Thursday, May 2, 2013

Common Criteria and the CyberSecurity Framework Initiative

In response to the recent U.S. Presidential Executive Order 13636, entitled "Improving Critical Infrastructure Cybersecurity", various agencies are issuing RFIs to gather information on the topic. These include:

  • NIST's RFI: Developing a Framework To Improve Critical Infrastructure Cybersecurity.
    The comments are found on this NIST page.
  • Department of Commerce: Notice of Inquiry into “Incentives to Adopt Improved Cybersecurity Practices”.
    The comments in relation to this inquiry are found on the NTIA page.
The comments submitted in response to these requests for information cover a lot of ground. In this blog post I collate those comments that mention Common Criteria, presenting them "as is". I make no attempt to evaluate them; I leave that as an exercise for the reader.
I have tried to include enough surrounding text to allow the context of each comment to be understood.
Where you see "SNIP", that means I snipped text that I felt was not pertinent to the topic of CC.

American Airlines

"7. What standards, guidelines, best practices, and tools are organizations using to understand, measure, and manage risk at the management, operational, and technical levels?
ISO 27001/2/5, ITIL, OCTAVE, OWASP, MS SDL, Common Criteria, PCI DSS, home-grown frameworks and techniques."

ANSI’s JTC/CS1- ICT SCRM AdHoc Working Group

"ICT SCRM efforts include a wide variety of efforts, but are primarily focused on opportunities within ISO/IEC JTC 1 SC 27, The Open Group’s Trusted Technology Forum (OTTF), “Common Criteria” and US ICT SCRM guidance development by National Institute of Standards and Technology (NIST). (See Annex A for a Landscape of SCRM Standards Activities.)

In the 1990’s the U.S. government moved away from their “customized” military-specifications & military-standards philosophy, to a more commercial based standards approach, however they did not accompany that policy change with an increased engagement capability/capacity with that commercial standards community. OMB Circular A-119, Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities. This Circular directs all federal agencies to use voluntary consensus standards in lieu of government-unique standards in their procurement and regulatory activities, except where inconsistent with law or otherwise impractical. The policies in this Circular are intended to reduce to a minimum the reliance by agencies on government-unique standards. (http://www.whitehouse.gov/omb/circulars_a119). The new “Ad Hoc Group Approach” is a useful representative/model example for targeting U.S. engagement with Standards Development Organizations (SDO)."
and
"NOTE: A complementary ICT SCRM effort is led by the Open Group. The Open Group Trusted Technology Forum (OTTF) leads the development of a global supply chain integrity program and framework in order to provide buyers of IT products with a choice of accredited technology partners and vendors. The Open Group Trusted Technology Provider Standard (O-TTPS) will identify best practices for secure engineering and supply chain integrity that distinguish trusted technology providers, and foster a secure and sustainable global supply chain. The result of this effort is being considered for submission as a 5th part of ISO/IEC 27036. Additionally, OTTF and “new Common Criteria-protection profile” developments are working to harmonize their process accreditation and product certification efforts."

