Monday, August 1, 2016
Sunday, September 15, 2013
Riding the tiger
The 14th ICCC is now over.
As you know, we were hoping to see a new CCRA announced but it seems that was an over-optimistic expectation. There has been no new version of the CCRA signed, and it seems that there are still open issues, matters of interpretations which need to be resolved and of course the long and winding road of ratification by each of the nations.
In fact during the conference we heard several estimates of tasks and milestones from the CCDB and CCMC chairs on this topic. Since in a previous blog we suggested that a simple Gantt chart might be useful in visualizing this we present a simple chart here, both the optimistic and the pessimistic scenarios. Probably the new CCRA will be with us somewhere between the best and worst case; i.e., sometime between the beginning of 2016 and mid-2018.
We have previously raised some of our concerns relating to the CCRA vision in our blog.
But, and this is important, the impressions we gained from this conference is that some of these issues are at long last being discussed much more actively and openly than ever before with the CCUF. Both in the formal presentations to the conference attendees and also on a one-to-one basis with the participants at the conference. We can hope that with this openness also comes a little more understanding for the concerns in respect of the position from all CCRA nations, both new and old as well as from other stakeholders represented through the CCUF. The opening and closing presentation of the CCMC and CCDB chairs surprised us.
This time we were positively surprised. Thank you for listening.
We also heard, at last, the confusion caused by mixing up the CCMC vision and national policies being addressed through clearer communication about what is the purview of the CCMC and which is a national approach. One contribution to this clarity is that the CCDB and national schemes are using recently coined terminology more precisely and not re-using terminology for similar, but nevertheless different concepts. It is vital that similar yet different terms are clearly distinguished if we are to avoid wasting time due to issues of fear, uncertainty and doubt.
Some high-lights of the conference:
• The collaboration between the CCRA community and the CCUF was very evident. We also heard from both the CCMC and the CCUF a clearly stated intent to involve the end-user community (the assurance consumers) in the future.
• The CCUF is growing, leading the community, becoming a force for change, can move relatively quickly, is gaining momentum and is proving to be a much respected organization.
• Although we are not allowed to see any of the 17 drafts of the proposed CCRA agreement, we are made aware that, with so many revisions, the discussions have involved a lot of hard work...
• The transition period for the new CCRA is 36 months once it is fully signed. Alas it is estimated that it will take at least a year and maybe two before all the nations complete their bureaucratic dance.
• As of this moment we have no available cPPs.
We believe that it is necessary for the key cPPs to be in place as soon as the CCRA is signed and a great many more of them must be in place before the 36 month transition period ends.
The CCDB chair estimated that 10, 20, or more cPPs might be possible by next year. Let's see if that is possible.
• Several schemes have expressed that they will continue to do medium and high assurance certification, while at the same time participate in the cPP development. This means that there will not be high or low assurance schemes, but schemes that are committed to both and will allow end users to select the assurance they need.
• India is a new CCRA certificate authorizing member. This is important, not only because India is a large nation, but because they have been the only nation so far to ask for certification of telecom products.
...and some low-lights:
• The CCRA has 26 nations all over the world. So how is it that we have a marketing panel of U.S. vendors only, discussing primarily how to market the CC to the U.S. DoD? The CCUF, although dominated by the U.S., must take great care to make sure that all the CCRA nations are properly represented. An important working group like this, composed of members from only one nation, is not credible.
• One thing to note is that the CCUF has no way to move things forward without the CCDB authorizing that. The CCUF can suggest a cPP but only the CCDB will say "yes" or "no."
Summary
Not only did we receive positive comments on our “activism” but, interestingly, references to the atsec blog were made in plenary, in formal presentations, and by many individuals at least once a day during the conference. We heard little dissent about our blog, although we recognize that an approach relying on informal public discussion is a difficult one for government folks to contribute to.
There will be a long ride with the tiger. The discussions, development and implementation of the new CCRA framework will not be over soon. During this process it is important not only to understand the technical underpinning of the Common Criteria, but also the technical and political issues involved with the standardization processes.
Finally, it would be appreciated if the CCDB could agree on the location of the next ICCC, at least “in principle."
Labels: CC, CCMC, CCMC vision, CCRA, CCUF, CCDB, cPP, ICCC, Staffan Persson
Monday, September 9, 2013
The first week in Orlando
Last week we attended the CCUF meeting in Orlando.
