NIAP Director’s Corner: a look back on 2013
With the New Year soon upon us, this is a good time to look back on what has been accomplished in 2013 with the generous and valuable help of many of you who follow this column.
In our national role supporting U.S. customers throughout 2013, NIAP focused on developing protection profiles and implementing PP-based testing through Common Criteria. Results already demonstrate this is the right path to give end users more clarity in acquisition decisions, a better balance of security and features, and more rapid access to existing and emerging commercial IT products.
In a major step at mid-year, through CNSSP #11, the U.S. government officially established priority for commercial products evaluated according to NIAP requirements including Common Criteria. This revised policy applies to future acquisitions by the Department of Defense and other U.S. National Security Systems users. Supporting the policy, CNSSP #11 directs NIAP to develop, review and maintain protection profiles in “an open, public process in collaboration with industry, laboratories, academia, consortia, and standards groups to ensure maximum acceptance and usability,” whenever possible. This is a direct reference to technical communities with participants from the U.S. and other nations in the Common Criteria Recognition Arrangement (CCRA).
A good example of this policy in action was the multinational development and publication in October of two new protection profiles for mobility technologies along with two revised PPs. In all, NIAP, with our multinational CCRA partners, has published 17 PPs to date and is working on several more to address the needs of customers.
NIAP also developed new policies and processes to ensure consistency among labs when evaluating against protection profiles. These include a new Check-In/Check-Out (CICO) process that provides for discussion among all parties at the beginning of the evaluation process, meetings as needed throughout the course of the evaluation, and discussion following the completion of evaluation activities. Taking the place of the Validation Oversight Reviews (VORs), the CICO process will ensure the technical quality and consistency of evaluation submissions, confirm that testing labs follow scheme oversight policies, and verify that all required tasks, including analysis, testing and auditing, are accomplished.
As yet another means to promote efficiency in evaluations, NIAP has implemented Technical Rapid Response Teams. These teams are charged with responding to technical questions regarding evaluations within 48 hours. Additionally, an Evaluation Consistency Review Board has been established to help ensure that protection profiles are clear and objective and that evaluations are conducted consistently.
All of these initiatives are meant to make evaluations more efficient and effective – and to avoid unwelcome surprises and setbacks in the evaluation process. Our objectives are to be transparent in how NIAP operates, efficient in our own processes, and confident that evaluated products satisfy customer requirements.
Applying the same spirit in our international role, NIAP is committed to ensuring CCRA partners and international labs understand protection profiles approved by NIAP and how to apply them consistently during evaluations. We continue to value inputs and assistance from partners and labs on our processes, procedures and policies. We are committed to collaborative participation in international technical communities so that all needs are taken into account in developing and updating protection profiles.
We had great discussions on these and other topics during September’s 14th annual International Common Criteria Conference, which NIAP was honored to co-host with the Common Criteria Management Committee in Orlando. We made important progress in several areas: The Management Committee agreed in principle to a revised CCRA with collaborative protection profile-centered evaluation methodology. India received approval to become a certificate-producing nation, increasing the number of certificate authorizing members to 17 out of 26 CCRA nations. And the Common Criteria Users Forum (CCUF) emerged as a more prominent contributor than ever – making progress on marketing, end-user outreach, technical working groups, and other initiatives.
To our international partners in the CCRA, the entire NIAP team joins me in thanking you for this collaboration in Orlando and your continuing cooperation as we make Common Criteria better for end users, industry and government overseers. To the hundreds of industry, lab, government and customer representatives who have worked closely with NIAP and contributed to technical communities and international technical communities, we thank you too for the time and expertise that you invest in making Common Criteria testing better, faster and more affordable.
This is a bittersweet time for me because, as some of you may have heard, I depart NIAP in mid-January for a new assignment in NSA’s congressional liaison office, representing the Information Assurance Directorate. It’s a role that will give me the chance to communicate the benefits of Common Criteria evaluations and the value of international collaboration through the CCRA. So while I am sorry to leave, be assured that I will continue to follow NIAP and the CCRA community with interest and pride. The opportunity to work with international partners, the CCUF, other members of industry, and the customers that we support through Common Criteria has been a source of great pleasure as well as professional satisfaction.