atsec

"While the U.S. government has:
  • Mandated the use of Common Criteria as a procurement criterion for DoD, through DOD 8500.1 and 8500.2
  • Expressed preference in acquisition of evaluated and validated products according to Common Criteria in CNSS NSTISSP No. 11
  • Recommended the use of ISO/IEC 15408 (the ISO-published equivalent of Common Criteria) in NIST SP 800-53 (Rev 4)
The NIAP’s current policy is that the NIAP will only accept products for evaluation claiming exact compliance with one or more published “NIAP approved PPs.” Further, the NIAP policy is that the CCEVS will not accept evaluations that do not have valid U.S. Government customers as outlined in CCEVS Policy #12.
This situation forces U.S. developers and vendors that do not target U.S. Government customers to seek evaluation from a scheme outside the U.S., relying on the Common Criteria Recognition Arrangement (CCRA) for acceptance in the U.S. However, this strategy is becoming increasingly difficult since NIAP must be involved with evaluations to NIAP approved PPs performed outside the U.S., and because NIAP policies are specified so that acceptance under the CCRA is no longer possible.
The result of these NIAP policies is that suppliers of ICT products to those parts of the critical infrastructure, or in the U.S. general infrastructure and that would desire to follow the U.S. government policies and recommendations for evaluation are effectively precluded from doing so.
Further, NIAP's current policy of demanding low-assurance evaluations, through the specification of low-assurance PPs effective for the U.S., does not meet the needs of developers of mature technologies that have already established high assurance. These technologies are often critical to the assurance case for a larger system and include operating systems, virtualization, smartcards and real-time embedded systems, all of which are key technologies in protecting the U.S. critical infrastructure.
COTS developers are subject to assurance demands from around the world, not just the U.S. The current U.S. policies add costs and time-delays to developers and it is unlikely that other nations will accept ICT products with only U.S. specified low-assurance as suitable for their own needs.
atsec notes that the National Information Assurance Partnership (NIAP) makes the following claims:
"The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) have established a program under the National Information Assurance Partnership (NIAP) to evaluate IT product conformance to international standards. The program, officially known as the NIAP Common Criteria Evaluation and Validation Scheme for IT Security (CCEVS) is a partnership between the public and private sectors. This program is being implemented to help consumers select commercial off-the-shelf information technology (IT) products that meet their security requirements and to help manufacturers of those products gain acceptance in the global marketplace.
1 Project Objectives

  • To meet the needs of government and industry for cost-effective evaluation of IT products;
  • To encourage the formation of commercial security testing laboratories and the development of a private sector security testing industry;
  • To ensure that security evaluations of IT products are performed to consistent standards;
  • To improve the availability of evaluated IT products.
2 Goal of the Partnership
The long-term goal of NIAP is to help increase the level of trust consumers have in their information systems and networks through the use of cost-effective security testing, evaluation, and validation programs. In meeting this goal, NIAP seeks to:

  • Promote the development and use of evaluated IT products and systems;
  • Champion the development and use of national and international standards for IT security;
  • Foster research and development in IT security requirements definition, test methods, tools, techniques, and assurance metrics;
  • Support a framework for international recognition and acceptance of IT security testing and evaluation results; and
  • Facilitate the development and growth of a commercial security testing industry within the U.S."
atsec believes that the current situation represents a disincentive to U.S. companies and developers that would otherwise invest in providing validated security assurance claims in regard to their COTS ICT products.
atsec recommends that the project for a Framework to improve critical infrastructure Cybersecurity consider this problem of providing effective evaluations in the U.S. and recommend a solution for developers wishing to demonstrate through independent analysis the security assurance claims of their COTS products to critical infrastructure and commercial sector users."

Boeing

"The FAA has 14 CFR Part 25 requirements that require the applicant to ensure the design shall prevent all inadvertent or malicious changes to, and all adverse impacts upon, all systems, networks, hardware, software, and data. There are similar requirements imposed via EASA (European Aviation Safety Agency). The FAA requirements within 14CFR Part 25 encompass elements of the various NIST and industry standards, SP800-30 Risk Management Guide for Information Technology Systems, SP800-53 Information Security, and SP800-82 Guide to Industrial Control Systems (ICS) Security as well as the Common Criteria for Information Technology Security Evaluation."

