Report on the work in ISO/IEC JTC 1/SC 27/WG 3 related to ISO/IEC 15408
Last week I was once again privileged to be able to join ISO/IEC JTC 1/SC 27/WG 3 during the latest of their bi-annual working sessions held in April and October.
Convened by Miguel Bañón, this working group is of particular interest to atsec since it includes work on the international standards and guidance documents relating to ISO/IEC 15408, ISO/IEC 19790 and other documents closely related to evaluation and testing and the provision of assurance.
I have written in more detail on these standards in:
Hence the CCDB and ISO established a close liaison relationship: the Common Criteria were submitted to ISO by the CCDB, and the first edition of ISO/IEC 15408 was published in December of 1999. Since then the CCDB has continued to liaise with ISO, enabling the content of ISO/IEC 15408 and the "Common Criteria" to remain synchronized. It's a two-way relationship, allowing changes and innovations to be brought to WG 3, and vice versa.
ISO brings to the table a breadth and depth of constituents far beyond that of the CCDB. SC 27 (Security Techniques) currently brings together 50 participating nations and a further 27 observing nations, and is in liaison with many industry groups and standards organizations.
(At the SC 27 level these currently include CCDB, CCETT, Cloud Security Alliance, ECBS, ENISA, EPC, ETSI, Ecma International, ISACA/ITGI, ISSEA, ITU, MasterCard, and Visa; organizations in direct liaison with WG 3 include the CCDB, CSNISG, ENISA, FIRST, ISCI, ISA99, ITU-T, ISO SC 7, ISO SC 37, ISO TC 65/WG 10, ISO TC 247, TCG and The Open Group.)
The various national bodies and liaison organizations represented in WG 3 work closely within their home fields to garner the participation of, and to represent the interests of, their own constituents.
The CCDB was initially composed of representatives from those countries contributing their own national criteria. Today the CCDB is still a subset of the 13 CCRA certificate-issuing signatory nations, and its development efforts focus on the needs of the government agencies which they represent. From the perspective of commercial industry and the wider group of CCRA members it is a closed group, which is a little disconcerting when you realize that, at least in the U.S., the stated policy is to adopt COTS products as a means of making government systems more timely and cost-effective, and the US government emphasizes the benefits of public-private partnership.
What does this mean in practice? WG 3 has focused on the open development of supporting standards and guidance. My earlier blogs detailed much of the work that WG 3 has established or that is in progress. During our last WG 3 meeting we heard from both The Open Group Real Time Embedded Systems forum and from our hosts at ETSI that work on high-assurance is an important topic to them, and so WG 3 has initiated a study period on high-assurance, asking for contributions on this topic from its national bodies and liaison organizations. WG 3 is also calling for contributions to the study period on predictive assurance, in which we hope to understand the needs of industry and the nations for this important topic.
As a result of our last meeting WG 3:
- Proposed a new work item - A Catalogue of Architectural and Design Principles for Secure products, Systems and Applications
- Resolved to revise the existing standard ISO/IEC 19791: Security assessment of operational systems in the light of progress that has been made in the few years since it was published and expected findings from the study of predictive assurance
- Resolved to send the final corrigenda for ISO/IEC 15408 and ISO/IEC 18045 for ballot by the ISO members. (These corrections to the standards reflect the changes that were introduced by Common Criteria V3.1 release 4.)
- Initiated a study period on high-assurance
- Extended the study period on predictive assurance
By Fiona Pattinson
Nice blog! Thanks for sharing. ISO standards save money and time. I really appreciate it.
Useful information. Nice to read.