NIAP deputy director Janine Pedersen will serve as director, so please feel free to contact Janine at firstname.lastname@example.org.
Best wishes to all for the holidays and I trust our paths will cross again!
NIAP Director’s Corner on Mobility Protection Profiles
The completion of two entirely new protection profiles for Mobility, along with two revised PPs to better align with the mobility space, represents a major milestone in NIAP’s Common Criteria program. Mobility is a high priority technology area to most end users throughout government, the military and beyond. These new and revised protection profiles will enable rapid access to improved and emerging mobility technologies with a better balance of security and features. For industry, these protection profiles mean more predictability, greater speed, less cost, and a wider U.S. and international market for their products. Details of all four protection profiles can be found on the NIAP website.
Of special note is the development of the new Protection Profile for Mobile Devices Version 1.0, developed by the multinational Mobility Technical Community with more than 100 representatives from industry, U.S. government agencies and four other participating nations from the Common Criteria Recognition Arrangement. This Technical Community is a terrific example of the cross-sector and multinational collaboration at the heart of the reformed Common Criteria approach. Such international communities are envisioned to develop, maintain and update protection profiles.
Special recognition is deserved by the Australasian Information Security Evaluation Program, Canadian Common Criteria Evaluation and Certification Scheme, and UK IT Security Evaluation and Certification Scheme. We also thank each and every one of the companies who participated in the Technical Community, including major contributions from Apple, BlackBerry, Microsoft, Motorola and Samsung – along with Aruba Networks, Cellcrypt, Citrix, EWA-Canada, Gossamer Security Solutions, Mobile Active Defense, SteelCloud and Trustonic. Credit also goes to hard-working staff members of the Department of Defense Chief Information Officer (DoD/CIO), Defense Information Systems Agency (DISA), NSA’s Information Assurance Directorate (IAD), and our partners at NIST.
Thanks to these combined efforts, we now have a Mobile Device protection profile suite that specifies information assurance requirements for mobile devices for use in an enterprise. This covers the smartphones, tablet computers and other mobile devices with similar capabilities that have become commonplace tools of doing business. The assurance standard in the new protection profile includes essential features such as cryptographic services, data-at-rest protection, key storage services, application mandatory access control, anti-exploitation features, user authentication and software integrity protection. These and other security services serve as a foundation for secure mobile architecture along with third-party or bundled components for data-in-transit protection and security management policy.
Next, the Mobility Technical Community will be developing the Web and Email Client protection profiles to complement the Mobility suite for those applications.
We are excited about this progress to benefit the end users of these technologies. We also believe that the success of the Mobility Technical Community can serve as a positive example of international participation in developing, maintaining and updating collaborative protection profiles. It’s a good step that supports the vision encompassed in the revised Common Criteria Recognition Arrangement agreed to in principle by the Common Criteria Management Committee in September and now subject to national reviews and ratification.
In concert with the other 25 nations that are members of the CCRA and with the help from all sectors, from end users to suppliers, we are leaning forward to prioritize additional areas of technology for collaborative protection profiles, form the necessary international Technical Communities, and develop new or revised collaborative protection profiles to close the gaps between customer needs, industry capabilities and security requirements. Please contact us with your recommendations and questions!
14th ICCC 2013 Highlights – Thanks to all for a great Conference!
The 14th annual International Common Criteria Conference (ICCC) concluded September 12th in Orlando and yielded a number of significant developments for the Common Criteria community: The Management Committee agreed in principle to a revised Common Criteria Recognition Arrangement (CCRA) with collaborative protection profile-centered evaluation methodology to reach reasonable, comparable, reproducible, and cost-effective evaluation results. India received approval to become a certificate-producing nation, increasing the number of certificate authorizing members to 17 out of 26 CCRA nations. And the Common Criteria Users Forum (CCUF) emerged as a more prominent contributor than ever – making progress on marketing, end-user outreach, technical working groups, and other initiatives.
