Monday, March 19, 2012

About PPs, CC Technical Communities and ITSEFs

atsec's ITSEFs, like many other IT Security Evaluation Facilities (also known as laboratories), are committed to supporting the CC community, and understand and support the development of good and useful Protection Profiles. We support the objectives of the CCRA:
  1. "to ensure that evaluations of Information Technology (IT) products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles;
  2. to improve the availability of evaluated, security-enhanced IT products and protection profiles;
  3. to eliminate the burden of duplicating evaluations of IT products and protection profiles;
  4. to continuously improve the efficiency and cost-effectiveness of the evaluation and certification/validation process for IT products and protection profiles."
We support the participants of the CCRA in achieving the goals and the purpose of the Arrangement:

"to advance those objectives by bringing about a situation in which IT products and protection profiles which earn a Common Criteria certificate can be procured or used without the need for further evaluation. The arrangement seeks to provide grounds for confidence in the reliability of the judgements on which the original certificate was based by requiring that a Certification/Validation Body (CB) issuing Common Criteria certificates should meet high and consistent standards."

An ITSEF supports the certificate-issuing schemes of which it is a part by:

a) performing evaluations impartially;
b) applying the Common Criteria and Common Methodology correctly and consistently; and
c) adequately protecting the confidentiality of protected information.


The costs of developing a PP that can be mutually recognized under the CCRA

The costs of evaluation (including PPs) are typically presented in three parts:
  1. the costs of developing and reviewing the PP;
  2. the costs of evaluation of the PP by an accredited ITSEF (assuming that it needs to be evaluated at all; note, however, that evaluation, validation, and certification of a PP is a requirement of the CCRA for mutual recognition of the PP to be considered);
  3. the costs incurred by the national scheme for validation and certification of the PP, where the scheme makes a charge for this work.

An ITSEF's responsibilities

Those responsible for the formation of technical communities focused on PP development, regardless of whether this is a NIAP technical community, one formed under the CCDB, or one relating to any other scheme, need to understand the nature of the ITSEF as a stakeholder in the business of CC certification.

ITSEFs are a class of stakeholder with different objectives, risks, and duties from those of developers, evaluation sponsors, and national schemes. Here are some of the issues that an ITSEF must consider:
  1. Evaluation under CC is a core service of an independent ITSEF
    The smaller laboratories, unlike those that are part of a larger organization, such as a defense integrator, do not produce any products, nor do they offer any services outside of the information security domain.
    As a small company, an ITSEF has overheads. Evaluators typically take a minimum of two years to train, and they need to be fully allocated to ensure the health of a small company.
  2. Pro-bono work (Performing evaluations free of charge)
    Of course, an ITSEF may attach any price to its evaluation services. An ITSEF needs to cover its overheads, including training, accreditation costs, facility maintenance, etc.
    For a small independent ITSEF, the pro-bono work it undertakes represents a very significant investment and, unlike at the larger ITSEFs that are, for example, part of a large defense integrator, cannot be funded through a separate research or business development budget from outside of the lab. Consider the investment that one or two full-time people represents to a large company such as a defense integrator with thousands of employees, compared to a small independent ITSEF!
  3. Conflict of interest
    If a laboratory has been involved in technical consulting for a PP, no matter the price attached to such a service, then there is a clear conflict of interest in its performing the subsequent evaluation of the PP.
  4. Contract for evaluation of a PP
    Regardless of the price attached to the evaluation services, an ITSEF must have a contract. Contracts address many more issues than just the price. They include items such as:
  • confidentiality
  • protection of IP
  • termination of the work
  • standard of service
  • warranty (for example that the ITSEF works under an accredited CC scheme)
  • professional insurance
  • conditions for the use of trademarks
  • conflict of interest considerations
  • and a great many other issues...
Asking a laboratory to perform such evaluation work without a valid contract would be asking them to act in a very naive and unprofessional way. Note that in order to gain accreditation under a CCRA certificate-producing scheme, an ITSEF must be accredited to ISO/IEC 17025 (NIST Handbook 150 and 150-20 in the U.S.). This is a requirement of the CCRA.

One of the requirements of ISO/IEC 17025 is that a contract is in place between the ITSEF and their evaluation client (sponsor) covering the topics mentioned above. Many schemes independent of the CCRA also require an ITSEF to have a contract, because there are often requirements of the individual validation scheme's operations that need to be passed to the ITSEF approved to work with that scheme. Examples include the need for a national scheme to be able to implement policies and requirements for use of their logo and to pursue any cases of certificate misuse.

In short, performing evaluation services that are covered by accreditation as an ITSEF without a contract would mean that the ITSEF is not conforming with the requirements of the ISO/IEC 17025 standard. In turn, that would mean that the evaluation was not performed in accordance with national scheme and CCRA requirements.

What this means for the Terms of Reference for a technical community

These issues need to be considered in the formation of technical communities and the development of their Terms of Reference. An expectation of contract-less evaluation services by an accredited evaluation facility is unrealistic.

It is therefore necessary for a technical community to have the means to negotiate and sign such a contract, and also to negotiate and raise funds for any costs outside the development of the PP that may be necessary.

By Fiona Pattinson 

1 comment:

  1. nice post thanks for sharing this wonderful information.

    ISO 17025