BSA Software Alliance

"ISO and IEC, and ANSI as the U.S. representative to ISO and IEC, have been active in critical infrastructure cybersecurity conformity assessments. In general national/international standards and organizations that develop national/international standards could play an important role in conformity assessments. As NIST looks at conformity assessments in the cybersecurity space, BSA urges it not to employ overly stringent conformity assessment and testing mechanisms that could hamper innovation or affect the United States' global positioning. Rigid conformity assessments are not effective in managing the risks associated with cybersecurity and badly implemented third-party certification systems can inadvertently limit the flexibility and evaluative mechanisms needed to have a truly strong cybersecurity framework.
A useful example of industry-supported, international, standard-based conformity assessment is the Common Criteria. Under the Common Criteria, a product evaluation conducted by an independent laboratory in one participating country is recognized by any other country that is a member of the Common Criteria Recognition Arrangement (CCRA.)"
and
"The IT software industry has been built around industry-led voluntary global standards created in international bodies like the IETF, IEEE and similar organizations. These standards permit the use of various solutions and approaches. In addition, as noted above, a number of BSA members use documents produced by ISO, SANS, COBIT and ITIL among others.
In addition, many BSA members comply with ISO 15408, more widely known as the Common Criteria. In its current form, the Common Criteria has been mostly applied to critical products that perform security functions. Its value comes from the fact that it is the only international industry-supported, standard-based conformity assessment for product assurance. Under the Common Criteria, a product evaluation conducted by an independent laboratory in one participating country is recognized by any other country that is a member of the Common Criteria Recognition Arrangement (CCRA.)"
and 
"A number of organizations use the controls and standards described above. It is worth noting how each of the documents identified above assist companies in their cybersecurity efforts:
...
  • Common Criteria is applied through a robust network of independent evaluation labs that are accredited under the criteria to conduct product reviews that are accepted in more than two dozen countries."

Cisco

"In addition to challenges, there are significant incentives for IT companies to continually improve security. At a base level, companies want to protect their operations, but also preserve and expand the benefits flowing from the use of IT, benefits that have been a significant driver of global economic growth. IT companies, like other companies, also want to protect their intellectual property, and the availability and quality of the services they provide. And fundamentally, IT companies want an increasingly trusted global Internet and infrastructure, which fuels their future growth globally. These incentives drive the significant innovation and security in IT products and services, draw tens of billions of dollars in IT R&D (which includes R&D related to security) each year, and have spurred global standards like the Common Criteria (ISO 15408 and the related Common Criteria Recognition Arrangement) for product assurance."

and
"The IT industry, and IT networks, are based on the use of industry-led, voluntary international standards developed by bodies like the IETF, W3C, and IEEE, which seek to ensure interoperability and security across global networks. For example, the Internet itself is based largely on these standards and standards bodies. And the Internet is governed by a non-governmental multistakeholder governance model that has fueled the exponential growth of the Internet for a generation. The IT industry builds products based on these interoperable standards and a build-once-sell-globally business model that drives innovation, security and efficiency into products and networks. The security of IT products is evaluated under the global conformance standard, the Common Criteria (CC), which is both an ISO standard, ISO 15408, and the subject of the Common Criteria Recognition Arrangement (CCRA) among most leading economies of the world. NIST is a partner in the National Information Assurance Partnership (NIAP), the Common Criteria scheme lead for the U.S.

The Common Criteria allows for evaluations by non-governmental independent labs, and mutual recognition by CCRA countries, allowing the IT industry to certify once and sell globally, avoiding any disparate and conflicting country-specific requirements that would undermine interoperability and security of the network. Further, the use of independent labs (accredited by the CCRA schemes) helps ensure the protection of the core intellectual property and innovation of IT companies. The CC is forward looking, and can evaluate for new issues, such as supply chain (where a pilot has been authorized), and new generation mobile devices. Importantly, the benefits of the Common Criteria evaluation and certification process inure to the benefit of all IT users, as the same product that achieved CC certification for national security systems under the build-once-sell-globally business model is the same product that is sold into, and used by, private industry globally. Having and adhering to this global standard is of paramount importance to security, the interoperability of the network, and the IT industry.

As a general matter with regard to cybersecurity standards, global standards are critical not only for interoperability and developing global markets, but for improving cybersecurity posture. Poorly designed or implemented, or conflicting, national standards in the area of cybersecurity can create unnecessary risks that extend beyond the borders of a nation. Therefore, modern global standards tend to exhibit principles such as being voluntary, transparent, and expert-driven, and provide for interoperability, scalability, stability and resilience. These kinds of standards have a positive role to play in cybersecurity."
and