On the opening morning of the conference, Dag Stroman of Sweden, CC Management Committee Chairman, announced the revised CCRA as agreed to in principle. He noted it is consistent with the Vision Statement approved by the Management Committee in its annual meeting in September 2012, prior to last year’s ICCC. In the year since then, he said, eight nations served as editors and 10 to 14 nations participated in the bi-monthly virtual meetings where the new text was established. Stroman shared excerpts from the revised arrangement as agreed in principle by the Management Committee, including the characteristics of international technical communities that will develop collaborative protection profiles. Stroman explained that the arrangement now requires legal review in each of the 26 CCRA nations, which he estimated could require six to 12 months before ratification is completed. He said there would be a transition period once the arrangement is ratified.
Commenting on the entire process in his subsequent report on the Common Criteria Development Board, Chairman David Martin of the U.K. said, "We are well underway on the journey."
The approval for India to produce Common Criteria certificates means that the nation’s Standardization Testing and Quality Certification (STQC) Directorate of India’s Department of Electronics and Information Technology will assume the role of a certification body working with private-sector testing labs. This is an important achievement for the Common Criteria program, especially considering India’s stature as an information technology leader and the world’s third largest national economy.
Nearly everyone at the conference spoke positively about the Common Criteria Users Forum and the opportunity to harness industry’s expertise and energy to meet shared goals of the CC community. CCUF Chair Alicia Squires spoke to conference attendees about the group’s recent accomplishments and vision for the future. Since forming officially in 2012, the organization has increased its web presence and online collaboration, liaised with CC leadership and formed a number of working groups to help solve the various challenges the CC community faces. Some of the goals Squires articulated for the CCUF include increasing the involvement of end users and other active participants in the Users Forum and igniting the interest of more scheme leaders to leverage the talent within the CCUF.
In addition to the progress from the schemes, the conference bore witness to a wide spectrum of discussions ranging from the philosophy of security in the digital age to the nuts and bolts of testing processes. Keynote speakers and presenters spoke about the move toward collaborative protection profiles, the success and growing importance of the Users Forum and how to market CC to a broader community.
In the first keynote address, Information Assurance Director Debora Plunkett opened the conference with a U.S. perspective on the importance of the Common Criteria Recognition Arrangement. The new regime, she said, needs to be achievable, repeatable and testable. That will pave the way for vendors to evaluate once and then sell globally. "Any reform of this magnitude has its bumps and its detours along the way, and we truly are learning as we go," Plunkett said, acknowledging that some challenges have come up. "None of the issues indicate technical deficiencies with the way forward."
Anne Neuberger, Director of the NSA/CSS Commercial Solution Center, gave the closing keynote address, also emphasizing the importance of the shift toward protection profiles. Our charge, Neuberger said, is to have "objective, reusable protection profiles, produced in collaboration between multiple countries and used as the basis for evaluations internationally." When end users demand CC certified products, we will have succeeded, Neuberger said.
Throughout the conference, industry, lab, consulting, academic and government representatives discussed how to better market CC and thereby increase the number of end users. Out of a panel discussion on the topic, a rough consensus emerged: The CC community needs to identify its core value proposition, develop messaging around it, and spread the word. To that end, the panel generated some actionable ideas, including having private companies tap the expertise of their marketing departments, identifying ways to get end users of IT products more involved, communicating actively through trade shows, conferences and other events, and improving the content on existing CC-related websites.
Thank you to everyone who attended and helped to make the 14th annual ICCC such a great success. As co-host of this year’s ICCC, the NIAP/CCEVS team is particularly pleased with the great collaboration, lively discussions, and important outcomes of the conference. More information plus photos and video segments will be posted on this website, the Common Criteria portal, and the ICCC 2013 website in the weeks to follow. Meanwhile many of the ICCC 2013 presentations and a daily news digest already can be accessed on the conference website.
NIAP Director’s Corner on ICCC 2013
A unique opportunity is approaching this month as the International Common Criteria Conference returns to the United States for the first time in 12 years. NIAP is pleased to be working with the Common Criteria Management Committee to co-host the 2013 conference September 10-12 at the Caribe Royale All-Suite Hotel & Convention Center in Orlando, Florida. Since the inaugural ICCC in Baltimore, Maryland in 2000, the conference has been hosted by CCRA partners in the United Kingdom, Canada, Sweden, Germany, Japan, Spain, Italy, Republic of Korea, Norway, Turkey, Malaysia and France.
