Sustainable Broadband Communications: International Perspective – Common Criteria

Bangalore, India, 17-18 December 2012. Sustainable Broadband Communications: International Perspective – Common Criteria. David Martin, Head of International Assurance, Common Criteria Scheme Director, CESG, UK, [email protected]. Joint ITU-GISFI Workshop on “Bridging the Standardization Gap: Workshop on Sustainable Rural Communications” (Bangalore, India, 17-18 December 2012)

Post on 03-Feb-2016

Page 1: Sustainable Broadband Communications: International Perspective – Common Criteria

Bangalore, India, 17-18 December 2012

Sustainable Broadband Communications: International Perspective – Common Criteria

David Martin, Head of International Assurance, Common Criteria Scheme Director, CESG, UK, [email protected]

Joint ITU-GISFI Workshop on “Bridging the Standardization Gap: Workshop on Sustainable Rural Communications” (Bangalore, India, 17-18 December 2012)

Page 2: Sustainable Broadband Communications: International Perspective – Common Criteria

David Martin

- Involved in Information Assurance Standards for many years
- Chair of International Common Criteria Development Board
- Scheme Director for the UK Common Criteria Scheme (operated by UK government)
- Representing UK Scheme - reporting on new CC vision statement

Page 3: Sustainable Broadband Communications: International Perspective – Common Criteria

Common Criteria - Background

- Standards for Assurance of IT Product Security
- 26 Nations (more to come)
- 16 Nations evaluate/certify products
- Also an ISO standard (15408 and 18045)
- Run by a Management Committee (with an executive to support) and a Development Board

Page 4: Sustainable Broadband Communications: International Perspective – Common Criteria

Common Criteria – The Value

- Manufacturers do not have to evaluate products in multiple places.
- Evaluation is very expensive in time and money
- Good cyber defence (and sustainable telecom) needs many more products evaluated
- All nations agree and procure to the common standard
- Industry involvement (CCUF)

Page 5: Sustainable Broadband Communications: International Perspective – Common Criteria

Common Criteria – New Vision – Rationale -1

- CC usage has been little changed for more than 12 years
- A number of nations found that:
  - The focus on ‘assurance level (EAL)’ was damaging product security
  - Not enough products are evaluated - Cyber defence needs many more
  - Expertise is applied in the wrong place, inconsistently, and without wide peer review.

Page 6: Sustainable Broadband Communications: International Perspective – Common Criteria

Common Criteria – New Vision – Rationale -2

- Smartcard Community has developed a very effective way of using CC
- Work has taken place to support a similar approach for general IT products
- Resulting in the CCMC (Management Committee) vision statement – published in September 2012

Page 7: Sustainable Broadband Communications: International Perspective – Common Criteria

For more information

- Common Criteria Portal: www.commoncriteriaportal.org
- The vision statement links from the front page
- Other links show the products, schemes, operating documents etc.
- Also see CCUF at www.ccusersforum.org

Page 8: Sustainable Broadband Communications: International Perspective – Common Criteria

Existing Approach

Page 9: Sustainable Broadband Communications: International Perspective – Common Criteria

New Approach

Page 10: Sustainable Broadband Communications: International Perspective – Common Criteria

Technical Communities

Page 11: Sustainable Broadband Communications: International Perspective – Common Criteria

Much quicker and more effective

Time

Page 12: Sustainable Broadband Communications: International Perspective – Common Criteria

Meeting virtually

Page 13: Sustainable Broadband Communications: International Perspective – Common Criteria

Bespoke design/evaluation

Page 14: Sustainable Broadband Communications: International Perspective – Common Criteria

Better to have known standards

Page 15: Sustainable Broadband Communications: International Perspective – Common Criteria

Other Important developments

- Common view on cryptography
- Security Configuration Automation
- Strong Linkage to Vulnerability/Weakness reporting
- Supply Chain working group
- Consistent Government Procurement (and other major users) – addressing what ‘recognition’ really means

Page 16: Sustainable Broadband Communications: International Perspective – Common Criteria

Common support for procurement

Page 17: Sustainable Broadband Communications: International Perspective – Common Criteria

Procurement Links

- Provide developers with larger market
- Lower cost and better products
- Recognise there may be additional national needs
- These are likely to be <5% of market
- Major requirement is common and delivered by evaluation anywhere

Page 18: Sustainable Broadband Communications: International Perspective – Common Criteria

Common Criteria – New Vision – Summary

- More assurance than a simple ‘EAL approach’
- Uses worldwide expertise, instead of relying on single ‘expert’
- Open, Transparent, Repeatable – as befitting an International Standard
- Step change in volume – better for cyberdefence
- Lowers procurement costs

Page 19: Sustainable Broadband Communications: International Perspective – Common Criteria

Further detail

- First International Technical Community about to launch – based on USB storage device
- Many more to follow next year
- Already many TCs exist (mostly US based)

Page 20: Sustainable Broadband Communications: International Perspective – Common Criteria

Example TC Areas

- Networking (NDPP, Firewalls, VPNs, etc)
- Storage (USB, Hard disks, etc)
- Applications on Operating systems
- Mobile telecoms (VOIP, SIP, MDM, etc)
- Multifunction devices (printers etc.)

Page 21: Sustainable Broadband Communications: International Perspective – Common Criteria

Process to form an iTC

Not yet fully defined but likely to be:
- Work with national bodies to formulate an ESR (Essential Security Requirements)
- Obtain commitment
- Start iTC – using CCUF etc.
- Publish cPP (and supporting documents)
- Continual update

Page 22: Sustainable Broadband Communications: International Perspective – Common Criteria

Outline Process & Detail Notes (1)

[Process flow diagram. Labels recovered from the slide: Request iTC formation; Initiate iTC; Solicit iTC members; CCDB; CCUF; CCMC; CCDB Work Group; Create ESR; Draft ToRs; Agree initial iTC Chair & hold initial meeting; Establish levels of commitment & Committed Nations; portal iTC entry; Define Workplan; Define ToRs; Elect Chair; Define infrastructure]

Page 23: Sustainable Broadband Communications: International Perspective – Common Criteria

Outline Process & Detail Notes (2)

Levels of commitment:
- Intention to Adopt – Mandated
- Intention to Adopt – Recommended
- Uncommitted
- Opposed

Only those with an Intention to Adopt can vote on ESR contents.

Intention to Adopt is refreshed every 6 months (by CCDB) as part of monitoring progress.

Levels may change, but reducing commitment requires a rationale.

Page 24: Sustainable Broadband Communications: International Perspective – Common Criteria

GISFI Applicability

- 3GPP discussion – potential development of cPPs
- Could extend to system approaches
- Key is to have the real technical expertise setting the standards
- CCRA maintains the fairness, the reliability/reputation, and the worldwide recognition for vendors
- 3GPP sets the technical standards

Page 25: Sustainable Broadband Communications: International Perspective – Common Criteria

Conclusions and Recommendations

- This time of change for CCRA is a good time to get involved!
- Look at www.commoncriteriaportal.org
- Join CCUF (no cost) www.ccusersforum.org
- Great opportunity for 3GPP to use CCRA for its needs (become an international Technical Community)
- Liaison request from GISFI