"The IT industry is a global industry, both as to the products it sells, and to the location of its own enterprise infrastructure. This is why international standards are so important. The industry is based on international standards that seek to ensure the interoperability and security of networks and products. What the NIST does here sets a precedent globally. The international implications and effects are core to the continued success of the U.S. IT industry as a leading innovation industry into the future. This is why international standards, like the Common Criteria, and the ability to innovate and drive security and interoperability into networks and products is so key. One screen to apply to the framework is whether something proposed works internationally, and whether the U.S. would be happy if another country suggested the same thing, or something of the same kind, but of an exaggerated scale. NIST is setting the global path forward, and like most of NIST’s work, adhering to base principles of global networks, innovation, interoperability, and standards are good principles to apply here.
Recognizing that the IT industry is global, standards-based, interoperable, and that security needs to be driven by innovation, and the build-once-sell-globally innovation and business model, the Executive Order seeks to ensure that the framework provides guidance that is ‘technology neutral,’ that is, that it doesn’t get the government into the design, development, or manufacture of commercial IT products, and doesn’t pick winners and losers. This same sentiment is expressed in the leading drafts of U.S. legislation. To do otherwise would undermine the very innovation and security we need to promote security, and give other governments license to interfere with the core innovation engine of the IT sector, impose country specific requirements, and pull apart the very innovation, interoperability, and global standards that are needed to drive security and innovation into the global network. Any country specific requirement would also undermine the Common Criteria, the global product evaluation methodology that undergirds security and innovation globally."

Infineon

"Some standards groups to look to in this exercise include:
SNIP
  • Common Criteria: http://www.commoncriteriaportal.org/
SNIP"

Intel

"Dozens of well-defined and carefully developed standards exist to cover multiple aspects of cybersecurity and adjacent fields, from cryptographic primitives to IT governance. Today, most technology standards include elements of security and privacy. There are numerous broadly defined approaches, such as Common Criteria, included as an international standard in JTC1 (Joint Technical Committee of ISO and IEC) and ISO/IEC 27000 series, focusing on process and security management. These standards and approaches are designed to work across diverse fields. At the same time, there are industry-specific standards and best practices that work within the bounds of an industry utilizing a vertical model. The Payment Card Industry (PCI) standard developed for the financial industry, standardized numerical identification for prescription drug packages, 3GPP's LTE security standards, or Aerospace Quality Management Standard (AS9100 based on ISO 9901) belong to this group.
It would be inadvisable and unrealistic to recommend one approach for different contexts of use. However, some level of generalization for best practices that are broadly and globally applicable is useful because of the diverse but connected technological environment in existence today. A group of experts could study best practices and standards developed for specific industry segments and use contexts to assess if the knowledge already developed in other areas, such as aerospace, computer hardware or software, healthcare, smart cards, RFID, or financial services could fill the gaps in other cybersecurity standards and best practices."

ITI

"Globally developed security standards form the foundation of cybersecurity risk management. However, it is important to stress that there is no one “cybersecurity standard” or set of practices that is applicable across the board. Cybersecurity risk management is complex, including many moving parts, responsible parties, and standards. In addition, the global ICT industry continually establishes new standardization efforts addressing emerging cybersecurity risk concerns. Overall, the ICT industry uses a range of global standards. U.S. ICT companies contribute to developing such standards on a global, voluntary, and consensus-based basis through a range of organizations including formal standards development bodies as well as consortia and alliances. Examples include:
SNIP
Below we provide some examples of standards developed and used by our member companies. While not exhaustive, these standards illustrate a range of options used.
  • ISO/IEC 15408 (Common Criteria for Information Technology Security Evaluation (CC)) is the global standard for computer security certification. The CC is based on the ISO/IEC standard and is a multi-lateral agreement – the Common Criteria Recognition Arrangement (CCRA) – among 26 countries including the United States, Japan, the United Kingdom, Australia, Germany, Korea, and India.
  • SNIP
  • 3GPP has begun to address the issue of security assurance standards and has chartered its security group, SA3, to develop a suitable methodology for mobile network security assurance. This work is still in progress, but is moving towards re-using Common Criteria methodology to define appropriate security assurance criteria for mobile networks. Once a security methodology is agreed upon, SA3 will likely begin work to produce a collaborative Protection Profile (cPP) that would be used for security compliance of mobile networks."