We expect to have over 250 participants from more than 26 nations representing government, business and academic sectors at this 14th annual ICCC. The theme, "Reforming the Use of Common Criteria: A Collaborative Approach," focuses on the international Management Committee’s September 2012 Vision Statement to raise the general security level of COTS certified products by migrating to protection profile-based testing. A lively, open and informative discussion is expected and encouraged.
From the full agenda, here are some highlights of the sessions scheduled:
- Keynote presentations by NSA Information Assurance Director Debora Plunkett, Common Criteria User Forum Chair Alicia Squires, and NSA/CSS Commercial Solutions Center Director Anne Neuberger.
- A general session moderated by CCDB Chair David Martin of the U.K.’s CESG with international industry panelists discussing their differing approaches to collaboration in a number of standards bodies involved with Common Criteria including IEEE, ISO, JTEMS, JHAS and others.
- Another general session led by Michele Mullen of Canada’s CSEC on "Widening the Use of Common Criteria for End Users Worldwide," with panelists from Microsoft, Cisco and other suppliers.
- Three alternative tracks on Reforming the Use of Common Criteria, Technology, and Collaboration with a multitude of topics including national scheme updates; Technical Community perspectives; securing smart grids, Internet banking, mobile devices and other technologies; and how to create slim and comprehensive protection profiles.
On the second night, we also will have an awards ceremony and dinner for schemes to present certificates to vendors and testing labs.
For any free moments, the location adds further appeal to this month’s conference: The Caribe Royale’s accommodations are all one-bedroom suites and the amenities include a spa, fitness center, tennis and basketball courts, expansive swimming pool, whirlpools, poolside bar and restaurant. Less than 18 miles from Orlando International Airport, it is centrally located to world-famous Orlando tourist attractions, golf courses and parks.
If you are not already planning to attend, please consider joining us for this important annual gathering of the international Common Criteria community. Discounted pre-registration is available until Sept. 5, then onsite registration will be available Sept. 10-12. This is a great opportunity to share perspectives and work out the details of evolving the Common Criteria for the benefit of our governments, the IT industry, and customers who want access to the latest technologies – with the required degree of security and with minimum delay and added costs.
We look forward to seeing you in Orlando!
NIAP Director’s Corner
NIAP is pleased to announce approval of an updated U.S. government policy that officially establishes the priority for commercial off-the-shelf (COTS) products that are evaluated according to NIAP requirements including Common Criteria. This pertains to future acquisitions by all U.S. government users of National Security Systems. This new policy will give users more rapid and affordable access to the newest commercial technologies from participating members of industry. This also is a significant milestone in NIAP’s transition to the September 2012 Vision Statement of the international Management Committee of the Common Criteria Recognition Arrangement (CCRA).
The new policy, the U.S. Committee on National Security Systems Policy (CNSSP) No. 11, titled “National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products,” replaces the National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11, last updated in 2003. The new policy aligns U.S. National Security System acquisitions with international Mutual Recognition through United States participation in the Common Criteria Recognition Arrangement (CCRA). NIAP is operating, and will continue to operate, in accordance with the current and soon-to-be-revised CCRA.
CNSSP 11 establishes a preference for acquisition of COTS products in layered, defense-in-depth solutions when such solutions “are available and satisfy an organization’s requirements.” The policy states that government-originated or co-designed (GOTS) products “shall only be acquired or developed when an existing COTS IA and IA-enabled IT product solution is not available or is unable to satisfy an organization’s requirements.” GOTS products typically require much more time and expense to deploy than do commercially available technologies.
While the new policy does not demand the use of Common Criteria evaluated products per se, it reflects NIAP’s strong support of the CCRA Vision Statement. CNSSP 11 directs NIAP to develop, review and maintain Protection Profiles in “an open, public process in collaboration with industry, laboratories, academia, consortia, and standards groups to ensure maximum acceptance and usability,” whenever possible.
