improved after public consultation since its original version. The policy provides the framework for organizations that provide electronic services related to the use and the acceptance of certificates.
The French government launched the electronic ID card project “Identité Nationale Electronique Sécurisée” (INES) in 2005. This card shall allow citizens secure access to e-government and e-commerce services and transactions, complying with the legal framework as defined in the new e-ID card bill of 2006 mentioned before. The French e-government portal initiative for citizens and businesses was already launched in October 2000. This portal, www.service-public.fr, delivered by France Telecom, provides access to public information and services for citizens and for businesses.

4.4 Germany

4.4.1 Dissemination of CMVP in Germany

The German legislation does not provide specific laws for cryptographic devices or modules that can be directly compared with the US legislation on cryptography in its cryptographic module validation program (CMVP). However, the use and assessment of cryptographic modules and devices is regulated by the German signature law [SigG], the signature amendment law [SigG*], and its signature ordinance [SigV]. Details and consequences of these documents can be found in chapter 4 of the study “Electronic Signature Laws and PKI Projects in European Union and Germany” [IPA 05]. The German promotion strategy and its related programs and initiatives are focused on the German electronic signature act [SigG] and its ordinance [SigV], in order to develop applications, technology and services for the government, public and industrial sectors that make use of electronic signatures. In this context the German electronic signature act and its ordinance only specify legal requirements for technical components related to the conformity assessment of IT security products and systems (see “Legal Requirements on Technology” in section 4.4.5).
The German federal government already fixed the following corner stones of German crypto politics in June 1999; they were confirmed by a publication of the federal ministry of the interior in May 2001. Basic aspects of the German crypto politics are:
• there is no intention to regulate or to limit the free availability of encryption products in Germany, i.e. encryption procedures and encryption products can be developed, produced, marketed and used freely in Germany,
• the application of secure encryption is considered a major precondition for the privacy of citizens, the development of e-Business and the protection of sensitive information of enterprises,
• withdrawal of the export controls on cryptographic products within the European market area,
• active support for the dissemination of secure encryption mechanisms and products,
• focus on international cooperation in the area of encryption politics, and
• support of open standards and interoperable systems that have been developed on the market.
The testing and evaluation of FIPS 140 cryptographic modules compliant with CMVP can be performed in Germany by the NVLAP-accredited CMT laboratory “TÜV Informationstechnik GmbH” (contact information see Table 53, link see Table 52). These validated modules are required by several CC protection profiles and can be used as components of security products. The conformity assessment of cryptographic modules, e.g. of smart cards conformant with the German signature act, has to satisfy the
• legal requirements of the signature act and the signature ordinance on technology (see section 4.4.6.2), and the related
• technical security measures for cryptographic modules (see section 4.4.6.3).
General recommendations on algorithms and parameters have been specified by the competent authority BNetzA after being proposed by the BSI; they are reviewed yearly in cooperation with the industry. Related standards that are published in the Official Journal of the European Commission are considered as satisfying the requirements of the German signature act, with the exception of systems and products under voluntary accreditation.

4.4.2 Government Programs and Initiatives for the IT Technology

4.4.2.1 Economic Report 2005

Many of the German government programs and initiatives for the IT technology are mentioned in the annual economic report for 2005 [AER 05]. The promotion of the stability and growth of the economy is treated in the German act on the promotion of the stability and growth of the economy, also called “Agenda 2010”, which was established in 2004 in order to improve the economic framework conditions. In accordance with this law the German government has published its annual economic report for 2005 [AER 05], which also contains aspects of the promotion strategy, including initiatives to increase or improve the:
• international competitiveness, for the purpose of raising the standard of living and reducing the level of unemployment,
• national market by economic policy both on the national and the European level,
• flexibility on the market,
• openness for enterprises and industry,
• efficiency of the social security system,
• modification of the tax reform 2000 that started this year as a stimulus to increase private consumption and the interest of companies in investments, and the
• promotion strategy for public procurement (see section 9.2).
A further German initiative is the initiative “Partners for Innovation”, in which the government offers cooperation with partners in the business, research and trade union sectors with the aim to
− remove barriers to innovation,
− increase the technological efficiency of companies, and to
− promote efforts for new developments.

4.4.2.2 Public Private Partnerships

In 2004 the federal government started an initiative for the commercial exploitation of Public Private Partnerships (PPPs). This initiative aims to realize gains in efficiency and to increase the investment capacity in the public sector. Cooperation in partnership between private companies and public authorities can offer advantages to both parties if the risks are properly shared. PPPs can contribute to the modernization of the state and improve the competitiveness of German companies in international comparison. One example of PPPs is the initiative in federal long-distance road construction and the rail system. A PPP task force was established in July 2004 for public construction. Its main tasks are the monitoring of pilot projects, coordination and knowledge transfer in cooperation with the federal states, and the implementation of the legal framework conditions for PPP measures.

4.4.2.3 Adjustment of German Competition Laws

A new amendment law against restraints of competition came into force in 2005. The reason for this amendment law and its main objective was to adjust the German competition law to the European competition law of May 2004.
The implementation of the European competition law into the German legislation has the following effects:
• the removal of the registration and approval system for agreements that restrict competition, taking a considerable amount of bureaucracy out of the application of the law for companies,
• the provision of greater responsibility for the companies, and
• the adjustment of powers under the cartel legislation by improving the scope for legal protection for market participants and associations in civil law, and making sanctions under the legislation on fines more stringent.
The new amendment of the act to prevent distortion of competition that came into force in July 2004 has liberalized the act and adapted it to the present needs and interests of consumers and companies. The new legislation has given companies a contemporary basis for creative and undistorted competition that also considers the needs of consumers. Restraints of competition that are not necessary to protect either competitors or consumers have been removed.

4.4.2.4 New Legal Framework for Telecommunications

The implementation of the related European directives on the telecommunications sector in national law has led to an amendment law of the German telecommunications legislation that came into force in June 2004. The goal of this amendment law is to enable competition on the telecommunications market. The amended telecommunications law regulates which markets need to be regulated under the telecommunications law and which are subject to the general competition law. It also assigns greater importance to promoting infrastructure competition in the telecommunications sector. Access to the national networks of companies with considerable market power will be limited to those services that are essential for competition on the downstream end-customer market.
On the basis of the new telecommunications law nine further ordinances have been defined this year, among which the ordinance on telecommunications customer protection and the ordinance on telecommunications numbering are of main importance, improving the position of consumers in civil law. To open up additional growth potential for companies in the German telecommunications industry the federal government is supporting the liberalization of telecommunications markets worldwide and promoting commitments in foreign markets. In this context it can be assumed that the European Commission will produce proposals for the further development of the regulation of the telecommunications sector in 2006. The German government has already started a strategy debate in this area which focuses on adequate forms of competition, supervision and regulation.

4.4.2.5 BundOnline 2005

One of the specific measures to reduce bureaucracy in the federal administration is the federal e-government program BundOnline 2005, which was launched by the German government in 2001. The coordination and control of the e-government initiative was performed by the BundOnline 2005 project group (PGBO) under the federal ministry of the interior (BMI, Bundesministerium des Innern). The BundOnline 2005 program is being specifically expanded by the federal government to offer national and foreign companies an efficient and modern administration. The BundOnline 2005 program has been completed this year. At this time 379 internet-enabled services offered by more than 100 federal administration bodies are available online. Of these about 250 are for business purposes. The successful completion of the BundOnline 2005 projects this year now allows the federal administrations to offer their services online and more efficiently to the public. It is also an important stimulus factor for potential investors in Germany.
The success of Germany in e-Government is also confirmed by an international comparison within a study in the eEurope 2005 program of the European Union. Currently the PGBO is studying alternative financing concepts and the implementation of BundOnline services beyond 2005. In this context PPPs between the private financial sector and government administrations are planned that could achieve the public tasks more efficiently and economically. Primary criteria used for the evaluation of appropriate PPPs include the number of users, the frequency of the services, and additional benefits of the offered online services.

4.4.2.6 Germany Online

With the joint strategy “Germany Online” (started in June 2003) the federal government, the federal states and the municipalities are realizing an integrated e-government in Germany. The federal government is promoting the modernization of all three levels of Germany's federal administration structure. Meanwhile 24 projects based on the e-government initiatives of the federal government have been started to modernize main branches of the public administration such as motor vehicle registration, citizens’ place of residence registration or commercial registers. The federal government has supported the federal states and the municipalities by offering the electronic knowledge management system of BundOnline to these organizations. The partners of Germany Online have adopted the common standard “Online Services Communications Interface” (OSCI) for the secure exchange of information via the joint e-government infrastructures. OSCI has been classified as a mandatory specification for the e-government infrastructures. The specific “MEDIA@Komm” pilot project supported by the ministry of economics and labor focuses on the exchange of information between citizens and municipalities.
The activities of all three administrative levels include the:
• provision of common administration online services,
• linking of their internet portals,
• development of common infrastructures and standards, and the
• improvement of mutual know-how transfer.
The following four milestones were decided by the German government and the federal states in June 2004:
• all administrations of the federal government, the federal states and the municipalities will provide access for electronic communication by the end of 2005,
• all applications negotiated in 2003 will be accessible online by the end of 2006,
• government authorities will communicate electronically by the end of 2007, and
• all administrative procedures will be available online by the end of 2008.
The initiative Germany Online is being continuously realized and shall finally lead to a completely integrated e-government by 2010. Details of these and other German government programs and initiatives can also be found in [IPA 05]. The specific e-Procurement initiative is described in section 9.3.3.

4.4.2.7 Development of e-Government in the Europe of Regions

The association “European Society for eGovernment e.V.” (ESG) is the German approach to the new European program on e-Government (see section 4.2.4.5). Members of ESG are leading national and international enterprises of the telecommunications sector, and project leaders from all areas of federal and municipal administrations. ESG can be considered a moderator that aims to bundle all personnel and material efforts that exist in a variety of related projects. ESG also represents a forum for the exchange of information and ideas across administrations and the economy in the form of public private partnerships.
ESG can also be considered a communications forum for enterprises and agencies aiming at a Europe-wide strategy.

4.4.2.8 Signature Alliance

The public-private partnership to promote the use of electronic signatures in Germany [PPP PUDS], the “signature alliance” (SigBü, SignaturBündnis), was established in April 2003 as a joint initiative of industry and government. The aim of the PPP signature alliance is that all citizens will be able to use a chip card based on a standardized technical infrastructure and issued by various providers. With this card citizens will be enabled to perform a wide variety of electronic operations involving government agencies and the private sector, for authentication and encryption as well as for signing documents. It is intended that the certificates used fulfill the requirements of advanced or qualified signatures, thus also complying with German and European law. The alliance is open to all providers of e-government and e-business services, administration authorities and chip card manufacturers. Currently the alliance has about 40 members that comply with the terms of reference for the alliance [PPP TRCO]. Main objectives of the alliance include:
• standard conformity of systems in order to achieve the conformity of PKI services, chip cards, chip card readers and PKI applications,
• security measures to ensure multifunctional chip cards that can be used for various applications,
• development of uniform security levels, and
• propagation of chip cards that are able to store cryptographic keys for qualified electronic signatures.
The objectives of the alliance shall be achieved by the end of 2005. There is a strong requirement for mutual adoption of the standards of the signature alliance and of SAGA.
4.4.2.9 e-Card Strategy

The German federal government has developed an e-Card strategy under the leadership of the ministry of finance and the ministry of the interior that supports and triggers an area-wide introduction of electronic cards and procedures. The aim of this strategy is to provide electronic services at a high security level by cost-effective, secure and simple means. The federal cabinet fixed the corner stones of its e-Card strategy in March 2005. These are the:
• electronic authentication and qualified electronic signatures by using chip cards with different characteristics,
• equivalence between manual and electronic signatures, and the
• equivalence between authentication and identification of a person.
The German government will adopt the standards of the signature alliance in all signature card projects of the federation. The implementation of the e-Card strategy covers the realization of the electronic health card (see also section 5.2 of [IPA 05]), the electronic JobCard and the digital identity card, which will also include an electronic authentication function within the cards. The purpose of the JobCard is the central storage of employees’ data (certificates of work). The central storage concept was developed in a pilot project that started in autumn 2002 and has been tested since October 2003. In a following pilot project income statements of employees have been centrally stored since the end of 2004. Currently investigations are being made that examine whether the JobCard could also be used as a social identity card and for the registration of employer-employee relationships. The actual plan for the introduction of the JobCard is January 2006.
4.4.2.10 SAGA

The technical basis for the e-Government initiative BundOnline 2005 is provided by the “Standards and Architectures for e-Government Applications” [SAGA], which has been initiated and sponsored by the federal ministry of the interior. SAGA identifies the necessary set of standards, formats, procedures, methods and specifications that have to be taken into account within BundOnline 2005. It also specifies conformity rules related to their importance and usage. Key objectives of SAGA are interoperability, reusability, openness, scalability and security of e-government applications.

4.4.2.11 TeleTrusT Deutschland e.V. - ISIS-MTT

TeleTrusT Deutschland e.V. was established in 1989 as a non-profit, politically and economically independent organization for the promotion of trustworthiness of information and communication technology, with about 90 members from research, development and politics and essential fields of application. It provides collaboration with the most important producers of security solutions.

ISIS-MTT Specification

In September 2001 the federal ministry of economics and technology commissioned TeleTrusT e.V. to develop a uniform interoperability standard [ISIS-MTT SPEC] for electronic signatures in co-operation with the key partners in the commercial sector. The project aims to develop a harmonized specification, to feed this into the international standardization process, and to design a specification for compatibility tests [ISIS-MTT TSPEC]. The unrestricted interoperability between signature applications, even with different security requirements, forms the basis for bringing together the existing isolated solutions into an overall solution. The project on the interoperability of electronic signatures aims to close a technological gap which has so far proved a great obstacle to the widespread use of electronic signatures.
The uniform interface is of great economic significance: any signature applications and certificates can then be used throughout electronic commerce for communication, interaction and transactions with any partners in government, commercial and private life. The German government will use ISIS-MTT-compatible signatures as soon as possible. Fields of application will include BundOnline 2005. ISIS-MTT is a joint multi-part specification of TeleTrusT and the T7 Group for electronic signatures, encryption and public key infrastructures. It consists of a basic specification, which includes:
• Part 1: Certificate and CRL Profiles,
• Part 2: PKI Management,
• Part 3: Message Formats,
• Part 4: Operational Protocols,
• Part 5: Certificate Path Validation,
• Part 6: Cryptographic Algorithms,
• Part 7: Cryptographic Token Interface,
• Part 8: XML Signature and Encryption Message Formats,
and an optional SigG profile, which includes:
• Optional Profile: SigG-Profile,
• Optional Profile: Optional Enhancements to the SigG-Profile.
ISIS-MTT has been classified by SAGA as a mandatory specification for data security in e-government.

4.4.2.12 IT Security Made in Germany

The Federal Ministry of Economics and Labor (BMWA) and the Fraunhofer Institute for Secure Information Technology SIT started the public-private partnership “IT Security Made in Germany” (ITSMIG) in September 2005. ITSMIG is supported by the BMWA and managed and organized by SIT. It will be continued by the participating enterprises. The main goal of ITSMIG is to support the cooperation between German suppliers of IT security technology products and systems (e.g. biometrics, smart cards, cryptography or PKI) and partners in foreign countries. ITSMIG is an association that operates as a network of manufacturers, system integrators, service providers, research institutions and public services.
The cooperation network, with currently more than 60 companies, offers access to the German IT security branch. The ITSMIG portal provides information about members of the initiative, best practices, services and products, and projects. ITSMIG is a synergetic network that covers the entire scope of the IT security branch. The network offers contract work, research projects and joint developments in various fields such as e-business, e-government, e-health, telecommunications, mobile communication, science and defense. It also supports the efficient use of existing public services for the development of foreign markets in the regions of the Middle East, Southeast Asia, and Central and Eastern Europe. The network is currently only open to German enterprises that are involved in crypto technology, trusted PKI services, secure service provision, biometrics and system integration. In the future the network will also be open to further IT security companies.

4.4.3 CERT-Bund Computer Emergency Response Team

The German government established the organization CERT-Bund (Computer Emergency Response Team for Bundesbehörden, i.e. federal departments) in 2001. The objectives of CERT-Bund are:
• detection of potential security gaps in computer systems of the federal bodies,
• provision of services to react immediately to attacks,
• provision of technical means to establish countermeasures in the short term, and
• realization of a 24 hours per day, 7 days per week service.
CERT-Bund is involved in the European government group CSIRT that coordinates the European CERTs. It is dedicated to the German government as a self-standing organization.

4.4.4 Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway

A main concern of the federal government has been and is the opening of regulated markets and the reduction of bureaucracy.
The next initiative after the post and telecommunications markets had been opened was the provision of non-discriminatory access to the electricity and gas markets. Draft legislation has recently led to the establishment of the new Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway, which replaces the former RegTP (regulation authority for telecommunications and posts) with a higher level of competence and a broader scope of responsibility. A main goal of this initiative is to ensure greater transparency in the system and to supervise network operators. It should ensure that the network is permanently maintained and constantly being improved, while also securing undistorted competition in transmission charges.

4.4.5 Commission for Occupational Health and Safety and Standardization

The commission for occupational health and safety and standardization (KAN, Kommission Arbeitsschutz und Normung) was established in 1994 with the main goal of representing German interests in these areas and influencing relevant standardization projects. Members of KAN are representatives from the government, the social partners, the federal states, the German federation of institutions for statutory accident insurance and prevention, and the German standards institute DIN. In the context of conformity assessment systems KAN performed the study “Accreditation of Testing and Certification Bodies” [KAN REP] in 2003, which provides a comprehensive overview and details about the following topics:
• principles of the German accreditation and designation systems,
• principles of the accreditation and designation systems of European countries, and
• international framework agreements.
4.4.6 Federal Office for Information Security

4.4.6.1 The Role of the Federal Office for Information Security for Conformity Assessment

The German Establishment Law (Errichtungsgesetz) [BSI G] authorizes the Bundesamt für Sicherheit in der Informationstechnik BSI (Federal Office for Information Security) to issue certificates for information technology products as well as for protection profiles. The BSI has also been recognized as a confirmation body responsible for the evaluation and certification of technical components under the framework of the German digital signature act by the Regulatory Authority for Telecommunications and Postal Services RegTP (now Bundesnetzagentur BNetzA, Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway). IT products or systems for which a certificate has been awarded can use the German IT certification mark as proof of certification (see Figure 13).
Figure 13: Mark for German IT Security Certificate

The BSI performs its certification tasks following the certification procedures and the criteria laid down in the following documents:
• Act setting up the Bundesamt für Sicherheit in der Informationstechnik (BSI-Errichtungsgesetz) [BSI G],
• Certification Ordinance [BSI CO],
• Schedule of Costs [BSI SoC],
• Proclamation of the Ministry of the Interior [BMI PRO],
• BSI Certification – Description of the Procedure [BSI 7125],
• Procedure for the Issuance of a PP certificate by the BSI [BSI PP],
• Common Criteria for Information Technology Security Evaluation, Version 2.15 [CC], and
• Common Methodology for IT Security Evaluation [CEM], Part 1 Version 0.6, Part 2 Version 1.0.
The governmental guideline for the recognition of evaluation and attestation bodies under the signature act [REAB SA] defines further concrete requirements for the
• attestation bodies for technical components of accredited certification service providers, and the
• evaluation and attestation bodies for security concepts of accredited certification service providers.
The main requirements for the recognition and accreditation of evaluation and certification bodies are:
• accreditation as an attestation and/or certification body for IT security products and systems complying with [ITSEC] or [CC] in accordance with the standard DIN [EN 45011],
• recognition by BSI of the equivalence of IT security certificates issued by the attestation body with those issued by the BSI,
• contractual obligations to which the recognition of equivalence is subject,
• proof of legal knowledge regarding the signature law and its ordinance,
• proof of extensive knowledge of information technology,
• proof of cooperation with qualified evaluation bodies,
• accreditation of evaluation bodies as testing laboratories for IT security in accordance with DIN EN [ISO/IEC 17025],
• BSI licensing for tests compliant with [ITSEC] or [CC], and
• a documented evaluation and certification scheme for security concepts.

4.4.6.2 Legal Requirements on Technology

Legal requirements related to conformity assessment of IT security products and systems concern the assessment of technical components that claim conformance with the German digital signature act and ordinance. The signature law (see [SigG] §15) and the signature ordinance (see [SigV] §11 and annex I) specify the following set of requirements and/or options related to the testing of products for qualified electronic signatures. The basis for testing shall be either the
• “Common Criteria for Information Technology Security Evaluation” [CC], or the
• “Information Technology Security Evaluation Criteria” [ITSEC]
in their current version. The level of evaluation that is required for conformity assessment depends on the type of the target of evaluation, which can be classified as follows.
• Technical components for certification services for
− generation and transfer of signature keys: the testing must cover at least the evaluation level EAL4 or E3,
− managing qualified certificates outside a specially secured area (trust centre): the testing must cover at least the evaluation level EAL4 or E3,
− managing qualified certificates inside a trust centre: the testing must cover at least the evaluation level EAL3 or E2,
− generation of time stamps outside a trust centre: the testing must cover at least the evaluation level EAL4 or E3,
− generation of time stamps inside a trust centre: the testing must cover at least the evaluation level EAL3 or E2.
• Secure signature creation devices
− the testing must cover at least the evaluation level EAL4 or E3.
• Signature application components for signing and verification
− the testing must cover at least the evaluation level EAL3 or E2.
The assessment has to include an evaluation against a high attack potential, and a full misuse analysis shall be done for products with level E3 and E2. The strength of security mechanisms shall be categorized as “high” for products with level E3 and E2. The strength of mechanism for the purpose of identification with biometric characteristics shall be categorized as “mean” for products with level E3 and E2 if these are used in addition to knowledge-based data. Specific requirements for secure signature creation devices have to be met. Therefore, the minimum requirements for the trustworthiness of signature cards with qualified electronic signatures impose at least a demand for an evaluation of secure signature creation devices with evaluation assurance level EAL4.
This evaluation has to be complemented by an
• independent vulnerability analysis that proves the resistance against penetration attacks with high attack potential (assurance component AVA_VLA.4), and a
• complete misuse analysis (assurance component AVA_MSU.3).
For biometric authentication mechanisms an evaluation of the strength of function categorized as “mean” is sufficient if these mechanisms are used in addition to knowledge-based authentication mechanisms. Similar requirements have to be regarded in other fields of application. More details on the legal requirements defined by the German digital signature act can be found in the study “Electronic Signature Laws and PKI Projects in European Union and Germany” [IPA 05], which was produced by SIT on behalf of IPA.

4.4.6.3 Technical Security Measures for Cryptographic Modules

The BNetzA, as the competent authority under the signature act and ordinance, has specified technical security measures for technical components [SMTC] and has published suitable algorithms [SALG] in cooperation with the BSI. The security measures include the following categories of components:
• generation and loading of signature keys,
• storage and use of private signature keys,
• displaying of data to be signed, and
• verification of digital signatures.
The conformity assessment of cryptographic modules for which conformance with the signature act is claimed focuses on tests that prove the correct functioning of the required security measures.
The security measures related to cryptographic modules include the following requirements and items:
• generation, storage and use of private signature keys, for which the related tests have to confirm that
− with high probability any given key can occur only once,
− the private key cannot be derived from the public key,
− the private signature key cannot be derived from the signature,
− the signature cannot be forged without detection by any other means,
− the secrecy of the private key is assured,
− the private key cannot be duplicated,
− the private signature key can only be used after the identification of the key holder based on the principle of possession and knowledge,
− the private key is not disclosed during its use,
− biometric characteristics may be used for identification of the signature key holder,
− the identification data are not revealed and are stored only on the data storage medium with the private signature key, and that
− any security-relevant changes in technical components are indicated to the user.
• cryptographic components have to provide the following main characteristics:
− suitable algorithms and associated parameters for key generation, hashing of the data to be signed, and the generation of digital signatures are used,
− a key generator by which created signature keys are unique with high probability,
− key generation either in the data storage medium of the private signature key, e.g. a smart card, or in a separate key generation unit from which the generated key is loaded onto a data storage medium in a secure environment guaranteeing the secrecy of the private signature key and the exclusion of key duplication,
− allowance to use the private signature key only after the identification of the signature key holder on the basis of possession and knowledge, and optionally an additional biometric characteristic, e.g. a fingerprint,
− non-removal of the private signature key from the data storage medium during its use,
− securing of the identification data so that it cannot be derived from the data collection terminal, along the transmission path, or from the storage device,
− protection of the identification data against disclosure during input by suitable precautions, and
− alerting mechanisms that become active after the occurrence of any security-relevant changes that might have affected a required security level.
Currently the BNetzA considers the following algorithms as suitable until the end of 2010:
• suitable algorithms and associated parameters for key generation
• suitable hash functions:
− current-term security: RIPEMD-160 [ISO/IEC 10118-3], SHA-1 [FIPS 180-2], [ISO/IEC 10118-3],
− long-term security: SHA-224, SHA-256, SHA-384, SHA-512 [FIPS 180-2]
• suitable signature procedures:
− RSA [ISO/IEC 14888-3] with a modulus minimum bit length of 1024, 1280, 1563 and 1728 until the end of 2007, 2008, 2009 and 2010 respectively,
− DSA [FIPS 186-2], [ISO/IEC 14888-3] with prime parameter p minimum bit length of 1024, 1280, 1563 and 2048 until the end of 2007, 2008, 2009 and 2010 respectively, and with prime parameter q minimum bit length of 160, 160, 160 and 224 until the end of 2007, 2008, 2009 and 2010 respectively,
− DSA based on elliptic curves: ECDSA [FIPS 186-2], [IEEE P1363], [ANSI X9.62], [ISO/IEC 15946-2], ECKDSA, ECGDSA [ISO/IEC 15946-2], and Nyberg-Rueppel signatures [ISO/IEC 15946-4], [ISO/IEC 9796-3].
• generation of random numbers:
− physical random number generator (P2 generator) with mechanism strength high as defined in [AIS 31], or
− pseudo random number generator (K3-DRNG generator) with mechanism strength high as defined in [AIS 20].
4.4.6.4 Procedures for the Accreditation of Evaluation Facilities

The German accreditation body BSI, which is responsible for the accreditation of IT security evaluation facilities, performs its accreditation procedures based on the following requirements and tasks:
• use of an internationally agreed accreditation procedure that itself is based on international norms and standards, e.g. on the DIN EN 45000 series and/or on DIN EN [ISO/IEC 17025],
• provision of “Application Notes and Interpretations of the Scheme” (AIS) in cooperation with the evaluation facilities in order to achieve comparable evaluation results among the different evaluation facilities,
• evaluation, licensing and advising of commercial evaluation facilities that operate in conformance with internationally agreed criteria [ITSEC] and/or [CC], and
• proof of conformance with the basic evaluation principles of neutrality, repeatability, reproducibility and objectivity.

BSI accreditation has the following benefits for an accredited evaluation facility:
• an internationally recognized confirmation of its correctly working quality management system conformant with DIN EN [ISO/IEC 17025],
• a recognized proof of competence for IT security evaluations compliant with internationally recognized criteria [ITSEC] and/or [CC],
• a guarantee for efficient execution of evaluations by permanent collaboration with the BSI,
• external quality protection by the advisory board of the BSI,
• provision of up-to-date knowledge via mutual information exchange,
• provision of legal framework conditions that regulate the execution of IT security evaluations, and
• increased market chances for the accredited evaluation facility.
The BSI accreditation scheme covers the following procedural steps and activities:
• a preliminary phase during which an applicant contacts the BSI, receives relevant information about accreditation requests from the BSI, and returns the completed accreditation request together with a current record of the trade register to the BSI,
• signing of an appropriate examination contract that contains the plan of milestones for the ongoing tasks, and
• start of accreditation tasks by the BSI including basic accreditation, training of evaluators, licensing, the accreditation contract, issue of the evaluation facility certificate, and regular quality controls of the accredited facility.

The BSI confirms the status of an accredited evaluation facility by a certificate after an accreditation contract has been signed by both parties. All evaluation facilities have the obligation to guarantee the confidentiality of sensitive information of the certification applicants.

4.4.6.5 International Mutual Recognition of Certificates

The German accreditation and certification body BSI is also in charge of international mutual recognition agreements for certificates with foreign countries. The goal is that certificates issued under the German scheme should also be recognized throughout the European Union and European Economic Area, and in North America. A further goal is to extend this kind of recognition to the wider international context. BSI is also a member of the SOG-IS of the European Commission for [ITSEC] and [CC], and of the CC mutual recognition arrangement [CC MRA].
The BSI has signed the following mutual recognition agreements and memoranda of understanding:
• the SOGIS-MRA on mutual recognition of ITSEC certificates in March 1998,
• the mutual recognition agreement on CC certificates up to and including the evaluation assurance level EAL4 in October 1998, and
• the memorandum of understanding with the Federal Agency for Informatics in Switzerland.

4.4.6.6 Industry and Government Administrations

The collaborative activities between the German government, the Federal Office for Information Security BSI and the German industry have resulted in a series of documents and standards for the IT security area in Germany. Among these publications, the document “IT Baseline Protection Manual (ITBPM)” [ITBPM] is of major importance and can be considered the standard in industry and government administrations in Germany. Currently more than 4000 registered users in Germany and in other European countries apply ITBPM. The guidelines presented in ITBPM provide a comprehensive description of IT security measures for typical IT applications and IT systems, focusing on organizational safeguards that can be easily and quickly implemented, especially by small and medium-sized organizations with limited financial and personnel resources. ITBPM is structured into different modules that handle different specific IT areas and related security measures, such as:
• security safeguards for typical IT products and systems with normal security requirements,
• analysis of global threat scenarios,
• detailed safeguard descriptions and assistance for their implementation, or
• processes required in order to achieve and to maintain an appropriate level of security.
4.4.6.7 Evaluation Criteria and Methodology

The German evaluation scheme recognizes evaluation criteria and related methodologies of the international standards [CC], [CEM], [ITSEC], and [ITSEM] in their latest version (see also sections 3.8.3 and 3.8.4).

4.4.7 Good Practice Testing

TeleTrusT has developed an initial test bed that was based on the ISIS-MTT test concept [ISIS-MTT TCON] and the ISIS-MTT test specification [ISIS-MTT TSPEC]. This test bed is open and can be used by testing laboratories to build an ISIS-MTT conformity test service or by manufacturers to aid in their development process. The first prototype of this test bed is available on CD and can be obtained from marion.gutsell@teletrust.de. An ISIS-MTT compliance label (as shown in Figure 14) has been developed to confirm that a product of a specific functionality class has been proven to conform to the ISIS-MTT specification. Only approved testing laboratories may award these labels to tested products. The requirements for the compliance label are described in the ISIS-MTT compliance criteria.

Figure 14: Mark for ISIS-MTT Conformance

4.5 United Kingdom

4.5.1 Dissemination of CMVP in the UK

The assessment of crypto modules embedded in SSCDs is not mandated. Specific algorithms have not been specified. There is no presumption of conformity to requirements for related standards that are published in the Official Journal of the European Commission. No other standards are mandated or recommended. The dissemination of CMVP, i.e. the applicability of FIPS to the UK, covers the following areas:
• Protection of privacy via cryptographic means: CESG recommends the use of [FIPS 140-1] / [FIPS 140-2] approved products, if their use is for sensitive information classified as PRIVATE but below RESTRICTED. The US standard FIPS-140 has been recognized in the UK and a first laboratory has been established and accredited.
• Protection of sensitive information classified as RESTRICTED: CAPS assessment of products or a CESG approved alternative is required, if the use of these products is for sensitive information classified as RESTRICTED.
• Algorithms for products with baseline protection: CESG approved products that require baseline protection can incorporate the following approved algorithms: Triple-DES, AES, and TETRA.
• Digital signatures: CESG has approved the signature algorithms DSA, RSA and ECDSA of the digital signature standard FIPS 186-2 provided that appropriate size parameters and curves are used.
• Hashing: CESG has approved the hash algorithm SHA-1 (FIPS 180-1, FIPS 180-2) for use at baseline and ENHANCED level.
• Key exchange: CESG has approved the key exchange algorithms DH (Diffie-Hellman) and MQV (EC version of DH) for use at baseline level.
• Random number generation: CESG mandates the use of FIPS 186-2 random number generation, if FIPS 140 applies, for use at baseline level.

4.5.2 Government Initiatives and Programs

4.5.2.1 National Standardization Strategic Framework

The National Standardization Strategic Framework (NSSF) was established by the UK government in 2003 in order to promote the use of standards and their implementation for the benefit of UK businesses. So far NSSF has developed a strategy plan and an implementation framework under which several implementation projects have already been launched.

4.5.2.2 Identity Card

The UK government has launched the ID Card initiative with the goal that the first ID cards shall be issued in 2008, together with the creation of a national database that contains personal identification information of every citizen and resident, including fingerprints and iris scans.
4.5.2.3 Government Web Portal

The UK government has planned the realization of a government web portal that was recommended in a council public procurement report in 2003. The Small Business Service (SBS) and the Office of Government Commerce (OGC) expect benefits for a large number of companies in the UK that have direct access to the local and central government web portal and its opportunities.

4.5.3 UK Legal Requirements and Regulations

4.5.3.1 Policy

The basis of the work of CESG is its information assurance policy. CESG has developed an HMG policy for the protection of sensitive data and guidelines for its implementation. The information assurance policy is managed as a “common-good” activity on behalf of all UK government departments and agencies. CESG issues policy requirements and guidance for the following areas:
• protection of security for electronic government services to the citizens,
• protection of security for government access to the internet,
• protection of security for the connections of business domains,
• assessment of security needs for systems, products and networks,
• protection against hacking and computer viruses,
• assessment of the security of governmental IT products and systems,
• disposing of computer media for sensitive information,
• authentication methods, and
• the interpretation and implementation of the national information assurance policy and standards.

The information assurance policy developed by CESG is issued to the government users under the auspices of the Cabinet Office either as part of the manual of protective security, or in the HMG information security standards series.
4.5.3.2 Scheme

The UKITSEC scheme [UKSP 01] provides evaluation and certification services for the following groups and their related objectives:
• vendors, to demonstrate the security claims of their IT products and services,
• procurers, to convince themselves that their security objectives are met by their IT products and systems, and
• accreditors, to ensure themselves that their security threats are coped with by the countermeasures realized in the IT products and systems.

Relevant legal and technical requirements and regulations in the UK for the evaluation and certification of IT security products and systems are specified in the documents listed in Table 17.

Table 17: Documents of UK Legal Requirements and Regulations for Evaluation and Certification

DOCUMENT ID | DATE | PURPOSE OF DOCUMENT
HMG 1 | (no date) | Assurance requirements for IT systems (HMG Infosec standard, CESG publications department)
HMG 2 | (no date) | Accreditation documents (HMG Infosec standard, CESG publications department)
UKSP 05 | 1997-10 | Manual of computer security evaluation, evaluation procedures, evaluation techniques and tools, UK scheme publication
UKSP 12 | 1999-07 | Relationship between accreditation document set and security targets for evaluation, UK scheme publication
UKSP 16 | 2000-01 | UK certificate maintenance scheme, description of the CMS, impact analysis and evaluation methodology, DSA reference manual, UK scheme publication
UKSP 01 | 2002-07 | Description of the scheme, UK scheme publication
UKSP 04 | 2002-11 | Developer’s guide
UKSP 02 | 2003-04 | Appointment of commercial evaluation facilities, UK scheme publication
UKSP 11 | 2003-10 | Scheme information notices folder, UK scheme publication
unclassified | 2003-12 | Security standards for smartcards
UKSP 01 * | 2005-07 | Description of the scheme, UK scheme publication, version for use with revised certification process
UKSP 03 | 2005-07 | Sponsor’s guide, role of sponsor in IT security evaluation and certification, UK scheme publication

Certain IT security products and systems may only be made available to government departments, quasi-governmental bodies and certain UK firms. They may also be made available, on a case-by-case basis only, to certain foreign government users and international organizations. However, all such cases must be cleared in advance by the CESG. There is a government policy that states not to use published or publicly available cryptographic algorithms for government confidentiality applications. All uses of cryptography to protect HMG protectively marked and other HMG sensitive data must be approved by CESG, which normally requires the use of CESG specific algorithms. There is a range of CESG algorithms available for integration in commercial products and systems, both for hardware and software implementations. Advice on the suitability of IT products and systems for satisfying government requirements must be sought from CESG. The government Infosec requirements for cryptographic protection of data (since 30th June 1994) demand that only products or systems with verified cryptographic functionality and formal approval by CESG are used within the government.

The document “Applied Security Technologies - Security Standards for Smartcards” provided by CESG [AST-SSS] is a procurement guidance for the UK government. It gives an overview of specific standards on smartcard technology and its relevance for UK IT security products and systems.

Since July 2005 CESG has offered its customers the option of using a revised certification process [UKSP 01 *]. For an interim period customers have the option of choosing either the established or the revised assessment process, until the revised process has been adopted for all new evaluations.
4.5.4 Organizations and Their Responsibilities

4.5.4.1 UNIRAS Computer Emergency Response Team

The UK government established the organization UNIRAS (Computer Emergency Response Team) in 1999. UNIRAS is involved in the European government group CSIRT that coordinates the European CERTs. It is dedicated to the UK government.

4.5.4.2 National Infrastructure Security Co-ordination Centre

Within UNIRAS the National Infrastructure Security Co-ordination Centre (NISCC) is responsible for minimizing the risk of electronic attacks on the UK’s CNI by providing extra protection to essential systems and services. It is an interdepartmental organization which was set up in 1999, cooperating with many governmental bodies such as the Cabinet Office, CESG, the Defence Science and Technology Laboratory (DSTL), and the DTI. NISCC does not have any regulatory, legislative or law enforcement roles. The main activities of NISCC include:
• threat assessment by using a wide range of resources for investigation, assessment and disruption of threats,
• support of protection and assurance by information sharing, consulting and sponsoring of best practice techniques,
• warning of new threats and supporting CNI in the investigation of and recovery from attacks, and
• research and development of advanced techniques and methods to support all areas of CNI.

NISCC publishes information about alerts that should be acted on immediately. It also distributes instructions for software vulnerabilities and patches, and redistributes briefings from other CERT groups concerned with IT security.

4.5.4.3 Critical National Infrastructure

The Critical National Infrastructure (CNI) is a national UK organization that focuses on all elements of the government and the industry that are of vital importance for the whole country.
CNI covers a broad range of sectors including communications, emergency services, energy, financial, food, government and public services, health, public safety, transport and water.

4.5.4.4 UKITSEC Scheme

In the UK process of security evaluation and certification the following main organizations and individuals are involved under the UKITSEC scheme:
• management board and senior executive,
• certification body,
• accreditation service,
• commercial evaluation facility,
• sponsor,
• developer, and
• accreditor.

4.5.4.5 CESG Management Board

The UKITSEC body as part of the Communications-Electronics Security Group (CESG) is controlled by the CESG management board. The CESG management board cooperates with the Department of Trade and Industry (DTI) in order to ensure that their needs have been properly addressed. The tasks of the CESG management board include the:
• provision of top level direction to the certification body,
• specification of objectives for the operation of the scheme taking into account identified requirements of vendors, procurers, and accreditors,
• definition and reviewing of evaluation and certification policy,
• resolution of disputes,
• monitoring of the performance of the UKITSEC scheme,
• approval and review of rules for the operation of the scheme and the certification body,
• approval and review of rules for the appointment of CLEFs, which is in general left open to the market forces,
• analysis of short and long term needs of specific customer groups, and the
• review of annual reports from the certification body on its operation.

The UKITSEC policy is the outcome of intensive interaction with the government and stakeholders, as for example with:
• Inter Departmental Infosec Committee,
• IT Security Officers Forum,
• Defense Infosec Product Cooperation Group,
• CLEF Progress Meetings,
• Common Criteria Executive Sub-committee, or
• UK CC Support Group.

The DTI is the responsible body for supervision compliant with the European electronic signature directive [EC DIR ES]. DTI is also a member of the Forum of European Supervisory Authorities FESA.

4.5.4.6 UK Certification Body

The UK Certification Body (CB) is responsible for the evaluation and certification operations in all sectors of the industry and the government. The UK CB and its ITSEC scheme have been accredited to the European Standard for Certification Bodies [EN 45011]. The CB was granted a certificate by UKAS in March 2000.

Figure 15: Mark for UKITSEC Scheme Certificate

In particular the CB is responsible for achieving a consistent use of the evaluation criteria and evaluation reports across all CLEFs and evaluations, and for the support of the evaluation process. The CB performs its activities in accordance with [EN 45011], which is equivalent to [ISO/IEC G65]. Products for which a certificate has been awarded can use the certification mark shown in Figure 15. The UK certification body is also in charge of international mutual recognition agreements for certificates with foreign countries, which is a strong aim of the UK government. The goal is that certificates issued under the UK scheme should also be recognized throughout the European Union and European Economic Area, and in North America. A further goal is to extend this kind of recognition to the wider international context. The UK is also a member of the SOG-IS of the European Commission for [ITSEC] and [CC], and of the CC mutual recognition arrangement [CC MRA].
In particular the CB has to perform the following main tasks:
• the appointment and review of CLEFs accredited by the UK accreditation service,
• provision of advice, support and standards for the training of CLEF staff,
• registration of evaluation qualifications of CLEF staff,
• confirmation of the suitability of security targets,
• agreement of evaluation work plans for certification purposes,
• registration of evaluations,
• certification of the results of evaluations,
• provision of details of certified products or systems,
• provision of details of CMS approved products or systems,
• approval of press releases relating to the scheme,
• liaison with appropriate national and international agencies responsible for mutual recognition of certificates,
• production of an annual operation report for the management board, and the
• development and maintenance of the UK methodology for achieving consistency with international criteria and methodologies.

4.5.4.7 UK Accreditation Service

UKAS is the UK accreditation service which supervises the work done by any of the commercial evaluation facilities (CLEFs). It performs its tasks in accordance with [ISO/IEC 17025]. UKAS has limited its scope of CLEF accreditation to those facilities that meet the basic UKAS requirements for impartiality, objectivity, repeatability and reproducibility. UKAS operates under a memorandum of understanding with the Department of Trade and Industry (DTI) which recognizes UKAS as the sole national body for the assessment and accreditation of conformity assessment bodies. UKAS is licensed by DTI to use and transfer the national accreditation marks that symbolize the government recognition of the accreditation process. UKAS accredited certification bodies and companies are listed in the UK register of quality assessed companies.
4.5.4.8 tScheme Limited

The non-profit organization tScheme Limited is the responsible body for voluntary accreditation compliant with the European electronic signature directive [EC DIR ES]. It is also a member of the Forum of European Supervisory Authorities FESA. tScheme Limited provides an independent assurance for all types of e-business and e-government transactions by approval of the services provided by Trust Service Providers.

4.5.4.9 Sponsor

Sponsor refers to a person or organization that has made an evaluation request and that is authorized to get the Evaluation Technical Report (ETR). The following categories of sponsors are distinguished with respect to the relationship of a sponsor to a target of evaluation:
• vendor of an IT product,
• procurer of an IT system,
• developer under contract with a procurer required to deliver a secure system, and
• consortium with a single point of contact representing a set of developers and vendors.

Conditions and requirements for sponsors are defined in the UKITSEC scheme document [UKSP 03].

4.5.4.10 Developer

Developer means an organization that has produced the target of evaluation. The sponsor and developer, if not identical, have to cooperate in supporting the evaluation and providing technical deliverables to the CLEF. Conditions and requirements for developers are defined in the UKITSEC scheme document [UKSP 04] parts II and III.

4.5.4.11 Accreditor

Accreditor refers to a person or organization that is responsible for the security of an IT system with respect to the physical, procedural and personnel security capabilities during the following states of the system’s lifecycle:
• initial definition of the security requirements fixing the scope of evaluation,
• need for approval before becoming operational, and
• changes or upgrades of the system or its environment.
Conditions and requirements for accreditors are defined in the UKITSEC scheme documents [HMG 02] and [UKSP 12].

4.5.4.12 Evaluation Criteria and Methodology

The UKITSEC scheme recognizes evaluation criteria and related methodologies of the international standards [CC], [CEM], [ITSEC], and [ITSEM].

4.6 Other European Countries

4.6.1 Italy

4.6.1.1 Dissemination of CMVP in Italy

The evaluation of cryptographic modules embedded in SSCDs requires ITSEC E3 high or CC EAL4 for key generation and private key protection in smart cards. Requirements on algorithms and parameters are specified by CNIPA in technical rules. Related standards that are published in the Official Journal of the European Commission will be adopted.

4.6.1.2 Legal Requirements and Regulations

The following recent Italian laws are relevant for secure communication and IT technology, and e-government applications:
• adoption of a law on the replacement of paper ID documents by electronic ID cards in March 2005, requiring that all new ID documents issued after the end of 2005 will be in electronic form,
• law on the digital administration code which entered into force in January 2006,
• adoption of a new directive on the guidelines for the digitization of public administration defining operational priorities which entered into force in January 2005,
• adoption of a decree that gives registered electronic mail the same legal status as recorded delivery letters which entered into force in March 2004,
• adoption of a decree on the introduction of the national services card which entered into force in February 2004,
• directive on administrative transparency and the management of document flows (IT protocol) which entered into force in January 2004, and ensured the use of electronic signatures in document exchange between government offices,
• decree establishing the regulation for the implementation and coordination of electronic signatures, completing the legislative framework for the use of e-signatures, which entered into force in January 2003,
• law on the data protection code which entered into force in January 2004, and which complied with the European directives on data protection and on privacy and electronic communications,
• decree on electronic commerce which entered into force in May 2003, and which implemented the EU directive on e-commerce,
• decree on the electronic communications code which entered into force in September 2003, and the
• decree on electronic signatures which entered into force in 2002 and which complied with the EU directive on electronic signatures.

4.6.1.3 Government Programs and Initiatives

The “Department for Innovation and Technologies” has developed a strategic reference model for e-government focusing on the following topics:
• service provision to citizens and businesses,
• digital identification for adopting the electronic ID card, the national services card and digital signatures,
• access channels for accessing services,
• service provision agencies,
• interoperability and cooperation, and
• communication infrastructure for interconnecting all government departments.

It also defined policies in the “Government Guidelines for the Development of the Information Society” in June 2002, harmonizing the initiatives for government departments.

Services and Portals

The e-government services (some are already operational) shall provide services for citizens and businesses. The e-government portal for citizens (www.italia.gov.it) was launched in 2002. Another portal for online services to businesses (www.impresa.gov.it) was launched in March 2005.
Smartcard Projects

The Italian government defined biometric guidelines in October 2004 regarding the integration of biometric technologies in e-government projects. It has initiated and supported several smartcard projects comprising the:
• National Service Card (NSC),
• Electronic Identity Card (EID), and the
• Digital Signature Card (DSC).

NSCs have been designed to support citizens with secure access to the different e-government services, and about 9.3 million cards of this type have been issued up to now. EIDs have been designed to replace the paper-based ID cards within five years from 2006 on. First experiments already started in 2001, and about 2 million cards of this type have been issued up to now. The Italian government signed an agreement with nine smart card providers in May 2003 in order to adopt a new unique standard ensuring interoperability of cards distributed across Italy and to increase the take-up of e-government services. Main characteristics of the EIDs related to their use are:
• identification of citizens in order to use online e-government services,
• possible storing of data by government offices for access to advanced services,
• possible storing of digital signature certificates,
• issuance by municipalities, and
• personal data exchanges among municipalities and local authorities.

Main characteristics of the NSCs related to their use are:
• identification of citizens in order to use online e-government services,
• authenticity certificate,
• possible storing of digital signature certificates,
• possible use as national health services card, and
• possible use for e-payment.

DSCs have been designed for the purpose of enhancing the security of online transactions and electronic document exchange. About 1.8 million cards of this type have been issued up to now.
The production and issuance of NSCs have to be done in conformance with the technical specifications that are defined by the “Centro Nazionale per L’Informatica nella Pubblica Amministrazione” (CNIPA, national centre for information technology in government), which was created in July 1993. CNIPA is also responsible for the implementation of the e-government plans and policies defined by the Minister for Innovation and Technologies.

4.6.1.4 Evaluation and Certification Bodies

The establishment of an Italian certification body was done in accordance with the European legislation, satisfying the requirements that have been specified in the
• council resolution on a common approach and specific actions in the area of network and information security [EC SEC], and in the
• commission decision on the minimum criteria to be used by member states in relation to a community framework for electronic signatures [EC DIR SSCD].

The decree on the “national scheme for evaluating and certifying systems and product security” designated the Istituto Superiore delle Comunicazioni e delle Tecnologie dell’Informazione (ISCOM) as the responsible evaluation and certification body for security in ICT in October 2003. This decree also established the “Organismo di Certificazione della Sicurezza Informatica” (OCSI, Evaluation and Certification Organization for IT Security) as the responsible evaluation and certification department within ISCOM. The Italian evaluation and certification scheme recognizes evaluation criteria and related methodologies of the international standards [CC], [ISO/IEC 15408], [CEM], [ITSEC], and [ITSEM]. In addition, a national technical committee on ICT security in the public administration area (Comitato Tecnico Nazionale per la sicurezza informatica Nelle PA) was established in 2003 with the task of defining the framework and the organizational and technical means required to implement and improve security in governmental agencies.
So far this committee has published preliminary concepts for the national security plan and an organizational model (March 2004). OCSI performs its certification tasks in cooperation with the Fondazione Ugo Bordoni (FUB), an Italian non-profit organization founded in 1952 that supports and promotes scientific and applied research in the areas of telecommunications, computing, electronics, and postal services. ISCOM was already established as a governmental organization in 1907. Its main areas within the Ministry of Communications are the:
• provision of services and knowledge transfer for the Italian administration, industry and the public sector,
• research and testing, and
• standardization.

CNIPA is the responsible body for voluntary accreditation and supervision compliant with the European electronic signature directive [EC DIR ES]. CNIPA is also a member of the Forum of European Supervisory Authorities FESA.

4.6.2 Netherlands

4.6.2.1 Dissemination of CMVP in the Netherlands

The evaluation of cryptographic modules embedded in SSCDs requires conformance with [CWA 14167], [FIPS 140-2] Level 3, or [ISO/IEC 15408] EAL 4. Requirements on algorithms and parameters are not specified. There is no presumption of conformity to requirements for related standards that are published in the Official Journal of the European Commission.
4.6.2.2 Legal Requirements and Regulations

The following Dutch laws are relevant for secure communication and IT technology, and e-government applications:
• personal data protection act: came into force in September 2001, specifies the requirements for recording and using personal data, and implements the EU data protection legislation,
• e-commerce law: came into force in May 2004, implements the European e-commerce directive, and provides a series of amendments to existing laws and regulations,
• new telecommunications act: came into force in May 2004, adapts the new EU regulatory framework for electronic communications (framework directive, access directive, universal services directive, authorization directive and privacy directive), and is supervised by the national regulatory authority OPTA (see section 4.6.2.5), and the
• electronic signature act: came into force in May 2003, implements the European electronic signature directive, and provides a firm legal basis for the deployment and use of electronic signatures in e-commerce and e-government.

4.6.2.3 Government Programs and Initiatives

E-Government Program

The Netherlands government has initiated and supported several programs that have been realized in cooperation with industry, comprising:
• e-government,
• e-procurement,
• business support desk,
• ICT network infrastructure,
• government transaction portal, and the
• establishment of a standardization council and forum.
The e-government program of the Netherlands was defined in a policy statement in September 2004, providing an agenda for the next few years for the following main areas:
− electronic access to government,
− electronic authentication,
− unique identification numbers for citizens and businesses,
− key registers,
− electronic personal identification (smart cards),
− electronic information exchange, and
− fast connections between government organizations.

The implementation of an ICT network infrastructure has been a main activity that shall realize the communication between the main locations of the governmental departments (the so-called “Hague Ring”). The Ring is expected to become operational in spring 2006. Currently efforts are being made to establish a standardization council (government officials) and a standardization forum (business and government experts) in order to promote the interoperability of electronic data exchange between government departments and services, and between these and citizens and companies.

The organization “Overheid” (for the link see Table 58) is the central access point for information about the Dutch governmental organizations. The non-profit organization ECP.NL, founded by the Dutch Ministry of Economic Affairs and the Dutch Employees Association in 1998, provides an independent and open forum for public and private organizations. Its main goal is the development of the Dutch information society. ECP.NL includes a number of expert groups, especially in the security area, that work on open issues in different projects.

Services and Portals

The e-government services (some are already operational) shall provide services for citizens and businesses. An e-government portal was realized in March 2003 that provides access to information and services for citizens, businesses and public administrations.
The portal has integrated about 1200 existing governmental websites to date. It also provides an e-Counter as a one-stop shop for a number of on-line and transactional services specifically realized for the needs of citizens. The business support desk project has been launched to provide companies with relevant information that is available from services and government bodies.

The “Government Transaction Portal” (GTP) has been realized as the government electronic post office. GTP operating via rented lines is operational. For GTP operating via the Internet, pilots have been set up and are being performed, and a number of prospects have been identified. GTP is temporarily managed by the tax and customs administration before it will be incorporated in the government shared services for ICT.

Smartcard Projects

The Dutch government has also initiated and supported several smartcard projects comprising the:
• government-wide authentication service (DigiD), and the
• electronic identity card (eNIK).

The government-wide authentication service (DigiD), based on a user name/password for citizens, was launched in January 2005 for authorities to use in their electronic services. In addition to this activity, a DigiD authentication method for businesses is being investigated in cooperation with the chambers of commerce. The mid-term goal for e-services is to enable at least 65% of all central, provincial and local government services by 2007. A biometric passports and ID cards pilot was started in September 2004 with about 50 municipalities and 6 implementing bodies being connected. The creation of a unique identification number for Dutch residents (CSN, Citizen Service Number) was decided in May 2004, and it shall be introduced in 2006.
The introduction of an electronic identification card (eNIK) has been planned for August 2006, as well as the use of biometrics in passports. A further trial project on internet banking methods using the eNIK for electronic identification and signature has been planned.

4.6.2.4 GOVCERT.NL Computer Emergency Response Team

GOVCERT.NL is the Dutch computer emergency response team that supports the government in the prevention of and response to ICT security incidents.

4.6.2.5 Evaluation and Certification Bodies

“TNO Certification”, a department within “TNO Information and Communication Technology”, is an independent institution accredited by the Dutch Council for Accreditation (RvA). TNO Certification performs evaluation and certification of products and systems, also in the area of information and communication technology. According to the Dutch law on electronic signatures that implements the European requirements of [EC DIR ES], the Minister of Economic Affairs may designate certification bodies. Requirements for evaluation and accreditation have been defined within the voluntary accreditation scheme called [TTP.NL]. Currently only the “Independent Post and Telecommunications Authority” OPTA has been designated as a supervisory body. No organization responsible for accreditation in this area has been designated so far by the Ministry.

ECP.NL is the responsible body for voluntary accreditation compliant with the European electronic signature directive [EC DIR ES]. The independent post and telecommunications authority OPTA (Onafhankelijke Post en Telecommunicatie Autoriteit) is the responsible body for supervision compliant with the European electronic signature directive [EC DIR ES]. OPTA is also a member of the Forum of European Supervisory Authorities FESA.
4.6.3 Spain

4.6.3.1 Dissemination of CMVP in Spain

The mandatory assessment procedure in Spain is specified in the document “IT security evaluation and certification regulations” [ITSECR ESP]. A list of permitted algorithms has been published by the Ministry of Finance. There is a presumption of conformity to requirements for related standards that are published in the Official Journal of the European Commission. Cryptographic modules that are embedded in secure signature creation devices are evaluated against the protection profile [CWA 14169].

4.6.3.2 Legal Requirements and Regulations

The following Spanish laws and decrees are relevant for the areas of secure communication and IT technology, and e-government:
• e-government legislation decrees that regulate generic aspects of the development of e-government, including the royal decrees
  − decree 263/1996 on the use of electronic and telematic techniques in the state administration,
  − decree 209/2003 as a modification of the previous decree on the use of telematic registers and notifications and of electronic certificates, and the royal decree
  − decree 589/2005 on the organizations in charge of electronic administration,
• law on rules for public administration (1992) that provides for access to government records and documents by Spanish citizens and for access of persons in administrative proceedings,
• law on the protection of personal data (1999) enforced by the Data Protection Agency, and complying with the European data protection directive (1995/46/EC),
• law 34/2002 on information society services and electronic commerce that complies with the European e-commerce directive (2000/31/EC),
• law 32/2003 on Telecommunications that implements the new EU regulatory framework for electronic communications, and the
• law 59/2003 on electronic signatures that replaces the decree of 1999 on digital signatures, implements the European electronic signatures directive 1999/93/EC, promotes a widespread use of digital signatures for e-commerce and e-government, and establishes a legal framework for the development of the national electronic ID card.

4.6.3.3 Government Programs and Initiatives

E-Government Strategy

The Spanish e-government strategy was presented in the “Public Administration Technological Modernization Plan 2004-2007” (Plan Conecta) in September 2004. The strategic plan was designed to improve the quality of services provided by the central administration to citizens and businesses by using new technologies. This plan was updated in January 2006 by a new e-government action plan (Plan Moderniza) that focuses on the realization of full on-line services to Spanish citizens. Key measures of the action plan for the period 2006-2008 and the previous action plan include the following main tasks:
• the establishment of an electronic system for the secure interchange of data between administrations,
• the launching of a new e-government portal (www.ciudadano.es) for citizens,
• the distribution of electronic identification cards,
• the creation of an integrated network of information sources,
• the successive introduction of e-payment, and
• the creation of a single one-stop portal service for citizens.

The inter-ministerial organization “Higher Council for Electronic Administration” was created by a royal decree in May 2005. It is responsible for the preparation and development of the e-government strategy and policy for the Spanish central administration.
Electronic ID Cards

A revised schedule for the introduction of electronic ID cards (eDNI) was adopted in 2005. A pilot on electronic ID cards will be launched in the beginning of 2006. The countrywide distribution of the new biometric identity documents will start in late 2007 or early 2008. A new e-ID inter-ministerial committee will be in charge of driving the project forward, defining the first e-services to be supported by e-ID, organizing a communication campaign, and providing technical support to users.

Services and Portals

The Spanish Government launched a secure electronic notification service (CERTIFICA) in October 2003 in order to enable public administrations to communicate notifications to citizens and businesses electronically. The citizen portal project was already launched in September 2001. The portal (www.administracion.es) was realized in May 2003, providing an online gateway to public information and services, as well as a guide to public administrations and a directory of public bodies. Since October 2003 it also provides access to a secure electronic notification service, designed to enable public administrations to communicate notifications to citizens and businesses electronically. As part of its “Plan Conecta” for the development of e-government over the period 2004-2007, the Spanish Government intends to set up a new e-government portal (www.ciudadano.es) that aims to bring the administrations closer to the citizen. The new portal will provide access to interactive and transactional services and a set of new services for communicating with public administrations. The e-government services (some are already operational) shall provide full on-line services for citizens and businesses.
4.6.3.4 Evaluation and Certification Bodies

The Organismo de Certificación (OC, certification body) of Centro Criptológico Nacional (CCN, National Cryptologic Center) is the Spanish certification body that performs its tasks in accordance with the Esquema Nacional de Evaluación y Certificación de la Seguridad de las Tecnologías de la Información (ENECSTI, Spanish evaluation and certification scheme). CCN supports private and public organizations that want to achieve the status of an accredited evaluation laboratory, as well as private and public system or product developers that want to achieve security certificates for their IT products or systems. The requirements for the accreditation of an evaluation laboratory include technical accreditation compliant with [ISO/IEC 17025] by a recognized accreditation body, e.g. ENAC (see section 2.3.8). The requirements for accreditation and certification have been published in different parts of the document “IT security evaluation and certification regulations, v.3” [ITSECR ESP] listed in Table 18.
Table 18: Spanish Requirements and Regulations for Accreditation and Certification

#  LINK                                         TITLE OF DOCUMENT
1  http://www.oc.ccn.cni.es/01org_en.html       Organization of the Certification
2  http://www.oc.ccn.cni.es/02reqlab_en.html    Requirements for the Accreditation of Laboratories
3  http://www.oc.ccn.cni.es/03procacrd_en.html  Laboratories Accreditation Procedure
4  http://www.oc.ccn.cni.es/04proccert_en.html  Product Certification Procedure
5  http://www.oc.ccn.cni.es/05uso_en.html       Conditions of Use of Accredited Laboratory Status and Certified Product Status
6  http://www.oc.ccn.cni.es/06normas_en.html    Evaluation Criteria and Methodologies

The state secretariat for telecommunications and for the information society (SETSI, Secretaría de Estado de Telecomunicaciones y para la Sociedad de la Información) within the ministry of science and technology (MCYT, Ministerio de Ciencia y Tecnología) is the responsible body for voluntary accreditation compliant with the European electronic signature directive [EC DIR ES]. SETSI is also a member of the Forum of European Supervisory Authorities.

4.6.4 Sweden

4.6.4.1 Dissemination of CMVP in Sweden

The assessment of cryptographic modules embedded in SSCDs is mandated. However, an assessment body has not yet been designated. The Swedish certificate policy only requires that private keys are stored in smart cards, with general security requirements, but without requiring a specific assurance level. Requirements on algorithms and parameters have not been specified. There is a presumption of conformity to requirements for related standards that are published in the Official Journal of the European Commission. Other standards are neither mandated nor recommended.
4.6.4.2 Legal Requirements and Regulations

The following Swedish laws and regulations are relevant for the areas of secure communication and IT technology, and e-government:
• the personal data act, which came into force on 24 October 1998 as a replacement of the Swedish data act from 1973, and which is based on European directive 95/46/EC on the processing of personal data,
• the act on electronic commerce and other information society services (2002), which specifies the obligations of service providers to their customers and the treatment of information that is provided online,
• the act on electronic communication (2003), which provides the legislation for citizens and public authorities on access to safe and efficient e-communications, and
• the act on qualified electronic signatures, which entered into force in January 2001 implementing the European directive on electronic signatures (1999/93/EC).

4.6.4.3 Government Organization, Programs and Initiatives

Swedish E-Government Strategy and Policy

The main goal of the Swedish e-government strategy and policy is the development of a 24-hour/7-day service for public information and public administrations. The main intention of this strategy is the realization of a so-called multichannel approach, which allows citizens to choose between different service channels. The government is focusing on strong cooperation between the different government authorities and between the different levels of national responsibilities. All public agencies provide websites and all public officials can be reached by email. The most popular agency websites are the national labor market board for job seekers and the national tax board for taxpayers. The agency for public management has been authorized by the government to initiate and support the development of the 24-hour public administration service.
The government has also commissioned the national tax board to coordinate the administration of certificates for electronic identification and electronic signatures to ensure high security in electronic communication. A framework agreement has been reached with several banks and other actors offering services for electronic signatures in order to establish an open solution in cooperation with the private sector. These measures aim to offer the citizen a single electronic identity for all kinds of electronic services.

Responsible Organizations

The Ministry of Finance is responsible for e-government in Sweden. The “24/7 Agency Delegation” was established in June 2003 with the task of promoting the development and use of electronic services in the public sector and increasing the cooperation between state, regional and local authorities, focusing especially on e-services for the benefit of the public and businesses. The Government Interoperability Board (GIB) was created in January 2004 with the task of defining common standards and guidelines for electronic information exchange within government. The Swedish agency for public management was put in charge by the government in June 2003 of supporting the government and government bodies. Its main tasks include conducting studies and evaluations at the request of the government and modernizing public administration through the use of IT. The agency has signed framework agreements with suppliers who will offer citizens certificates for e-signatures. The certificates will be supplied by six of the largest banks in Sweden, as well as by the Swedish Post and telecommunications company Telia. The government has also created an IT policy strategy group which shall advise the government on issues concerning IT policy.
The main tasks of the Swedish national audit office are to carry out financial audits of government agencies and administration, and performance audits to prove the effectiveness and efficiency of government operations. The Swedish data inspection board has been charged with the protection of the privacy of individuals in the information society.

Programs and Initiatives

The Swedish government launched the new e-government portal “sverige.se” in October 2004, which provides links and contacts for the Swedish parliament, government, county councils, municipalities and authorities, social insurance offices and universities. The Swedish government launched a framework agreement on infrastructure services in April 2004, with the goal of providing government agencies with a set of standard e-infrastructure services. The Swedish Standards Institute (SIS) approved standards regarding electronic ID as proposed by the Secured Electronic Information in Society (SEIS) association in 1998. Electronic ID cards based on these standards are sold by the telecom company TeliaSonera. Due to a framework agreement signed between the Swedish agency for public management and digital certificate suppliers, software-based electronic IDs (BankID, developed by the largest Swedish banks) can also be used for certain e-government services. The government also plans the introduction of electronic ID cards containing biometric identifiers.

4.6.4.4 SITIC Computer Emergency Response Team

The Swedish IT Incident Centre (SITIC) is the Swedish computer emergency response team that supports society in the prevention of and response to ICT security incidents.
4.6.4.5 Evaluation and Certification Bodies

The Swedish Board for Accreditation and Conformity Assessment (SWEDAC) provides a list of accredited certification bodies and a phone contact (+46 33 17 7700) for information on other certification authorities that are not included in this list. The accredited certification bodies mentioned in SWEDAC’s list are in charge of the evaluation, testing and certification of goods, materials and services, but not of IT products and systems. Evaluation and certification laboratories for IT products and systems do currently not exist in Sweden.

SWEDAC is the responsible body for voluntary accreditation compliant with the European electronic signature directive [EC DIR ES]. The national post and telecom agency (PTS, Post- och Telestyrelsen) is the responsible body for supervision compliant with the European electronic signature directive [EC DIR ES]. Both SWEDAC and PTS are members of the Forum of European Supervisory Authorities FESA.

5 Evaluation and Certification of Protection Profiles and IT Products and Systems in Germany

5.1 Evaluation and Certification Bodies

Conformity assessment and certification is carried out either by the BSI itself or by an evaluation body that has been recognized by the BSI. The BSI offers services for the evaluation and certification of IT products, IT systems, protection profiles, and IT baseline protection. A specific service is related to the evaluation and certification of technical components that claim to conform to the German digital signature act. The German scheme supports the assessment and certification of IT products and systems that are under development, already on the market, or that require re-certification.
The scheme is described in the document “BSI Certification and BSI Product Confirmation” [BSI CPC]. The focus of the following chapter is on smartcards and smartcard devices and on protection profiles related to this kind of technology. However, the evaluation and certification services of evaluation facilities also cover other important areas of technology, for example PC security products, databases, operating systems, firewalls, or digital tachographs. The following institutions (the BSI itself and institutions recognized by the BSI) are responsible for the certification of IT products in Germany:
• Bundesamt für Sicherheit in der Informationstechnik BSI,
• T-Systems GmbH, and
• TÜVIT GmbH.

5.2 Evaluation and Certification Procedures

5.2.1 Involved Parties

The German certification scheme is based on certification procedures in which the following parties and their related roles are involved:
• the manufacturer or vendor of an IT product or system in the role of an applicant for certification,
• the BSI (or another certification body) in the role of a certification body, and
• an evaluation facility selected by the applicant in the role of a testing laboratory that has been accredited by the certification body compliant with DIN EN 45001 or DIN EN [ISO/IEC 17025], and also licensed by the same certification body.

These standards specify general criteria regarding the operations of testing facilities and are therefore independent of particular test domains. The accreditation of evaluation facilities conformant to these standards is jointly carried out in Germany by the BSI, the Federal Network Agency BNetzA and the German Accreditation Body for Technology DATech (see Table 1).
5.2.2 Certification Requests

The certification body BSI provides particular application templates that an applicant for certification has to complete and forward to the certification body in order to initiate the certification procedure. Four alternative templates have been foreseen for the following four types of certification:
• product certification in parallel to its development,
• existing product certification,
• product re-certification for a new product version, and
• protection profile certification.

The information needed for the completion of an application template contains the following categories and items:
• administrative information including the name and address of the applicant, its relationship to the IT product or system (vendor, manufacturer) and contact information on certification matters,
• IT product or system information with full identification of its name, version and type of product,
• security level information by selecting the desired type of criteria and the evaluation level,
• IT product or system status information, i.e. under development or completed,
• type of certification, i.e. initial or re-testing with a description of the modifications,
• selection of evaluation facility with evaluation agreement preceding tests, including the name of the evaluation facility and the evaluation reports,
• archiving of test documents either by the BSI or by an alternative archiving procedure, and
• publication of test results related to disclosure prior to the completion of the certification process and to announcement after successful completion.

5.2.3 Preparation for Security Evaluation

The first step of the preparation phase of the evaluation scheme is based on the documentation of the target of evaluation provided by the developer. It also covers a first examination of the specification of the security target and a milestone plan by the certification body and the accredited evaluation facility.
The second step of the certification scheme refers to contractual agreements that the applicant can make with the evaluation body based on the agreed security target. The third step includes the forwarding of the completed certification request by the applicant to the certification body, and the return of a formal confirmation from the BSI with a notification of the registered certification ID and the name of the certifier. If allowed in the certification request, the product to be certified will be added to the published list of certificates. The pre-evaluation phase is finished after the product to be certified and the relevant documentation have been given to the selected evaluation facility, which in turn has appointed its evaluators. During the pre-evaluation phase the evaluation body will also produce the cost estimates for the whole evaluation phase.

5.2.4 Evaluation

The BSI and the other private-sector evaluation facilities accredited and licensed by the BSI perform the testing of the IT products and systems under certification against the relevant security criteria. This service is provided for the German industry, but also for companies world-wide. During the first step of the evaluation phase the evaluation body performs the technical evaluation of the IT system or product in different testing steps in accordance with the evaluation aspects of the related framework of criteria. During the second step the outcomes of testing are documented and commented by the evaluation body in the form of testing reports. The last step of an evaluation is concerned with the production of a final evaluation report created by the evaluation body, which contains the results of the evaluation of all claimed evaluation aspects.
5.2.5 Certification

The certification body (BSI or another accredited certification body) is responsible for ensuring the equivalence of evaluation results received from different evaluation bodies. In order to achieve this goal the certification body is also involved in the previous phases concerning the approval of the security target, the creation and approval of interpretations, as well as the acceptance of testing reports. The result of the certification procedure is summarized by the certification body in a certification report that is also published if the applicant accepts its publication. The applicant will also be awarded a German IT Security Certificate (Deutsches IT-Sicherheitszertifikat). Depending on the type of evaluation, i.e. whether conforming to ITSEC, CC and/or conforming to an MRA, the applicant may use the related certification marks (see Figure 6, Figure 9, Figure 7) together with the German certification mark (see Figure 13). The costs for certification (a small fraction of the total costs) arise at the end of the certification phase as regulated by the official cost ordinance [BSI SoC].

5.2.6 Certification of Technical SigG Components

This specific service is related to the evaluation and certification of technical components that claim to conform to the German digital signature act SigG, or that are mandated by SigG (see also section 4.4.6.2). It distinguishes the following categories of SigG components:
• components for CA services,
• secure signature creation devices, and
• signature application components.

The conformity assessment of this class of products also includes the assessment of cryptographic material and mechanisms.
The evaluation and certification of cryptographic mechanisms in other, non-SigG-conformant components is also possible, if these are part of a security function within the IT product or system under assessment.

5.2.7 Certification of New Product Versions

Normally the evaluation and certification procedures refer to one particular version of an IT product or system. This is achieved by a detailed specification that distinguishes those parts of the product that are relevant for its security aspects from those that are not. Every change of the certified product or system that leads to a new version has to be communicated to the certification body. A re-evaluation of the new version is not required if the changes only affect those parts of the product or system that are not relevant for its security aspects. Otherwise a re-evaluation of the new version is required and has to be performed, during which only the changed parts and their interfaces will be subject to evaluation.

5.2.8 Certification of Products Under Development

BSI recommends starting the request for certification as early as possible in order to achieve an early assessment of the security targets already during the development of a product. Such a progressive certification procedure provides advantages compared with the certification of a completed product, since the financial and personnel efforts are lower.

5.2.9 Certification of Baseline Protection

BSI has developed a specific certification scheme for IT baseline protection, which is applicable to security concepts of IT systems with normal security requirements and for which security measures have been described in the BSI document IT Baseline Protection Manual [ITBPM] (see also 4.4.6.6).
In this context BSI has developed the GrundSchutz-TOOL (GSTOOL, IT Baseline Protection Tool), which assists its users with the creation, administration and improvement of IT security concepts based on ITBPM. The GSTOOL also contains an embedded crypto module that can be used for data encryption, and it provides support for the following activities:
• gathering of information about IT systems,
• analysis of the structure of IT systems,
• gathering of information about applications,
• assessment of security requirements,
• modeling of IT baseline security,
• safeguard implementation,
• cost evaluation,
• report generation,
• audit,
• basic security checks, and
• certification of IT baseline protection.
An ITBPM certificate can be used to show that the main requirements of ITBPM have been met for a set of IT assets. BSI issues a certificate of this type if it has successfully examined a related audit report that contains the outcomes of independent tests performed by a licensed auditor against the BSI test scheme.

5.3 The German IT Security Certificate

The German IT security certificate provides benefits both for the consumers and the vendors of IT products and/or systems. The user of a certified product or system can be sure that the IT product or system
• matches the security profile of his application and operational environment,
• can be directly used, since its administrative and operational environment is specified, and any vulnerabilities are identified together with advice on how to prevent potential negative effects,
• has been assessed with a focus on its security performance and the strength of its security functions against threats, and
• provides protection of its security goals for integrity, confidentiality, authenticity and availability.
The vendor/manufacturer of a certified product or system can be sure that his IT product or system
• has been assessed with a focus on the security features that are needed for secure operation, in order to prevent damaging effects that might occur during future commercial operation and that might have a negative effect on reputation,
• has also been subject to additional quality assurance processes and provides an improved product or system quality, and
• has a higher chance for business in international markets.

5.4 Information Technology Security Evaluation Facilities

In Germany the BSI and the following private-sector facilities (ITSEF, information technology security evaluation facilities) are responsible for the testing and evaluation of IT products:
• atsec information security GmbH,
• Atos Origin GmbH,
• Bundesamt für Sicherheit in der Informationstechnik BSI,
• CSC Ploenzke AG,
• datenschutz nord GmbH,
• debis IT Security Services,
• Deutsches Forschungszentrum für künstliche Intelligenz GmbH,
• Industrieanlagen-Betriebsgesellschaft mbH,
• media transfer AG,
• secunet SWISSiT AG,
• SRC Security Research & Consulting GmbH,
• Tele Consulting GmbH,
• TNO-ITSEF BV,
• T-Systems GEI GmbH,
• TÜV Informationstechnik GmbH, and
• TÜV Nord SysTec GmbH & Co. KG.

5.5 Certification of Smartcard Protection Profiles

Protection profiles provide the means to specify security requirements for classes of IT products and systems. They can also be subject to evaluation and certification. A certificate will be issued for a protection profile that has been successfully evaluated against the Common Criteria at the instigation of the author (also called the sponsor). A certification report that reflects the results of an evaluation contains the certificate, which is a summary of the assessment, and the detailed certification results.
So far mainly protection profiles related to smartcards, integrated circuits and smartcard devices have been developed. Protection profiles for smartcards and smartcard devices that have been certified are listed in Table 19 and Table 20. The last column in these chronologically ordered tables contains
− in the first line the date of certificate issuance in the form YYYY-MM-DD and its related evaluation assurance level, and
− in the second line the protection profile certificate ID.

Table 19: Protection Profiles Certified by the Evaluation Facility TÜV Informationstechnik GmbH

SPONSOR | PROTECTION PROFILE | DATE / EAL / CERTIFICATE
Europay International S.A. (on behalf of the Smart Card Security User Group) | Smart Card Security User Group Smart Card Protection Profile Version 3.0 | 2001-10-10 EAL4+/high; BSI-PP-0003-2001 CC
CEN/ISSS – Information Society Standardization System, Workshop on Electronic Signatures | Protection Profile – Secure Signature-Creation Device Type 1, Version 1.05 | 2002-04-03 EAL4+/high; BSI-PP-0004-2002 CC
CEN/ISSS – Information Society Standardization System, Workshop on Electronic Signatures | Protection Profile – Secure Signature-Creation Device Type 2, Version 1.04 | 2002-04-03 EAL4+/high; BSI-PP-0005-2002 CC
CEN/ISSS – Information Society Standardization System, Workshop on Electronic Signatures | Protection Profile – Secure Signature-Creation Device Type 3, Version 1.05 | 2002-04-03 EAL4+/high; BSI-PP-0006-2002 CC

Table 20: Protection Profiles Certified by the Evaluation Facility BSI

SPONSOR | PROTECTION PROFILE | DATE / EAL / CERTIFICATE
Informationszentrum der Sparkassenorganisation GmbH | Schutzprofil SIZ-PP Schutzprofil Sicherheit für IT-Gesamtsysteme der Finanzdienstleister, Version 2.0 | 2000-08-25 EAL4+/high; BSI-PP-0001-2000 CC
Atmel Smart Card ICs, Hitachi Europe Limited, Infineon Technologies AG, Philips Semiconductors Hamburg | Smart IC Platform Protection Profile Version 1.0 | 2001-07-11 EAL4+/high; BSI-PP-0002-2000 CC
Bundesamt für Sicherheit in der Informationstechnik BSI | Common Criteria Protection Profile Biometric Verification Mechanisms Version 1.04 | 2005-08-17; BSI-PP-0016

5.6 Certification of IT Products

A certificate will be issued for a product that has been successfully evaluated against the requirements of a protection profile. A certification report that reflects the results of an evaluation contains the certificate, which is a summary of the assessment, and the detailed certification results. Security products (smartcards, smartcard devices, etc.) that have been certified are listed in the following tables:
• Table 21: evaluation facility TÜV Informationstechnik GmbH,
• Table 22: evaluation facility T-Systems GmbH, and
• Table 23: evaluation facility debis IT Security Services.

Table 21: Products Certified by the Evaluation Facility TÜV Informationstechnik GmbH

MANUFACTURER PRODUCT / SYSTEM DATE /EAL/CERTIFICATE Deutsche Telekom AG PKS-Card, Version 1.0, signature card 1998 Deutsche Telekom AG TC-SG, Version 1.01, key generator ITSEC E4/high TUVIT.09301.TE.09.1998 1998-12-14 ITSEC E4/high TUVIT.09308.TE.12.1998 Deutsche Telekom AG Deutsche Telekom AG function library TCrypt-TCM, Version 1.1 1999-01-20 PKS-Card, Version 2.0, signature card 1999-06-25 ITSEC E2/high TUVIT.09313.TU.01.1999 ITSEC E4/high TUVIT.09319.TE.06.1999 ORGA Kartensysteme GmbH HML 5010/20/21/22 Version 1.0 Chipcard reader with display and keyboard 1999-11 ORGA Kartensysteme GmbH HML 5010/20/21/22, Version 1.0, chipcard reader 1999-11-30 ITSEC E2/low TUVIT-DSZ-ITSEC-9109-1999 ITSEC E2/high TUVIT.09320.TE.11.1999 Deutsche Telekom AG TCrypt-SigG, Version 1.2, function library Deutsche Telekom AG TC-SG, Version 1.11, key generator 1999-12-22 ITSEC E2/high
TUVIT.09307.TE.12.1999 1999-9-16 ITSEC E4/high TUVIT.09322.TU.09.1999 Deutsche Post AG Signtrust SK-DPAG, Version 1.0, signature component 2000-01-31 Deutsche Post AG Signtrust SEA-Card, Version 1.0, signature card Cherry GmbH Card reader G80-1501 HAD Index/11 PC keyboard with integrated chipcard reader 2000-07 Deutsche Post AG Signtrust eTrust Mail für Microsoft Outlook, Version 1.01, user component 2000-07-18 Deutsche Post AG Signtrust TSS-DPAG, Version 1.1, time stamping service 2000-11-29 Deutsche Post AG Signtrust DIR-DPAG, Version 1.3, directory service timeproof TIME SIGNATURE SYSTEMS GmbH TSS 400, Version 1.0, time stamping system timeproof TIME SIGNATURE SYSTEMS GmbH Time Signature System TSS 400 Version 1.0 Deutsche Telekom AG ÖVTC, Version 1.12, directory service ITSEC E2/high TUVIT.09312.TE.01.2000 2000-02-14 ITSEC E4/high TUVIT.09326.TE.02.2000 ITSEC E2/low BSI-DSZ-ITSEC-0160-2000 ITSEC E2/high TUVIT.09328.TE.07.2000 ITSEC E2/high TUVIT.09338.TU.11.2000 2000-11-29 ITSEC E2/high TUVIT.09337.TU.11.2000 2000-11-29 ITSEC E2/high TUVIT.09324.TE.11.2000 2000-11-29 ITSEC E2/high TUVIT-DSZ-ITSEC-9110 2000-12-08 ITSEC E2/high TUVIT.09340.TU.12.2000 Deutsche Telekom AG PKS-Card, E4KeyCard, E4NetKeyCard, Version 3.0, 3.01, signature card 2000-12-15 ITSEC E4/high Deutsche Telekom AG ÖVTC, Version 1.02, directory service 2000-12-18 SECUDE GmbH SECUDE 6.0.1, function library 2000-12-22 ITSEC E24/high TUVIT.09339.TE.12.2000 ITSEC E2/high TUVIT.09323.TU.12.2000 TUVIT.09321.TE.12.2000 DATEV eG DATEV Signierkomponente DVSigE2, Version 1.0, function library 2001-03-05 Secunet OCSP-Responder Version 1.0, OCSP responder 2001-03-05 DATEV eG e:secure-Card, Version 1.0, 1.10, 1.20, signature card 2001-03-05 DATEV eG DATEV Signierkomponente DVSigE2, Version 1.1, function library 2001-03-08 Deutsche Post AG eTrust Mail für Lotus Notes R5, Version 1.01, user 2001-03-19 Secunet AG ITSEC E2/high TUVIT.09332.TE.03.2001 ITSEC E2/high TUVIT.09333.TE.03.2001 ITSEC E4/high
TUVIT.09341.TE.03.2001 ITSEC E2/high TUVIT.09342.TE.03.2001 ITSEC E2/high Signtrust component TUVIT.09329.TE.03.2001 Deutsche Post AG Signtrust eTrust Mail für Microsoft Outlook, Version 1.11, user component 2001-03-19 Infineon Technologies AG Smart Card IC (security controller) SLE 66CX322P version m1422a16 and m1422a17 2001-03-23 CC EAL4+/high Deutsche Post AG Signtrust SEA-Card, Version 2.0, signature card 2001-03-25 Deutsche Post AG Signtrust KG-DPAG, Version 1.5, key generator Deutsche Telekom AG TCrypt-SigG, Version 1.3, function library 2001-04-30 timeproof TIME SIGNATURE Systems GmbH TSS400, Version 1.1, time stamping service 2001-07-09 Secunet AG SECUNET Signierkomponente, Version 1.0, function library 2001-10-23 D-TRUST GmbH D-TRUST Card, Version 1.0, 1.1; D-TRUST Card_MS, Version 1.0, signature creation device 2001-10-232 ITSEC E4/high G83-6700LPZxx/00, G83-6700LQZxx/00, G817015LQZxx/00, G81-8015LQZxx/00, G8112000LTZxx/00, G81-12000LVZxx/00, keyboard with chipcard terminal 2001-10-24 DATEV eG DATEV Signierkomponente DVSigE2, Version 1.2, function library 2001-10-24 Secunet AG Secunet OCSP-Responder, Version 2.0, OCSP responder 2001-10-24 TC TrustCenter AG TC-SigPK, Version 1.0, function library 2001-11-13 ITSEC E2/high TUVIT.09335.TU.03.2001 TUVIT-DSZ-ITSEC-9130 ITSEC E4/high TUVIT.09346.TE.02.2001 2001-03-25 ITSEC E4/high TUVIT.09345.TU.02.2001 ITSEC E2/high TUVIT.09347.TU.04.2001 Cherry GmbH ITSEC E2/high TUVIT.09348.TU.07.2001 ITSEC E2/high TUVIT.09344.TE.10.2001 TUVIT.09361.TE.10.2001 ITSEC E2/high TUVIT.09327.TE.10.2001 ITSEC E2/high TUVIT.09353.TU.10.2001 ITSEC E2/high TUVIT.09343.TU.10.2001 ITSEC E2/high TUVIT.09314.TE.11.2001 TC TrustCenter AG TC-DIR, Version 1.1, directory service 2001-11-14 ITSEC E2/high TUVIT.09315.TE.11.2001 Deutsche Post Signtrust GmbH eKurier für Microsoft
Outlook, Version 2.0.1, application component 2001-12 ITSEC E2/high TUVIT.09357.TE.02.2002 E2 / high/2002-02-21 KAAN Standard Plus, FW.-Version 02121852; SecOVID Reader Plus, FW.-Version 02121812, chipcard terminal (class 2) 2001-12 Deutsche Post Signtrust GmbH Signtrust Zeitstempeldienst TSS-DPAG, Version 1.3, time stamping service 2001-12-21 Deutsche Post Signtrust GmbH Signtrust Verzeichnisdienst DIR-DPAG, Version 1.4, directory service 2001-12-21 KOBIL Systems GmbH ITSEC E4/high TUVIT.09354.TE.05.2003 E2 / high/2003-05-28 ITSEC E2/high TUVIT.09365.TU.12.2001 ITSEC E2/high TUVIT.09364.TU.12.2001 Gemplus GemXplorepresso - Java Card Platform Embedded Software V3 (Core) Java Card 2.1.1-Platform 2002 Deutsche Post Signtrust GmbH eKurier für Lotus Notes R5, Version 2.0.1, application component 2002-02-21 Deutsche Post Signtrust GmbH SignTrustMail für Microsoft Outlook, Version 2.0.1, application component 2002-02-21 Deutsche Post Signtrust GmbH SignTrustMail für Lotus Notes R5, Version 2.0.1, application component 2002-02-21 KOBIL Systems GmbH KAAN Professional und B1 Professional, HW-Version KCT100, FW-Version 2.08 GK 1.04, chipcard reader 2002-03-15 SECUNET Signierkomponente, Version 1.1, function library 2002-03-27 Secunet OCSP-Responder, Version 2.01, OCSP responder 2002-03-27 Deutsche Telekom AG ÖVTTC, Version 2.0, directory service 2002-04-29 Reiner Kartengeräte GmbH & Co. KG cyberJack pinpad, Version 2.0, chipcard reader 2002-05-24 Deutsche Post Signtrust GmbH SMTP-Proxy für eKurier, Version 2.0.1, application component 2002-05-31 Reiner Kartengeräte GmbH & Co.
KG cyberJack e-com, Version 2.0, chip card reader 2002-06-03 ORGA Kartensysteme GmbH MICARDO Elliptic Version 2.3 136/32 R1.0 Signaturkarte Version 1.0, signature card 2002-08-29 Cherry GmbH G83-6700LPZxx/01, G83-6700LQZxx/01, G817015LQZxx/01, G81-8015LQZxx/01, G8112000LTZxx/01, G81-12000LVZxx/01, keyboards with chipcard terminal 2002-11-19 SECUNET Signierkomponente, Version 1.2, function library 2002-12-06 SECUNET OCSP-Responder, Version 2.1, OCSP responder 2002-12-17 SECCOS ZKA-Signaturkarte V5.01 (signature card) Chipcard operating system platform with signature application 2003 ZKA-Signaturkarte, Version 5.01, signature creation device 2003-01-14 CC EAL4+/high IT Solution GmbH trustview, Version 2.1.0, application component 2003-03-04 CC EAL3+/high SCM Microsystems SPR132, SPR332, SPR532, Firmware Version 4.15, 2003-03-11 CC EAL3+/high Secunet AG Secunet AG CC EAL5+ BSI-DSZ-CC-0171-2002 ITSEC E2/high TUVIT.09358.TE.02.2002 ITSEC E2/high TUVIT.09355.TU.02.2002 ITSEC E4/high TUVIT.09356.TE.02.2002 ITSEC E2/high TUVIT.09331.TE.03.2002 ITSEC E2/high TUVIT.09368.TU.03.2002 ITSEC E2/high TUVIT.09369.TU.03.2002 ITSEC E2/high TUVIT.09350.TU.04.2002 Secunet AG Secunet AG Gemplus Gemplus-mids GmbH ITSEC E2/high TUVIT.09362.TE.05.2002 ITSEC E2/high TUVIT.09359.TE.05.2002 ITSEC E2/high TUVIT.09363.TE.06.2002 ITSEC E4/high TUVIT.09351.TE.08.2002 ITSEC E2/high TUVIT.09380.TU.11.2002 ITSEC E2/high TUVIT.09375.TU.12.2002 ITSEC E2/high TUVIT.09374.TU.12.2002 CC EAL4+/high TUVIT-DSZ-CC-9203-200309-2 TUVIT.09349.TE.01.2003 TUVIT.09366.TE.03.2003 GmbH chipcard reader TUVIT.09370.TE.03.2003 KOBIL Systems GmbH KAAN Standard Plus, FW-Version 02121852; SecOVID Reader Plus, Version 02121812 2003-05 ITSEC E2/high TUVIT-DSZ-ITSEC-9135-2003 chipcard terminal (class 2) timeproof TIME SIGNATURE SYSTEMS GmbH TSS 400,
Version 3.0, time signature system T-Systems International GmbH, T-TeleSec ÖVTC, Version 3.0, directory service timeproof TIME SIGNATURE SYSTEMS GmbH TSS 400, Version 3.01, time signature system Infineon Technologies AG Infineon Smart Card IC (security controller) SLE66CX322P 2003-10 Regulierungsbehörde für Telekommunikation und Post RegTP-Card, Version 3.0, signature creation device 2003-11-27 T-Systems International GmbH, T-TeleSec TC-SG, Version 1.02, key generator DATEV eG DATEV-Signierkomponente Trustcenter DVSigKompTC, Version 1.0, function library 2003-11-28 timeproof TIME SIGNATURE SYSTEMS GmbH TSS 400, Version 3.02, time signature system 2004-04-16 Giesecke & Devrient GmbH ZKA Banking Signature Card, Version 6.2, Type 3, signature creation device 2004-04-23 CC EAL4+/high Stiftung Secure Information and Communication Technologies SIC, Austria IAIK-JCE CC Core, Version 3.1, function library 2004-06-08 CC EAL3+/high Infineon Technologies AG Infineon Smart Card IC (security controller) SLE88CX720P/m1491b13 2004-07 Giesecke & Devrient GmbH ZKA Banking Signature Card, Version 6.2 NP, Type 3, signature creation device 2004-07-09 CC EAL4+/high Gemplus-mids GmbH ZKA-Signaturkarte, Version 5.02, signature creation device 2004-09-06 CC EAL4+/high ORGA Kartensysteme GmbH HML 5010, 5020, 5021 und 5040, Software Version 1.21, chipcard reader 2004-11-17 Deutsche Post COM GmbH Zeitstempeldienst (TSS) des Trust Centers der DPAG, Version 1.5, time stamping system 2004-11-18 Giesecke & Devrient GmbH ZKA Banking Signature Card, Version 6.3 NP, Type 3, signature creation device 2004-11-26 CC EAL4+/high REINER Kartengeräte cyberJack pinpad, Version 3.0, chipcard reader 2004-11-26 2003-06-06 ITSEC E2/high TUVIT.09379.TU.06.2003 2003-08-11 ITSEC E2/high TUVIT.09377.TU.08.2003 2003-09-08 ITSEC E2/high TUVIT.09386.TU.09.2003 CC EAL5+ BSI-DSZ-CC-0223-2003 ITSEC E4/high TUVIT.09390.TE.11.2003
2003-11-27 ITSEC E4/high TUVIT.09389.TU.11.2003 ITSEC E2/high TUVIT.09383.TU.11.2003 ITSEC E2/high TUVIT.09394.TU.04.2004 TUVIT.09396.TE.04.2004 TUVIT.09387.TE.06.2004 CC EAL4 BSI-DSZ-CC-0215-2004 TUVIT.93101.TU.07.2004 TUVIT.09385.TU.09.2004 ITSEC E2/high TUVIT.93102.TU.11.2004 ITSEC E2/high TUVIT.93109.TU.11.2004 TUVIT.09398.TU.11.2004 ITSEC E2/high Giesecke & Devrient GmbH ZKA Banking Signature Card, Version 6.2b NP & 6.2f NP, Type 3, signature creation device 2005-01-21 CC EAL4+/high DATEV eG DATEV Anwendungskomponente GERVA, Version 1.32, application component 2005-01-27 Giesecke & Devrient GmbH ZKA Banking Signature Card, Version 6.31, Type 3, signature creation device 2005-03-11 CC EAL4+/high NKL Nordwestdeutsche Klassenlotterie Signier- und Verifikations-Anwendung SVA, Version 1.3, signature software product 2005-03-21 Giesecke & Devrient GmbH STARCOS 3.1 ECC with Electronic Signature Application V4.0, Version 1.0, signature creation device 2005-04-05 CC EAL4+/high TC TrustCenter AG TC-DIR, Version 2.0, directory and timestamping service 2005-04-15 TC TrustCenter AG Signier- und Prüfkomponente TC-SigPK, Version 1.1, function library 2005-04-15 Infineon Technologies AG Smart Card IC (security controller) SLE 66CX322P/ m1484b14 and m1484f18, with RSA 2048 V1.30 and specific IC Dedicated Software 2005-04-22 Secunet Security Networks AG SECUNET Signierkomponente, Version 1.3, function library 2005-06-23 CV Cryptovision GmbH cv act doc/verifier V1R1, function library 2005-08-11 GmbH & Co.
KG TUVIT.93107.TU.11.2004 TUVIT.09395.TU.01.2005 ITSEC E2/high TUVIT.93108.TU.01.2005 TUVIT.09397.TU.03.2005 ITSEC E2/high TUVIT.09393.TE.03.2005 TUVIT.93110.TE.04.2005 ITSEC E2/high TUVIT.93104.TU.04.2005 ITSEC E2/high TUVIT.93103.TU.04.2005 CC EAL5 BSI-DSZ-CC-0266-2005 ITSEC E2/high TUVIT.93112.TU.06.2005 ITSEC E2/high TUVIT.93115.TE.08.2005 Giesecke & Devrient GmbH ZKA Banking Signature Card, Version 6.5, signature creation device 2005-09-08 CC EAL4+/high Giesecke & Devrient GmbH STARCOS 3.0 with Electronic Signature Application V3.0, signature creation device 2005-09-16 CC EAL4+/high DATEV eG DATEV Anwendungskomponente GERVA, Version 1.33, application component 2005-09-23 TUVIT.93120.TU.09.2005 TUVIT.93100.TE.09.2005 ITSEC E2/high TUVIT.93122.TU.09.2005

Table 22: Products Certified by the Evaluation Facility T-Systems GmbH

MANUFACTURER | PRODUCT / SYSTEM | DATE / EAL / CERTIFICATE
Giesecke & Devrient | STARCOS SPK 2.3 V7.0 mit digitaler Signaturanwendung (with digital signature application) StarCert V2.2, chipcard operating system platform for native code with signature application | 2001-12 ITSEC E4/high; T-System-DSZ-ITSEC-040752001
Siemens AG Österreich (Austria) | Signa@tor Version 2.0 (EVG) | 2002-04-30 ITSEC E2/high; T-Systems-DSZ-ITSEC-040802002

Table 23: Products Certified by the Evaluation Facility debis IT Security Services

MANUFACTURER | PRODUCT / SYSTEM | DATE / EAL / CERTIFICATE
Utimaco Safeware AG | CardMan Products | 1998-04-20 ITSEC E2/high; BSI-ITSEC-0406-1998

A complete list of certified IT products and systems can be found in the document “German IT Security Certificates” [GITSC]. Current information can be downloaded from the web pages of the German certification bodies (see Table 52).
This document also includes IT products and systems from foreign countries (Australia, Canada, France, Japan, UK, and USA) whose certificates have been recognized by German certification bodies within the scope of mutual recognition agreements or memoranda of understanding.

5.7 Good Practice Testing of PKI-Based Applications

5.7.1 Testing Laboratories

Companies that want to obtain an ISIS-MTT compliance label for their product may contact one of the following testing laboratories that are recognized by TeleTrusT:
• DATEV Trust Center,
• Secorvo Security Consulting GmbH,
• TÜV Informationstechnik GmbH, or
• T-Systems.

5.7.2 Products and Applications Tested with the ISIS-MTT Test Bed

Products that have been certified by ISIS-MTT testing laboratories are listed in Table 24. All products with the exception of “DATEV Trustcenter” have been tested by the testing laboratory Secorvo. The “DATEV Trustcenter” has been tested by DATEV itself. The related test reports can be downloaded from the TeleTrusT web pages.
Table 24: Products Certified by the Testing Laboratory Secorvo

COMPANY PRODUCT / PRODUCT TYPE DATE REPORT ID DATEV DATEV Trustcenter (Certification Authority) / CA Server 2003-09-25 Entrust Securing Digital Identities & Information Entrust Authority™ Security Manager 7.0 for Windows / CA Server 2003-10-27 Microsoft Deutschland GmbH Microsoft Windows Server 2003 Certificate Service / CA Server 2004-03-10 SmartTrust Certificate Manager Version 5.3 / CA Server 2004-04-30 DATEV e:secure MAIL V1.1 / E-Mail Client 2004-07-08 Technology Nexus AB DATEV Secorvo-00002-AR_03 Secorvo-00003-AR_02 Secorvo-00004-AR_04 Secorvo-00005-AR_17 T-Systems International GmbH, T-TeleSec, Public Key Service / SigG-Profile Compliant CSP 2004-10-29 Business Unit ITC Security T-Systems International GmbH, T-TeleSec, Public Key Service / OCSP Server 2004-10-29 Deutscher Sparkassen Verlag GmbH, Geschäftssparte S-Kartensysteme S-TRUST / CSP 2005-10-10 Deutscher Sparkassen Verlag GmbH, Geschäftssparte S-Kartensysteme S-TRUST / SigG-Profile Compliant CSP Business Unit ITC Security Secorvo-00006-AR_03 Secorvo-00007-AR_03 Secorvo-00008-AR_03 2005-10-10 Secorvo-00008-AR_03

6 Evaluation and Certification of Protection Profiles and IT Products in France

A summary of the legal requirements for the evaluation and certification of protection profiles and IT products in France has already been given in chapter 4.3.2. The evaluations have to be done by ITSEFs in accordance with the specifications or standards specified by the DCSSI.

6.1 Evaluation and Certification Bodies

DCSSI is the French certification body, which has to supervise the work done by any of the information technology security evaluation centers.
It performs its tasks in accordance with the procedures laid down in the quality manual [CCN-MQ01] and in the certification procedure documents for IT products and systems [CER-P-01] and for protection profiles [CPP-P-01], covering
• conditions for certification,
• certification requests,
• evaluation,
• certification,
• use of certificate,
• surveillance and maintenance,
• protection of information, and
• complaints and appeals.

6.2 Certification Procedures

6.2.1 Conditions for Certification

The certification services offered by DCSSI are open to all developers, sponsors and suppliers of IT products and systems or protection profiles, guaranteeing fairness of evaluation of IT products and systems or protection profiles. Certification is carried out in a strict manner obeying the public operating rules of the certification scheme and the evaluation criteria that have been approved by the management body. A specific procedure concerning the evolution of certification requirements [MOD-P-01] should be taken into account if the international evaluation criteria evolve or if new technical requirements for technical components have to be coped with.

6.2.2 Certification Requests

DCSSI keeps a list of recognized evaluation facilities in France. Every sponsor has the option to select one of the evaluation facilities included in this list. DCSSI provides a specific application form [CER-F-01], which already contains the text of the terms and conditions for certification; it has to be used by any certification requestor and, after its completion, has to be forwarded to DCSSI. Information that is required from the sponsor includes the description of the IT product or system, in particular its security target level, and a provisional work plan.
Certification requests are reviewed by DCSSI and either rejected due to observed deficiencies or accepted and registered, with the appointment of a certifier responsible for the evaluation. The progress of an evaluation (certification report, security target) will only be made public on the DCSSI website if the sponsor gives his explicit agreement.

6.2.3 Certification

A certification report will be produced after the examination of an evaluation technical report (see section 6.3.3) and sent together with the security target to the DCSSI for final issuance of a certificate, which together with the certification report will be signed by the Prime Minister. DCSSI has the power to withdraw, i.e. to invalidate, certificates if the evaluation procedures were performed on the basis of untrue information.

6.2.4 Surveillance and Maintenance

DCSSI offers two specific services for the surveillance of certified products and the maintenance of certificates, for which procedures have been specified in the documents [SUR-P-01] and [MAI-P-01] respectively. Surveillance allows the lifetime of certificates to be extended. It requires regular updates of the vulnerability analysis of certified products and possibly the repetition of tests. With the exception of electronic signature creation devices it is an optional procedure that will only be performed upon request from sponsors. Maintenance of certificates is an optional procedure that allows the certification of new versions of certified products or systems.
6.3 Information Technology Security Evaluation Facilities

6.3.1 Licensing of Evaluation Facilities

Evaluation facilities need to be accredited by the French accreditation committee COFRAC in accordance with the requirements specified in the general requirements for the competence of testing and calibration laboratories [ISO/IEC 17025] and with the additional requirements defined in [AGR-P-01].

6.3.2 Licensed Evaluation Facilities

In France information technology security evaluation facilities (ITSEFs) are called CESTI (control of information security evaluation centers). The following licensed CESTI are responsible for the testing and evaluation of IT products (contact information is provided in Table 51):
• Algoriel, information technology and network area,
• CEACI (TES-CNES), electronic component and embedded software fields,
• CEA-LETI, electronic component and embedded software fields,
• OPPIDA, information technology and network area,
• SERMA Technologies, electronic component and embedded software fields, and
• SILICOMP-AQL, information technology and network area.

6.3.3 Evaluation

The evaluation of IT products and systems is carried out along the chosen evaluation methodology and the evaluation work plan. It comprises the analysis of the product/system and its documentation. After the completion of an evaluation the evaluator forwards a so-called end-of-task report to the sponsor and to the certifier. Finally the evaluator produces an evaluation technical report (ETR) covering the performed tasks and their outcomes, which goes to the sponsor and the certification body. The confidentiality of an ETR is guaranteed by the certification body.

6.3.4 Sponsors

The quality manual specifies requirements that sponsors have to take into account regarding the information about certified products and systems that they provide to users and purchasers.
These requirements state that a sponsor shall
• give the certification report and the security target to the user upon request,
• clearly inform the user about the status of the product evaluation (certified or under evaluation), and
• provide information about any known potential security issue and new vulnerabilities of the product/system to the users.

6.4 Certification of Smartcard Protection Profiles

French protection profiles have to be certified according to the procedure CPP-P-01, providing compliance with the requirements specified in the Common Criteria. Protection profiles for smartcards and smartcard devices that have been certified in France are listed in Table 25.

Table 25: Protection Profiles Certified in France

SPONSOR TITLE OF PROTECTION PROFILE PP CERTIFICATE Bull, Dassault AT, Diebold, NCR, Siemens Nixdorf, Wang Global Automatic cash dispenser / Teller machines 1999-04-19 Délégation Générale pour l’Armement Configurable security guard (CSG) 1999-04-19 PP/9907 PP/9906 Délégation Générale pour l’Armement Firewall à exigences élevées v2.2 Firewall à exigences réduites v2.2 GIE Cartes Bancaires CB, Société Financière du PMEI Intersector electronic purse and purchase device (version for pilot schemes) v1.2 1999-04-19 GIE Cartes Bancaires CB, Société Financière du PMEI Intersector electronic purse and purchase device v1.2 1999-04-19 Délégation Générale pour l’Armement Profil de protection pour carte à puce billettique avec et sans contact v1.2 1999-04-19 Smartcard embedded software v1.2 1999-04-19 PP/9908 PP/9909 PP/9903 PP/9810 Motorola Semiconductors, Philips Semiconductors, Siemens AG Semiconductors, STMicroelectronics Smartcard Integrated Circuit Protection Profile v2.0 1999-04-19 Eurosmart Smart card integrated circuit with embedded software v2.0 1999-07-16 Transactional smart card reader v2.0 2000-02-10 Cyber-COMM PP/9806 Eurosmart Smart card
IC with multi-application secure platform v2.0 2001-01-05 SFPMEI Intersector electronic purse and purchase device (version without last purchase cancellation) Version 1.3 2001-03-12 Smart card security user group, smart card 2001-10-22 February 28th, 2006 (Final) CC 2.0/ CC 2.0/ CC 2.1/ CC 2.0/ CC 2.0/ CC 2.0/ PP/9911 PP/0002 Mondex International CC 2.0/ 1999-04-19 PP/9904 Schlumberger CC 2.0/ 1999-04-19 PP/9905 Délégation Générale pour l’Arment CC 2.0/ PP/0010 PP/0101 CC 2.1 CC 2.1/ CC 2.1/ CC 2.1/ Study on Promotion Strategy of Conformity Assessment System of Information Security 155 SPONSOR TITLE OF PROTECTION PROFILE PP CERTIFICATE protection profile (SCSUG-SCPP) PP/0103 JICSAP ver2.0 protection profile part1, multiapplication secure system LSI chip protection profile version 2.5 2003-06-27 JavaCard system defensive configuration protection profile version 1.0b 2003-09-30 Sun Microsystems, Inc. JavaCard system minimal configuration protection profile version 1.0b 2003-09-30 Sun Microsystems, Inc. JavaCard system standard 2.1.1 configuration protection profile version 1.0b 2003-09-30 Sun Microsystems, Inc. JavaCard system standard 2.2 configuration protection profile version 1.0b 2003-09-30 Cryptographic module for CSP signing operations with backup version 0.28 2003-12-18 Cryptographic module for CSP signing operations without backup version 0.28 2003-12-18 Profil de protection pour services bancaires et / ou financiers sur Internet 2004-10-07 ECSEC Sun Microsystems, Inc. Bull Bull Comitè Français d’Organisation et de Normalisation Bancaire 6.5 PP/0301 PP/0306 PP/0303 PP/0304 PP/0305 PP/0308 PP/0309 PP/0401 CC 2.1/ CC 2.1/ CC 2.1/ CC 2.1/ CC 2.1/ CC 2.1/ CC 2.1/ CC 2.1/ CC 2.1/ Certification of IT Products and Systems The French certification procedures are specified in the document CER-P-01. 
The French IT security evaluation facilities provide evaluation services for the following areas:
• integrated circuits,
• smart cards,
• network products,
• readers,
• terminals,
• PC products,
• systems,
• digital tachographs,
• motion sensors, and
• tachograph cards.

Security products (smartcards, smartcard devices, etc.) that have been certified in France are listed in the following tables:
• Table 26: evaluation facility Serma Technologies,
• Table 27: evaluation facility CEA LETI,
• Table 28: evaluation facility CEACI,
• Table 29: evaluation facility Groupe Silicomp-AQL,
• Table 30: evaluation facility Algoriel Aubagne,
• Table 31: evaluation facility CNET Caen,
• Table 32: evaluation facility CR2A-DI, and
• Table 33: evaluation facility CELAR/CASSI.

Table 26: Products Certified by the French Evaluation Facility Serma Technologies

DEVELOPER / SPONSOR | PRODUCT / SYSTEM | CERTIFICATE DATE | CERTIFICATE
Philips Semiconductors, Gemplus, Oberthur Card Systems, Visa Int., Groupement Carte Bleue | Plate-forme Javacard/VOP GemXpresso 211 (microcircuit Philips P8WE5032/MPH02) avec applets Oberthur B0' v0.32 et Visa VSDC v1.08 | 1999-12-31 | 1999/07 CC 2.1 EAL1+
Philips Semiconductors, Gemplus / Groupement Carte Bleue | Javacard/VOP GemXpresso 211 platform V2 (Philips integrated circuit P8WE5032/MPH02) | 2000-05-17 | 2000/02 CC 2.1 EAL1+
Philips Semiconductors, Gemplus / Groupement Carte Bleue | Javacard/VOP GemXpresso 211 platform V2 (Philips P8WE5032/MPH04 embedded component, A000000018434D card manager) | 2000-10-20 | 2000/06 CC 2.1 EAL1+
Oberthur Card Systems, Gemplus, Trusted Logic / Groupement Carte Bleue | Oberthur B0' application v1.0.1 loaded on Javacard/VOP GemXpresso platform 211 V2 | 2001-02-09 | 2001/03 CC 2.1 EAL1+
SchlumbergerSema, Infineon Technologies / SchlumbergerSema | Palmera Protect Platform V2.0 JavaCard (SLE66CX320P/SB62 embedded component) | 2001-08-03 | 2001/13 CC 2.1 EAL1+
IBM, STMicroelectronics / BMS | MONEO/CB hybrid card: MONEO electronic purse application and B4/B0' V3 bank application (reference: ST19SF04AB/RCU version B312/B024) and trader SAM security module (reference: ST19SF16CC/RCQ version C112) | 2001-04-27 | 2001/06 CC 2.1 EAL4+/PP
Oberthur Card Systems / Oberthur Card Systems | VOP 2.0.1 / Javacard 2.1.1 JPH33V2 operating system version 1 installed on integrated circuit PHILIPS P8WE5033 | 2001-06-07 | 2001/10 CC 2.1 EAL1+
ASK / ASK | CT2000 embedded component (reference: ST16RFHD50/RSG-A) | 2001-09-06 | 2001/16 CC 2.1 EAL1+
Philips, Gemplus / Gemplus | Gemplus CB-B0'/EMV: P8WE6004 V0D component embedded by MPH021 application (reference P8WE6004 V0D/C017D) | 2002-04-22 | 2002/04 CC 2.1 EAL4+/PP
Oberthur Card Systems / Oberthur Card Systems | COSMOPOLIC 2.1 V4 JavaCard Open Platform embedded software version 1 | 2002-05-30 | 2002/05 CC 2.1 EAL4+
SchlumbergerSema, Infineon Technologies SA / SchlumbergerSema | JavaCard 32K CRISTAL (reference M256LCAC2) | 2002-06-17 | 2002/07 CC EAL4+/PP
SchlumbergerSema, Infineon Technologies SA / SchlumbergerSema | JavaCard 32K CRISTAL (reference M256LCAC2) | 2002-06-17 | 2002/12 CC 2.1 EAL4/PP
NTTDATA Corporation / STMicroelectronics | Plate-forme Xaica-alpha version V150i_alpha7rs3_SM032 sur micro-circuit ST19XR34F | 2005-03-08 | 2005/04 CC 2.1 EAL4+

Table 27: Products Certified by the French Evaluation Facility CEA LETI

DEVELOPER / SPONSOR | PRODUCT / SYSTEM | CERTIFICATE DATE | CERTIFICATE
IBM, STMicroelectronics / BMS | MONEO/CB hybrid card: MONEO electronic purse application and B4/B0' V3 bank application (reference: ST19SF16CC/RCQ version B312/B023) and SAM retailer security module (reference ST19SF16CC/RCQ version C112) | 2001-04-27 | 2001/05 CC 2.1 EAL4+/PP
STMicroelectronics, Bull CP8 / GIE Cartes Bancaires | ST19F04 component embedded by the B4/B0' V3 application (reference ST19SF04AB/RVK) | 2001-04-30 | 2001/09 ITSEC E3/high
ASK, CP8, STMicroelectronics / BMS | MODEUS electronic purse: MODEUS carrier card v1.1 (reference ST16RF58/RSE+) and SAM TC/C v1.1 retailer security module (reference: ST19SF16FF/RVN) | 2001-12-05 | 2001/20 CC 2.1 EAL1+
STMicroelectronics, Oberthur Card Systems / Oberthur Card Systems | ST19F02AD component embedded by O.C.S. B0' V3 application (reference ST19SF02AD/RRR) | 2002-06-04 | 2002/06 CC 2.1 EAL4+/PP
SchlumbergerSema, ATMEL Smart Card ICs / SchlumbergerSema | AT05SC1604R component embedded by IGEA 340 application | 2002-08-14 | 2002/17 ITSEC E3/medium
Schlumberger Système SA, STMicroelectronics / Schlumberger Système SA | ST19XS04D component embedded by IGEA 440 application | 2003-02-19 | 2003/03 ITSEC E3/high
Axalto, STMicroelectronics / Axalto | Composant ST19XS04D masqué par l'application IGEA 440 (référence ST19XS04\PIL) | 2004-01-16 | 2004/01 ITSEC E3/medium

Table 28: Products Certified by the French Evaluation Facility CEACI

DEVELOPER / SPONSOR | PRODUCT / SYSTEM | CERTIFICATE DATE | CERTIFICATE
Mondex International / Crédit Mutuel | Mondex Purse 2 electronic purse version 0203 (component SLE66CX160S, MULTOS V4.1N operating system) | 1999-11-01 | 1999/09 CC 2.1 EAL1+
Gemplus / Gemplus | UniSAM v2.0 operating system embedded on ST16SF48D / QDF component | 2000-12-12 | 2000/07 ITSEC E3/medium
Mondex International / Crédit Mutuel | Mondex Purse 2 version 0203 applet for Multos 4 | 2001-04-24 | 2001/07 CC 2.1 EAL4+
Oberthur Card Systems / Crédit Mutuel | Oberthur B4-B0' V3 version 1.0 applet for Multos 4 | 2001-04-24 | 2001/08 CC 2.1 EAL4+
Keycorp Ltd / Crédit Mutuel | MULTOS V4.02 operating system release 1N'+AMD 0013V002 | 2001-08-01 | 2001/15 ITSEC E3/high
Mondex International Ltd / Mondex International Ltd | Application M/Chip Select v2.0.5.2 | 2001-10-22 | 2001/22 CC 2.1 EAL1+
Mondex International Ltd / Mondex International Ltd | Application M/Chip 4 version 1.0.1.1 pour MULTOS (sur émulateur) | 2003-09-08 | 2003/10 CC 2.1 EAL4+
Keycorp Limited, Infineon Technologies AG / Crédit Mutuel | Plate-forme MULTOS I4C (1-1-1) incluant le patch AMD 0029v002 masquée sur SLE66CX322P/m1484 a24 | 2004-12-04 | 2003/14 CC 2.1 EAL4+

Table 29: Products Certified by the French Evaluation Facility Groupe Silicomp-AQL

DEVELOPER / SPONSOR | PRODUCT / SYSTEM | CERTIFICATE DATE | CERTIFICATE
Gemplus / Gemplus, STMicroelectronics | GemVision SmartD/C application embedded on ST19SF08AC/RMY component | 2000-02-14 | 2000/08 CC 2.1 EAL4+/PP
Gemplus / Gemplus, STMicroelectronics | GemVision SmartD/C application embedded on ST19SF08AC/RMY component | 2000-02-14 | 2000/14 CC 2.1 EAL4

Table 30: Products Certified by the French Evaluation Facility Groupe Algoriel Aubagne

DEVELOPER / SPONSOR | PRODUCT / SYSTEM | CERTIFICATE DATE | CERTIFICATE
Schlumberger / STMicroelectronics | ST16SF48C component embedded for the SAMFLEX ALLIANCE application v1.0 (reference ST16SF48C/ROJZ) | 1999-12-31 | 1999/11 ITSEC E3/medium
Oberthur Card Systems / Crédit Mutuel | Oberthur B0' application v1.0 and Routeur v1.0 designed for Multos v4.02 | 2000-11-20 | 2000/05 CC 2.1 EAL4+

Table 31: Products Certified by the French Evaluation Facility CNET Caen

DEVELOPER / SPONSOR | PRODUCT / SYSTEM | CERTIFICATE DATE | CERTIFICATE
CP8 Transac, STMicroelectronics | PC2.3 version 2 operating system embedded on ST16SF48A component (reference: ST16SF48A/RHBB) | 1997-01-21 | 1997/01 ITSEC E3/high
SOLAIC Schlumberger Group | MICRO-SAMFLEX mask version 1.0 for ST16601 G component | 1997-03-28 | 1997/02 ITSEC E3/medium
STMicroelectronics / Bull CP8 | ST16SF44A component embedded for the SCOT400 application version 1 (reference: ST16SF44ARHQ) | 1998-04-20 | 1998/01 ITSEC E3/high
MOTOROLA / Bull CP8 | MC68HC05SC0401 component embedded for the SCOT300 application (reference: ZC438408) | 1998-06-29 | 1998/02 ITSEC E3/medium
STMicroelectronics / Schlumberger | ST16C54B component embedded for the professional health card application (reference: ST16CF54N CPS2 V3.3) | 1998-10-26 | 1998/03 ITSEC E3/high
Bull CP8 / STMicroelectronics | PC2.3 version 2 operating system embedded on ST16SF48A component (reference: ST16SF48A/RHBC, RHBE, RHBF) | 1998-11-02 | 1998/04 ITSEC E3/high
Société Européenne de Monnaie Electronique | B4/B0' V2 bank application of the MONEO/CB hybrid card (reference: ST19SF16B RCL version B303/B002) | 1999-09-01 | 1999/04 CC 2.1 EAL1+
Société Européenne de Monnaie Electronique | MONEO electronic wallet card carrier (ST19SF16B RCL v. B303) and PSAM retailer security module (ST19SF16B RCL v. C103) | 1999-09-29 | 1999/03 CC 2.1 EAL1+/PP
Schlumberger / STMicroelectronics | RSA calculation software for health professional card ST16CF54NSOV | 2000-03-01 | 2000/03 ITSEC E3/medium

Table 32: Products Certified by the French Evaluation Facility CR2A-DI

DEVELOPER / SPONSOR | PRODUCT / SYSTEM | CERTIFICATE DATE | CERTIFICATE
STMicroelectronics, CP8 Transac, Philips Cartes et Systèmes / GIE CB | ST16601G/SKG component embedded for B4/B0' V2 bank application | 1996-05-09 | 1996/02 ITSEC E3/high
SOLAIC / Schlumberger Group | UNISAM mask version 1.0 for ST16SF48C/RMH component | 1999-10-28 | 1998/05 ITSEC E3/medium

Table 33: Products Certified by the French Evaluation Facility CELAR/CASSI

DEVELOPER / SPONSOR | PRODUCT / SYSTEM | CERTIFICATE DATE | CERTIFICATE
STMicroelectronics, Bull CP8, GIE CB | ST16601 H/SKG component embedded by B4/B0' V2 bank application | 1998-01-23 | 1997/04 ITSEC E3/high
SOLAIC Schlumberger Group | MICRO-SAMFLEX mask version 1.0 for ST16601 H component | not given | 1997/05 ITSEC E3/medium

7 Evaluation and Certification of Protection Profiles and IT Products in the United Kingdom

7.1 Evaluation and Certification Bodies

UKAS is the UK accreditation service used by the certification body (see chapter 4.5.4), which has to supervise the work done by any of the commercial evaluation facilities. It performs its certification tasks in accordance with [ISO/IEC 17025].
The evaluations of IT products and services have to be done by commercial evaluation facilities (CLEFs, called ITSEFs in the other European countries) in accordance with the specifications or standards of UKITSEC, and especially with the CLEF requirements defined in [UKSP 02]. The use of evaluation and certification services has to be organized by contracts between the sponsors and CESG (Communications-Electronics Security Group), or with the CLEFs as sub-contractors of CESG.

7.2 Evaluation and Certification Procedures

The UKITSEC scheme [UKSP 01] considers the following two phases for the process of evaluation and certification:
• preparation for security evaluation, and
• evaluation and certification.

The objective of the first phase is to check the suitability and usability of the target of evaluation for testing before the testing and evaluation phase is started. The objective of the second phase is to establish whether the target of evaluation meets its security target, culminating in the issuance of a certificate.

7.2.1 Preparation for Security Evaluation

The preparation phase is performed in order to reduce the risk of an unsuccessful, expensive and time-consuming full evaluation. It includes the following chronologically ordered activities, which have to be done by the involved participants in accordance with the UKITSEC scheme documents [UKSP 01], [UKSP 03] and [UKSP 04]:
• production (by the sponsor) and assessment (by the CLEF) of the security target,
• identification of the required input deliverables (agreement between sponsor and CLEF),
• production (by the CLEF) and agreement (between sponsor and CLEF) of an evaluation work program, and
• formal confirmation of the certification request into the scheme by means of a Task Initiation Notice (TIN) from the CLEF to the certification body.
7.2.2 Evaluation and Certification

The evaluation and certification phase is performed in order to establish whether the target of evaluation meets its security target and to issue a certificate that confirms the claimed security features of an IT product or system. It includes the following chronologically ordered activities, which have to be done by the involved participants in accordance with the UKITSEC scheme documents [UKSP 01], [UKSP 03] and [UKSP 04]:
• the evaluation (by the CLEF) of the target of evaluation following the evaluation work program,
• the interactions between the involved parties (sponsor, CLEF, CB) for performing effective evaluation operations,
• the production of the evaluation technical report (by the CLEF),
• the production and acceptance of the draft certification report (by the sponsor, CLEF and CB), and
• the issue of the final certification report and of the certificate (both by the CB).

The certification report confirms that the assessment of an IT product or system has been done in conformance with the UKITSEC scheme and that the product or system has achieved its claimed assurance level.

7.2.3 Fast Track Assessment

In 2001 CESG launched a specific Fast Track Assessment (FTA) service at Infosec Assurance and Certification Services (IACS), which is applicable where time is limited and where the results do not need international recognition. This type of evaluation is suitable for products or systems in the sponsor's environment only. FTA has the following main features:
• reduction of formal evaluation requirements,
• addressing of a specific product and environment,
• cost and/or time limited process based on prioritized evaluation activities,
• focus on sampling of evidence,
• focus on functional and penetration testing to detect errors and vulnerabilities,
• assessment report for use by the sponsor, and
• no formal assurance level awarded.
The FTA service provides an independent assessment of products or systems against a defined security target compliant with [CC]. The observed outcomes of the assessment are presented in an FTA report (FTAR) that confirms the security functionality of the tested product or system as claimed by its related security target.

7.2.4 Certificate Maintenance Scheme

The UK certification body offers a specific service for the maintenance of certificates that is based on the Certificate Maintenance Scheme (CMS). Evaluation results apply to a specific version of a given product or system, and any change to that product may invalidate the achieved evaluation results. CMS has been defined in order to cope with the developmental evolution of certified products or systems. Maintenance of certificates is an optional procedure that allows the certification of new versions of certified products or systems, thus avoiding a full re-evaluation by a CL EF. The status of such successfully re-assessed IT products or systems is “CMS Approved”. CMS Approved versions provide the same level of confidence in an IT product or system as the original certified versions. A new version of a TOE can only be assessed under CMS if the TOE has been certified, a certificate maintenance plan has been approved by the certification body, and the sponsor has appointed a developer security analyst for the TOE who is responsible for ensuring that assurance in the TOE is maintained within CMS. This means that the security analyst has to assess the security impact of all changes that may affect the certified product or system. Potential security problems are thus identified and rectified at an early stage, which streamlines the assurance process. Further details of the CMS can be found in chapter V of the UKITSEC Scheme [UKSP 01] and in [UKSP 16].
The revised certification process [UKSP 01 *] offered by the certification body since July 2005 has the following main features:
• focus on the technical aspects of IT products or systems,
• clear approvals at defined checkpoints during the evaluation cycle,
• timely contributions of the certification body,
• assessment of the evaluation scope before review of the security target,
• improved risk management service,
• faster confirmation of certification after completion of the evaluation work,
• no increase in costs for customers,
• demonstration of ITSEC and CC assurance levels including conformance with protection profiles, and
• mutually recognized certification.

7.2.5 IT Health Check

CESG provides a further specific service at IACS, the so-called “IT Health Check service”, which can be used to ensure the correct implementation of security functions in IT products, systems and networks. The IT health check service is provided directly by CESG personnel for HMG or CNI systems that process information marked as SECRET or above. The service can be provided by CESG-approved companies in the public sector for HMG or CNI systems that process less sensitive information marked as CONFIDENTIAL or below. The minimum requirements for the IT health check service are defined in the Infosec standard [ISN 01]. The IT health check service is not based on formal assurance levels, and no certificates are issued as a result of the checking procedures and activities. The outcome of an IT health check is a report that contains details about any vulnerabilities found and that recommends appropriate and effective security countermeasures.
7.2.6 Assisted Products Scheme

The UK certification body offers a specific service called “CESG's Assisted Products Scheme” (CAPS) for the assessment of IT products and systems that mainly or very significantly rely on cryptographic security measures. IT products or systems that only contain limited cryptography can be tested within the scope of FTA (see section 7.2.3). CAPS supports companies in the private sector in their development of cryptographic products intended for use by HMG and other governmental bodies. The CAPS scheme has been established for companies that are interested in commercial risk developments for the UK government. On the basis of a consultancy and advice contract these companies can get access to the knowledge, skills, experience and documentation of CESG. CAPS vendors are allowed to integrate CESG cryptographic algorithms or public domain algorithms into their products for which CESG assessment is desired. Successfully CAPS approved products and systems have an increased chance of being purchased by HMG and the UK public sector.

7.3 Commercial Evaluation Facilities

7.3.1 General Requirements

Commercial evaluation facilities have the task of carrying out the evaluations of IT security products and systems and of establishing appropriate and approved techniques and procedures. CLEFs are required to perform their tasks in accordance with policies and procedures that ensure the protection of commercially sensitive information such as designs and source code. They operate under the UKITSEC scheme by contract with CESG. The details of the requirements for the appointment and operating procedures of CLEFs are specified in the UKITSEC scheme documents [UKSP 02] and [UKSP 05] part I. CLEF appointments are either provisional appointments or full appointments.
Provisional appointments are granted to allow the execution or monitoring of evaluations in order to achieve the UKAS quality accreditation [ISO/IEC 17025]. Full appointments are granted to perform all evaluations whose related assurance levels fall into the scope of the UKAS accreditation. CLEFs have to obey the following conditions of their appointment:
• quality and management,
• security and confidentiality,
• staff qualifications and training,
• observance of the rules of the UKITSEC scheme defined by the management board,
• accreditation as a testing laboratory by the UK accreditation service UKAS in conformance with [ISO/IEC 17025],
• observance of the highest standards of commercial confidentiality,
• recognition of the status of each evaluator by the certification body, and
• scrutiny by the certification body and UKAS.

7.3.2 Accredited Commercial Evaluation Facilities

Information Technology Security Evaluation Facilities (ITSEFs) are called Commercial Evaluation Facilities (CLEFs) in the UK. The following CLEFs have been accredited by the certification body and are responsible for the testing and evaluation of IT products and systems (see also [UKSP 06]):
• Admiral Management Services Ltd,
• BT,
• CMG,
• EDS Ltd,
• IBM Global Services,
• Logica UK Ltd,
• SiVenture, and
• Syntegra.

7.3.3 CMVP Testing and Certification Laboratories

Contact information about the accredited independent laboratories in the UK that perform the NVLAP CMVP testing of cryptographic modules (BT Cryptographic Module Testing Laboratory, and Logica IT Security Laboratory) against the requirements specified in FIPS 140-1 (for backward compatibility) and FIPS 140-2 is provided in Table 65 (for links see Table 64). A list of products validated under CMVP has not been published.
7.4 Certification of Protection Profiles

UK protection profiles have to be certified according to the procedures providing compliance with the requirements specified in the Common Criteria [CC]. Protection profiles for IT products and systems that have been certified in the UK are listed in Table 34 (by LogicaCMG) and in Table 35 (by IBM Global Services).

Table 34: Protection Profiles Certified by LogicaCMG in the UK

SPONSOR | TITLE OF PROTECTION PROFILE | CERTIFICATE DATE | PP CERTIFICATE
National Institute of Standards and Technology (NIST) | Role-Based Access Control Protection Profile | 2003-07 | CC 2.0/EAL2
Oracle Corporation | Oracle Commercial DBMS Protection Profile | 1998-09 | PP001, CC 2.0/EAL3
Oracle Corporation | Oracle Government DBMS Protection Profile | 1998-10 | PP002, CC 2.0/EAL3
National Security Agency (NSA) | Controlled Access Protection Profile Version 1.d | 1998-09 | PP003, CC 2.0/EAL3
National Security Agency (NSA) | Labeled Security Protection Profile Version 1.b | 1999-10 | PP006, CC 2.0/EAL3
Association for Payment Clearing Services (APACS) | PIN Entry Device Protection Profile | 1999-10 | PP007, CC 2.0/EAL3
Oracle Corporation | Oracle DBMS Protection Profile | 2000-05 | PP008, CC 2.0/EAL4
Safelayer Communications S.A | PKI Secure Kernel Protection Profile 1.1 | 2002-04 | CC 2.0/EAL4

Table 35: Protection Profiles Certified by IBM Global Services in the UK

SPONSOR | TITLE OF PROTECTION PROFILE | CERTIFICATE DATE | PP CERTIFICATE
Authorsizor Ltd | Privilege Directed Content Protection Profile | 2001-01 | PP009, CC 2.0/EAL4

7.5 Certification of IT Products and Systems

Under the UKITSEC scheme products and systems are evaluated either against [ITSEC] or [CC] to the appropriate level of assurance, based on the claims made by the vendor for the product or system. Certification reports are available either from the product vendors or, in some cases, from the web site of the UK certification body.
The UK certification procedures are specified in the UKITSEC scheme documents [UKSP 01], [UKSP 03] and [UKSP 04]. The UK CLEFs provide evaluation services for the following areas:
• smart cards,
• communications,
• data bases,
• networking,
• operating systems, and
• PC access control.

Security products (smartcards, smartcard devices, etc.) that have been certified in the UK are listed in the following tables:
• Table 36: commercial evaluation facility Admiral,
• Table 37: commercial evaluation facility EDS,
• Table 38: commercial evaluation facility IBM Global Services,
• Table 39: commercial evaluation facility Logica, and
• Table 40: commercial evaluation facility Syntegra.

IT security products and systems that may only be made available to government departments, quasi-governmental bodies and certain UK firms in the UK are indicated in the second column by the text “CESG controlled”.

Table 36: Products Certified by the UK Commercial Evaluation Facility Admiral

DEVELOPER / SPONSOR | PRODUCT / SYSTEM | CERTIFICATE DATE
Racal Security & Payments | Racal RAMBUTAN SAFE X.25, Product Type: Communications, CESG controlled | 1994-02
Racal Security & Payments | Racal RAMBUTAN SAFE 64K Versions 1.00, 1.09 and 1.10, Product Type: Communications, CESG controlled | 1994-07
Informix Software Ltd | INFORMIX-OnLine/Secure B1 and OnLine/Secure C2 Version 5.0 Release UD7, Product Type: Database | 1995-04
BrainTree Technology Ltd | BrainTree AUDITOR Plus Version 1.4-03 revision S, Product Type: Miscellaneous | 1996-10
Argus Systems Group Inc | Argus Systems Group Release 1.2 of the B1/CMW and C2/TMW for Solaris 2.4 on Specified SPARCstation, Intel X86 and Pentium Platforms, Product Type: Operating System | 1996-12
Concurrent Computer Corporation Ltd | MAXION/OS, Version 1.2, Product Type: Operating System | 1996-12
Banyan Systems Incorporated | Banyan VINES Version 7.0, Product Type: Networking | see note
Racal Security & Payments | Racal SafeDial Version 1.27, Product Type: Communications | see note
Informix Software Ltd | INFORMIX-OnLine Dynamic Server Version 7.23, Product Type: Database | 1998-03
Hewlett Packard Ltd | HP-UX, Version 10.20, Product Type: Operating System | 1999-02
The Software Box | KILGETTY Version 1.2h, KILGETTY PLUS Version 1.2h, Product Type: PC Access Control | 1999-02
Check Point Software Technologies Ltd | Check Point FireWall-1, Version 4.0, Product Type: Networking | 1999-03
Racal Security & Payments | Datacryptor 2000 (Synchronous Line Encryptor), Product Type: Communications | 1999-07
Argus Systems Group Inc | Argus Systems Group Release 1.3 of the C2/TMW and B1/CMW for Solaris 2.4 on a range of SPARC and Intel Platforms, Product Type: Operating System | 1999-09
IBM | Remote Management Centre, Product Type: Networking | 1999-09
ICL Defence | Omega Version 7.12 Increment 19, Product Type: Communications, CESG controlled | see note

Note: for this table the source also gives the certificate numbers 94/31, 94/37, 95/46, 96/70, 96/73, 96/67, 97/79, 98/90, 98/95, P105, P107, P126, 98/89, P121, P111 and P134, the assurance levels ITSEC E1, E2 and E3, and the certificate dates 1997-04, 1998-01 and 2000-01, without a legible assignment to individual rows.

Table 37: Products Certified by the UK Commercial Evaluation Facility EDS

DEVELOPER / SPONSOR | PRODUCT / SYSTEM | CERTIFICATE DATE
Sun Microsystems Federal | Sun Solaris Version 2.4SE for a range of SPARC and Intel platforms, Product Type: Operating System | 1995-11
Microsoft Ltd | Microsoft Windows NT Workstation and Windows NT Server, Version 3.51, Product Type: Operating System | 1996-10
Bull S. A. | BEST-X/B1 (Bull Enhanced Security Technology), Version 1.1.1.9, Product Type: Operating System | 1997-04
Bull S. A. | BEST-X/C2 (Bull Enhanced Security Technology), Version 1.1.1.9, Product Type: Operating System | 1997-06
EDS Ltd | Trusted EDI on Trusted Solaris 1.2, Product Type: Miscellaneous | 1997-07-03
Oracle Corporation | Trusted Oracle7 Release 7.1.5.9.3, Product Type: Database | 1998-03
EDS Ltd | CERBERUS Guard Processor, Product Type: Communications | 1998-04
SCO | SCO UnixWare 2.1.0 on Fujitsu-ICL C530i and G550i Teamservers with consoles, Product Type: Operating System | 1999-02
The Software Box | KILGETTY PLUS NT4, Version 1.0, Product Type: PC Access Control | 1999-02
Network Associates Ltd | Gauntlet Firewall V3.01 for Windows NT, Build 113, Product Type: Networking | 1999-06
SCO | SCO CMW+ Release 3.0.1 running on Elonex PC590/1, Elonex PC575/1 and Unisys SMP 5400 workstations, Product Type: Operating System | 1999-09
Fujitsu Ltd | Safegate Version 2.0.2, Product Type: Firewall | 2000-03

Note: for this table the source also gives the certificate numbers 95/56, 96/71, 97/81, 97/83, 97/85, 98/96, 98/99, P119, P112, P127 and P131 and the assurance levels ITSEC E2, E3 and E4 and CC EAL3, without a legible assignment to individual rows.

Table 38: Products Certified by the UK Commercial Evaluation Facility IBM Global Services

DEVELOPER / SPONSOR | PRODUCT / SYSTEM | CERTIFICATE DATE
Baltimore Technologies (UK) Ltd | ED2048R3 RAMBUTAN Data Encryption Unit, Product Type: Communications, CESG controlled | 1996-04
MIS – Corporate Defence Solutions | SeNTry 2020, Product Type: PC Access Control | 1998-07
Calluna Technology Limited | HARDWALL, Version 7.01, Product Type: PC Access Control | 1999-02
Computer Associates | CA-Open INGRES and Open INGRES/Enhanced Security Release 1.1, Product Type: Communications | 1999-02
The Knowledge Group | VCS FIREWALL, Version 3.0, Product Type: Networking | 1999-03

Note: for this table the source also gives the certificate numbers 96/60, P100 and P120 and the assurance levels ITSEC E3 and CC EAL1, without a legible assignment to individual rows.

Table 39: Products Certified by the UK Commercial Evaluation Facility Logica

DEVELOPER / SPONSOR | PRODUCT / SYSTEM | CERTIFICATE DATE
International Computers Ltd (ICL) | VME Operating System with High Security Option, Version SV294, running on Series 39 Processors, Product Type: Operating System | 1994-09
International Computers Ltd (ICL) | VME Operating System with Government Security Option, Version SV294, running on Series 39 Processors, Product Type: Operating System, CESG controlled | 1994-09
Oracle Corporation | Oracle7 and Trusted Oracle7 Release 7.0.13.6, Product Type: Database | 1994-09
Sun Microsystems Federal | Sun Trusted Solaris Version 1.2 ITSEC(E) running on specified models of SPARCstations 5, 10 and 20, Product Type: Operating System | 1995-11
Netlexis Ltd | STOPLOCK V Version 2.23a, STOPLOCK V/SC Version 2.23, STOPLOCK V SCenSOS Version 2.23a, Product Type: PC Access Control | 1996-09
Sequent Computer Systems Ltd | Sequent DYNIX/ptx Unix Version 4.1 SLS and 4.1a SLS on Symmetry 5000 Systems (Models SE30 and SE70), Product Type: Operating System | 1997-02
CyberGuard Europe Ltd | CyberGuard Firewall, Version 2.2.1e, Product Type: Networking | 1997-03
Oracle Corporation | Oracle7 Release 7.2.2.4.13, Product Type: Database | 1998-02
CESG | CASM CryptServe Version 1.02, Product Type: Communications, CESG controlled | 1998-03
Sun Microsystems | Sun Solaris 2.5.1SE, Product Type: Operating System | 1998-03
Oracle Corporation | Oracle7 Release 7.2.2.4.13, Product Type: Database | 1998-09
Reflex Magnetics Limited | Disknet NT, Version 1.70, Product Type: PC Access Control | 1998-09
Sun Microsystems Federal | Sun Trusted Solaris Version 2.5.1, Product Type: Operating System | 1998-09
Oracle Corporation | Oracle7 Release 7.3.4 on NT 4.0, Product Type: Database | 1998-12
CyberGuard Europe Ltd | CyberGuard Firewall for UnixWare 4.1, Product Type: Networking | 1999-01
CyberGuard Europe Ltd | CyberGuard Firewall for Windows NT 4.1, Product Type: Networking | 1999-01
Sun Microsystems Federal | Sun Solaris 2.6SE, Product Type: Operating System | 1999-01
Storage Tek Network Systems Group | DXE Router, Product Type: Networking | 1999-02
Hitachi Data Systems | Multiple Logical Processor Facility, Version 3.3.0, Product Type: PC Access Control | 1999-03
Microsoft Ltd | Microsoft Windows NT Workstation and Windows NT Server, Version 4.0, Product Type: Operating System | 1999-03
Oracle Corporation | Trusted Oracle7 Release 7.2.3.0.4, Product Type: Database | 1999-07
Mondex International | Mondex Purse Release 2.0 on MULTOS v3 and Hitachi H8/3112 ICC, Product Type: Smartcard | 1999-08
Mondex International | MULTOS v3 on Hitachi H8/3112 ICC, Product Type: Smartcard | 1999-08
Sequent Computer Systems Ltd | Sequent DYNIX/ptx Version 4.4.2 running on Symmetry 5000 Systems and NUMA-Q 2000, Product Type: Operating System | 2000-01
Data Track Technology plc | Tracker 2650 Data Collection Unit, Product Type: Networking | 2000-03

Note: for this table the source also gives the certificate numbers 94/38, 94/39, 94/33, 95/58, 97/74, 98/94, 96/65a, 97/78, P123, 98/97, P103, P125, P104, P109, P117, P118, P101, P113, P116, P121, P129, P130, P124, P108v2 and P133 and the assurance levels ITSEC E2, E3 and E6 and CC EAL1 and EAL4+, without a legible assignment to individual rows.

Table 40: Products Certified by the UK Commercial Evaluation Facility Syntegra

DEVELOPER / SPONSOR | PRODUCT / SYSTEM | CERTIFICATE DATE
Baltimore Technologies (UK) Ltd | ED2048R RAMBUTAN Data Encryption Unit, Product Type: Communications, CESG controlled | 1994-07
Baltimore Technologies (UK) Ltd | ED600 RAMBUTAN Data Encryption Unit, Product Type: Communications, CESG controlled | 1995-02
Baltimore Technologies (UK) Ltd | ED2048RU RAMBUTAN Data Encryption Unit, Product Type: Communications, CESG controlled | 1995-03
Racal Security & Payments | Racal RAMBUTAN SAFE 2M Version 2.01, Product Type: Communications, CESG controlled | 1995-05
Baltimore Technologies (UK) Ltd | ED600RTS RAMBUTAN Synchronous Link Encryptor, Product Type: Communications, CESG controlled | 1995-09
IBM United Kingdom Ltd | IBM Processor Resource Systems Manager, Product Type: Operating System | 1995-09
Baltimore Technologies (UK) Ltd | Network Security Workstation Automated Security Management, Product Type: Communications, CESG controlled | 1997-01
Baltimore Technologies (UK) Ltd | ED8000RL RAMBUTAN LAN Interconnect IP Encryptor, Product Type: Communications, CESG controlled | 1997-12
Portcullis Computer Security Ltd | GUARDIAN ANGEL, Version 5.01D!, Product Type: Operating System, CESG controlled | 1998-01
Entrust Technologies Limited | Entrust/Admin 4.0 Entrust/Authority 4.0, Product Type: Miscellaneous | 1999-03
BorderWare Technologies Inc | BorderWare Version 6.1.1 Firewall Server, Product Type: Networking | 2000-01
Entrust Technologies Limited | Entrust 5.0, Product Type: Miscellaneous | 2000-03
NetGuard Ltd | Guardian PRO Version 5.0, Product Type: Networking | 2000-03

Note: for this table the source also gives the certificate numbers 94/36, 92/17, 95/42, 95/51, 95/55, 95/53, 97/75, 97/92, 98/93, P122, P136, P141 and P141 and the assurance levels ITSEC UKL2, E2, E3 and E4 and CC EAL3+ and EAL4, without a legible assignment to individual rows.

7.6 Maintenance Assurance and Fast Track Assessment

Products or systems under assurance maintenance or fast track assessment that may be used by more than one government department are listed publicly by IACS. The current status of these activities is given in Table 41.

Table 41: Products/Systems under Assurance Maintenance and/or Fast Track Assessment

SERVICE PROVIDER | SERVICE DESCRIPTION | EXPIRY DATE / EAL
BT | MPLS VPN | 2006-03-31, EAL2
Cable&Wireless | MPLS VPN | under maintenance assessment
Global Crossing | MPLS VPN | under maintenance assessment
Energis | MPLS VPN | 2005-10-31, EAL2
Fujitsu | MPLS VPN | 2006-06-27, EAL2

7.7 CAPS Products

Cryptographic products or systems under CAPS assessment are classified in terms of the three cryptographic protection levels baseline, enhanced and high.
CESG recommends the use of CESG approved products if they are to protect sensitive information classified as PRIVATE but below RESTRICTED. The US standard FIPS 140 has been recognized in the UK, and a first laboratory has been established and accredited. A product approved by CESG is issued a certificate including the CESG logo shown in Figure 16, which indicates its level of cryptographic protection. The results of CAPS cryptographic testing can be used for further formal ITSEC or CC evaluations.

Figure 16: CESG Logo

A list of products and systems under CAPS assessment is given in Table 42.

Table 42: CAPS Products/Systems
COMPANY | PRODUCT/SYSTEM | PROTECTION LEVEL
AEP Systems | SureWare EC20M, Product Type: communications security | BASELINE
AEP Systems | SureWare Net EC100M, Product Type: communications security | BASELINE
AEP Systems | SureWare Net ED100M, Product Type: communications security | ENHANCED
AEP Systems | SureWare Net ED20M, Product Type: communications security | ENHANCED
Barron McCann Technology Ltd | X-Kryptor Network Encryption Gateway & VPN Client, Product Type: communications security | BASELINE
BeCrypt Ltd | BeCrypt DISK Protect Baseline, Product Type: data encryption |
BeCrypt Ltd | BeCrypt DISK Protect Enhanced, Product Type: data encryption |
BeCrypt Ltd | BeCrypt PDA Protect, Product Type: data encryption |
Hewlett Packard Ltd | HP Protect Tools Authentication Services, Product Type: access control |
Hewlett Packard Ltd | Security Enhancements for Microsoft PocketPC-PocketPC(SE), Product Type: access control |
Hewlett Packard Ltd | Security Enhancements for Microsoft Windows 2000 – Windows 2000(SE), Product Type: access control |
Hewlett Packard Ltd | Security Enhancements for Microsoft Windows Server 2003 – Windows Server 2003(SE), Product Type: access control |
Hewlett Packard Ltd | Security Enhancements for Microsoft Windows XP – Windows XP(SE), Product Type: access control |
n-Crypt | n-Crypt disk TM, Product Type: data encryption |
Portcullis Computer Security Ltd | Guardian Angel version 7.0 | under cryptographic evaluation
Reflex Magnetics | Data Vault (HMH) v2.3 for MS Windows NT/2000/XP, Product Type: data encryption |
Reflex Magnetics | MailSafe | under cryptographic evaluation
Sectra Communications Ltd | Sectra Radio Blocker Pouch, Product Type: miscellaneous | none
SELEX Communications Ltd | Dial Thru Crypto, Product Type: communications security | BASELINE
Serco Technology, marketed by Hewlett Packard | KILGETTY 2K, Product Type: data encryption |
Stonewood Electronics Limited | FlagStone Baseline/Baseline Plus, Product Type: data encryption |
Stonewood Electronics Ltd | FlagStone Enhanced, Product Type: data encryption |
Thales e-Security | Crypto Manager, Product Type: communications security | BASELINE
Thales e-Security | Crypto Manager, Product Type: communications security | ENHANCED
Thales e-Security | Datacryptor 2000, Product Type: communications security | BASELINE
Thales e-Security | Datacryptor 2000, Product Type: communications security | ENHANCED
Thales e-Security | Datacryptor Model 3, under cryptographic evaluation | HIGH GRADE SECRET
Thales e-Security | Datacryptor® AP, Product Type: communications security | BASELINE
Thales e-Security | Datacryptor® AP, Product Type: communications security | ENHANCED
Thales e-Security | Guardisk, Product Type: data encryption |
Thales e-Security | Safe Dial+, Product Type: communications security |
Thales e-Security | SGSS, Product Type: communications security |
TRL Technology Ltd | IP CATAPAN, under cryptographic evaluation |
W L Gore and Associates Ltd | Tamper Respondent Technology, Product Type: misc. |
Protection level entries of this table whose row assignment was lost in extraction: BASELINE, BASELINE, ENHANCED, none.

8 Evaluation and Certification of Protection Profiles and IT Products in Other European Countries

8.1 Italy
8.1.1 Evaluation and Certification Bodies
OCSI (see section 4.6.1.4) is the institution responsible for the evaluation and certification of IT products and systems in Italy.
8.1.2 Information Technology Security Evaluation Facilities
ITSEFs are called “Laboratori per la Valutazione della Sicurezza” (LVS) in Italy. Up to now the following LVSs, which are responsible for the testing and evaluation of IT products and systems, have been accredited by OCSI:
• Consorzio R.E.S.: via dell’Industria 4, 00040 Pomezia,
• IMQ/LPS: via Quintiliano 43, 20138 Milano, and
• Proge-Sec: via Mentore Maggini 50, 00143 Roma.
8.1.3 Certification of Smartcard Protection Profiles, IT Systems and Products
Currently information on the evaluation and certification of smartcard protection profiles, IT products and systems in Italy is not available.

8.2 Netherlands
8.2.1 Evaluation and Certification Bodies
TNO, OPTA and ECP.NL (see section 4.6.2.5) are the organizations responsible for the evaluation and certification of IT products and systems in the Netherlands.
8.2.2 Information Technology Security Evaluation Facilities
Currently there are no accredited testing and evaluation facilities in the Netherlands, with the exception of TNO, which has been accredited by the German accreditation body BSI.
8.2.3 Certification of Smartcard Protection Profiles, IT Systems and Products
Currently information on the certification of smartcard protection profiles, IT products and systems is not available for the Netherlands.
8.3 Spain
8.3.1 Evaluation and Certification Bodies
CCN (see section 4.6.3.4) is the institution responsible for the evaluation and certification of IT products and systems in Spain.
8.3.2 Information Technology Security Evaluation Facilities
The following laboratories, which have been accredited by CCN, are responsible for the testing and evaluation of IT products and systems:
• CESTI-INTA (ITSEC E3, CC EAL4), and
• LGAI (under accreditation, CC EAL4).
8.3.3 Certification of Smartcard Protection Profiles, IT Systems and Products
Currently information on the certification of smartcard protection profiles and IT systems is not available for Spain. IT security products that have been certified by CESTI-INTA are shown in Table 43.

Table 43: Certified IT Products that have been Evaluated by the Spanish Evaluation Facility CESTI-INTA
DEVELOPER / SPONSOR | PRODUCT / SYSTEM | CERTIFICATE (date, number, evaluation level)
Safelayer Secure Communications S.A. | KEY ONE 2.1, Public Key Infrastructure Software Solution | 2005-03-11, 2004-1-INF-25 v1, CC EAL 4+
Safelayer Secure Communications S.A. | KEY ONE 3.0, Public Key Infrastructure Software Solution | 2006-01-20, 2004-2-INF-65 v1, CC EAL 4+
Microelectrónica Española S.A. | Tarjeta Electrónica del Ministerio de Defensa TEMD 1.0 (secure signature creation device) | 2006-01-19, 2004-3-INF-71 v1, CC EAL 4+

IT security products that are under evaluation in Spain are shown in Table 44.

Table 44: IT Products that are under Evaluation in Spain
DEVELOPER / SPONSOR | PRODUCT / SYSTEM | STANDARD / EVALUATION LEVEL
FNMT | e-DNI 1.0 (secure signature creation device) | CC EAL 4+
Secuware | Secuware Security Framework (SSF) 4.1.0 | CC EAL 4+
Datatech Sistemas Digitales Avanzados S.L. | Crypto Token USB | CC EAL 3

8.4 Sweden
8.4.1 Evaluation and Certification Bodies
SWEDAC and PTS (see section 4.6.4.5) are the organizations responsible for the evaluation and certification of IT products and systems in Sweden.
8.4.2 Information Technology Security Evaluation Facilities
Currently there are no certified testing and evaluation facilities in Sweden.
8.4.3 Certification of Smartcard Protection Profiles, IT Systems and Products
Currently information on the certification of smartcard protection profiles, IT products and systems is not available for Sweden.

9 Government Procurement
Government procurement is of major importance for all countries in order to improve the conditions of their national markets, and of the international markets, for the purchase of goods, technologies and services by governmental bodies. This chapter provides an overview of the legislation on procurement and of the current status of activities and programs for electronic procurement in the European Union (see section 9.2), Germany (see section 9.3), France (see section 9.4), the United Kingdom (see section 9.5), Italy (see section 9.6.1), the Netherlands (see section 9.6.2), Spain (see section 9.6.3) and Sweden (see section 9.6.4). The national legislation in these countries intends to gradually adopt the European directive on procurement procedures of entities operating in the financial, water, energy, transport and postal services sectors [EC DIR PPO].
9.1 General Aspects of Electronic Procurement
E-procurement requires practices and activities in the following four categories:
• organizational support, in order to assist administrations in developing national e-procurement programs,
• procedural rules to be followed during all phases of e-procurement,
• technical support for the design and realization of e-procurement systems that comply with national or European legislation on electronic procurement, and
• operational support for contracting authorities.
These measures are required in order to enable
• equality of treatment, which means that all tenderers receive the same information at the same time,
• confidentiality, such that the contracting partners keep sensitive information confidential,
• security, by using technologies that ensure the secure communication and storage of information,
• effectiveness of system operation, in order to improve the conditions for the users,
• interoperability, by using electronic technologies based on international standards in order to avoid discriminatory technologies that could restrict free access to the procurement procedures, and
• general availability, by using technologies that are widely available on the market at reasonable cost and that use adequate mechanisms to ensure the continuous operation of the procurement system.
E-procurement systems cover procedures for individual contracts, repetitive purchasing and electronic auctions. The process of electronic procurement can be broken down into a set of disjoint phases with characteristic events, as illustrated in Figure 17.

Figure 17: Life Cycle of Electronic Procurement

9.2 European Union
The European Union has recently undertaken several activities in order to improve and align the European legislation on procurement issues.
This section gives an overview of the initiatives, the new regulations and directives on public procurement, electronic public procurement and public procurement for public private partnerships. A list of relevant European case studies, regulations and directives on public procurement is given in Table 45.

Table 45: Public Procurement Studies, Regulations and Directives
DOCUMENT | TITLE | DATE
92/13/EEC | Council Directive coordinating the laws, regulations and administrative provisions relating to the application of Community rules on the procurement procedures of entities operating in the water, energy, transport and telecommunications sectors | 1992-02-25
93/38/EEC | Council Directive coordinating the procurement procedures of entities operating in the water, energy, transport and telecommunications sectors | 1993-06-14
98/4/EC | Directive amending Directive 93/38/EEC coordinating the procurement procedures of entities operating in the water, energy, transport and telecommunications sectors | 1998-02-16
2001/78/EC | Directive on the standard forms in the publication of public contract notices | 2001-09-13
EC No. 2151/2003 | Regulation amending Regulation EC 2195/2002 of the European Parliament and of the Council on the Common Procurement Vocabulary (CPV) | 2003-12-16
 | A report on the functioning of public procurement markets in the EU: benefits from the application of EU directives and challenges for the future | 2004-02-03
2004/17/EC | Directive coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sectors | 2004-04-30
2004/18/EC | Directive on the coordination of procedures for the award of public work contracts, public supply contracts and public service contracts | 2004-04-30
COMM(2004) 327 | Commission of the European Communities, Green Paper on Public-Private Partnerships and Community Law on Public Contracts and Concessions | 2004-04-30
 | State of the Art Report – Case Studies on European Electronic Public Procurement Projects | 2004-07
EC No. 1874/2004 | Commission Regulation amending Directives 2004/17/EC and 2004/18/EC of the European Parliament and of the Council in respect of their application thresholds for the procedures for the award of contracts | 2004-10-28
2004/51/EC | Decision on the detailed rules for the application of the procedures provided for in article 30 of Directive 2004/17/EC coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sectors | 2005-01-07
2004/51/EC | Directive amending annex XX to Directive 2004/17/EC and annex VIII to 2004/18/EC on public procurement | 2005-09-07
EC No. 1564/2005 | Regulation establishing standard forms for the publication of notices in the framework of public procurement procedures pursuant to Directives 2004/17/EC and 2004/18/EC | 2005-09-07
COMM(2005) 569 | Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Public-Private Partnerships and Community Law on Public Procurement and Concessions | 2005-11-15

9.2.1 International Activities
The WTO Committee on Government Procurement approved the required modifications of its “Government Procurement Agreement” (GPA) in May 2004, which since then extends the GPA to the new EU member states.

9.2.2 Public Procurement Initiatives
In December 2003 the Council and the European Parliament reached an agreement on proposed directives on the coordination of
• procedures for the award of public supply contracts, public service contracts and public works contracts [EC DIR PCO],
• procurement procedures of entities operating in the water, energy, transport and postal services sectors [EC DIR PPO], and on
• an amending regulation on the Common Procurement Vocabulary (CPV).
In January 2005 the Council and the European Parliament took a decision on the detailed rules for the application of the procedures provided for in article 30 of EU Directive 2004/17/EC coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sectors. The member states are required to implement the European directives into their national laws by January 2006.
The new European procurement regulations contain the following three new optional procurement procedures:
• Competitive Dialogue: This procedure is to be used by the procurer for complex orders for which it is objectively not able to fully specify the technical means, the legal requirements or the financial conditions of the undertaking. In these cases the procurer can develop negotiated solutions in bilateral discussions with enterprises prior to the tendering process, for which the enterprises can then submit a binding offer.
• Dynamic Procurement System: This procedure can be described as a fully electronic department store in which the procurement offices admit a set of bidders for particular goods or groups of goods, with whom they can conclude contracts.
• Electronic Auction: This procedure, also known as reverse auction, is a repetitive procedure during which the offers, after a first complete evaluation, can be modified and improved within a predefined time frame or a predefined number of auction phases. This kind of controlled descending auction is useful for standard products where the price is the key criterion for awarding.
The new European procurement regulations have also increased the monetary threshold values for construction works and services. The CPV provides a Europe-wide standardization of the description of the subjects of tenders, each of which is assigned a unique code number.

9.2.3 Electronic Public Procurement Initiatives
Electronic procurement is considered by the EU as a key sector of the EU economy, for which the EU has provided the legal framework in its related directives (see Table 45). The European Commission specified the requirements related to the legal aspects of electronic procurement within the new directives on public procurement [EC DIR PCO] and [EC DIR PPO] in March 2004.
The goal of these directives is to provide the legal framework to support electronic procurement procedures, especially for the awarding of electronic contracts and for electronic purchasing techniques. The explanatory directive also provides comprehensive guidance for
• member states, in order to adopt the directive into national laws, and for
• contracting authorities, in order to implement them.
Preceding activities in the area of electronic public procurement were the report “Functioning of Public Procurement Markets in the EU: Benefits from the Application of EU Directives and Challenges for the Future” [EC REP PP] and the study “Case Studies on European Electronic Public Procurement Projects” [EC REP EPP], both prepared on behalf of the Commission. In January 2005 the European Commission issued an action plan for electronic procurement based on the results of these preceding e-procurement activities. The action plan outlines how the member states can implement the e-procurement aspects of the new directives on public procurement. It also supports the member states in developing and/or adopting national e-procurement products and services within three years (2005-2007). In this context the Commission specified in July 2005 the requirements for conducting public procurement using electronic means in conformance with the new directives [EC DIR PCO] and [EC DIR PPO].

9.2.4 Public Procurement and Public Private Partnerships Initiatives
9.2.4.1 General Aspects
Public private partnerships (PPPs) are seen by the European Union as forms of cooperation between public authorities and the business sector which aim to carry out infrastructure projects or to provide services to the public sector. These PPP activities normally involve complex legal frameworks and financial arrangements.
Private partners and public authorities need to cooperate in different areas of the public sector, and these arrangements are widely used in the EU, e.g. in transport, public health, public safety, waste management and water distribution. A specific kind of PPP is the institutionalized PPP (IPPP), a public-service undertaking jointly held by a public and a private partner.

9.2.4.2 History of Legislation
Under Community law there was no specific legal system governing the many different possible forms of PPPs. Contracts for these partnerships signed by public authorities with private companies are not covered by the EC Treaty rules on the single market. They could be subject to the detailed provisions of the directives on public procurement, while concessions were not covered. The legal framework was the subject of more or less intensive Community coordination at several levels.
9.2.4.3 Green Paper Initiative
The first EU initiative, identified by the Commission in its internal market strategy for 2003-2006, was the production of the “Green Paper” document [EC GP PPP], which addresses various topics of the public procurement aspects of PPPs, in particular:
• information about the applicability of the rules and principles of Community law on public contracts and concessions for the case that a private partner has been selected,
• a set of questions intended to find out more about how these rules and principles work in practice,
• the framework for the procedures for selecting a private partner,
• the setting up of PPPs on the initiative of the private sector,
• the contractual framework and contract amendments during the life of a PPP,
• subcontracting,
• PPPs created on the basis of purely contractual links ("contractual PPPs"), and
• arrangements involving the joint participation of a public partner and a private partner in a mixed-capital legal entity (IPPPs).

9.2.4.4 Consultation Initiative
The second EU initiative was the PPP Green Paper consultation, during which the EU collected comments from all interested parties (July 2004). Both the European Economic and Social Committee and the Committee of the Regions adopted opinions on the PPP Green Paper. The following two main results were achieved:
• strong support by the participating members for an EU initiative on concessions (which are currently not subject to the detailed EU public procurement rules) in order to clarify the term “concessions” and the rules that apply to their award, and
• many questions on how EU rules should apply to the selection of private partners in IPPPs.
9.2.4.5 Green Paper Adoption Initiative
The third EU initiative, based on the contributions received, was the clarification of the EU rules on PPPs in the communication document [EC COM PPP] (November 2005), including
• the adaptation of the Green Paper,
• the support of policy options to address problems related to Community legislation on public procurement, i.e. options for effective competition among PPPs and for flexibility in the design of innovative and complex programs,
• the clarification of contractual aspects:
− PPPs that can be qualified as "public contracts" under the directives coordinating procedures for the award of public contracts must comply with the detailed provisions of these directives [EC DIR PCO] and [EC DIR PPO],
− PPPs qualifying as "works concessions" are covered only by a few scattered provisions of secondary legislation, and
− PPPs qualifying as "service concessions" are not covered by the "public contracts" directives at all, and
• all contracts in which a public body awards work involving an economic activity to a third party, whether covered by secondary legislation or not, must be examined in the light of the rules and principles of the EC Treaty, in particular transparency, equal treatment, proportionality and mutual recognition.

9.2.4.6 Future Steps
The EU has started an initiative “interpretative communication on IPPPs” in order to clarify to what extent Community law applies to the attribution of tasks to public bodies, and which forms of cooperation remain outside the scope of the internal market provisions. This interpretative communication should be published during 2006.

9.2.5 Banking Sector
The European Association of Public Banks (EAPB), founded in May 2000, combines the interests of public or publicly owned banks, development banks and funding agencies at the European level, of professional organizations, and of the general public.
The members of EAPB are financial institutions, funding agencies, public banks and associations of public banks. EAPB supports direct cross-border cooperation and networking among public sector banks in Europe. EAPB itself is a member of the European Banking Industry Committee (EBIC), through which the European banking associations represent their interests collectively towards the European institutions. EAPB is in charge of the following topics:
• banking and banking supervision law,
• capital markets and securities law,
• accounting and company law,
• consumer affairs,
• taxation,
• payment systems,
• civil law,
• European regional policy and structural funds,
• state aid and competition,
• European enterprise policy, and
• general services.
The progress of financial market integration through the ongoing harmonization (including all relevant banking issues) of the European financial markets is driven not only by the European Commission but also by the EAPB committees for the areas of securities, banking and insurance supervision. More information about important topics can be found in the annual EAPB reports [EAPB AR].
9.3 Germany
9.3.1 Laws and Ordinances for Procurement
The current German legislation on procurement includes the following laws and ordinances, which specify the requirements for public authorities related to the procurement of goods, construction works and services:
• the law against restraints of competition ([GWB], Gesetz gegen WettbewerbsBeschränkungen), whose fourth part provides the procedural requirements,
• the amendment of the law against restraints of competition ([GWB *], Gesetz gegen WettbewerbsBeschränkungen),
• the awarding ordinance ([VgV], VergabeVerordnung),
• the amendment of the awarding ordinance ([VgV *], VergabeVerordnung),
• the concretization ordinance for products and services ([VOL], VerdingungsOrdnung für Leistungen),
• the concretization ordinance for freelance services ([VOF], VerdingungsOrdnung für Freiberufliche Leistungen), and
• the awarding and contracting ordinance for public construction works ([VOB], Vergabe- und VertragsOrdnung für Bauleistungen).
The GWB awarding law is only relevant for awarding procedures above a particular monetary threshold specified in §2 of VgV. It distinguishes the following types of awarding:
• the public awarding procedure, with the invitation of an unrestricted number of suppliers to offer their tenders,
• the non-public awarding procedure, with an invitation for participation to an unrestricted number of suppliers, followed by the invitation of a selected subset of the participating suppliers to offer their tenders, and
• the freelance awarding procedure, which is either based on a public invitation or proceeds without a public invitation, and during which contracts are negotiated with the selected enterprises.
In principle the public awarding procedure has to be performed. Exceptions are only allowed in those cases that are explicitly provided for by the awarding law.
Awarding procedures below the monetary threshold of the awarding law are not subject to the GWB and are instead regulated by administrative regulations of the federal states. The electronic awarding procedure is regulated in §15 of VgV as an option for organizations that issue calls for tenders. Currently the German legislation on public procurement aims to draft a law and an ordinance that simplify the legislation in this area and make it more efficient by eliminating bureaucratic barriers, based on the decision on the key points of May 2004. The aim of the amendment of the ordinance on public procurement is to make public procurement more transparent, investment- and application-friendly and less vulnerable to corruption. The current complexity and unmanageable structure of the legislation on public orders and the large number of regulations to be applied hinder the understanding and acceptance of the law on public orders. The German federal government intends to implement the new and revised European directives on public orders (see Table 45, and especially [EC DIR PCO] and [EC DIR PPO]), including the three new optional European procurement procedures (competitive dialogue, dynamic procurement system and electronic auction). Meanwhile the new European “competitive dialogue” has been adopted into German procurement law (§101 of GWB and §6a of VgV). A further recently started initiative of the government is the adaptation of the law against restraints of competition (GWB) with respect to public private partnerships. The current status of the adoption of the new European directives on procurement into German law is reflected in the amendment law [GWB *] and in the amendment ordinance [VgV *]. Above the threshold figures laid down in European law, in future only one uniform ordinance will apply to tenders for public orders, instead of the present three ordinances.
Below the thresholds certain regulations in the ordinance on public orders will also apply to the supplies and services segment through the budget law, so that the contents of the regulations will be nearly the same as in the first case. For construction orders below the EU threshold the ordinance on public orders and contracts for building will be retained in a reduced form as a separate set of regulations.

The transparency requirements in the ordinance on public orders will be strengthened considerably. A register of unreliable companies will also be set up to provide public authorities with information on which companies have already been excluded from public orders due to corruption and similar misbehavior. The new electronic procedures envisaged in procurement will increase the possibilities for faster, less costly and thus more effective processing of public orders.

The federal government has also proposed the introduction of a pre-qualification procedure for public construction orders in Germany. So far companies had to present a large number of references with every application for a public construction order. In future this will be replaced by a single pre-qualification that is valid for a limited period and covers the suitability requirements for a company. Once all the necessary proof has been given, the pre-qualified companies will be listed in a register that is generally available for inspection.

The German legislation on federal electronic procurement requires that offers must be encrypted and signed in compliance with the German signature law [SigG]. In addition, the compliance of German procurement regulations with the European directive on electronic commerce has to be achieved.
9.3.2 Contractual Conditions for the Procurement of IT Services

The coordination and consulting office of the federal government for information technology in the federal administrations (KBSt, Koordinierungs- und BeratungsStelle der Bundesregierung für Informationstechnik in der Bundesverwaltung) was established by the Federal Ministry of the Interior in 1968. In the context of procurement the KBSt is responsible for providing the framework for particular contractual conditions related to the procurement of IT services and projects.

Contractual framework conditions for the federal administrations have been specified in the “Particular Contractual Conditions” (BVB, Besondere VertragsBedingungen), which are currently being successively replaced by the new “Supplementing Contractual Conditions for the Procurement of Information Technology” (EVBIT, Ergänzende Vertragsbedingungen für die Beschaffung von InformationsTechnik). EVBIT can be used as a set of suitable contract forms in the federal administrations and in the private economy. The following types of contracts have been introduced:
• sale of hardware,
• maintenance of hardware,
• services,
• sale of standard software,
• leasing of standard software,
• maintenance of standard software, and
• maintenance of individual software.

9.3.3 Programs and Initiatives Related to Electronic Procurement

The German Federal Government took a decision in December 2002 which requires that all federal authorities have to use e-tendering (“e-Vergabe” in German) and the one-stop e-government shop (“Kaufhaus des Bundes” in German). The deadline for the implementation of this policy is the end of 2005. It represents the implementation of the new European procurement procedure “dynamic procurement system” into the German procurement legislation.
A first piloting project of electronic procurement had already been started in May 2002. The Federal Ministry of Economics and Labor initiated and sponsored the e-government project e-Procurement, whose aim was the development of an internet platform for federal procurement. E-Procurement is one of the most important projects within BundOnline 2005 (see section 4.4.2). The federal government, the federal states and the municipalities spend about 260 billion € per year for procurement purposes. The aim of e-Procurement is to reduce the administrative procurement efforts by 10 per cent.

The German Procurement Agency (Beschaffungsamt) of the Ministry of the Interior is responsible for the technical realization of the standard contracting terms for products and services (VOL) and freelance services (VOF). The German Procurement Agency finished its “Public Purch@sing Online” project within the BundOnline 2005 government initiative at the end of 2002. Other federal authorities, the federal states and the municipalities have made use of the services provided by “Public Purch@sing Online” since 2003, including:

• The tendering module DOMEA with
− system coverage for individual contracts,
− coverage of the e-procurement phases e-tendering and e-awarding,
− support for government procurement officers,
− workflow system including document and operations management,
− public advertisement of contract notices on a central internet platform in the form of a public invitation that corresponds to the open procedure at the EU level,
− support for the management of large contracts by multi-step public invitation and call for tender procedures,
− support for selective invitation that corresponds to the restricted procedure at the EU level, and
− support for discretionary awarding that corresponds to the negotiated procedure at the EU level.
• The e-tendering service with
− system coverage for individual contracts,
− coverage of the e-procurement phase e-notification,
− multi-client solution for many awarding authorities,
− internet platform including web and application servers which the customer authorities from the public sector and the participants from the private sector can use for communication,
− provision of information for the tendering process via databases that are connected to web and application servers,
− advertisement of contract notices on a central internet platform,
− provision of information about investment plans of the federal authorities,
− dispatching of companies’ offers to the respective contracting authorities,
− exclusive use of Adobe Acrobat version 5.0 or 6.0 for the tendering process,
− storage and transfer of documents in PDF format,
− legally binding procurement transactions,
− compliance with all relevant legal contracting regulations,
− secure and confidential submission of offers,
− tender evaluation and return of contract confirmations,
− transparency of the tendering process, in particular permanent access to the decisions of contract awarding,
− compliance with national and European procurement legislation,
− free-of-charge offer assistant for suppliers,
− tender opening assistant for ensuring the correct and fair evaluation of offers,
− online procurement assistant for procurement officers that supports them in performing all procedural operations electronically, and
− e-learning program that provides explanations and guidance for suppliers about the e-tendering system.
• The one-stop e-government shop (virtual market place) with
− system coverage for individual contracts,
− coverage of the e-procurement phases e-ordering and e-invoicing,
− benefits for the federal administrations and the business sector,
− processing of orders in four phases including login of registered users, selection of goods or services from the electronic catalogue, electronic approval of the order request, and automated submission of the approved order to the supplier,
− provision of an internal public sector electronic catalogue,
− provision of a framework agreement with suppliers,
− registration of users of the government shop,
− secure and confidential transactions,
− registration and storing of details of orders, and
− communication with the e-tendering system of the procurement agency if an item cannot be found in the shop.

The Federal Office for Building and Regional Planning (BMVBW, BundesMinisterium für Verkehr- und Bau- und Wohnungswesen) is responsible for the technical realization of the standard contracting terms for public construction works (VOB). It is also connected to the e-tendering platform. Detailed information about the e-tendering process can be found in the guidance for e-tendering (“Leitfaden e-Vergabe”) [GET].
Meanwhile there exist a number of further procurement platforms, for example:
• ava-online: an awarding platform for notification, tendering and awarding of construction works and services in Germany and in Europe that also allows the participation of private authorities,
• bi-online: a platform for public tenders in the area of construction works, logistics and services in Germany, Europe and world-wide,
• Medienpool (media pool): a notification and tender platform for public and private authorities, as well as for enterprises as applicants,
• my-con AG: a procurement platform for work and other services, products and devices for the public and private construction industry,
• Subreport ELVIS™: a uniform electronic tendering platform covering notification, tendering and awarding, or
• workXL: a platform for public, commercial and private tenders.

9.3.4 Aspects of Conformity Assessment of Security Products

Many application areas in the public sector, in the industry and in the governmental organizations require the procurement and use of IT products and systems that have been successfully evaluated and certified. This mainly refers to IT products and systems that will be used in the framework of the German Electronic Signature Law. IT products and systems that are used by governmental bodies for the exchange and processing of confidential matter require an evaluation and certification by the BSI certification body. Applicants for such types of IT products or systems can only be governmental personnel.

All parties involved in electronic procurement are required to use evaluated and certified signature cards and card readers, and to use qualified X.509 certificates that have been issued by accredited trust centers.
9.3.5 Procurement in the Financial Sector

9.3.5.1 Government Activities and Legislation in the Financial Sector

With its Agenda 2010, the German government launched the “2006 financial market promotion plan” in 2003. The goal of this plan is the further development of the financial markets, including the following laws and measures:
• law on securities acquisitions and takeovers (2002),
• restructuring of the federal bank (Bundesbank),
• creation of the federal financial supervisory authority (BaFin, Bundesanstalt für Finanzdienstleistungsaufsicht) as a private-law entity under the Ministry of Finance that is responsible for ensuring the proper functioning, stability and integrity of the entire financial system in Germany,
• law on transparency and disclosure requirements, implementing an internationally accepted corporate governance code,
• financial market promotion law,
• investment modernization law,
• securities prospectus law (2005),
• law implementing the European Directive on the supervision of complex financial conglomerates comprising banking, securities and insurance entities (2005), and
• the law to promote small undertakings and to improve corporate financing (2003).

9.3.5.2 Banking Activities

The German banking industry can be grouped into the following three types of banking business:
• private commercial banks,
• cooperative banks, and
• public sector banks.

The activities of banks related to procurement include the following main topics:
• consolidation of the legal framework related to the European security markets,
• integration of the financial markets in the European Union,
• public private partnership as a chance for the modernization of the infrastructure and administration,
• improvement of regulations and financial positions, and
• market integration and improvement of market access.
The “Zentraler KreditAusschuss” (ZKA, central credit committee) is a joint committee of the following five leading German banking associations:
• Bundesverband der Deutschen Volksbanken und Raiffeisenbanken e. V. (BVR, central organization of the cooperative banking group),
• Bundesverband deutscher Banken e. V. (BdB, association of German banks),
• BundesVerband Öffentlicher Banken Deutschlands e. V. (VÖB, association of German public sector banks),
• Deutscher Sparkassen- und GiroVerband e. V. (DSGV, German savings bank association), and
• Verband deutscher Pfandbriefbanken e. V. (VdP, association of German Pfandbrief banks).

The ZKA is an organization that is responsible for important technical issues of the banking sector. A main goal of the ZKA is to achieve a common consensus on legal, political and technical questions, including smart card technology, through cooperation between its associated members. Permanent working groups of the ZKA are the central committee on competition, the tax working group, and the board on bancomats. The positions of the ZKA are decided by consensus and represent the common standpoints of the associations towards the legislating organizations, the government, administrations, and banking and financial institutions at the national and European level. With respect to the harmonization of payment transactions in the European market the ZKA sees the problem of over-regulation in this area.

The credit services sector offers technological support for enterprises operating in the health-care sector for the generation and deployment of the electronic health card. The intention of the ZKA is to augment its technical specification of the chip card platform, which is used within the credit services sector, in order to comply with the requirements of the electronic health card.
The new card will cope with the additional requirements of international payment systems, of the federal network agency related to signature applications, as well as of public transport enterprises.

Further information about procurement issues of financial organizations can be found in the following documents:
• European Security Markets [EU SMLF],
• Banking Survey [BASU],
• Continuing the Integration of European Markets for Financial Services [IEMFS],
• Improving Market Access for German Banks Worldwide, German Banking Association [IMAGBW],
• Financial Services Policy 2005-2010 [FSP], and
• EAPB Annual Report 2004-2005 [EAPB AR].

The main consensus of the banks with respect to government procurement can be characterized by the following statements. Public administrations should focus on their main tasks and make efficient use of their limited financial resources. They should demonstrate how they can use private capital and know-how for the procurement and deployment of public infrastructures. In this context the banking sector sees an important approach in PPPs in order to realize public investments and to modernize the state. The banks themselves are in the role of collecting and mediating private capital for public investments.

PPP allows a broad spectrum of forms of cooperation that extend over the whole project life cycle, including planning, installation, operation and exploitation. The banking sector considers three organizational models and also hybrid forms for procurement. In the operational model the public administration leaves the operation of an establishment to a private organization that is responsible for financing, construction and operation. The sovereignty for the fulfillment of the public task for the citizens remains with the public administration.
The financing includes payment of fees by citizens to the PPP service provider, and of fees of the public administrations to the operating company. In the concession model the service provider has the right to receive the complete payments directly from the users. In the cooperation model the public administration and the private company establish a common enterprise with a private legal form. The main characteristics and advantages of PPP models are:
• consideration of the complete project life cycle,
• risk minimization between public administration and private companies, and
• service-oriented payments.

The decision of administrations to prefer PPP instead of conventional approaches is also subject to the framework conditions of budget law, and the PPP solution must be at least as economically efficient as the conventional realization. Nationally accepted economic criteria for comparison assessment do currently not exist in Germany but are in preparation. The realization of PPP is principally possible in all sectors of public infrastructures, including the transport, energy, water, and building sectors. The competences of banks related to PPP include the following activities:
• financing of projects,
• creation of feasibility studies,
• consulting on PPP projects,
• realization of comparison assessments,
• realization and control of PPP projects,
• search for investors and service providers, and
• realization of privatization.

The federal government and the public banks have supported the broad application of PPP in Germany since 2004. The Federal Ministry of Transport, Building and Regional Planning (BMVBW) and the association of German public sector banks VÖB intend to remove critical bottlenecks for the broad distribution of PPP in Germany. The common aim is the mobilization of the required capital as the most important pre-condition for the effectiveness of PPP.
9.3.6 Procurement in the Water, Energy, Transport and Postal Services Sectors

The German legislation has been amended (and will further be amended) in order to adopt the European directive on procurement procedures for entities that operate in the water, energy, transport and postal services sectors [EC DIR PPO]. The following entities are contracting organizations:
• sector of transport or distribution of gas or heat, and sector of production, transport or distribution of electricity:
− local authorities, public law bodies, associations of public law bodies, or state-controlled enterprises under the national law on supply of electricity and gas.
• sector of production, transport or distribution of water:
− entities under the law of the federal states,
− entities under the laws on municipal joint efforts, or the laws on federal states cooperation,
− entities under the law of water and ground associations,
− publicly-owned companies under municipal laws, and
− enterprises under the German stock companies law, the GmbH law, or with the status of a limited partnership on the basis of special contracts with local or regional authorities.
• sector of rail services:
− Deutsche Bahn AG, and
− other enterprises under the general law on railways.
• sector of urban railway, tramway, trolleybus or bus services:
− authorized undertakings under the law on transport of persons.
• sector of exploration for and extraction of gas, oil, coal and other solid fuels:
− enterprises under the law on mining.
• sector of maritime, inland port or other terminal facilities:
− seaports owned by federal states, regions, or municipalities, and
− inland ports under the port ordinance and the laws of the federal states on water.
• sector of airport installations including airports:
− under the ordinance on air traffic permission.

The BNetzA is the supervisory authority for these sectors. Ordinances related to the electricity, gas, telecommunications, postal and railway laws are published in its official gazette.
The legal sources concerning electricity, gas, telecommunications and post are provided by the Federal Ministry of Economics and Labor (BMWA). The legal sources concerning the railway sector are provided by the Federal Ministry of Transport, Building and Regional Planning (BMVBW).

Energy Sector

The German energy law (July 2005) reflects a transition from negotiated to regulated network access. It implements the European directives on the internal markets in electricity and natural gas into national legislation. An example of an association operating in the gas and water sectors is the “Deutsche Vereinigung des Gas- und Wasserfaches e.V.” (DVGW, German Technical and Scientific Association for Gas and Water). The DVGW is of main importance for the German industry self-regulation in the gas and water supply industry. It defines technical rules for national and European standards that aim to provide the security and availability of water and energy in high quality.

Postal Sector

The German postal law extended competition to other parts of the market and provides the scope for a fully liberalized market from the beginning of 2003. Postal services are provided in Germany as private sector services by Deutsche Post AG (DPAG) and other private operators (everyone has the right to offer postal services in the market).

Telecommunications

The liberalization of the telecommunications market is the central task of German regulation in this sector.

Railway Sector

The Federal Network Agency BNetzA is in charge of monitoring rail competition and is responsible for ensuring non-discriminatory access to railway infrastructures due to the amendment of the “Allgemeines EisenbahnGesetz” (AEG, general railway law, April 2005).
Supervision in railway regulation is the task of the Federal Ministry of Transport, Building and Urban Development (BMVBS). The main goal of the Deutsche Bahn AG (DBAG, German Railway Association) and of German politics is to get more traffic onto the rail by an appropriate realignment of both the fiscal and regulatory framework for the transport market. The federal cabinet adopted the Federal Transport Infrastructure Plan (FTIP) in 2003 as a framework investment plan and a planning tool. The amended railway infrastructure upgrading law (July 2004) specifies the requirement plans for the federal railway infrastructure. Within the framework of a joint European transport policy, regulations have been approved to open up the railway transport markets in order to ensure the interoperability of high-speed and conventional rail systems, and to provide access to the network. These national and European processes still need to be completed.

Transport Sector

The Federal Ministry of Transport, Building and Urban Development (BMVBS) is the most important department for investments of the federal government, with responsibility for transport and building infrastructures. The BMVBW established the PPP Task Force with representatives from politics, service providers and industry in 2005. It has also started a set of research studies and programs in the transport sector, e.g. the research programs on city traffic or on federal major roads. The FTIP and the trunk road upgrading laws (July 2004) specify the requirement plans for the federal trunk roads. The FTIP describes procedures for the macroeconomic evaluation of investment measures under consideration for transport infrastructure as a basis for PPP. The German government issued several PPP projects in 2005 related to improvement measures for highways.
Building Sector

In the building construction and underground engineering sectors the German government plans to improve the legal framework conditions for PPP, to increase the number of PPP projects and to support the work of the existing PPP task force. The main goal is the development of uniform contract structures and the introduction of commonly accepted economic criteria for comparison assessment. A further government activity in this area was the creation of a procedure for the pre-qualification of construction companies in public procurement and a seal of approval in January 2006. In accordance with this procedure companies can undergo a voluntary approval of their competence at the beginning of every year. A list of approved companies will be published on the Internet, which is also accessible by all public building authorities.

Study on the Dissemination of Public Private Partnership

The BMVS and the German institute for Urbanity performed a project study on the dissemination of PPP in the government administrations, federal administrations and in the municipalities between 2001 and 2005. The main results of this study can be summarized as follows:
• PPP infrastructure projects have been established nationwide in Germany,
• meanwhile more than 300 PPP projects currently exist, with about 80 % municipality projects,
• the number of PPP contracts doubled in 2004 and 2005 compared with 2001 to 2004, and
• the main reason for the increase of PPP projects is the expectation of the project groups to achieve efficiency profits and accelerated project handling.

9.4 Government Procurement in France

9.4.1 Legislation on Procurement

In France the so-called “new code for the public procurement” (NCMP) came into force in 2002.
The French Ministry of Finance announced the establishment of a central purchasing body to assist contracting authorities in purchasing electronically under centrally arranged framework contracts. NCMP requires that all contracting authorities must be able to process electronic tenders since January 2005. NCMP supports the following four categories of procedures for contract awarding:
• call for tenders by open or restricted procedures,
• competition with or without notification by negotiated procedure,
• simplified competitive dialogue, and
• contracts with prior formalities.

9.4.2 Legal Aspects and Conformity Assessment Related to Procurement

In France the security certification is a voluntary action by a manufacturer or a private or public body to demonstrate that a product that it is developing or using is trustworthy. The approach taken is comparable to the ISO 9000 quality approach, with the advantage of proven quality. However, security certification is not obligatory in France. On the other hand, certification of products is an official process in France as regulated by the decree no 2002-253 (see Table 15). Therefore there may be mandatory conditions that have to be met prior to obtaining a contract or prior to responding to an invitation to tender.

9.4.3 Electronic Procurement Activities and Systems

The state-of-the-art report “Case Studies on European Electronic Public Procurement Projects” [EC REP EPP] also provides useful information on French activities related to electronic procurement. In this context e-procurement in the French Ministry of Defense has been examined.
The main results of the evaluation of its e-procurement platform “Defense Public Service Marketplace” (DPSM) can be summarized as follows:
• system coverage for individual contracts, repetitive purchasing and e-auction,
• coverage of the e-procurement phases with DPSM for e-notification and e-tendering, DPMS e-auctions for e-auctions and DPMS e-catalog for e-ordering,
• use of electronic messages to automate publication in the official journal of the European Union,
• offer of multiple methods of registration,
• matching supplier profiles to business opportunities,
• mechanisms for encrypting and locking submitted tenders,
• mechanisms for allowing suppliers to update their tenders before the expiration of the e-tendering phase,
• use of GUIs to assist suppliers during the tender submission phase,
• provision of electronic forms for the submission of tenders by suppliers,
• automatic processing and evaluation of tenders,
• support for the opening of tenders in different phases, where each phase focuses on a different document type (proof documents, technical offer, financial offer, etc.),
• transformation of non-price criteria into monetary values,
• use of Secure Socket Layer (SSL) for ensuring a minimum level of communication security,
• secure communication between e-procurement and external systems,
• limited use of electronic signatures only for critical activities,
• safe storage of system logs,
• virus check of tenders upon submission,
• support for multilingualism and parameterization of the application,
• support of all widely used electronic document standards,
• workflow management for assisting the preparation of call documents,
• organization of training events for suppliers,
• definition of the security level with the technology providers,
• implementation of a two-phase submission process (hash of electronically signed tender documents, complete tender documents), and
• the allowance for downloading of submitted and encrypted tenders prior to the e-tendering
deadline.

The new e-procurement platform “marches-publics.gouv.fr” became operational in 2005. It has been commercialized by the inter-ministerial service Union des Groupements d'Achats Publics (UGAP, union of the public buying associations) and offers public sector organizations electronic tender and electronic bid services. This service can also be used by local authorities.

9.4.4 Procurement in Financial Organizations

The French committee for banking organization and standardization (CFONB, Comité Français d'Organisation et de Normalisation Bancaires) has adopted the electronic signature framework policy of ADAE (see section 4.3.5) for the banking sector. Citizens and businesses thus have the possibility to use the certificates issued by the banks for secure access to e-banking as well as to e-government services.

9.4.5 Procurement in the Water, Energy, Transport and Postal Services Sectors

The legislation in France intends to gradually adopt the European directive on procurement procedures for entities that operate in the water, energy, transport and postal services sectors [EC DIR PPO]. The following entities are contracting organizations:
• sector of transport or distribution of gas or heat:
− Société nationale des gaz du Sud-Ouest (gas),
− Gaz de France (gas),
− entities under the national law on electricity and gas (gas),
− Compagnie française du méthane (gas), and
− local authorities or associations of local authorities (heat).
• sector of production, transport or distribution of electricity:
− Électricité de France,
− entities under the national law on electricity and gas, and
− Compagnie nationale du Rhône.
• sector of production, transport or distribution of water:
− regional or local authorities, and
− public organizations.
• sector of rail services:
− Société nationale des chemins de fer français, and
− Réseau ferré de France.
• sector of urban railway, tramway, trolleybus or bus services:
− entities under the national law on transport,
− Régie autonome des transports parisiens,
− Société nationale des chemins de fer français, and
− Réseau ferré de France.
• sector of postal services:
− La Poste.
• sector of exploration for and extraction of gas or oil:
− entities under the national law on mining.
• sector of exploration for and extraction of coal and other solid fuels:
− entities under the national law on mining.
• sector of maritime, inland port or other terminal facilities:
− Port autonome de Paris,
− Port autonome de Strasbourg,
− Ports autonomes under the sea ports law, and
− Ports non autonomes under the sea ports law.
• sector of airport installations, including airports operated
− by state-owned companies under national law,
− on the basis of government concessions under national law, and
− airports established by a public authority under the national law.

The regulatory authority for communications and postal services in France is the Autorité de Régulation des Communications électroniques et des Postes (ARCEP). The regulatory authority for energy services in France is the Commission de Régulation de l’Energie (CRE, Regulatory Authority for Energy).

A new legal framework for PPP was issued by the French government in June 2004 through its PPP ordinance. This ordinance has been a strong impetus for the growth in the French PPP market. More than 35 major government projects have been launched under the new legislation in 2005. Further major railway projects are planned for the year 2006. The new legislation will also facilitate the development of PPP projects in the defense, education, local government, health and transport sectors.
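The two-phase submission process listed for the DPSM platform in section 9.4.3 (hash of the electronically signed tender first, complete tender documents after the deadline) and the German requirement in section 9.3.1 that offers be signed are illustrated below in an added example; it is not code from the study or from any of the platforms described. The supplier seals its signed tender by committing to its SHA-256 hash before the deadline, and the awarding authority accepts the full documents afterwards only if they reproduce the committed hash. The TenderBox class, the deadline and the supplier data are constructed for this example, and an HMAC with a key assumed to have been registered by the supplier stands in for the qualified signature-card signature that the platforms actually verify.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample values (not from the study): a hypothetical tender
# deadline and one supplier's verification key, assumed to have been
# registered with the awarding authority when the supplier registered.
DEADLINE = datetime(2006, 2, 28, 12, 0, tzinfo=timezone.utc)
SUPPLIER_KEYS = {"supplier-A": b"demo-key-for-supplier-A"}


def sign_tender(document: bytes, key: bytes) -> bytes:
    """Stand-in for the supplier's electronic signature (HMAC-SHA256).

    A real platform verifies a signature created with the supplier's
    signature card against a qualified X.509 certificate; HMAC with a
    registered key is used here only so the example runs with the
    standard library.
    """
    return hmac.new(key, document, hashlib.sha256).digest()


def tender_digest(document: bytes, signature: bytes) -> str:
    """Phase-1 value: SHA-256 over the signed tender (document and signature)."""
    return hashlib.sha256(document + signature).hexdigest()


class TenderBox:
    """Two-phase sealed submission: commit the hash before the deadline,
    deliver the full documents afterwards."""

    def __init__(self, deadline: datetime) -> None:
        self.deadline = deadline
        self.commitments: dict[str, tuple[str, datetime]] = {}
        self.opened: dict[str, bytes] = {}

    def commit(self, supplier: str, digest: str, now: datetime) -> bool:
        """Phase 1. Suppliers may replace their commitment until the deadline."""
        if now > self.deadline:
            return False
        self.commitments[supplier] = (digest, now)
        return True

    def reveal(self, supplier: str, document: bytes, signature: bytes,
               now: datetime) -> str:
        """Phase 2. Accept the full tender only if it matches the sealed hash."""
        if now <= self.deadline:
            return "rejected: deadline not yet passed"
        if supplier not in self.commitments:
            return "rejected: no commitment on record"
        key = SUPPLIER_KEYS.get(supplier)
        if key is None or not hmac.compare_digest(sign_tender(document, key), signature):
            return "rejected: signature invalid"
        committed, _ = self.commitments[supplier]
        if not hmac.compare_digest(tender_digest(document, signature), committed):
            return "rejected: tender differs from sealed commitment"
        self.opened[supplier] = document
        return "accepted"


def run_scenario() -> dict[str, str]:
    """Honest submission, a post-deadline alteration, an early reveal, a late bidder."""
    box = TenderBox(DEADLINE)
    before = DEADLINE - timedelta(hours=1)
    after = DEADLINE + timedelta(hours=1)
    key = SUPPLIER_KEYS["supplier-A"]

    # Honest supplier: signs, commits the hash before the deadline, reveals after.
    doc = b"Tender for 500 certified card readers: 120,000 EUR"
    sig = sign_tender(doc, key)
    box.commit("supplier-A", tender_digest(doc, sig), before)
    honest = box.reveal("supplier-A", doc, sig, after)

    # The same supplier tries to submit a cheaper tender once the deadline has passed.
    altered = b"Tender for 500 certified card readers: 110,000 EUR"
    altered_result = box.reveal("supplier-A", altered, sign_tender(altered, key), after)

    # A reveal attempted before the deadline is refused, so the box stays sealed.
    early = box.reveal("supplier-A", doc, sig, before)

    # A bidder who never committed cannot slip a tender in afterwards.
    late = box.commit("supplier-B", tender_digest(doc, sig), after)

    return {"honest": honest, "altered": altered_result, "early": early,
            "late_commit": str(late)}


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case}: {outcome}")
```

The hash commitment is what makes the tender binding at the deadline without disclosing its content to the authority or to competitors, which is why the platforms can allow suppliers to update their tenders until the deadline yet refuse any change afterwards.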
The new law allows the French Government to use private financing to realize public projects. The PPP ordinance provides the partnership contract form, which enables the public sector to contract with the private sector for the financing, construction, maintenance and operation or management of facilities required for public services. The ordinance requires that the public sector is only allowed to use the new procedure if it can justify the specific technical, functional or economic characteristics of the planned facility or service by means of a comparative analysis of the realization options.

9.5 Government Procurement in the United Kingdom

9.5.1 Legal Aspects and Conformity Assessment Related to Procurement

The Office of Government Commerce (OGC), which was established in 1999 as an independent office of the Treasury, was primarily in charge of developing rules, guidelines and standards for electronic procurement in the UK. The main activities of OGC include the following tasks:
• the development of the government market in the UK for local and foreign suppliers,
• the definition of guidelines and the establishment of standards from existing e-procurement practices, in order to achieve e-procurement platforms for the public sector that respect the principles of equal treatment and openness,
• the provision of effective IT services for the support of contracting authorities, and
• the assistance to public administrations in the development of e-procurement systems compliant with UK procurement legislation.

Mutual recognition agreements and memoranda of understanding regulate the use of foreign certificates for the procurement of IT products and systems in the UK. However, each of these documents contains a clause stating that certificates issued by other countries will not necessarily be recognized in cases where UK national security is at stake.
Therefore UK departments and bodies that want to purchase foreign certified IT products or systems of this class are advised to consult CESG. Successfully CAPS-approved products and systems have an increased chance of purchase by HMG and the UK public sector. In the UK the sale of CAPS-approved cryptographic products and systems is subject to approval by CESG. There is a legal requirement that cryptographic products and systems only go to appropriate recipients, and that the implementation of the required cryptographic functionality complies with the technical requirements.

Procurement guidance for UK government project managers related to security components, and especially to smartcard technology, is given in the CESG document “Applied Security Technologies – Security Standards for Smartcards” [AST-SSS]. This document also specifies procurement requirements for the approval of cryptographic and smart card products for the following standard areas:
− government mutually recognized and published standards, for which third-party evaluation based on ITSEC and CC is required,
− FIPS 140, which can deliver third-party evaluation of symmetric public-domain cryptography against the published criteria, or approval of UK cryptography in commercial products by CAPS,
− the ITSO (Integrated Transport Smartcard Organization) security subsystem specification for point-of-service terminals and for the authenticated exchange between smartcard and terminal, or terminal and back office,
− ETSI security standards, and
− EMV (Europay International, MasterCard International, Visa International) integrated circuit security specifications, accredited laboratories and type approval procedures.

Finally, government departments may use protection profiles to state the level of security of IT products and systems they expect from their suppliers and contractors.
9.5.2 Electronic Procurement Activities and Systems

In the UK the initiative “e-procurement Strategy” was launched in October 2002. In Scotland a similar initiative called Electronic Procurement Scotland (ePS) was launched in 2001. The state of the art report “Case Studies on European Electronic Public Procurement Projects” [EC REP EPP] also provides useful information on UK activities related to electronic procurement. In this context e-procurement in the Office of Government Commerce (OGC, UK) and in the Dynamic Trade Centre (DTC, UK-Scotland) has been examined. The main results of the evaluated systems can be summarized as follows:

UK Systems
• “5 e-auction services” with system coverage for e-auction and coverage of the e-procurement phase e-awarding, including
  − offer of multiple methods of registration,
  − use of secure socket layer (SSL) for ensuring a minimum level of communication security,
  − support of all widely used electronic document standards, and
  − definition of security level with the technology providers.
• “e-sourcing services (in progress)” with system coverage for individual contracts and coverage of the e-procurement phases e-notification, e-tendering, and e-awarding, including
  − use of electronic messages to automate publication in the Official Journal of the European Union,
  − short message service notification as an alerting mechanism,
  − offer of multiple methods of registration,
  − use of secure socket layer for ensuring a minimum level of communication security,
  − support of all widely used electronic document standards, and
  − definition of security level with the technology providers.
UK-Scotland Systems
• DTC with system coverage for individual contracts and coverage of the e-procurement phases e-notification and e-tendering, including
  − secure notification using email,
  − moderated question and answer session to ensure confidentiality,
  − pre-qualification questionnaire for short-listing suppliers,
  − mechanisms for allowing suppliers to update their tenders before the expiration of the e-tendering phase,
  − offer of multiple methods of registration,
  − allowance for suppliers to perform e-procurement activities offline,
  − use of secure socket layer for ensuring a minimum level of communication security,
  − support of all widely used electronic document standards,
  − provision of legal support to contracting authorities,
  − provision of consultancy services to contracting authorities,
  − definition of security level with the technology providers, and
  − methods for dealing with volume capacity problems around the deadline of the submission phase.
• PECOS with system coverage for repetitive purchasing and coverage of the e-procurement phases e-ordering and e-invoicing, including
  − offer of multiple methods of registration,
  − use of secure socket layer for ensuring a minimum level of communication security,
  − support of all widely used electronic document standards, and
  − definition of security level with the technology providers.

Meanwhile OGC has developed procurement solutions for the central civil government and the public sector (for the link see Table 64).

9.5.3 Procurement in the Financial Sectors

The British Bankers' Association (BBA) is the principal trade association for banks operating in the UK and a leading representative body in the financial services sector. The BBA covers a wide variety of European and international issues, the operation of international capital markets, and involvement in UK legislation.
The following main trade associations have launched a joint industry-driven program for the implementation and simplification of the UK “Markets in Financial Instruments Directive” (MiFID, 2005):
• the Association of Private Client Investment Managers and Stockbrokers (APCIMS),
• the British Bankers' Association (BBA),
• the Futures and Options Association (FOA), and
• the International Capital Market Association (ICMA).

The Financial Services Authority (FSA) has been established as an independent non-governmental body with legal powers by the financial services and markets law (2000). FSA is responsible for the MiFID policy and its legal implementation in the UK. The MiFID IT Joint Working Group (APCIMS, BBA, FOA and ICMA) has developed a work program for defining an industrial approach towards implementing MiFID, including the development of a set of industry guidelines and documentation as support for companies regarding MiFID implementation.

In the context of PPP the banks in the UK apply accepted economic criteria for comparative assessment by means of a public sector comparator (PSC) with components for investment, financing, maintenance, operational, transaction and risk costs. The cash value of the cash flow of the PPP variant is compared with the costs of conventional realization.

9.5.4 Procurement in the Water, Energy, Transport and Postal Services Sectors

The legislation in the UK will be gradually amended in order to adopt the European directive on procurement procedures for entities that operate in the water, energy, transport and postal services sectors [EC DIR PPO].
The following entities are contracting organizations:
• sector of transport or distribution of gas or heat:
  − public gas transporters under the gas law,
  − persons declared as undertakers for the supply of gas under the gas law,
  − local authorities,
  − persons licensed under the electricity law, and
  − the Northern Ireland Housing Executive.
• sector of production, transport or distribution of electricity:
  − persons licensed under the electricity law, and
  − persons licensed under the electricity ordinance of Northern Ireland.
• sector of production, transport or distribution of water:
  − companies with appointments as water undertakers under the water industry law,
  − water and sewerage authorities established under the local government law, and
  − the Northern Ireland Department for Regional Development.
• sector of rail services:
  − Railtrack plc,
  − Eurotunnel plc,
  − Northern Ireland Transport Holding Company, and
  − Northern Ireland Railways Company Limited.
• sector of urban railway, tramway, trolleybus or bus services:
  − London Regional Transport,
  − London Underground Limited,
  − Transport for London,
  − subsidiaries of Transport for London under the Greater London Authority law,
  − Strathclyde Passenger Transport Executive,
  − Greater Manchester Passenger Transport Executive,
  − Tyne and Wear Passenger Transport Executive,
  − Brighton Borough Council,
  − South Yorkshire Passenger Transport Executive,
  − South Yorkshire Supertram Limited,
  − Blackpool Transport Services Limited,
  − Conwy County Borough Council,
  − persons providing London local services under the Greater London Authority law,
  − Northern Ireland Transport Holding Company, and
  − persons holding road service licenses under the Northern Ireland transport law.
• sector of exploration for and extraction of gas or oil:
  − persons licensed under the petroleum law, and
  − persons licensed under the Northern Ireland petroleum law.
• sector of exploration for and extraction of coal and other solid fuels:
  − licensed operators under the coal industry law,
  − the Northern Ireland Department of Enterprise, Trade and Investment, and
  − persons operating by virtue of licenses under the Northern Ireland mineral development law.
• sector of maritime, inland port or other terminal facilities:
  − local authorities,
  − harbor authorities under the harbors law,
  − the British Waterways Board, and
  − harbor authorities under the Northern Ireland harbors law.
• sector of airport installations, including airports operated by
  − local authorities,
  − airport operators under the airports law, and
  − airport operators under the Northern Ireland airports ordinance.

The regulatory authority for gas and electricity markets in the United Kingdom is the Office of Gas and Electricity Markets (OFGEM). The regulatory authority for communications in the United Kingdom is the Office of COMmunications (OFCOM). The regulatory authority for postal services in the United Kingdom is the Postal Services Commission (POSTCOMM). The regulatory authority for radio communications in the United Kingdom is the Radiocommunications Agency.

New requirements related to issues of financing and PPPs for the transport and railway sector have been specified within the financial framework (2003) of the “Strategic Rail Authority” (SRA). This financial framework was based on the transport law of 2000. SRA itself was in charge of legal aspects of the transport sector in the UK until 2005, and especially of the development of a community rail strategy. SRA has launched several PPP pilot projects in the transport sector.
Since 2005 the UK government “Department for Transport” (DfT) has been responsible for the control and delivery of reliable, safe and secure transport systems to individuals and businesses. Its main task is the further development of the strategy and policy for the transport sector, and the organization of the relationships with the delivery agencies and public private partnership groups. A new DfT procurement portal is operational that provides information to suppliers about purchasing arrangements and contacts. The community rail development strategy is being implemented by local communities, about 40 community PPPs, and the rail industry in order to prove different aspects of the strategy.

9.6 Government Procurement in Other European Countries

9.6.1 Italy

A government decree on e-procurement, published in April 2002, has specified requirements on the criteria and procedures for the use of electronic means by public administrations in the acquisition of goods and services, including rules for communication, storage of data, e-auctions, e-catalogues and marketplaces. The Italian Ministry of Economy and Finance started an e-procurement program in 2000 that aimed to reduce the total public costs for goods and services. The governmental e-procurement program was organized and executed by CONSIP (a company owned by the ministry) within its department “Acquisti in Rete” (AiR, purchases on the Net) for e-procurement. AiR represents the Italian contact point for the public sector e-procurement market place. The platform facilitates the use of three main tools for public e-procurement: electronic shops, reverse online auctions, and the marketplace. Furthermore, the platform provides information on e-procurement activities as well as newsletters, best practice cases and a community on e-procurement. The system can be used by central as well as local administrations.
CONSIP developed solutions in order to achieve the following main goals:
• provision of better services for buyers and suppliers,
• improvement of the visibility and accountability of public sector contracts,
• reinforcement of the government's efforts to satisfy the goals of e-Europe, and
• reduction of transaction costs through standardization.

More information about e-procurement in Italy can be found in the documents “The Use of E-Procurement to Rationalize the Expenditure of Public Administrations” [CONSIP CS], “Innovation in E-Procurement: The Italian Experience” [IBM REP], and at the MIT web site (see section 9.6.1).

CNIPA and the Associazione Bancaria Italiana (ABI, Italian Banking Association) signed an agreement in June 2004 on the use of NSCs (see section 4.6.1.3) for the e-payment of taxes and government services. Field trials are performed in Bologna and Verona with the aim of extending the e-payment system in subsequent steps to the whole country.

The regulatory authority for energy services in Italy is the Autorità per l’Energia Elettrica e il Gas (AEEG). The regulatory authority for communication in Italy is the Autorità per le Garanzie nelle COMunicazioni (AGCOM).

9.6.2 Netherlands

The use of electronic means in the public procurement process is not currently regulated by Dutch legislation. Implementation of the new EU Directives on public procurement (2004/17/EC and 2004/18/EC), including their e-procurement provisions, is expected to take place in 2005. Currently there is no e-procurement infrastructure for the public sector in the Netherlands.
With respect to the implementation of the new EU Directives on public procurement, the government is developing a strategy for the introduction of electronic public procurement that should be operational within a timeframe of 10 years. E-procurement was supported by the industrial EP.NL project with respect to standardization and information provision. In this area the TELematics INstitute (TELIN) produced a set of guidelines for the implementation of electronic catalogue and ordering systems for technical materials.

The regulatory authority for energy services in the Netherlands is the Dienst uitvoering en Toezicht Energie (DTE). The regulatory authority for communication and postal services in the Netherlands is the Onafhankelijke Post en Telecommunicatie Autoriteit (OPTA).

9.6.3 Spain

The ministerial order of April 2005 regulates the use of electronic means in the procurement process of central administrations. It represents a modification of the law on public administration contracts of 2000 and of the general regulation of public administration contracts of 2001, and it implements the European e-procurement directives on public procurement. The ministry of economy and finance is responsible for public procurement. The centralized procurement system in Spain, which was developed by and is operated by a sub-directorate of the ministry of economy and finance, provides access to catalogues of generic products and services used by multiple public bodies. The system can be used by central, regional and local administrations to purchase online from any computer with login and advanced e-signature. Currently about 2200 public institutions have access to this system, which also enables businesses to respond to tenders online.
The government program SIMPLIFICA (2004-2007) is aiming at the simplification and rationalization of public management, with key projects including the development of electronic procurement. The regulatory authority for energy services in Spain is the Comisión Nacional de Energía (CNE). The regulatory authority for communication in Spain is the Comisión del Mercado de las Telecomunicaciones (CMT).

9.6.4 Sweden

The Swedish public procurement law, adopted in 1992 and regularly amended, specifies requirements on the use of electronic means in the public procurement process, including rules for electronic communication, storage of data and the use of security means such as electronic signatures. A new public procurement law is currently in preparation that shall also comply with the European public procurement directives (2004/17/EC and 2004/18/EC). The new law is expected to come into force in 2006. All governmental, regional and local public authorities have to comply with the procurement regulations, which are controlled by the “Nämnden för Offentlig Upphandling” (NOU, national board for public procurement). The Swedish government does not provide and operate a central electronic public procurement portal. This service is left to private operators, e.g. Opic and Ajour.

A public procurement information portal is maintained by the Swedish agency for public management that provides information on tenders and tender procedures for suppliers and authorities in the governmental, regional and local area. Public procurement in Sweden is subject to framework agreements between public buyers and a large number of suppliers on specific conditions and negotiated pricing policies and terms.
The Swedish e-procurement system “InternetHandelsSystem” (IHS, internet procurement system) was launched by “Kammarkollegiet” (legal, financial and administrative services agency) with a pilot in 2002 and has been gradually expanded since that year. The agencies involved in procurement have access to purchasing products via the Internet. The system provides access to the databases of the suppliers and a direct transfer of invoices from the suppliers to the financial systems. The IHS services are provided through a dedicated portal, “avropa.nu”. Small and medium sized companies are supported by the “Gemenskapen för Elektroniska Affärer” (GEA, Swedish alliance for electronic commerce) in order to implement electronic business applications and to join the national e-procurement system.

The regulatory authority for communications and postal services in Sweden is the Post- och TeleStyrelsen (PTS). The regulatory authority for energy services in Sweden is the STatens EnergiMyndighet (STEM, Swedish Energy Agency). The Swedish Energy Agency supervises network companies in accordance with electricity regulations and also supervises the natural gas market. International collaboration takes place in several forums, for example within the EU.
10 References

[AER 05] Annual Economic Report for 2005, Federal Ministry of Economics and Labor, Germany
[AGR-P-01] France: SGDN/DCSSI/SDR: Licensing of Evaluation Facilities, January 2004
[AIS 20] Funktionalitätsklassen und Evaluationsmethodologie für deterministische Zufallszahlengeneratoren (functionality classes and evaluation methodology for deterministic random number generators), Version 1, 2.12.99, with mathematical appendix (Version 2.0, 2.12.99), http://www.bsi.bund.de/zertifiz/zert/interpr/aisitsec.htm
[AIS 31] Funktionalitätsklassen und Evaluationsmethodologie für physikalische Zufallszahlengeneratoren (functionality classes and evaluation methodology for physical random number generators), Version 1, 25.9.2001, with mathematical appendix (Version 3.1, 25.09.2001), http://www.bsi.bund.de/zertifiz/zert/interpr/aisitsec.htm
[ANSI X9.62] ANSI X9.62-1998: Public Key Cryptography for the Financial Service Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), 1998
[AR-CCC] Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security, May 2005
[AST-SSS] Applied Security Technologies – Security Standards for Smartcards, CESG, December 2003
[BASU] Banking Survey, German Banking Association, May 2004
[BMI PRO] Proclamation of the Ministry of Interior, September 2000
[BS 7799] BSI Distributed Compliance Software for BS ISO 17799
[BSI 7125] BSI Certification – Description of the Procedure
[BSI 7148] BSI Certification – German IT Security Certificates
[BSI CO] Bundesgesetzblatt (Federal Law Gazette) I p. 1230: Ordinance on the Procedure for Issuance of a Certificate by the Bundesamt für Sicherheit in der Informationstechnik (BSI-Zertifizierungsverordnung, BSI-ZertV), July 1992
[BSI CPC] BSI Certification and BSI Product Confirmation, BSI, Germany, August 2004
[BSI G] Bundesgesetzblatt (Federal Law Gazette) I p. 2834: Act setting up the Bundesamt für Sicherheit in der Informationstechnik (BSI-Errichtungsgesetz), December 1990
[BSI PP] Procedure for the Issuance of a PP Certificate by the BSI
[BSI SoC] Bundesgesetzblatt (Federal Law Gazette) I p. 1838: Schedule of Cost for Official Procedures of the Bundesamt für Sicherheit in der Informationstechnik (BSI-Kostenverordnung, BSI-KostV), October 1992
[CC MRA] SOG-IS Arrangement on the Mutual Recognition of Common Criteria Certificates in the Field of Information Technology Security, 1999
[CC] Common Criteria for Information Technology Security Evaluation, Version 2.1, identical with ISO/IEC 15408, August 1999
[CCN-MQ-01] France: SGDN/DCSSI/SDR: Quality Manual of the Certification Body, Version 1.0, January 2004
[CEM] Common Methodology for Information Technology Security Evaluation, Part 1, Version 0.6, January 1999; Part 2, Version 1.0, August 1999
[CER-F-01] France: Application Form for Certification
[CER-P-01] France: SGDN/DCSSI/SDR: Certification of the Security Provided by IT Products and Systems, February 2004
[COBRA] CoBrA Recommendations to the eEurope Advisory Group: “eGovernment beyond 2005 – Modern and Innovative Public Administrations in the 2020 Horizon”, September 2004
[CONSIP CS] CONSIP Case Study: The Use of E-Procurement to Rationalize the Expenditure of Public Administrations, 2002
[CPP-P-01] France: SGDN/DCSSI/SDR: Certification of Protection Profiles, January 2004
[CWA 14167] Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures, June 2003
[CWA 14169] Secure Signature Creation Devices EAL 4+, March 2004
[CWA 14170] Security Requirements for Signature Creation Applications, May 2004
[CWA 14172] EESSI Conformity Assessment Guidance, March 2004
[CWA 14890] Application Interface for Smart Cards Used as Secure Signature Creation Devices, May 2004
[DOC-P-01] France: Procedure for Creation and Management of Documents
[EAPB AR] European Association of Public Banks: Annual Report 2004-2005, 2006
[EC CD PP] Council Directive 98/4/EC amending Directive 93/38/EEC coordinating the procurement procedures of entities operating in the water, energy, transport and telecommunications sectors, February 1998
[EC CO PP] Council Directive 93/38/EEC coordinating the procurement procedures of entities operating in the water, energy, transport and telecommunications sectors, June 1993
[EC COM PPP] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Public-Private Partnerships and Community Law on Public Procurement and Concessions, November 2005
[EC DIR AM] Commission Regulation (EC) No. 1874/2004 amending Directives 2004/17/EC and 2004/18/EC of the European Parliament and of the Council in respect of their application thresholds for the procedures for the award of contracts, October 2004
[EC DIR ES] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community Framework for Electronic Signatures, December 1999
[EC DIR PCO] Directive 2004/18/EC of the European Parliament and of the Council on the coordination of procedures for the award of public works contracts, public supply contracts and public service contracts, March 2004
[EC DIR PP] Council Directive 92/13/EEC coordinating the laws, regulations and administrative provisions relating to the application of Community rules on the procurement procedures of entities operating in the water, energy, transport and telecommunications sectors, February 1992
[EC DIR PPO] Directive 2004/17/EC of the European Parliament and of the Council coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sectors, March 2004
[EC DIR SSCD] EC Decision 2000/709/EC of the European Commission relating to national bodies designated as responsible for the conformity assessments of secure signature creation devices, November 2000
[EC GP PPP] Commission of the European Communities: Green Paper on Public-Private Partnerships and Community Law on Public Contracts and Concessions, March 2004
[EC REP EPP] State of the Art Report – Case Studies on European Electronic Public Procurement Projects, July 2004
[EC REP PP] A report on the functioning of public procurement markets in the EU: benefits from the application of EU directives and challenges for the future, February 2004
[EC SEC] Council resolution on a common approach and specific actions in the area of network and information security, January 2002
[E-FORM] Bundesgesetzblatt (Federal Law Gazette) No. I, p. 3322: Third Law Amending the Administrative Procedural Requirements, August 2002
[EN 45011] General Requirements for Bodies Operating Product Certification Systems, 1998
[ETSI TS 101 456] Policy requirements for certification authorities issuing qualified certificates, May 2005
[ETSI TS 102 042] Policy requirements for certification authorities issuing public key certificates, June 2005
[EU SMLF] European Securities Markets – Consolidation of the Legal Framework, German Banking Association, January 2006
[FIPS 140-1 IG] NIST: Implementation Guidance for FIPS PUB 140-1 and the Cryptographic Module Validation Program, last update January 2002
[FIPS 140-1] NIST: Security Requirements for Cryptographic Modules
[FIPS 140-2 DTR] NIST: Derived Test Requirements for FIPS PUB 140-2, March 2004
[FIPS 140-2 IG] NIST: Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program, initial release March 2003
[FIPS 140-2] NIST: Security Requirements for Cryptographic Modules, May 2005
[FIPS 180-2] NIST: FIPS Publication 180-2: Secure Hash Standard (SHS), August 2002
[FIPS 186-2] NIST: FIPS Publication 186-2: Digital Signature Standard (DSS), January 2000, and Change Notice 1, October 2001
[FSP] Financial Services Policy 2005-2010, German Banking Association, July 2005
[GET] Federal Ministry of Economics and Labor: Leitfaden e-Vergabe (Guidelines for e-tendering), Germany
[GITSC] German IT Security Certificates, BSI, Germany, August 2005
[GWB *] Amendment of the Law Against Restraints of Competition (Gesetz gegen WettbewerbsBeschränkungen), March 2005, Germany
[GWB] Law Against Restraints of Competition (Änderung des Gesetzes gegen WettbewerbsBeschränkungen), February 2002, Germany
[HMG 01] HMG Infosec Standard No 1: Assurance Requirements for IT Systems, CESG Publications Department
[HMG 02] HMG Infosec Standard No 2: Accreditation Documents for IT Systems, CESG Publications Department
[IBM REP] Mita Marra, IBM Centre for the Business of Government: Innovation in E-Procurement: The Italian Experience, November 2004
[IC HEM] Integrated Circuit Hardware Evaluation Methodology – Vulnerability Assessment, Version 1.3, April 1999
[IEEE P1363] Standard Specification for Public Key Cryptography, 2000
[IEMFS] Continuing the Integration of European Markets for Financial Services, German Banking Association, March 2004
[IMAGBW] Improving Market Access for German Banks Worldwide, German Banking Association, December 2005
[IPA 05] SIT Fraunhofer Study for IPA on “Electronic Signature Laws and PKI Projects in European Union and Germany”, February 2005
[ISIS] Industrial Signature Interoperability Specification ISIS, Version 1.2, December 1999, T7 i.Gr.
[ISIS-MTT CC] T7&TeleTrusT Specification: Common ISIS-MailTrusT Specifications for Interoperable PKI Applications – Common Criteria, July 2003
[ISIS-MTT SPEC] T7&TeleTrusT Specification: Common ISIS-MailTrusT Specifications for Interoperable PKI Applications – Specification, March 2004
[ISIS-MTT TCON] T7&TeleTrusT Specification: Common ISIS-MailTrusT Specifications for Interoperable PKI Applications – Test Concept, February 2002
[ISIS-MTT TSPEC] T7&TeleTrusT Specification: Common ISIS-MailTrusT Specifications for Interoperable PKI Applications – Test Specification, March 2004
[ISN 01] Infosec Standard Number 1, Infosec Assurance and Certification Services
[ISO/IEC 10118-3] (FDIS) Information technology – Security techniques – Hash functions – Part 3: Dedicated hash functions, 2004
[ISO/IEC 14888-3] Information technology – Security techniques – Digital signatures with appendix – Part 3: Certificate-based mechanisms, 1999
[ISO/IEC 15408] Information technology – Security techniques – Evaluation criteria for IT security, identical to [CC], 1999
[ISO/IEC 15946-2] Information technology – Security techniques – Cryptographic techniques based on elliptic curves – Part 2: Digital signatures, 2002
[ISO/IEC 15946-4] (FDIS) Information technology – Security techniques – Cryptographic techniques based on elliptic curves – Part 4: Digital signatures giving message recovery, 2004
[ISO/IEC 17000] Conformity Assessment – Vocabulary and General Principles, 2004
[ISO/IEC 17011] Conformity Assessment – General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies, 2004
[ISO/IEC 17020] General Criteria for Various Types of Bodies Performing Inspection, 2004
[ISO/IEC 17024] Conformity Assessment – General Requirements for Bodies Operating Certification of Persons, 2003
[ISO/IEC 17025] General Requirements for the Competence of Testing and Calibration Laboratories, 2005
[ISO/IEC 17040] Conformity Assessment – General Requirements for Peer Assessment of Conformity Assessment Bodies and Accreditation Bodies, 2005
[ISO/IEC 17050] Conformity Assessment – Supplier’s Declaration of Conformity, Part 1: General Requirements, Part 2: Supporting Documentation, 2004
[ISO/IEC 19790] (FDIS) Information technology – Security techniques – Security Requirements for Cryptographic Modules, 2006
[ISO/IEC 9796-3] Information technology – Security techniques – Digital signature schemes giving message recovery – Part 3: Discrete logarithm based mechanisms, 2000
[ISO/IEC G65] ISO/IEC Guide 65: General Requirements for Bodies Operating Product Certification Systems, 1996
[ISO/IEC NWI] Proposal for a New Work Item: Test Requirements for Cryptographic Modules, April 2005
[ITBPM] IT Baseline Protection Manual (ITBPM), BSI, 2004
[ITSEC JIL] ITSEC Joint Interpretation Library (ITSEC JIL), Version 2.0, November 1998
[ITSEC] Information Technology Security Evaluation Criteria, Commission of the European Communities, Version 1.2, June 1991
[ITSECR ESP] IT security evaluation and certification regulations, v.3, http://www.oc.ccn.cni.es/reg-001_en.html
[ITSEM] IT Security Evaluation Manual, Commission of the European Communities, Version 1.0, June 1995
[KAN REP] Federal Ministry of Economics and Labor: Accreditation of Testing and Certification Bodies, June 2003
[MAI-P-01] France: Procedure for Maintenance of Certificates, February 2004
[MOD-P-01] France: Procedure for Evolution of Certification Requirements
[MTT] MailTrusT Version 2, March 1999, TeleTrusT Deutschland e.V.
[NEW APP] Council Resolution: A New Approach to Technical Harmonization and to Standardization, OJ C 136, June 1985
[NVCASE PHB] NIST: NVCASE Program Handbook – Procedures for Obtaining NIST Recognition as an Accreditor, 2004
[PER-P-01] France: Enrolment and Qualification of Personnel
[PPP PUDS] Federal Ministry of the Interior, Federal Ministry of Economics and Labor: Public-Private Partnership to Promote the Use of Digital Signatures, March 2003
[PPP TRCO] Federal Ministry of the Interior, Federal Ministry of Economics and Labor: Terms of Reference and Convergence Objectives for the Public-Private Partnership to Promote the Use of Digital Signatures, Version 1.2, March 2003
[QUA-P-01] France: Procedure for Management Review
[QUA-P-02] France: Procedure for the Quality Steering Group
[QUA-P-03] France: Procedure for Internal Audits
[REAB SA] Guidelines for the Recognition of Evaluation and Attestation Bodies under the Signature Act, May 2001, Germany
[SAGA] Federal Ministry of the Interior: Standards and Architectures for e-Government Applications, December 2003
[SALG] Bundesgesetzblatt (Federal Gazette) No.
59, pp 4695-4696: Notification in accordance with the Electronic Signature Act and the Electronic Signature Ordinance – Suitable Algorithms, March 2005 [SigBü] Signature Alliance: Specification of the Application Programming Interface to the Signature Card, October 2004 [SigG*] Bundesgesetzblatt (Federal Law Gazette) No. 1, p 2: First Law Amending the Signature Law, (Entwurf eines Ersten Gesetztes zur Änderung des Signaturgesetzes 1. SigÄndG), please note that currently an English version of this amendment law is not available, January 2005 [SigG] Bundesgesetzblatt (Federal Law Gazette) No. 22, p 876: Law Governing Framework Conditions for Electronic Signatures (Signature Law — SigG), May 2001. February 28th, 2006 (Final) Study on Promotion Strategy of Conformity Assessment System of Information Security 217 [SigV] Bundesgesetzblatt (Federal Law Gazette) No. 59, p 3074: Ordinance on Electronic Signatures (Signatures Ordinance — SigV), November 2001. [SMTC] Bundesgesetzblatt (Federal Law Gazette) No. 204a: Security Measures for Technical Components under the Digital Signature Act, July 1998. 
[SUR-P-01] France: SGDN/DCSSI/SDR: Surveillance of Certified Products, February 2004 [TCSEC] US DoD: Trusted Computer Security Evaluation Criteria (TCSEC), Orange Book, 1985 [TTP.NL] ECP.NL: Scheme for Certification of Certification Authorities against ETSI TS 101 456, November 2002 [UKSP 01 *] UK IT Security Evaluation and Certification Scheme, Description of the Scheme, July 2002 [UKSP 01] UK IT Security Evaluation and Certification Scheme, Description of the Scheme, July 2002 [UKSP 02] UK IT Security Evaluation and Certification Scheme, CLEF Requirements, April 2003 [UKSP 03] UK IT Security Evaluation and Certification Scheme, Sponsor’s Guide, Role of Sponsor in IT Security Evaluation & Certification [UKSP 04] UK IT Security Evaluation and Certification Scheme, Developers’ Guide [UKSP 05] UK IT Security Evaluation and Certification Scheme, Manual of Computer Security Evaluation [UKSP 06] UK IT Security Evaluation and Certification Scheme, Certified Product List, 2000 [UKSP 11] UK IT Security Evaluation and Certification Scheme, Scheme Information Notices Folder [UKSP 12] UK IT Security Evaluation and Certification Scheme, Relationship between Accreditation Document Set and Security Targets for Evaluation [UKSP 16] UK IT Security Evaluation and Certification Scheme, UK Certification Maintenance Scheme [VgV *] Amendment of the Awarding Ordinance, (Vergabeverordnung), March 2005, GER 218 Study on Promotion Strategy of Conformity Assessment System of Information Security February 28th, 2006 (Final) [VgV] Awarding Ordinance, (Vergabeverordnung), February 2003, GER [VOB] Awarding and Contracting Ordinance for Public Construction Works, GER [VOF] Concretization Ordinance for Freelance Services, GER [VOL] Concretization Ordinance for Products and Services (Verdingungsordnung für Leistungen), September 2002, GER February 28th, 2006 (Final) Study on Promotion Strategy of Conformity Assessment System of Information Security 219 11 Contact Information and Links This chapter 
contains a set of pairs of tables, one pair per country or supra-national organization: the first table of each pair lists links for distinct objectives and organizations, the second gives contact information.

Table 46: Canadian Links

TOPIC | ORGANIZATION | LINK
Industry Program ITISPS | AEPOS Technologies Corporation | http://www.aepos.com
CCTL Testing Laboratory | CGI Information Systems and Management Consultants Inc. | http://www.cgi.com
Industry Program ITISPS | CGI Information Systems Management Consultants | http://www.infosec.cgi.com
Industry Program ITISPS | Cinnabar Networks Inc. | http://www.cinnabar.ca
Certification Body | CSE Communications Security Establishment | http://www.cse.dnd.ca
Industry Program CITP | CSE Communications Security Establishment | CITP@cse-cst.gc.ca
Industry Program CMVP | CSE Communications Security Establishment | CMVP@cse-cst.gc.ca
Industry Program ITISPS | CSE Communications Security Establishment | ITISPS@cse-cst.gc.ca
CCTL/CMVP Testing Laboratory | DOMUS IT Security Laboratory | http://www.domusitsl.com
CCTL/CMVP Testing Laboratory | EWA – Canada IT Security Evaluation & Test Facility | http://www.ewa-canada.com
Accreditation and Standardization Body | SCC Standards Council of Canada | http://www.scc.ca
Standardization Body | SCC Standards Council of Canada | http://www.trm.ca
Industry Program ITISPS | TRM Technologies Inc. | http://www.trm.ca

Table 47: Contact Information about Canadian Organizations

ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL
CGI Information Systems and Management Consultants Inc. | Xxx | |
CSE Communications Security Establishment | +1 613 991 7600 | | P.O. Box 9703, Terminal Ottawa, Ontario K1G 3Z4, Canada
DOMUS IT Security Laboratory | +1 613 247 5698 | +1 613 739 4936 | 2220 Walkley Road, Ottawa, Ontario K1G 5L2, Canada / info@domusitsl.com
EWA – Canada IT Security Evaluation & Test Facility | +1 613 230 6067 | +1 613 230 4933 | 55 Metcalfe Street, Suite 1600, Ottawa, Ontario K1P 6L5, Canada / EWAinfo@ewa-canada.com, labdirector@ewa-canada.com
SCC Standards Council of Canada | +1 613 238 3222, Ext. 480 | +1 613 569 7808 | 270 Albert Street, Suite 200, Ottawa, Ontario K1P 6N7, Canada / info@scc.ca

Table 48: European Links

TOPIC | ORGANIZATION | LINK
Conformity Assessment | AEIF | http://www.aeif.org
Standardization Body | CEN | http://www.cenorm.be/cenorm/index.htm
Standardization Body | CENELEC | http://www.cenelec.org/Cenelec/Homepage.htm
Initiative i2010 | Commission | http://europa.eu.int/information_society/eeurope/2005/index_en.htm
Community Legislation | Council | http://europa.eu.int/eur-lex/en/index.html
Directives, Decisions, Regulations | Council, Commission and Parliament | http://www.europa.eu.int/
Procurement | Council, Commission and Parliament | http://www.europa.eu.int/comm/dg15/de, http://www.europa.eu.int/comm/internal_market/index_en.htm, http://europa.eu.int/comm/internal_market/publicprocurement/ppp_en.htm, http://www.curia.eu.int/index.htm
CERT Initiative | CSIRT | http://www.cert.org/csirts/csirt_faq.html
Accreditation Body | EA | http://www.european-accreditation.org
Banking Sector | EAPB | http://www.eapb.be
E-Business Association | EEMA | http://www.eema.org
Standardization Initiative | EESSI | http://www.ictsb.org/EESSI_home.htm
European Initiative | eEurope 2002 | http://europa.eu.int/information_society/eeurope/2002/index_en.htm
European Initiative | eEurope 2005 | http://europa.eu.int/information_society/eeurope/2005/index_en.htm, http://europa.eu.int/information_society/eeurope/2005/doc/all_about/acte_en_version_finale.pdf
Trade Association | EFTA | http://www.efta.int
European Agency | ENISA | http://www.enisa.eu.int/
Standardization Body | ETSI | http://www.etsi.org
European Program | EU | http://europa.eu.int/information_society/eeurope/2005/all_about/modinis/index_en.htm
Good Practice Framework | EU | http://www.egov-goodpractice.org
Lists of Notified Bodies | EU | http://europa.eu.int/comm/enterprise/newapproach/legislation/nb/notified_bodies.htm
Public Private Partnership | EU | http://europa.eu.int/comm/internal_market/ppp
Official Journal | EurLex | http://europa.eu.int/eur-lex/en/oj
Quality Assessment Body | EUROCAT | http://www.eurocat.de/en/text/portraet.html
Accreditation Body | EUROLAB | http://www.eurolab.org
European Federation | EUROLAB | http://www.eurolab.org
Supervisory Authority | FESA | http://www.fesa.rtr.at
Standardization Board | ICTSB | http://www.ictsb.org
eGovernment Program | IDABC | http://www.europa.eu.int/idabc
European Initiative | TESTA | http://europa.eu.int/idabc/en/document/2097/5644

Table 49: Contact Information about European Organizations

ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL
AEIF European Association for Railway Interoperability | +32 2 626 1265 | +32 2 626 1261 | 221 Avenue Louise, 1050 Bruxelles, Belgium
CEN European Committee for Standardization | +32 2 550 0811 | +32 2 550 0119 | Rue de Stassart 36, 1050 Brussels, Belgium / cen@cenclcbel.be
CENELEC European Committee for Electrotechnical Standardization | +32 2 519 6871 | +32 2 519 6919 | Rue de Stassart 35, 1050 Brussels, Belgium
EA European Cooperation for Accreditation | +33 1 44 68 8225 | +33 1 44 68 9606 | secretariat.EA@cofrac.fr
EAPB European Association of Public Banks and Funding Agencies | +32 2 286 90 62 | +32 2 231 03 47 | Avenue de la Joyeuse Entrée 1-5, 1040 Brussels, Belgium / postmaster@eapb.be
EEMA European Electronic Messaging Association | +44 1386 793028 | +44 1386 793268 | Alexander House, High Street, Inkberrow, Worcester WR7 4DT, UK
ENISA European Network and Information Security Agency | +30 28 1039 1280 | +30 28 1039 1410 | Science and Technology Park of Crete (ITE), Vassilika Vouton, 70013 Heraklion, Greece / info@enisa.eu.int
ETSI European Telecommunications Standards Institute | +33 4 9294 4200 | +33 4 9365 4716 | 650 Route des Lucioles, 06291 Sophia Antipolis Cedex, France / secretariat@etsi.fr
EUROCAT European Institute for Certification and Testing GmbH | +49 6151 50035 0 | +49 6151 50035 50 | Wittichstraße 2, 64295 Darmstadt, Germany / info@eurocat.de
EUROLAB European Federation of National Associations of Measurement, Testing and Analytical Laboratories | +33 1 4043 3923 | | 1, rue Gaston Boissier, 75724 Paris Cedex 15, France / eurolab@lne.fr

Table 50: French Links

TOPIC | ORGANIZATION | LINK
Standardization Body | AFNOR | http://www.afnor.fr/portail.asp
Testing Laboratory | Algoriel | http://www.algoriel.fr
Regulatory Authority | ARCEP | http://www.arcep.fr
Testing Laboratory | CEACI (CNES) | http://www.cnes.fr
Testing Laboratory | CEA-LETI | http://www-leti.cea.fr
Testing Laboratory | CELAR/CASSI, CNET Caen, CR2ADI | http://www.ssi.gouv.fr/fr/confiance/certificats.html
CERT Body | CERTA | http://www.certa.ssi.gouv.fr
Banking Sector | CFONB | http://www.cfonb.org
Accreditation Body | COFRAC | http://www.cofrac.fr
Regulatory Authority | CRE | http://www.cre.fr
Certification Body | DCSSI | http://www.ssi.gouv.fr
Regulation Authority | DCSSI | http://www.ssi.gouv.fr/en/dcssi/index.html
Smart Card Certificates | DCSSI | http://www.ssi.gouv.fr/fr/confiance/certificats.html
Smart Card PP Certificates | DCSSI | http://www.ssi.gouv.fr/fr/confiance/pp.html
Cryptological Products | Government | http://www.ssi.gouv.fr/en/regulation/regl_crypto.html
European Legal Context | Government | http://www.ssi.gouv.fr/en/regulation/europe.html
Evaluation and Certification | Government | http://www.ssi.gouv.fr/en/regulation/regl.html#certif
Industrial Relationships | Government | http://www.ssi.gouv.fr/en/regulation/rid_contact.html
Portal | Government | http://www.services-public.fr, http://www.marches-publics.gouv.fr
Regulation | Government | http://www.ssi.gouv.fr/en/regulation/regl.html#crypto
Ministry of Economics, Finance and Industry | MINEFI | http://www.minefi.gouv.fr
Testing Laboratory | Oppida | http://www.oppida.fr
Testing Laboratory | SERMA Technologies | http://www.serma.com/serma_technologies/cesti/cesti.php
Testing Laboratory | SILICOMP-AQL | http://www.aql.fr/AQL_SSI_CESTI.htm

Table 51: Contact Information about French Organizations

ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL
ADAE Agency for the Development of Electronic Administration | +33 1 4275 5200 | |
AFNOR Association Française de Normalisation | +33 1 42 91 5555 | +33 1 42 91 5656 | Tour Europe, 92049 Paris La Défense Cedex 7
Algoriel | +33 1 45 38 36 00 | +33 1 45 38 36 20 | Tour Maine Montparnasse, 33 avenue du Maine, 75755 Paris Cedex 15, France / cesti@algoriel.fr
CEACI (TES-CNES) | +33 5 61 27 40 29 | +33 5 61 27 47 32 | 18, avenue Edouard Belin, 31401 Toulouse Cedex 4, France / ceaci@cnes.fr
CEA-LETI | +33 4 38 78 40 87 | +33 4 38 78 51 59 | 17, rue des Martyrs, 38054 Grenoble Cedex 9, France / alain.merle@cea.fr
CERTA Computer Emergency Response Team | +33 1 71 7584 50 | +33 1 71 7584 70 | 51, boulevard de La Tour-Maubourg, 75700 Paris, France / certa-svp@certa.ssi.gouv.fr
| | | 85 Boulevard du Montparnasse, 75006 Paris, France / support@achatpublic.com
CFONB Comité Français d'Organisation et de Normalisation Bancaires | | | 18 rue La Fayette, 75009 Paris / cfonb@fbf.fr
COFRAC Comité Français d'Accréditation | +33 1 4468 8224 | +33 1 4468 8221 | 37, rue de Lyon, 75012 Paris, France / daniel.pierre@cofrac.fr
DCSSI Central Directorate for Information System Security | +33 1 41 46 37 20 | +33 1 41 46 37 01 | 18, rue du Docteur Zamenhof, 92131 Issy-les-Moulineaux, France / resptech@scssi.gouv.fr
OPPIDA | +33 1 30 14 19 00 | +33 30 14 19 09 | 6 avenue du Vieil Etang, Bât B, 78180 Montigny-le-Bretonneux, France / cesti@oppida.fr
SERMA Technologies | +33 5 57 26 08 64 | +33 5 57 26 08 98 | 30, avenue Gustave Eiffel, 33608 Pessac Cedex, France / m.dus@serma.com
SILICOMP-AQL | +33 2 99 12 50 00 | +33 2 99 63 70 40 | 1 rue de la Châtaigneraie, CS 51766, 35517 Cesson-Sévigné Cedex, France / cesti@aql.fr
UGAP Union of the Public Buying Associations | +33 1 64 73 20 00 | +33 1 64 73 20 20 | 1 boulevard Archimède, Champs-sur-Marne, 77444 Marne-la-Vallée Cedex 2, France / contact@ugap.fr

Table 52: German Links

TOPIC | ORGANIZATION | LINK
Accreditation Body | AKAS | http://www.aks-hannover.de
Banking Portal | Association of German Banks | http://www.germanbanks.org, http://www.german-banks.com
Laboratory | Atos Origin GmbH | http://www.atosorigin.de
IT Security Evaluation Facility | atsec information security GmbH | http://www.atsec.com
Federal Ministry | BaFin | http://www.bafin.de
Accreditation Body | BDI | http://www.bdi-online.de
Procurement Office | BeschA | http://www.bescha.bund.de
Procurement of IT Services | BFAI | http://www.bfai.de
Federal Ministry of Finance | BFM | http://www.bundesfinanzministerium.de
Procurement Platform | bi-online | http://www.bi-online.de
Federal Ministry | BMI | http://www.bmi.bund.de
Federal Ministry | BMVBW | http://www.bmvbw.de
Federal Ministry | BMWA | http://www.bmwa.bund.de
Government Agency | BNetzA | http://www.bundesnetzagentur.de
Official Gazette | BNetzA | http://www.bundesnetzagentur.de
Certification Authority | BSI | http://www.bsi.bund.de
Certification Authority, Testing Laboratory | BSI | http://www.bsi.bund.de
Procurement of IT Services | BVDW | http://www.bvdw.org
Banking Sector | BVR | http://www.bvr.de
Procurement in the Military Area | BWB | http://www.bwb.org
CERT Body | CERT-Bund | http://www.bsi.de/certbund
Testing Laboratory | CSC Ploenzke AG | http://www.de.csc.com
Accreditation Body | DACH | http://www.dach-gmbh.de
Accreditation Body | DAP | http://www.dap.de
Accreditation Body | DAR | http://www.dar.bam.de/dau.html
Accreditation Body | DASMIN | http://www.dasmin.de
Accreditation Body | DATech | http://www.datech.de
Testing Laboratory | datenschutz nord GmbH | http://www.datenschutz-nord.de
Accreditation Body | DAU | http://www.dar.bam.de/dau.html
German Railway AG | DBAG | http://www.db.de
Testing Laboratory | debis IT Security Services | http://www.itsec-debis.de
Procurement Platform | Deutscher Auftragsdienst | http://www.workxl.de
Testing Laboratory | DFKI | http://www.dfki.de
CERT Body | DFN-CERT | http://www.cert.dfn.de
Accreditation Body | DIAS | http://www.dias-acc.de
Standardization Body | DIN | http://www.din.de
Accreditation Body | DKD | http://www.dkd.de
Banking Sector | DSGV | http://www.dsgv.de
Accreditation Body | DVGW | http://www.dvgw.de
eGovernment Initiative | ESG | http://www.egov-europe.de
Publication of Tenders | Federal Administration | http://www.bund.de/ausschreibungen.de
Publication of Tenders | Federal Gazette for Tenders | http://www.bundesausschreibungsblatt.de
Bund Online 2005 | Federal Government | http://www.bundesregierung.de/en
Government Services | Federal Government | http://www.bund.de/nn_174028/EN/Homepage-knoten.html__nnn=true
Procurement Platform | Federal Government | http://www.evergabe.bund.de, http://www.evergabe-online.de
Accreditation Body | GAZ | http://www.gaz-online.de
Testing Laboratory | IABG | http://www.iabg.de
Private-Public Partnership | ITSMIG | http://www.itsmig.de
German Initiative | KAN | http://www.kan.de
Government Body | KBA | http://www.kba.de
Procurement of IT Services | KBSt | http://www.kbst.bund.de
Government Body | KL-MESS | http://www.dar.bam.de/structure.html
Testing Laboratory | media transfer AG | http://www.mtg.de
Procurement Platform | Medienpool Köln | http://www.medienpool.de
Procurement Platform | my-con | http://www.my-con.com
Government Initiative | PPP | http://www.ppp.bund.de
ISIS-MTT Test Laboratory | Secorvo Security Consulting GmbH | http://www.secorvo.de
Testing Laboratory | secunet SWISSiT AG | http://www.swiss-it.ch
Public-Private Partnership | Signature Alliance | http://www.signaturbuendnis.de/englisch/index.htm
Testing Laboratory | SRC Security Research & Consulting GmbH | http://www.src-gmbh.de
Procurement Platform | subreport ELViS | http://www.subreport-elvis.de
Testing Laboratory | Tele Consulting GmbH | http://www.tele-consulting.com
Association | TeleTrusT Deutschland e.V. | http://www.teletrust.de
Accreditation Body | TGA | http://www.tga-gmbh.de/
Testing Laboratory | TNO-ITSEF BV | http://www.commoncriteria.nl
ISIS-MTT Test Laboratory | T-Systems | http://www.t-systems-itc-security.com
Certification Authority | T-Systems GEI GmbH | http://www.t-systems-zert.de
Testing Laboratory | T-Systems GEI GmbH | http://www.t-systems-itc-security.com
Certification Authority, CMVP Testing Laboratory, ISIS-MTT Testing Laboratory | TÜV IT GmbH | http://www.tuvit.de
Testing Laboratory | TÜV Nord SysTec GmbH & Co. KG | http://www.tuev-nord-systec.de
Banking Sector | VdP | http://www.pfandbrief.de
Procurement Platform | ventasoft GmbH | http://www.ventasoft.de
Banking Sector | VÖB | http://www.voeb.de

Table 53: Contact Information about German Organizations

ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL
Association of German Banks | +49 30 1663 0 | +49 30 1663 1399 | Burgstraße 28, D-10178 Berlin, Germany / bankenverband@bdb.de
Atos Origin GmbH | +49 5931 805 221 | +49 5931 805 221 | Lohberg 10, 49716 Meppen, Germany / christoph.cordes@atosorigin.com
atsec information security GmbH | +49 89 442 498 30 | +49 89 442 498 31 | Steinstraße 70, 81667 München / gerald@atsec.com
BaFin Federal Financial Supervisory Authority | +49 228 4108 0 | +49 228 4108 1550 | Graurheindorfer Str. 108, 53117 Bonn, Germany / poststelle@bafin.de
BeschA Procurement Office of the Federal Ministry of the Interior | +49 1888 610 1210 | | Sankt Augustiner Straße 86, 53225 Bonn, Germany / info@bescha.bund.de
BFM Federal Ministry of Finance | +49 1888 682 0 | +49 1888 682 3260 | Wilhelmstraße 97, 10117 Berlin, Germany
BMI Federal Ministry of the Interior | +49 1888 681 0 | +49 1888 681 2926 | Alt-Moabit 101 D, 10559 Berlin, Germany / poststelle@bmi.bund.de
BMVBS | +49 30 2008 3060 | +49 30 2008 1942 | Robert-Schuman-Platz 1, 53175 Bonn, Germany / buergerinfo@bmvbs.bund.de
BNetzA Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway | +49 228 140 | +49 228 14 8872 | Tulpenfeld 4, 53113 Bonn, Germany / Poststelle@BNetzA.de
BSI Federal Office for Information Security | +49 228 9582 141 | +49 228 9582 455 | P.O. Box 200363, 53133 Bonn, Germany
BVR Central Organization of the Cooperative Banking | +49 3020 21 0 | +49 3020 21 1900 | Schellingstraße 4, 10785 Berlin, Germany / info@bvr.de
CERT-Bund | +49 1888 9582 222 | | certbund@bsi.bund.de
CSC Ploenzke AG | +49 89 5908 6504 | +49 89 5908 6503 | Sandstraße 7-9, 80335 München, Germany / goswin.eisen@csc.com
DACH German Accreditation Body Chemistry | +49 69 6637 19 0 | +49 69 6637 1920 | Gartenstr. 6, 60594 Frankfurt/M., Germany / dach@dach-gmbh.de
DAP German Accreditation System for Testing | +49 030 67059 120 | +49 30 67059 115 | Ernst-Augustin-Str. 15, 12489 Berlin, Germany / zentrale@dap.de
DAR German Accreditation Council | +49 30 8104 3713 | | Unter den Eichen 87, D-12205 Berlin, Germany / office@deutscherakkreditierungsrat.org
DASMIN German Accreditation System for Petroleum and Related Products | +49 69 663719 19 | +49 69 663719 20 | Gartenstraße 6, 60594 Frankfurt/M., Germany / stefan.schramm@dasmin.de
DATech / DIAS German Institute for Accreditation Systems GmbH | +49 711 7811 624 | +49 711 7811 625 | Liebknechtstr. 33, 70565 Stuttgart, Germany / datech@datech.de
datenschutz nord GmbH | +49 471 300 1119 | +49 471 300 1111 | Schifferstraße 10-14, 27568 Bremerhaven, Germany / smaseberg@datenschutz-nord.de
DATEV Trust Center | +49 911 2760 | +49 911 2763196 | Paumgartnerstr. 6-14, 90329 Nürnberg, Germany / info@datev.de
DAU German Accreditation Body of Environmental Verifiers | +49 228 28052 0 | +49 228 28052 28 | Dottendorfer Str. 86, 53129 Bonn, Germany / info@dau-bonn.de
DFKI Deutsches Forschungszentrum für Künstliche Intelligenz GmbH | +49 681 302 5276 | +49 681 302 2235 | Im Stadtwald, Gebäude 6, 66123 Saarbrücken, Germany / keller@dfki.de
DIAS Deutsches Institut für Akkreditierungssysteme GmbH | +49 711 78 11 624 | +49 711 78 11 625 | Liebknechtstraße 33, D-70565 Stuttgart, Germany / joerg.trappe@dias-acc.de, sekretariat@dias-acc.de
DIN Deutsches Institut für Normung | +49 3026 01 0 | +49 3026 01 1231 | Burggrafenstraße 6, 10785 Berlin
DKD German Calibration Service | +49 531 592 1900 | +49 531 592 1905 | Bundesallee 100, 38116 Braunschweig, Germany / dkd@ptb.de
DVGW German Technical and Scientific Association for Gas and Water | +49 228 91 88 807 | +49 228 9188 993 | Josef-Wirmer-Straße 1-3, D-53123 Bonn, Germany / info@dvgw.de, zert@dvgw.de
EGOV European Society for eGovernment e.V. | +49 228 383 511 | +49 228 383 555 | Südstraße 133, 53175 Bonn, Germany / info@egov-europe.de
Federal Ministry of Finance | +49 1 888 682 0 | +49 1 888 682 3260 | Bundesministerium der Finanzen, Wilhelmstraße 97, 10117 Berlin, Germany
GAZ Association for Accreditation and Certification | +49 211 6707 442 | +49 211 6707 474 | Sohn-Str. 68, 40237 Düsseldorf, Germany / gaz-zentrale@t-online.de
German Accreditation Body for Technology | +49 69 610943 51 | +49 69 610943 55 | Gartenstraße 6, 60594 Frankfurt/M, Germany
TGA German Association for Accreditation | +49 69 610943 11 | +49 69 610943 44 | Gartenstrasse 6, 60594 Frankfurt/M., Germany
IABG Industrieanlagen-Betriebsgesellschaft mbH | +49 89 6088 3634 | +49 89 6088 2873 | Einsteinstraße 20, 85521 Ottobrunn, Germany / sicherheit@iabg.de
KAN Commission for Occupational Health and Safety and Standardization | +49 2241 231 03 | +49 2241 231 3464 | Alte Heerstraße 111, 53757 Sankt Augustin, Germany / info@kan.de
KBA Federal Authority of Road Transport | +49 351 47385 0 | +49 351 4738536 | Bernhardstraße 62, 01187 Dresden, Germany / AkkrStelle@kba.de
media transfer AG | +49 6151 8193 16 | +49 6151 8193 43 | Dolivostraße 11, 64293 Darmstadt, Germany / Tmartin@mtg.de
Secorvo Security Consulting GmbH | +49 721 255171 0 | +49 721 255171 100 | Ettlinger Straße 12-14, 76137 Karlsruhe, Germany / info@secorvo.de
SRC Security Research & Consulting GmbH | +49 228 2806 122 | +49 228 2806 199 | Graurheindorfer Straße 149a, 53117 Bonn, Germany / bertolt.krueger@src-gmbh.de
Tele Consulting GmbH | +49 7032 9758 13 | +49 7032 74750 | Siedlerstraße 22-24, 71126 Gäufelden, Germany / mwolf@tele-consulting.com
TeleTrusT Deutschland e.V. | +49 361 3460 531 | +49 361 3453 957 | Chamissostraße 11, 99096 Erfurt, Germany / info@teletrust.de
TGA German Association for Accreditation | +49 69 6109 4311 | +49 69 6109 4344 | Gartenstraße 6, D-60594 Frankfurt/M, Germany / tga@tag-gmbh.de
TNO-ITSEF BV | +31 15 269 2525 | +31 15 269 2555 | Delftechpark 1, 2628 XJ Delft, The Netherlands / out@itsef.com
Traffic Policy | | | Potsdamer Platz 2, 10785 Berlin, Germany / verkehrspolitik@bahn.de
T-Systems | +49 228 9841 0 | +49 228 9841 60 | Rabinstraße 8, 53111 Bonn, Germany / wolfgang.killmann@t-systems.de
TÜV Informationstechnik GmbH | +49 201 8999 624 | +49 201 8999 666 | Langemarckstraße 20, 45141 Essen, Germany / w.peter@tuvit.de
TÜV Nord SysTec GmbH & Co. KG | +49 40 8557 2288 | +49 40 8557 2429 | Große Bahnstraße 31, 22525 Hamburg, Germany / klaue@tuev-nord.de
VdP Association of German Pfandbrief Banks | +49 3020 91 5100 | +49 3020 91 5101 | Georgenstr. 21, 10117 Berlin, Germany / info@pfandbrief.de
VÖB Association of German Public Sector Banks | +49 3081 92 0 | +49 3081 92 222 | Lennéstraße 11, 10785 Berlin, Germany

Table 54: International Links

TOPIC | ORGANIZATION | LINK
Standardization Body | Common Criteria | http://www.commoncriteria.org
Accreditation Forum | IAF | http://www.iaf.nu
Standardization Body | IEC | http://www.iec.ch
Accreditation Body | ILAC | http://www.ilac.org
Standardization Body | ISO | http://www.iso.org
Standardization Body | ITU | http://www.itu.int/home

Table 55: Italian Links

TOPIC | ORGANIZATION | LINK
Banking Association | ABI | http://www.abi.it
Regulatory Authority | AEEG | http://www.agcom.it
Regulatory Authority | AGCOM | http://www.agcom.it
Government Body | CNIPA | http://www.cnipa.gov.it
Government Body | CONSIP | http://www.consip.it
Government Procurement | CONSIP | http://www.acquistinretepa.it
Accreditation Body | FIDEA | http://www.federaccreditamento.it
Certification Body | FUB | http://www.fub.it
Portal for Businesses | Government | http://www.impresa.gov.it
Portal for Citizens | Government | http://www.italia.gov.it
Government Body | ISCOM | http://www.iscom.gov.it
Government Body | MIT | http://www.innovazione.gov.it
Evaluation and Certification Body | OCSI | http://www.ocsi.gov.it/
Accreditation Body | SINAL | http://www.sinal.it
Accreditation Body | SINCERT | http://www.sincert.it
National Agency for Standardization | UNI | http://www.uni.com

Table 56: Contact Information about Italian Organizations

ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL
CNIPA National Centre for Information Technology in Government | +39 06 852641 | +39 06 85264255 | Via Isonzo 21 b, 00198 Roma, Italy / comunicazione@cnipa.it
FIDEA Federazione Italiana degli Enti di Accreditamento | +39 06 84409951 | +39 06 884 1199 | Piazza Mincio, 00198 Roma / info@federaccreditamento.it
FUB Fondazione Ugo Bordoni | +39 06 54801 | +39 06 5480 4400 | Via Baldassarre Castiglione 59, 00142 Roma
ISCOM Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione | +39 06 5444 4370 | +39 06 5410 904 | Viale America 201, 00144 Roma, Italy / iscom@istsupcti.it
SINAL Sistema Nazionale per l'Accreditamento di Laboratori | +39 06 8440991 | +39 06 884 1199 | Piazza Mincio 2, 00198 Roma / info@sinal.it
SINCERT Sistema Nazionale per l'Accreditamento degli Organismi di Certificazione e Ispezione | +39 02 2100961 | +39 02 21009637 | Via Saccardo 9, 20134 Milano / sincert@sincert.it
UNI Ente Nazionale Italiano di Unificazione | +39 2 700 241 | +39 2 701 06149 | Via Battistotti Sassi 11b, 20133 Milano

Table 57: Japanese Links

TOPIC | ORGANIZATION | LINK
IT Promotion Body | IPA-ISEC | http://www.ipa.go.jp/security/jisec/jisec_e/indexhtml
Certification Body | NITE | http://www.nite.go.jp/index-e.html

Table 58: Netherlands Links

TOPIC | ORGANIZATION | LINK
Regulatory Authority | DTE | http://www.dte.nl
National e-Platform | ECP | http://www.ecp.nl
CERT Body | GOVCERT | http://www.govcert.nl
Netherlands Standardization Institute | NNI | http://www.nni.nl
Regulatory Authority | OPTA | http://www.opta.nl
Government Bodies | Overheid | http://www.overheid.nl/guest
Accreditation Council | RvA | http://www.rva.nl
Telematics Institute | TELIN | http://www.telin.nl
Accredited Certification Body | TNO | http://www.tno.nl

Table 59: Contact Information about Dutch Organizations

ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL
RvA Dutch Accreditation Council | +31 30 23 94 500 | +31 30 23 95 539 | Mariaplaats 21 D, 3511 LK Utrecht, Netherlands / Jan.vander.Poel@rva.nl
ECP.NL | +31 70 4190 309 | +31 70 4190 650 | Postbus 262, 2260 AG Leidschendam, Netherlands / info@ecp.nl
GOVCERT.NL | +31 70 888 78 51 | +31 70 888 78 15 | Postbus 84011, 2508 AA Den Haag, Netherlands / info@govcert.nl
NNI Nederlands Normalisatie-instituut | +31 15 2 690 390 | +31 15 2 690 190 | P.O. Box 5059, Kalfjeslaan 2, 2600 GB Delft, Netherlands
OPTA Independent Post and Telecommunications Authority | +31 70 315 35 00 | +31 70 315 35 01 | P.O. Box 90420, 2509 LK Den Haag, Netherlands / ttp@opta.nl
TNO Certification | +31 55 549 34 68 | +31 55 549 32 88 | P.O. Box 541, 7300 AM Apeldoorn, Netherlands / certification@certi.tno.nl

Table 60: Spanish Links

TOPIC | ORGANIZATION | LINK
Standardization and Certification Body | AENOR | http://www.aenor.es
Regulatory Authority | CMT | http://www.cmt.es
Regulatory Authority | CNE | http://www.cne.es
Certification Body | CNI | http://www.oc.ccn.cni.es
Accreditation Body | ENAC | http://www.enac.es
National Mint | FNMT | http://www.fnmt.es
Administration Portal | Government | http://www.administracion.es
Citizens Portal | Government | http://www.ciudadano.es
Government Portal | Government | http://www.la-moncloa.es
Government Strategy | Government | http://www.map.es/iniciativas/mejora_de_la_administracion_general_del_estado/plan_conecta.html, http://www.moderniza.com
Ministries | Government | http://www.gksoft.com/govt/en/es.html
Testing Laboratory | LGAI | http://www.appluscorp.com, http://www.lgai.es
Regulatory Authority | SETSI | http://www.setsi.mcyt.es

Table 61: Contact Information about Spanish Organizations

ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL
AENOR Asociación Española de Normalización y Certificación | +34 91 432 60 00 | +34 91 310 10 32 | Génova 6, 28004 Madrid, Spain / aenor@aenor.es
CESTI-INTA | +34 91 520 1200 | +34 91 675 5263 | Centro de Evaluación de la Seguridad de las Tecnologías de la Información, Instituto Nacional de Técnica Aeroespacial / info@inta.es
ENAC Entidad Nacional de Acreditación | +34 91 457 3289 | +34 91 458 6280 | Serrano 240, 28016 Madrid, Spain / enac@enac.es
LGAI Technological Center S.A. | | | info@appluscorp.com
OC Organismo de Certificación | +34 91 346 1597 | +34 91 372 58 08 | Avenida del Padre Huidobro s/n, 28023 Madrid, Spain / organismo.certification@cni.es
SETSI State Secretariat for Telecommunications and for the Information Society | +34 91 346 1577 | | C/ Alcalá, 50, 28071 Madrid, Spain

Table 62: Swedish Links

TOPIC | ORGANIZATION | LINK
Portal | Avropa | http://www.avropa.nu
Electronic Commerce | GEA | http://www.gea.nu
Government Portal | Government | http://www.sweden.gov.se
Ministry of Finance | Government | http://www.regeringen.se
E-Procurement | Kammarkollegiet | http://www.kammarkollegiet.se
Procurement | NOU | http://www.nou.se
Post and Telecommunications Agency | PTS | http://www.pts.se
Standardization Body | SIS | http://www.sis.se
CERT Body | SITIC | http://www.sitic.se/eng/index.html
Regulatory Authority | STEM | http://www.stem.se
Accreditation and Certification Body | SWEDAC | http://www.swedac.se
Telecommunications Company | TeliaSonera | http://www.teliasonera.com

Table 63: Contact Information about the Swedish Organizations

ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL
NOU Procurement | +46 8 454 44 40 | +46 8 791 72 81 | Vasagatan 44, 111 20 Stockholm, Sweden / registrator.nou@nou.se
PTS Post and Telecommunications Agency | +46 8 678 55 00 | +46 8 678 55 05 | P.O. Box 5398, 102 49 Stockholm, Sweden / pts@pts.se
SIS Swedish Standards Institute | +46 8 555 520 00 | +46 8 555 520 01 | Sankt Paulsgatan 6, 118 80 Stockholm, Sweden / info@sis.se, forum@sis.se
SITIC Swedish IT Incident Centre | +46 8 678 57 99 | +46 8 678 55 05 | Box 5398, 102 49 Stockholm, Sweden
STEM Swedish Energy Agency | +46 16-544 2000 | +46 16-544 2099 | Kungsgatan 43, 631 04 Eskilstuna, Sweden / stem@stem.se
SWEDAC Swedish Board for Accreditation and Conformity Assessment | +46 8 406 8300 | +46 8 791 8929 | P.O.

Table 64:
Box: 2231, 103 15 Stockholm, Sweden / registrator@swedac.se United Kingdom Links TOPIC ORGANIZATION LINK Banking Association BBA http://www.bba.org.uk Standarization Body BSI Business support http://www.bsiglobal.com/News/Information/Business+Information.xalter Standarization Body BSI Management Systems http://www.bsiglobal.com/News/Information/Management+Systems.xalte r Standarization Body BSI Standards http://www.bsiglobal.com/News/Information/British+Standards.xalter CVMP Testing Laboratory BT http://www.bkpsecurity.com Testing Laboratory BT http://www.bt.com/consulting Certification Body CESG http://www.cesg.gov.uk http://www.cesg.gov.uk/indexNS.cfm Testing Laboratory CMG http://www.logicacmg.com Government Procurement DfT http://www.dft.gov.uk Procurement Portal DfT http://dft.g2b.info Study on Promotion Strategy of Conformity Assessment System of Information Security February 28th, 2006 (Final) Table 65: TOPIC ORGANIZATION LINK Government Body DTI http://www.dti.gov.uk Government Initiative DTI http://www.dti.gov.uk/strd/nssf.html http://www.dti.gov.uk/innovation-group/pressrel271102.htm Testing Laboratory EDS Ltd http://www.eds.com Banking Association FOA http://www.foa.co.uk Financial Services Authority FSA http://www.fsa.gov.uk Testing Laboratory IBM Global Services http://www.ibm.com Banking Association ICMA http://www.icma-group.org Smartcard Organization ITSO http://www.itso.org.uk CVMP Testing Laboratory Logica IT Security Laboratory http://www.logicacmg.com Testing Laboratory Logica UK Ltd http://www.logicacmg.com Government body NISCC http://www.uniras.gov.uk/niscc/index-en.html Standarization Body NSSF http://www.nssf.info http://www.nssf.info/index.xalter Regulatory Authority OFCOM http://www.ofcom.org.uk Regulatory Authority OFGEM http://www.ofgem.gov.uk Government Procurement OGC http://www.ogcbuyinsolutions.gov.uk Regulatory Authority POSTCOMM http://www.postcomm.gov.uk Regulatory Authority RADIOCOM http://www.open.gov.uk/radiocom Testing 
Laboratory SiVenture http://www.siventure.co.uk Standards and Technical Regulations STRD of DTI http://www.dti.gov.uk/strd/certify.html Supervision Body tScheme Limited http://www.tscheme.org Certification Body UKITSEC http://www.itsec.gov.uk CERT Body UNIRAS http://www.uniras.gov.uk/niscc/index_en.html Contact Information about Organizations in the United Kingdom ORGANIZATION PHONE FAX ADDRESS / E-MAIL Admiral Management Services Ltd CLEF +44 1276 68 6678 +44 1276 69 1028 Kings Court 91-93 High Street, Camberley Surrey GU15 3RN, UK / worsw_r@admiral.co.uk APCIMS Association of Private Client Investment Managers and Stockbrokers +44 20 7247 7080 +44 20 7377 0939 114 Middlesex Street, London E1 7JH, UK BBA British Bankers’ Association BSI British Standards February 28th, 2006 (Final) inners Hall, 105-108 Old Broad Street, London EC2N 1EX, UK +44 181 996 +44 181 389 Chiswick High Road, GB London W4 4Al, UK Study on Promotion Strategy of Conformity Assessment System of Information Security 237 ORGANIZATION PHONE FAX Institution 9000 996 7400 BT Cryptographic Module Testing Laboratory NVLAP (CMVP) +44 1252 778 845 +44 1252 811 635 Sentinel House, Harvest Crescent Ancells Park Fleet, Hamshire GU51 2UZ, United Kingdom CESG Communications Electronics Security Group +44 1242 221491 ext 39365 +44 1242 221491 ext 39365 Hubble Road, Cheltenham Gloucestershire GL51 OEX, UK iacs@cesg.gsi.gov.uk (Fast Track Assessment) CESGweb@cesg.gsi.gov.uk (Portal) caps@cesg.gsi.gov.uk (CAPS) policy@cesg.gsi.gov.uk (Policy) CESG UKITSEC Body +44 1242 238 739 +44 1242 235 233 Priors Road, Cheltenham Gloucestershire GL52 5AJ, UK / iacs@cesg.gsi.gov.uk CMG CLEF (CC) +44 1276 68 6678 +44 1276 69 1028 Kings Court 91-93 High Street, Camberley Surrey GU15 3RN, UK /Ralph.worsw@cmgpic.uk +44 207 944 9643 Great Minster House 76 Marsham Street, 76 Marsham Street, London SW1P 4DR Department for Transport DfT Department of Trade and Industry DTI +44 171 215 1962 +44 171 931 7194 Response Centre 1 Victoria 
Street, London SW1H 0ET, UK / dti.enquiries@dti.gsi.gov.uk EDS Ltd CLEF +44 1908 284 324 +44 1908 284 393 Wavendon Tower, Wavendon Milton Keynes, Bucks MK17 8LX, UK Trevor.hutton@edl.uk.eds.com EDS Ltd CLEF (CC) +44 1908 284 324 +44 1908 284 393 Wavendon Tower, Wavendon Milton Keynes, Bucks MK17 8LX, UK /richard.selby@.eds.com FAO Futures and Options Association +44 20 7929 0081 +44 20 7621 0223 36-38 Botolph Lane, London EC3R 8DE, UK FSA Financial Services Authority +44 20 7066 1000 +44 20 7066 1099 25 The North Colonnade, Canary Wharf, London E14 5HS, UK consumerhelp@fsa.gov.uk IBM Global Services CLEF +44 1252 558 081 +44 1252 558 001 Meudon House, Meudon Avenue, Farnborough Hants GU14 7NBB, UK /bob_finlay@uk.ibm.com IBM Global Services CLEF (CC) +44 1252 558 472 +44 1252 558 001 Meudon House, Meudon Avenue, Farnborough, Hants GU14 7NBB, UK / clef@uk.ibm.com Rigistrasse 60, 8033 Zurich, Switzerland ICMA International Capital Market Association 238 ADDRESS / E-MAIL Logica IT Security Laboratory NVLAP (CMVP) +44 1372 369 831 +44 1372 369 834 Chaucer House, The Office Park Springfield Drive, Leatherhead Surrey, UK KT22 7LP, United Kingdom Logica UK Ltd CLEF +44 1932 869 118 +44 1932 869 119 Cobham Park Downside Road Cobham Surrey KT11 3LG, UK / smithn@logica.com Logica UK Ltd CLEF (CC) +44 1372 369 831 +44 1372 369 834 Chaucer House, The Office Park, Springfield Drive, Leatherhead Surrey KT22 7LP, UK MilfordS@logica.com OGC Buying Solutions +44 870 268 2222 +44 151 227 3315 Royal Liver Building, Pier Head, Liverpool L3 1PE, United Kingdom / custcare@ogcbs.gsi.gov.uk STRD Standards & +44 208 996 Study on Promotion Strategy of Conformity Assessment System of Information Security NSSF Programme Manager, NSSF British February 28th, 2006 (Final) Table 66: ORGANIZATION PHONE Technical Regulations Directorate Department of Trade and Industry 7370 FAX ADDRESS / E-MAIL Syntegra CLEF +44 1252 777 000 +44 1252 777 111 Guidon House Harvest Crescent Ancells Park, Fleet Hants 
GU13 8UZ, UK / clef@syntegra.com Syntegra CLEF (CC) +44 1252 778 837 +44 1252 811 635 Guidion House, Harvest Crescent Ancells Park, Fleet Hants GU13 8UZ, UK /clef@syntegra.com tScheme Limited +44 8702 417 497 +44 8700 056 311 2nd Floor, Russell Square House, 10-12 Russell Square, London, WC1B 5EE, UK info@tScheme.org Standards House, 389 Chiswick High Road, London W4 4AL, UK / contactus@nssf.info USA Links TOPIC ORGANIZATION LINK Accreditation Board ANAB http://www.anab.org Accreditation and Standardization Body ANSI http://www.ansi.org CCTL Testing Laboratory Arca http://www.savvis.net/corp/Products+Services/S ecurity/ARCA+CCTL.htm CCTL Testing Laboratory CVMP Testing Laboratory Atlan Laboratories http://www.atlanlabs.com CCTL Testing Laboratory atsec information security http://www.atsec.com/01/index.php CVMP Testing Laboratory BKP Security Labs http://www.bkpsecurity.com CVMP Testing Laboratory CEAL http://www.cygnacom.com/labs/ceal.htm CCTL Testing Laboratory CVMP Testing Laboratory COACT Inc. CAFÉ Laboratory http://www.coact.com CCTL Testing Laboratory Computer Sciences Corporation http://www.csc.com/solutions/security/offering s/1093.shtml CCTL Testing Laboratory Criterian Independent Labs http://www.criterianlabs.org CCTL Testing Laboratory CygnaCom http://www.cygnacom.com Government Agency FCC http://www.fcc.gov.aboutus.html CCTL Testing Laboratory CVMP Testing Laboratory InfoGard Laboratories, Inc http://www.infogard.com Accreditation Body NACLA http://www.nacla.net Certification Body NIAP http://www.niap.nist.gov CMVP NIST http://www.nist.gov/cmvp February 28th, 2006 (Final) Study on Promotion Strategy of Conformity Assessment System of Information Security 239 Table 67: 240 TOPIC ORGANIZATION LINK CVMP Val. Module List NIST http://csrc.nist.gov/cryptval/1401/1401vend.htm FIPS 140-1 Impl. Guidance NIST http://csrc.nist.gov/cryptval/1401/FIPS1401IG.pdf FIPS 140-2 Impl. 
Guidance NIST http://csrc.nist.gov/cryptval/1401/FIPS1402IG.pdf NVCASE Handbook NIST http://ts.nist.gov/ts/htdocs/210/gsig/ir6440.pdf NVCASE Program NIST http://ts.nist.gov/htdocs/210/gsig/nvcase.htm NVLAP Accreditation Body NIST http://ts.nist.gov/ts/htdocs/210/214/214.htm Standards and Regulations NIST http://www.nist.gov Certification Authority NSA http://www.nsa.gov CCTL Testing Laboratory SAIC http://www.saic.com Contact Information about US Organizations ORGANIZATION PHONE FAX ADDRESS / E-MAIL ANAB American National Accreditation Board +1 414347 9858 +1 414 765 8661 PO Box 586, Milwaukee, Wisconsin 53201-0586, USA / rking@anab.org ANSI American National Standards Institute xxx Arca Common Criteria Testing Laboratory 703-6676074 877-2434713 45901 Nokes Boulevard, Sterling, VA 20166, USA arca-cctl@savvis.net Atlan Laboratories 703 748 4551 (ext. 205) 703 748 4552 6849 Old Dominion Drive, Suite 360, Mc Lean, VA 22102, USA atsec information security 512 615 7300 512 615 7301 9130 Jollyville Road, Suite 260, Austin, Texas 78759, USA / niap@atsec.com BKP Security Labs 888 347 7140 408 492 1419 3080 Olcott Way, Suite 110-A, Santa Clara, CA 95054, USA Booz Allen Hamilton Common Criteria Testing Laboratory 410 684 6692 410 684 6475 900 Elkridge Landing Road, Suite 100, Linthicum, MD 21090, USA / rome_steven@bah.com CEAL: a CygnaCom Solutions Laboratory 703 270 3518 703 848 0985 7925 Jones Branch Drive, Suite 5200, Mc Lean, VA 22102-3321 COACT Inc. 
CAFÉ Laboratory 301 498 0150 301 498 0855 9140 Guilford Road, Suite L, Columbia, MD 21046, USA / teb@coact.com Computer Sciences Corporation 240 456 6019 301 470 2083 2711 Technology Drive, Annapolis Junction, MD 20701, USA / cnightin@csc.com Criterian Independent Labs 304 368 4516 304 363 4340 1000 Technology Drive, Suite 5000, Fairmont, WV 26554, USA / snider@criterianlabs.org CygnaCom Solutions’ Security Evaluation Laboratory 858 509 0180 703 270 3563 7925 Jones Branch Drive, Suite 5200, McLean, VA 22102-3321, USA / krogers@cygnacom.com Study on Promotion Strategy of Conformity Assessment System of Information Security February 28th, 2006 (Final) ORGANIZATION PHONE FAX ADDRESS / E-MAIL InfoGard Laboratories, Inc 805 783 0810 805 783 0889 641 Higuera St., Second Floor, San Luis Obispo, CA 93401, USA / swilson@infogard.com Lockheed Martin IS&S SSO 410 796 7854 410 796 7886 7170 Standard Drive, Hanover, MD 21076-1322, USA / carl.e.odom@lmco.com NACLA National Cooperation for Laboratory Accreditation 407-3333327 407-3333309 103 Commerce St. Suite 160, Lake Mary, FL 32746,USA / naclaexec@comcast.net NIST National Institute of Standards and Technology 301 975 6478 301 975 8295 100 Bureau Drive, Stop 1070, Gaithersburg, MD 20899-1070, USA / inquiries@nist.gov SAIC Common Criteria Testing Laboratory 410 953 6819 410 953 7001 7125 Columbia Gateway Drive, Suite 300, Columbia, MD 21046, USA / robert.l.williamson.jr@saic.com February 28th, 2006 (Final) Study on Promotion Strategy of Conformity Assessment System of Information Security 241