Mälardalen University

"Where security is a concern, accepting software as fit for use requires deciding whether to accept its contributions to security threats and their mitigation. My colleagues and I have developed a technique for analysing a security standard to determine how well conformance to it supports such a conclusion. This technique could help to ensure that any guidance or standard in the new framework could be relied upon to accomplish its objectives.
The basic premise of our technique is that there is an (implicit or explicit) argument showing how conformance with each clause of a standard supports a series of intermediate security claims and, ultimately, the main claim of acceptability. The essence of the technique is structured, rigorous review and criticism of this argument. Application of this technique to the Common Criteria for Information Technology Security Evaluation revealed a number of defects in that standard.
The journal Information and Software Technology will soon publish an article describing our technique and some of the defects we found in the Common Criteria. Preprint copies and details of our article entitled “Using Argumentation to Evaluate Software Assurance Standards” can be found on the publisher’s web site (http://dx.doi.org/10.1016/j.infsof.2013.02.008) and on Mälardalen University’s web site (http://www.mrtc.mdh.se/index.php?choice=publications&id=3268).
Given our findings, I recommend both the development of an explicit rationale for any guidance or standard being developed or adopted and expert review of this rationale using our technique. I would be happy to answer questions about our technique, our findings regarding the Common Criteria, or application of our technique to future guidance or standards."

McAfee

"The global information and communications technology (ICT) industry is fast moving and depends on rapid innovation to meet customer requirements. Governments should further the adoption of global security standards to address security assurance concerns and to better secure the critical infrastructure, as opposed to taking a geographically siloed or local jurisdiction focused approach to security regulations. Focusing on the development of country-specific regulations – especially those that disadvantage products developed in other countries – will impede the continued development of security products intended to be sold and operated globally.

Regulations tend to force budget allocation to compliance, a shorter-term goal often leading to protecting against a subset of known vulnerabilities while leaving others wide open until regulations catch up. Further, regulation discourages investment in new technologies for better security, which leaves little funding or incentive for true scientific innovation worldwide. Governments seeking to establish security assurance standards and other security standards should view the ICT industry as an indispensable partner in such efforts and should leverage private sector expertise. Governments should evaluate previously developed international standards, such as Common Criteria, and modify these standards as required rather than create new country-specific standards. If new standards are determined to be necessary, these should be developed, approved and adopted via international standards organizations."

Microsoft

"To ensure that supply chain risks are not exacerbated, the Framework should require that organizations use only genuine software that has been developed pursuant to well-known security standards and best practices. There are several standards-related efforts underway in supply chain risk management that could help address some of these concerns, including draft ISO/IEC 27036 and work in the Common Criteria."
and
"Specifically, to provide some detail on international standards that may be relevant to leveraging government procurement to improve cybersecurity, our response to NIST’s recent RFI concerning development of the Framework recommends that NIST integrate a broad range of international standards, including several that specifically address cybersecurity concerns. For example: ISO/IEC 27034-1, an internationally recognized application security standard that provides frameworks and a process that can help inform a vendor’s approach to building and operating a comprehensive application security program; draft ISO/IEC 27036 and work in the Common Criteria to address supply chain security risk management; and ISO 19770-2 for software tagging."

Rockwell Automation

"What additional approaches already exist? 
SNIP
  • ISO/IEC 15408: Common Criteria for Information Technology Security Evaluation 
SNIP
Which of these approaches apply across sectors?
SNIP
  • ISO/IEC 15408: Common Criteria for Information Technology Security Evaluation 
SNIP
Which organizations use these approaches?

SNIP
IT/G ISO/IEC 15408: Common Criteria for Information Technology…SNIP
IT = Information Technology G = Government "

Symantec

"There are numerous existing standards, guidelines, and best practices that directly or indirectly address cybersecurity. Examples include:
SNIP
  • International Common Criteria Schema;
SNIP"

Tacoma Public Utilities

"While a one-size-fits-all approach may be desired, the reality is that each sector and organization has its own specific set of risks, and therefore must provide its own set of controls. Under a cross-sector approach, incorporating appropriate controls for these disparate risks in a meaningful way may be the greatest challenge. Another challenge will be regional and cross-sector information sharing.
General information security frameworks exist, such as ISO27000, ITIL, COBIT v5, Common Criteria and SANS 20 Critical Security Controls.
The implementation of any of these standards is up to the organization, and as such varies greatly between like organizations. However, there are obvious similarities in taxonomy between organizations that deliver based on the same standard (i.e. ISO27001), which benefits those organizations by speaking the same security "language."
Unfortunately, these frameworks or standards do not address the necessary regional and cross-sector information sharing required to better address critical infrastructure cybersecurity needs."