This meeting is co-located with the bi-annual CCDB meeting and co-locating them allows the two organizations the opportunity for cooperation. Both groups operate in closed session but for the CCMC the members are the CCRA nation representatives while the CCUF membership includes representatives from the whole community, including the national schemes. The two organizations also arranged for some joint “de-briefing” meetings.
In addition to the formal sessions, of course a lot of discussion also happens during the breaks, and for quite a few of us at the joint “(Un) Happy” hour.
Gossip, rumors, and innuendo are always prevalent when two groups with different objectives are juxtaposed. Here are a few from the week:
If only… “The atsec blog would go away”… and … “Yay! for the atsec blog” ;)
If only… We could solve the CCUF tea problem!
Trivial? Perhaps this is a symptom; but how can the CCUF be a powerful organization if we don’t have a nice hot cup of tea?
It's an important part of the process, accepted and enjoyed by the diverse peoples of many nations. Tea can be used to predict the future and, especially useful when discussing crypto topics, can also be used for generating small amounts of finite improbability.
(I don’t know, perhaps the CCUF needs to be a legal entity before we can sponsor tea for ourselves?)
If only… The CCUF would represent the whole of the criteria-using community. Not just those working under one MRA (i.e., the CCRA) but also supporting those working under other mechanisms for applying the criteria such as SOGIS, commercial schemes, and even national applications – regardless of whether they use the CCDB’s CC or ISO/IEC 15408.
If only… “We’d started developing cPPs ten years ago. Using this process we would have an agreed PP for secure floppy disks ready for use very soon now.”
Does the CCMC realize that it takes at least 2-3 years for international organizations to achieve international consensus? While some TCs are being led to believe that, once completed, a PP can be approved in a few months (NIAP quoted 3-4 months from completion in the TC to publication during the MFP workshop today), the CCMC process can be expected to take much longer, given the complex national approvals and endorsements required by the formal process being developed as part of the USB TC.
We must set expectations properly and communicate that in reality, following a formal process, it will take at least 5 years to produce a cPP.
In fact ISO’s JTC 1/SC 27 and the CCDB have an established special relationship, are we clever enough to leverage that relationship intelligently? Can we save some time?
If only… Key CCDB documents, such as the proposed new CCRA, could be open for CCUF members to review too.
The CCUF has many very experienced members and offer potentially valuable contributions. Even though the CCUF will not be a signatory to the CCRA, the CCUF members are key stakeholders.
Last week I heard from the MC chair that the new CCRA will be published without any review from the CCUF constituents. If these stakeholders have any issues, the CCMC may consider these for the next CCRA. – Wow!
If only… We understood the parameters and goals of the proposed iTC for “Apps on an OS.” That is obviously going to be one very busy iTC and will need some special management techniques.
By the way, is a virtualized OS also an “App on an OS” and will there be another sister iTC for “Apps not on an OS?”
Again, information on this proposal seems scanty, and I, for one, look forward to much more clarity from the CCMC on the scope of this item.
If only… The CCMC would adopt another message for the week other than “It is hard to co-ordinate 26 nations.” Yes, we got that. All the CCUF members I spoke with during the week agreed that it is hard to coordinate 26 nations.
Two points on this:
1. I would suggest that every time we hear this message next week we recall that some organizations have already worked this out, and have policies and procedures to deal with this problem in “reasonable” time-frames: Two examples: ISO (SC27 currently coordinates 68 nations) and ICAO (currently coordinates 191 nations). These organizations publish their procedures and it’s not easy for them either.
At least ISO’s JTC 1 process includes co-ordination with each national standards body. In turn many of these JTC 1 members include representatives from the vendor/developer community, whose expert contributions are solicited and respected.
Does the CCMC not try to learn from these mature organizations?
2. Developers working internationally also have to deal with this problem. They are selling products to a variety of national governments and have the unenviable task of understanding the various regulations and policies of nations in order to develop and sell their products. That is not easy either.
If only… The CCMC paid attention to some of the project dependencies and communicated (estimated) time frames. Perhaps a simple Gantt chart might help the CCUF in their planning and coordination?
Example: New iTCs cannot be formed until the iTC procedures and policies are complete, yet we seem to have already formed several TCs that may be put back to the beginning once we know where the beginning is.
If only… The schemes paid proper attention to current weaknesses and threats.
