National Information Assurance Partnership Paul Mansfield January 2013

1 National Information Assurance Partnership Paul Mansfield January

2 Common Criteria Recognition Arrangement (CCRA)
Certificate Producers: US, Canada, UK, Germany, France, Australia, Japan, Netherlands, Norway, South Korea, New Zealand, Spain, Sweden
Certificate Consumers: Finland, Greece, Israel, Austria, Turkey, Hungary, Czech Republic, Singapore, India, Denmark, Pakistan, Malaysia, Italy

3 International Common Criteria Conference
Common Criteria Recognition Arrangement (CCRA) Management Committee (CCMC) Agreement
Vision Statement
– Develop Collaborative Protection Profiles (cPP)
– International Technical Communities (iTC)
CC Schemes
Labs
Stakeholders
Vendors
CCMC Chair Directed CC Executive Secretariat and CC Directors Board
– Update CCRA
– Terms of Reference & CCRA Documents
– Transition Plan

4 ICCC Vision Statement Key Points
Raise General Security Level
Standardization
CCRA Mutual Recognition – cPP
iTCs Define cPPs
cPPs Instead of Individual STs
STs w/o cPP – Limited to EAL2
– 2 Nations Disagreement
Evaluations above cPP
– National Requirements & Special Arrangements
– CCRA cPP Only
cPPs Will Address Vulnerability Analysis
– Transparent and Repeatable
https://www.commoncriteriaportal.org/

5 NIAP Functions:
– Prioritize PP Development
– Author and promulgate PPs
Conduct risk analysis
Develop profiles with a risk-based mindset
– Influence international standards (e.g., ISO)
NIAP leads technical communities to develop, promulgate and manage foundational security requirements that enable the acquisition of validated products to continually improve network defense for America and its Allies.
Develop, promulgate and manage foundational security requirements

6 GOTS vs. COTS
Traditionally, the US government has used government-designed and certified devices to protect its most sensitive data.
Government Devices (GOTS)
– Purpose-built for security
– Strict design and implementation criteria
– Long, exhaustive security evaluation
Commercial Devices (COTS)
– Provide a balance of security and features
– Quick to market, flexible

7 Committee on National Security Systems Policy (CNSSP) 11
Policy
– COTS comply with NIAP process
– Layered COTS preferred over GOTS
– GOTS evaluated by NSA
Evolution
– Move away from Evaluation Assurance Level (EAL)
– Comply with Protection Profile (PP)
– PPs developed by Technical Communities
– CCRA Collaborative PPs (cPP)

8 Benefits of New Evaluation Process
One Evaluation Level
– Achievable, Repeatable, Testable
One PP per Technology
– Internationally accepted
– Objective Assurance Requirements
– Extended Package (EP) if required
Technical Communities
– Industry/Government Partners, shared expertise, contribute to PP development

9 What’s Not Working?
“Cookie cutter approach” to technology type being evaluated
Subjective, inconsistent standards across vendors or countries
Higher EAL doesn’t equal higher security
Process is too lengthy
Not repeatable across labs, schemes/nations
No enforcement of security requirement testing

10 What is a Protection Profile?
Tailored set of baseline security functional and security assurance requirements
Focuses on tailored requirements and assurance activities by technology
Tailored set of use cases, threats, and objectives
Allows for the expansion of baseline requirements through extended packages for specialized technologies
– i.e. Network Device PP and Firewall EP

11 Why Are PPs Good
(Achievable) Reduced time and costs of evaluation
(Repeatable) Produce comparable and meaningful results across labs/schemes
(Testable) Assurance Activities – tailored CEM
– Assurance of product compliance
Address specific threats
Created and maintained by Technical Communities (TCs)

12 What Exactly Are TCs?
Any participating vendor, country, critical infrastructure, evaluator or lab
Collaborative environment to create requirements and standards for PPs
Ultimate creator of PPs with NIAP guidance

13 ST vs. PP Example
*SFR – Security Functional Requirement
**SAR – Security Assurance Requirement
***TAA – Tailored Assurance Activity

14 ST vs. PP Example
Security Target
– Functional Package: *SFR 1, SFR 2, SFR 3, SFR 4
– Assurance Package: **SAR 01, SAR 02, SAR 03, SAR ...., SAR 24
Protection Profile
– Functional Package: *SFR 1, SFR 2, SFR 3
– Assurance Package: **SAR 01, SAR 02, TAA 03, TAA ...., TAA 10
*SFR – Security Functional Requirement
**SAR – Security Assurance Requirement
***TAA – Tailored Assurance Activity

17 Technical Community
Key to PP Development and Maintenance
Any participating CCRA nation, vendor, critical infrastructure industry, academia, evaluator, or lab
Collaborative environment to create requirements and testing standards for PPs

18 Published Protection Profiles
Full Disk Encryption
USB Flash Drive
Hardcopy Device (MFP)
Stateful Firewall
Network Devices 1.1
ESM Policy Management
ESM Access Control
ESM Identity & Credential Mgt.
Mobility Endpoint OS
Mobility Endpoint VoIP App
SIP Server
Wireless LAN Access System
Wireless LAN Client
VPN Client
Peripheral Sharing Switch
Located at

19 Protection Profiles Under Development
NDPP V2
VPN Gateway Extended Package
BIOS
MFP v2
USB v2
Hardware Security Module
Virtualization
Storage Area Network
File Encryption
Mobile Device Management

20 Contact Information
NIAP website:
Contact info:
– Mark Loepker
– Paul Mansfield
Telephone:

21 Questions?

22 NIAP Evolution Progress
IA Products Must be CC Evaluated & Validated – U.S. National Policy (NSTISSP-11)
– Not the case in most other CC-nations
No longer accepting traditional (EAL4) evaluations
Evaluations must go against NIAP Approved PP
Created Technical Communities
– Network, Firewall, ESM
Published 12 Standard PP (December 2012)
Continuing Outreach to Gov’t & International Partners, Industry, Labs, Academia