TIA

"The communications sector is far ahead of others in efforts to improve the resilience of our Nation’s critical infrastructure. Numerous standards, guidelines, best practices, and tools are used by ICT manufacturers and the owners & operators of telecommunications networks to understand, measure, and manage risk at the management, operational, and technical levels. TIA has aggregated an alphabetized list of these efforts, which we emphasize to be non-exclusive, that can be viewed below:
SNIP
CCRA: CCRA aims to ensure that evaluations of information technology products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles; and to improve the availability of evaluated, security-enhanced IT products and protection profiles (see http://www.commoncriteriaportal.org/). They have produced the Common Criteria for Information Technology Security Evaluation (ISO 15408, known as CC), and the companion Common Methodology for Information Technology Security Evaluation (CEM) (see http://www.commoncriteriaportal.org/cc/)."
SNIP
and
"TIA believes that national/international standards and organizations that develop national/international standards should serve as a cornerstone in critical infrastructure cybersecurity conformity assessment. Standard developers and related organizations are already active in developing cybersecurity standards and conformity assessment, and should continue to play a key role. As we have described above in this response, several international standards cover cybersecurity conformity assessment across parts of the ICT landscape, such as SAFEcode, the Trusted Technology Forum, and the Common Criteria."
and
"TIA members have found that several key efforts (described in more detail above), particularly the work in developing the Common Criteria and the work of the OTTF, should be considered some of the most critical efforts for secure operation of critical infrastructure." 

U.S. Chamber of Commerce

"The federal government should collaborate with the private sector to improve, expand, and implement the Common Criteria for Information Technology Security Evaluation, generally known as Common Criteria, which is the primary international standard (International Organization for Standardization, or ISO, 15408) for computer product assurance security certification. This international standard is recognized under a multilateral agreement (Common Criteria Recognition Arrangement) by more than 20 countries. Common Criteria is preferred by many in industry, rather than a collection of country-specific standards, rules, and required actions that could unintentionally balkanize cyberspace and security." 

VMware

"VMware applauds this effort by NIST to gather input and suggestions from industry. In fact, VMware has demonstrated a strong corporate commitment to the use and advancement of standards across the industry. VMware has provided resources to support the efforts of the Distributed Management Task Force (DMTF), including the current DMTF President, who is also a VMware employee. Through these efforts, VMware has worked across the industry to facilitate the establishment of various standards including the Open Virtualization Format 2.0 and open API based Cloud Management Standards. VMware has also been adhering to the Common Criteria standard to certify a number of our core products at the EAL 4+ level. Thus, VMware is supportive of the approach and objectives associated with a standards-based approach to cyber security and protection of our Nation’s Critical Infrastructure. VMware has taken an international approach to standards that includes coordination and participation with numerous standards bodies including IEEE and ISO. As a global company, it would be our preference for the cyber security standards framework to have global applicability. However, we also recognize that such a global approach could take time to unfold and each respective standards body might not work on the same timeline."

Waterfall

"This hardware-enforced unidirectionality of the Waterfall technology has been verified by both an Idaho National Labs security assessment, and a Common Criteria EAL4+ certification." 

3 comments:

  1. Very nice and helpful information has been given in this article. I like the way you explain the things. Keep posting. Thanks.. nsa and bsa
  2. ISO 27001 Training
    There are deviations between the aim, criteria and accent of the ISO 9001 quality system standard, and the accreditation standard of ISO/IEC 17025. For laboratories related with explaining technical competency underpinned by sound quality system elements, ISO/IEC 17025 is the conquer standard. Even so, if the laboratory is providing a more holistic, quality management realization that explains customer focus and continual improvement, it may determine to also sustain a certified ISO 9001 management system.