It is envisioned that these Protection Profiles will be developed by collaborative Technical Communities using the Common Criteria, both within NIAP (NIAP-led Technical Communities) and as part of the CCRA (international Technical Communities, or iTCs). Technical Communities have already proven successful in the areas of mobility, network devices, encrypted storage, VPNs, Wireless LAN, and other technologies, and the implementation of iTCs is currently being refined within the CCRA. The new policy also requires NIAP to “leverage industry standards to the maximum extent possible.”
CNSSP 11 is effective immediately, with no specified transition period. However, NIAP recognizes there needs to be a transition period while EAL-based evaluations complete and until all products on the Validated Products List are archived. Therefore, products included on the NIAP Validated Products List, the NIAP Product Compliant List, and the Common Criteria portal are all suitable for National Security System acquisition under the new policy. More details on CNSSP 11 will be forthcoming for the benefit of users, industry, and CCRA partners. I will be presenting on the policy’s implications and support of Common Criteria on the first day of the upcoming International Common Criteria Conference (ICCC) 2013 in Orlando, offering a great opportunity for discussion. Please do plan to join us for this important event!
NIAP Director’s Corner
The semi-annual Common Criteria Recognition Arrangement (CCRA) meetings were just held in Ottawa, Canada, in conjunction with the Common Criteria Users Forum (CCUF). We appreciate and thank our Canadian colleagues for a job well done in hosting this event.
Meetings with the CCUF proved especially productive. Major topics of discussion included updates from the Mobility, USB, and Multi-Function Printer Technical Communities, the evolution of technical communities, international Protection Profile (PP) developments, and the status of the various ongoing working groups. Vendors expressed their appreciation at being included earlier in the technical community PP development process.
The number of product evaluations against NIAP approved Protection Profiles continues to grow as the vendor community embraces the new generation PPs. The following vendors currently have evaluations against NIAP approved PPs in CCEVS Labs:
- Brocade Communications Systems
- CA Technologies
- Cisco Systems
- Fortress Technologies
- Haivision Network Video
- Jericho Systems
- Layer 7
NIAP continues to engage with CCRA Schemes and the vendor community to promote commercial product evaluations against NIAP approved PPs to ensure they meet user requirements and essential security functionality. Watch this space for more news on our combined collaborative progress.
NIAP Director’s Corner
It gives me great pleasure to announce that the first product to comply with the NIAP approved Network Device Protection Profile (NDPP) has been evaluated and validated by our Communications Security Establishment Canada (CSEC) colleagues: McAfee® Email Gateway (MEG) software v7.0.1, running on appliance models 4000-B, 4500-B, 5000 (B, C and C-2U), 5500 (B and C) and the Content Security Blade Server. You may find the product listed on the CCRA Portal under the Boundary Protection Devices and Systems section.
This product complies with NSTISSP 11 and therefore is available for U.S. acquisition to protect National Security Systems.
As we evolve NIAP’s Product Compliant List website, this product and others compliant with NIAP approved Protection Profiles will be visible there. However, that area is still under construction. Therefore, we wanted to make this announcement to ensure that the Committee on National Security Systems (CNSS) is aware of Canada’s success and of the ability to acquire this product within the US!
This is only the beginning.
The US has 26 products under evaluation against NIAP approved Protection Profiles. In addition to US efforts, we are teaming with Australia/New Zealand, Canada, Germany and the United Kingdom in collaborative Protection Profile evaluations. We welcome all CCRA Certificate Producer nations who wish to review, validate and use a NIAP approved Protection Profile, collaborate on a product evaluation or join a NIAP Technical Community to help develop a Protection Profile. Please review our Protection Profile tab for the latest information on NIAP approved PPs and PPs under development.
This is a new feature for NIAP’s Web Portal. The intent of the Director’s Corner is to provide a monthly blog on what’s happening within NIAP. We encourage your feedback and ideas if there is a topic of interest you would like discussed. Please send your note to the email below and ensure "Director’s Corner" is in the subject line.