Monday, November 12, 2012

The Price to Pay

The demand for the product evaluations in most cases originates from government requirements. Because the Common Criteria Recognition Arrangement (CCRA) certificates are recognized not only by one nation, but also more or less worldwide, the cost for evaluation (including the cost for the evaluator, developer, and certifier) can be shared by the larger market.

For any evaluation that is not performed under the CCRA, the customer requiring the certification will have to carry the whole certification cost, regardless if it's a COTS or GOTS product.

Currently the international CCRA covers claims of compliance against any of the Common Criteria assurance components required for Evaluation Assurance Levels (EAL) 1 through 4. However, the
CC Management Committee's vision statement announced in September 2012, applies different rules.

I have considered the following four acquisition scenarios:

Scenario 1. 
The government customer would like to acquire an evaluated product. This means that there should be a cPP for all types of products that government customers might acquire. This is of course not an issue if we have cPPs for these products. For obvious reasons it is unlikely that we will have cPPs for all government products that we need to have evaluated. Yi Mao points out in A Dragon or a Worm that “[…] being non cPP-compliant would not be a vendor’s fault, but rather a consequence of their own innovation.”

According to the vision statement: "For those cases where cPPs do not exist or are not applicable evaluations will be performed against a product ST where the mutual recognition of the resulting certificate will be limited to assurance components up to and including EAL2 (and FLR)." This means that government customers that are looking for cost sharing with other CCRA nations are limited to maximum of EAL2 in the product acquisition for product types where cPP does not exist, regardless of their requirements.

Scenario 2. 
The level of assurance in cPPs might be too low for some government customers. According to CC Part 1, EAL 2 provides “a low to moderate level of independently assured security.” The government customers might require higher assurance and this would lead to an evaluation outside the CCRA. The vision statement states: "All
cPPs shall include assurance components derived from the CC part 3 to a maximum
of EAL2 [...]" and "Assurance activities not defined in the cPP will not be recognised under the CCRA and certificates claiming conformance to the cPP shall not include higher level and/or additional assurance requirements."

I have to add that it might be (theoretically) possible to add higher assurance components (up to EAL 4) in the cPP if the Technical Community that is developing the cPP can
provide a rationale that the assurance activities can be repeated between different CC schemes.

Scenario 3
Government customers might want to add some additional (extended) security assurance
requirements, however such requirements are not welcomed either. The vision statement
states: “The use of extended assurance components should be avoided unless a
rationale can be provided and is subject to the normal approval process.“ In addition, assurance activities not defined in the cPP will not be recognized under the CCRA as stated in Scenario 2.

Scenario 4. 
The security functional requirements in the cPPs might not cover functionality that
the government customers are interested in and therefore additional functional requirements would be added in the ST. The vision statement states: "CCRA certificates claiming conformance to the cPP shall not include additional security functionality besides those specified in the cPP.”

All in all, government customers in Scenario 1 that are looking for cost sharing with other CCRA nations are limited with products at maximum EAL 2, regardless of their
requirements. Scenarios 2 to 4 leads to an evaluation outside the CCRA. This means
that the same product might have to be evaluated multiple times under different
CC schemes to meet even identical government requirements in different countries. The cost for governments’ acquisitions described in Scenarios 2 to 4 will increase. Why don't we ask our government or vendors if they are willing to pay the higher price just to satisfy the CC Management Committee's vision statement?


By Rasma Mozuraite Araby

Lead Evaluator, atsec

No comments:

Post a Comment

Comments are moderated with the goal of reducing spam. This means that there may be a delay before your comment shows up.