Monday, October 10, 2011

Impressions from the 12th International Common Criteria Conference

by Courtney Cavness

atsec had several presenters and attendees at the 12th annual ICCC in Kuala Lumpur, Malaysia.

As a presenter, I can say it was an honor to speak at the conference, and to have the extended opportunity to exchange ideas with other experts in the security industry. The host of the event, CyberSecurity Malaysia, graciously shared with us a taste of their country's culture and cuisine, which includes Malay, Chinese, and Indian cultures, and to a lesser extent Persian, Arabic, and British influences. Their theme, "One Malaysia," was the perfect embodiment of the CC itself: several different interests and cultures coming together in harmony to create a unique and diverse environment. It was a wonderful and beneficial experience to be there.

I attended many presentations in each of the three different track sessions: CC formalities, technical use of the CC, and aspects of CC application. The sessions covered many interesting topics, such as how SCAP can be used with the CC, industry-stated issues with supply chain security, and updates from the schemes of various countries. Also of interest to me personally were talks on foreseen problems with cloud computing, attribute similarities between the CC and FIPS 140-2 evaluations, and different countries' experiences with implementing CC training in unique and different ways.

Above and beyond the presentations, the conference offered the invaluable opportunity to put a name to a face. Many attendees were able to meet with vendors, lab representatives, and country delegates and get an understanding of what they need the CC to do. The task now is to take that input and help ensure that everyone who has a stake in the CC is being heard and appropriate updates are made.

What was surprising to me was the broad agreement between schemes, vendors, and delegates as to what the issues are with the CC. The conference gave us a platform to share these ideas, as well as our individual successes in working with the CC -- a global standard meant to meet global security needs.

My personal take-away from this conference is that having a standard that is accepted and successfully implemented by product vendors requires a balance between process and common sense. If you eliminate the steps required in a standard for the sake of expediency, you could easily lose some evidence of due diligence. By the same token, if too many checklists are in place, then certification could risk becoming a series of hoops to jump through for reasons that may be lost on the parties involved.

How then is balance best achieved? When many and diverse stakeholders have a voice in enforcing and updating the standard. This is another benefit of attending the ICCC conference.

atsec is invested in seeing the CC thrive and remain a vital part of the security industry, and will continue to attend these conferences and do our part to help raise security awareness, contribute to meaningful updates of the CC, and be a part of the CC community to strengthen and empower all of its constituents.

You can find atsec’s presentations from the ICCC on our website.