Example: The Mobile PP requiring just TLS 1.0 rather than more recent versions that have been updated to address more recently identified weaknesses and threats.
(On this topic an interesting speculative blog article by Matthew Green, is here.)
If only… The national schemes would communicate between themselves more effectively.
Example: last week in the OSPP workshops we heard two major vendors claim that a document containing "General-Purpose OS Cryptographic Requirements" had been provided to U.S. and Canadian evaluations back in April, yet the OSPP pilot evaluation run by BSI had never been made aware of its existence, which shows a strange understanding of cooperation in such pilot projects.
If only… There were no rumors…:
Next week we may find out if some are true…
- A new certificate producing nation will be announced. (It is already announced on the CC Portal)
- A new CCRA, as promised by the CCMC chair (this was announced at least a year ago in Paris) and the promise has been re-iterated this week.
- Where will the conference be held next year?
- Who is the missing Mickey?
Labels: CC, CCMC, CCRA, CCUF, CCDB, Fiona Pattinson, ISO/IEC 15408, iTC
Monday, September 2, 2013
Marketing the CC: It's all about Trust
Shall we call our new product "honey" or "bee vomit"?
When it comes to selling products, you need to choose your words wisely, or you might offend your customers and not sell anything at all. Still, just using some wording to hide your intentions most often only buys you some time until your customers realize that your 97% fat-free yoghurt was not so fat-free after all. (I'd rather go for a 100% fat free beer, just to be safe :-).
While starting to pack my stuff to leave for Orlando, I am wondering about some of the wordings we have been accustomed to, and I also wonder how much of a marketing event the upcoming ICCC is going to be, and for whom.
One of the key aspects of marketing the CC is that it is a brand. It’s not a product brand (such as those marketing their products use.) Instead it is a brand associated with the trust that others may place in the products sporting the logo. The Common Criteria logo is a registered trademark*, and its use is regulated, because it has value. The CC brand is all about trust.
But what is the value of the brand? A brand conveying trust must be recognised for trust: Criteria including credibility, who is supplying the trust, core values of the CCMC, the goals of the CCRA, openness and transparency, etc.
Even the name itself is a key part of the brand: "Common Criteria."* To what does the "common" refer: the standards containing the criteria, the framework in which they are applied, or both?
Do we still have a common understanding about what assurance the certificates provide? Are the customers really prepared to trust a certificate, no matter where it comes from? With every cPP defining its own evaluation methodology, disregarding Part 3 of the CC as the common assurance framework, can we really claim this to be either "common" or "criteria" at all, and still respect the common framework that has been built over the years?
For the upcoming ICCC panel discussion on "Marketing the CC," I am curious what the topics will be. I have myself some ideas for promoting the acceptance of the "New CC" (did you notice that there are no "New CC" standards? That's probably just another marketing gag.):
1. What are the goals of the CCRA?
The CCRA is the basis for conveying trust. The CCRA has been used for establishing trust supporting commercial trade as well as for helping establish some of the security assurance for those involved with government systems, or even simply a subsection of government organizations.
One of the goals of the CCRA is to support international trade and to support national vendors and developers in their goal to be successful globally. To support this goal it is important that national certificates are accepted by other governments and companies globally. In that scenario it's not helpful if the organization that is your national scheme has core competences that include clandestinely breaking into systems, eavesdropping on communications and disseminating disinformation. It makes sense to entrust those agencies with your national computer security, but it works really poorly in the international arena. Others just have a hard time figuring out whether the schemes are honest or fooling them again.
Although the CCRA is signed by many of the world's key national security agencies, some nations have forgotten or sidelined that commercial goal and, as the world changed, have not promulgated that CC may be used outside of systems needing higher assurance than national security systems.
At least some of the certificate-issuing nations have built their scheme outside their intelligence community; for example, Turkey has chosen the national standards body to host its scheme, although such a change is probably very hard for most nations. The U.S. originally envisaged this by founding the National Information Assurance Partnership (NIAP) with both the NSA and NIST as two signatories of the CCRA (although of course the current situation is that NIST's involvement is restricted to supporting the NSA-led scheme by accrediting labs to the US 17025 equivalent). As a major certificate-issuing nation the U.S. could show commitment and leadership by having NIST come back into its original issuing role for the commercial sector.
