Tuesday, September 25, 2012

Double Vision

This picture was originally published in Puck magazine in 1915 as a cartoon entitled "My Wife and My Mother-in-Law."

Every year, we attend the International  Common Criteria Conference. The most recent  was last week's 13th edition held in Paris. This conference is one of the highlights of our year. 
We meet our customers, hear from the national schemes, rub elbows with the key players in the industry, keep tabs on our competitors, and listen to the ideas and thoughts that are brought to the community. Not only do we listen, but we try and provoke thought too.

atsec is engaged in an industry that is both founded upon and relies upon mutual trust and reputation. Where professionalism, respect, and a common bond meld together in supporting the developers of COTS IT products demonstrate the independently assured security functionality of their products to a variety of end-users including government, critical infrastructure, and commercial sectors. These products are the front line in protecting the assets of the end users; be they governments, part of critical infrastructures, financial sector, commercial organizations, or the general population. Anyone  that  builds their cyber defenses relying on COTS products demands assurance about the security functions that are claimed.

As we listened to the plenary opening, we heard an exciting “hot off the press” announcement: The CC  Management Committee's vision statement detailing a framework for managing and agreeing collaborative Protection Profiles (cPPs). It seems that after several years the international Common Criteria Recognition  Arrangement (CCRA) will be updated soon. 

Progress at last?
For some years the audience of developers, schemes, and labs have been searching for the next step, and at last now it is here. With the application of agreed upon cPPs, many of the issues and problems associated with using evaluation assurance levels, EALs, as the basis of recognition will be solved. This is good news but it is not yet in effect. Unfortunately we were treated throughout the conference to presentations and discussions that seemed to treat the announcement as if it is fact.

Article 14 of the CCRA demands a full consensus by participants before a change to the Arrangement can be made. While it was not shared if this means the participants that are noted in the last published version of the Arrangement or the CCRA members, including both authorizing and consuming nations that are given on the CC portal's web page. Whatever the constituency for approval is, we were informed that two nations have disagreed with the sections of the proposed vision statement, which allude to  amending the CCRA in order to limit the mutual recognition of certificates for evaluations that do not claim conformance to an agreed cPP to EAL2. The MC proposes additional workshops to help achieve full consensus, but the presentation of the framework as published last week cannot be sure. Given the normal difficulty in achieving full consensus amongst nations, this may take some time.

The risks involved in presenting the vision statement to the community as if it is a “done deal” are immense. The framework will surely need some amendments. Upon review some very obvious issues with the framework are apparent. The agreement process is far from transparent  and there is no call for review by stakeholders other than the MC, so the  MC risks the reputation and trust that has been built in the CC model over more than a decade. Something that affects ALL the stakeholders, not just the members/participants.

By the end of the conference, the MC seemed to have realized that the vision statement was being perceived as already effective and in the closing, found it necessary to stress that nothing had changed yet and that the current agreements and policies are still firmly in place.

By Sal La Pietra,  President & CEO

P.S. For those who were not at the conference you can see our presentations and our humorous clips on our web site.


  1. Great Points.

    I am also very concerned that, while no agreement has been reached, they are acting like it is a done deal.

    Perhaps our only course of action is to exercise our vote as consumers. If we don't agree with the decision, we seek out the two that are holding out and give them as much support and business as possible.

    Michael F. Angelo, CISSP, CRISC
    Chief Security Architect
    NetIQ Corporation

  2. I wholeheartedly agree with this approach IF it means we can sell products to all with the new certs in place. The day we are forced to do multiple evaluations to meet some scheme's national requirement, is the day CC is no longer "Common."

  3. Oh I posted my take on the conference itself on my company website, if interested. http://bit.ly/R4WRbC


Comments are moderated with the goal of reducing spam. This means that there may be a delay before your comment shows up.