Sunday, September 15, 2013

Riding the tiger


The 14th ICCC is now over. 

As you know, we were hoping to see a new CCRA announced but it seems that was an over-optimistic expectation. There has been no new version of the CCRA signed, and it seems that there are still open issues, matters of interpretations which need to be resolved and of course the long and winding road of ratification by each of the nations.




The good news is that there is an agreement in principle that a new CCRA is needed.

In fact during the conference we heard several estimates of tasks and milestones from the CCDB and CCMC chairs on this topic. Since in a previous blog we suggested that a simple Gantt chart might be useful in visualizing this we present a simple chart here, both the optimistic and the pessimistic scenarios. Probably the new CCRA will be with us somewhere between the best and worst case; i.e., sometime between the beginning of 2016 and mid-2018.

 
We have previously raised some of our concerns relating to the CCRA vision in our blog. 
But, and this is important, the impressions we gained from this conference is that some of these issues are at long last being discussed much more actively and openly than ever before with the CCUF. Both in the formal presentations to the conference attendees and also on a one-to-one basis with the participants at the conference. We can hope that with this openness also comes a little more understanding for the concerns in respect of the position from all CCRA nations, both new and old as well as from other stakeholders represented through the CCUF. The opening and closing presentation of the CCMC and CCDB chairs surprised us. 

This time we were positively surprised. Thank you for listening.

We also heard, at last, the confusion caused by mixing up the CCMC vision and national policies being addressed through clearer communication about what is the purview of the CCMC and which is a national approach. One contribution to this clarity is that the CCDB and national schemes are using recently coined terminology more precisely and not re-using terminology for similar, but nevertheless different concepts. It is vital that similar yet different terms are clearly distinguished if we are to avoid wasting time due to issues of fear, uncertainty and doubt.

Some high-lights of the conference:

•    The collaboration between the CCRA community and the CCUF was very evident. We also heard from both the CCMC and the CCUF a clearly stated intent to involve the end-user community in the future. (The assurance consumers.)

•    The CCUF are growing, leading the community, becoming a force for change, can move relatively quickly, are gaining momentum and is proving to be a much respected organization.

•    Although we are not allowed to see any of the 17 drafts of the proposed CCRA agreement, we are made aware that, with so many revisions, the discussions have involved a lot of hard work...

•    The transition period for the new CCRA is 36 months once it is fully signed. Alas it is estimated that it will take at least a year and maybe two before all the nations complete their bureaucratic dance.

•    As of this moment we have no available cPPs. 

We believe that it is necessary for the key cPPs to be in place as soon as the CCRA is signed and a great many more of them must be in place before the 36 month transition period ends.

The CCDB chair estimated that 10, 20, or more cPPs might be possible by next year. Let's see if that is possible. 


•    Several schemes have expressed that they will continue to do medium and high assurance certification, while at the same time participate in the cPP development. This means that there will not be high or low assurance schemes, but schemes that are committed to both and will allow end users to select the assurance they need.

•    India is a new CCRA certificate authorizing member. This is important, not only because India is a large nation, but because they have been the only nation so far to ask for certification of telecom products.

...and some low-lights:

•    The CCRA has 26 nations all over the world. So how is it that we have a marketing panel of U.S. vendors only discussing primarily how to market the CC to the U.S. DoD? The CCUF, although dominated by the U.S., must take great care to make sure that all the CCRA nations are properly represented. An important working group like this, composed of members from only one nation is not credible.

•   One thing to note is that the CCUF has no way to move things forward without the CCDB authorizing that. The CCUF can suggest a cPP but only the CCDB will say "yes" or "no." 


Summary

Not only did we receive positive comments on our “activism” but interestingly references to the atsec blog were made in plenary, formal presentations, and by many individuals at least once a day during the conference. We heard little dissent about our blog, although we recognize that an approach relying on informal public discussion  is a difficult one for government folks to be able to contribute.

There will be a long ride with the tiger. The discussions, development and implementation of the new CCRA framework will not be over soon. During this process it is important not only to understand the technical underpinning of the Common Criteria, but also the technical and political issues involved with the standardization processes.

Finally, it would be appreciated if the CCDB could agree on the location of the next ICCC, at least “in principle."

By Staffan Persson

P.S. If anyone is interested to receive the atsec material we showed at our conference booth (pictures and clips) as well our presentations and other material please send us an email request to  info@atsec.com


No comments:

Post a Comment

Comments are moderated with the goal of reducing spam. This means that there may be a delay before your comment shows up.