My hope here is that the CCUF will break up the navel-gazing of government agencies for their own procurement, supposing that "if it's good for us, it's good for everybody else". The CCUF should open the view into other markets, acknowledging that different markets have different assurance requirements, even for the same product type. "A good marketing organization listens to its customers. We hear you!", if you get my drift :-)
At least if providing assurance to others outside national security systems is no longer a goal of the CCRA then that change should be clearly communicated.
2. In whom do we place our trust?
My understanding is that the CCMC is responsible for managing the international agreement that is the CCRA. Today, center stage in the CCMC is given to partners from the "five eyes" club, their contractors and collaborating companies.
When thinking about marketing, it makes me wonder if this is such a good idea. Clearly, it is expected of the hosting country to provide some focus on how the CC are used locally, but given the current publicity about the "five eyes" club members being involved in massive spying on their own and other nations' citizens, I'd rather suggest a more open debate on how, given the associations, that issue might affect the CC brand. What effect does this have on end-users' and consumer nations' perceptions, and on trust in the certificates issued?
3. Credibility:
The CCRA is first and foremost about the trust that the signatory issuing nations have vested in the awarded certificates. The CC & CEM are standards intended to be used by many nations, and provide at least part of the basis of trust for the CCRA. They are internationally agreed standards. When the CCDB was first established it was intended that the standards become international standards, and indeed they were submitted to ISO and fast-tracked as ISO/IEC 15408 and ISO/IEC 18045. The CCDB is a closed community whose task was to bring together the various national criteria from various national agencies; ISO's role was to foster open development, allowing input from the commercial community and from IA experts around the globe. This happened, and for a while the two communities worked together to keep the two sets of standards in line as the CC and CEM evolved. Of course, as we can observe, the CCDB did not "let go" of the standards development (as was intended), and the current CCRA specifies equivalency to a particular version of the IS standards. So ISO is "stuck in the doldrums" by staying in sync with currently unmaintained standards, and a loophole remains that allows signatory nations to bypass the CCRA by specifying the current ISO standards as national standards, hence allowing them to produce national policy which is outside the intention of the CCRA.
Of course this may not be so simple when governments, in order to save money, are specifying that COTS products be used in national security systems wherever possible. While that is, of course, a matter of national prerogative, the credibility issue that ensues is when the morphing of the CC paradigm, and the policies surrounding cPPs, are seen to be a thinly disguised method of converting COTS (that draw requirements from the larger global market) to GOTS (that draw requirements from government specifications).
4. Transparency:
Another mistake being made is that the "5 eyes club" seem to be subverting the CC brand by morphing the whole CC paradigm into a low-assurance one. The flexibility of picking appropriate assurance, which is the corner-stone of the CC, is being removed. Unspoken, but visible through observation, are the close similarities between the current US approach and the UK's CPA scheme. While that is a perfectly valid approach to address national assurance requirements, it's a huge marketing mistake that undermines the CC brand. You see, it's not CC at all (it is one perfectly valid corner use-case for CC), but it is being sold to consumers as the "new CC." That is a huge marketing mistake and leads to issues of reduced credibility and opaqueness! By some definitions the tactic could even be defined as fraud or counterfeiting.
The forthcoming ICCC panel discussion on "Marketing the CC" is scheduled with U.S. panelists only, and the panel discussion about "Widening the use of CC for End users Worldwide" originally had just one European telecom supplier as the only panelist not too deeply entangled with the "five eyes" intelligence community. This supplier does not even have any CC-certified products. Now let's see whether the panel will include another developer who does pursue CC certification on this basis. Perhaps the brand would be much enhanced if the program committee put national politics to one side and reflected the diversity that is CC, allowing Europeans, Asians, and perhaps even developers that use the CC but are headquartered outside a CC signatory nation.
5. Don't change everything at once:
The CC standards have been a success story in the past not because of new features added every month, but because they distilled decades of experience with security evaluations into a commonly accepted framework. Back then, the CC actually marketed themselves. As in every aging house, renovations are due every now and then. If you don't like your house anymore, it's even o.k. to build a new one. However, it's quite silly to burn down the old house first and only then start to think about how to build the new one, especially when other people still live in it.
* "Common Criteria" and the associated logo is a registered trademark of the National Security Agency, FEDERAL AGENCY UNITED STATES, ATTN: AGC (IP&T), 9800 Savage Road, Suite 6542, Fort Meade, MARYLAND 20755-6542
Labels: CCMC vision, CCRA, Gerald Krummeck, marketing