MG-6 Expediting Secure Mobile Technologies

Common Criteria
National Information Assurance
Partnership
Evaluation of Mobile Technology
Janine Pedersen
Common Criteria Background
History
• Developed more than 12 years ago
• Unified earlier schemes (ITSEC for UK, Orange Book for US)
• Commercial basis (recognized that govt could no longer fund evaluation)
Truly International
• 26 Nations in the recognition arrangement (major western nations plus India, Japan, Korea, etc.)
• More than 50 Evaluation Laboratories
• China and Russia are possible future members, as is Brazil
Common Criteria Recognition Arrangement (CCRA)
26 Member Nations
Mutual Recognition
Certificate
Producers
Australia
Netherlands
Canada
France
Germany
India
New Zealand
Norway
Spain
Sweden
Czech Republic
Denmark
Finland
Italy
Japan
South Korea
Turkey
Malaysia
UK
US
Certificate
Consumers
Austria
Singapore
Greece
Hungary
Israel
Pakistan
Common Criteria
• Much more detail on www.commoncriteriaportal.org
• A worldwide standard - also ISO 15408
• Recognition Arrangement (CCRA) is very important
Minimizes need for re-evaluations
• This is a primary aim of CCRA
21st Century Approach
Last Century
• CC was developed when products took a long time to develop
• Remaining static in use
• Threats were also less dynamic
Now
• Threats evolving all the time
• Products constantly updated
• Architectures also adapt rapidly
• Decision makers need detailed information
Common Criteria Recognition Arrangement
• Ensure evaluations are performed to consistent standards
• Increase availability of evaluated ICT products
• Evaluate once - sell to many
• Improve the efficiency and cost-effectiveness of evaluation, certification and validation process for ICT products
Cyber Defense Needs
• Architectural Approach
• Agility
• More information
• Many more products covered
• More realism
• More comparability
What is Happening in CCRA?
• Protection Profile-based evaluations (cPPs): detailed requirements specifications
• Produced by an International Technical Community
• Kept up to date by that community
• Provides a robust foundation
• Outside of cPPs - recognition limited to EAL2 activities
Why is this Happening in CCRA?
• Evaluations took too long, and were too costly, with inconsistent Return on Investment
• Unrealistic on a technical level (Firewalls - OS)
• Unrealistic expectations on Evaluators (developers at leading edge, not evaluators)
• Not using power of community and peer input/review
• Little connection to system integrator, procurement needs
What is the Process?
Governments set high level requirements
• Through 'Essential Security Requirements'
Industry (and others) perform the work
• With consultation and review - using plain language
Governments steer the work
• Using 'Position Statements' and 'Endorsement Statements'
Kept up to date
• Technical communities continue to develop the technology standards
Providing the Recognition Vehicle
• Some of the technical communities setting the standards will already exist (e.g. 3GPP, ETSI, TCG, Open Group, etc.)
• Different approaches to interaction/oversight
• Working on a lightweight oversight approach
Industry Linkage
Common Criteria User Forum
• Significant role
• Significant growth (~ 500 members, > 26 countries)
• Incubator for technical communities
Recent NATO CC-CAT Workshop
• Strong support for the change
• Keep up the pace
• Provide more information
• Maintain the Industry involvement
NIAP
Partnership to evaluate commercial IT products for use in National Security Systems
NIAP Mission
Evaluate COTS IT products for use in National Security Systems (NSS) and develop requirements specifications
US representative within the international Common Criteria Recognition Arrangement (CCRA)
NIAP Goals
• Ensure Commercial ICT products represent best practice level of security
• Raise the security bar toward a goal of “secure-by-default”
• Independent 3rd party assessment of a product against a specified set of baseline security requirements, using defined, objective tests
Stakeholder Engagement
• Industry (Commercial IT vendors, Common Criteria Test Labs)
• DoD & Federal Government Groups & Reps - Committee on National Security Systems (CNSS)
• IC Community Stakeholders
• International Stakeholders (NATO)
• International - Common Criteria Recognition Arrangement (26 member nations)
NIAP
• Protection Profiles (PP)
Define the totality of product security functions to be tested and how they will be tested
• Technical Communities (TC)
Collaborative group from industry, government (US and foreign), and academia working to develop Protection Profiles for a specified technology.
Protection Profiles
• Technology Specific
• Objective Test Criteria
• Requirements Address Documented Threats
• Achievable, Repeatable, and Testable
Common Criteria Evolution
• Technology focused Protection Profiles
• Emphasis on Security Functional Requirements (SFR) with specified Assurance Activities
• Establishing Technical Communities with international partners & industry representatives (vendors & labs) to develop the next generation of technology focused PPs
Focus
• For National Security System Procurement, COTS IA Products Must be Evaluated per NIAP processes
– U.S. National Policy, CNSSP#11
• NIAP evaluates COTS IA Products against requirements in NIAP approved Protection Profiles
Progress
• Currently 9 Technical Communities
• Published 12 technology based PPs
• Ongoing international evaluations against NIAP approved PPs (Various Nations)
• Evaluations complete in 3-6 months
Protection Profile Technology Types
– Mobile Devices (smartphones, tablets, etc.)
– Mobile Device Management
– Network Devices
– VPN
– Application
– Encrypted Storage
– Wireless Local Area Network (LAN)
Technical Communities
• Mobility
• Redaction
• CA (Certificate Authority)
• Apps on OS
• Data at rest
• Network Device (ND)
• Intrusion Prevention Systems (IPS)
• Peripheral Sharing Switch (PSS)
• Trusted Platform Management
Stakeholder Participation
• Increase Industry participation in Technical Communities
• Continue developing consistent set of technology-focused security requirements with associated assurance activities
• Continue work on collaborative PP development through International Technical Communities
• Partner with Industry to improve Time to Market
Vendors Working with NIAP
• Wireless LAN
– Aruba
– Motorola
– General Dynamics
– Fortress Technologies
– Cisco
• Network Devices
– Dell
– Juniper
– Cisco
– Microsoft
– SafeNet
– Checkpoint
– Symantec
• MDM and MDF
– Samsung
– Air-Watch
– Fixmo
– RIM/Blackberry
– Mocana
– Motorola
– Mobile Iron
NIAP High Priority Technology Areas
• Mobility
• Network Devices
• Operating Systems
• Wireless Local Area Networks (WLAN)
• Virtualization
US Governing Policies
• (U) National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems”
• (U) CNSSP 11, “National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products” as follows:
• (U) CNSS Directive 502, “National Directive on Security of National Security Systems”
• Department of Defense Directives
– DoDD 5100.2, “National Security Agency/Central Security Service (NSA/CSS)”
– DoDD 8500.01E, “Information Assurance (IA)”
– DoDI 8500.02, “Information Assurance (IA) Implementation”
Contact Information
• NIAP website:
– http://www.niap-ccevs.org/
• Contact info:
– Email: scheme-comments@niap-ccevs.org
• Telephone:
– 410.854.4458