Presentation is loading. Please wait.

Presentation is loading. Please wait.

Common Criteria National Information Assurance Partnership Evaluation of Mobile Technology Janine Pedersen 1.

Published byDorcas Ryan Modified over 9 years ago

Similar presentations

Presentation on theme: "Common Criteria National Information Assurance Partnership Evaluation of Mobile Technology Janine Pedersen 1."— Presentation transcript:

1 Common Criteria National Information Assurance Partnership Evaluation of Mobile Technology Janine Pedersen 1

2 Common Criteria Background History Developed more than 12 years ago Developed more than 12 years ago Unified earlier schemes (ITSEC for UK, Orange book for US) Unified earlier schemes (ITSEC for UK, Orange book for US) Commercial basis (recognized that govt could no longer fund evaluation) Commercial basis (recognized that govt could no longer fund evaluation) Truly International 26 Nations in the recognition arrangement (Major western 26 Nations in the recognition arrangement (Major western nations plus India, Japan, Korea, etc) nations plus India, Japan, Korea, etc) More than 50 Evaluation Laboratories More than 50 Evaluation Laboratories China and Russia are possible future members, as is Brazil China and Russia are possible future members, as is Brazil 2

3 ® Certificate Producers Certificate Consumers FinlandGreece Israel Austria US UKNorway South Korea New Zealand Spain Sweden Turkey HungaryCzech Republic Singapore India Denmark Pakistan CanadaGermanyFrance Australia Japan NetherlandsMalaysia Italy

4 Common Criteria Much more detail on www.commoncriteriaportal.org Much more detail on www.commoncriteriaportal.org A worldwide standard - also ISO 15408 A worldwide standard - also ISO 15408 Recognition Arrangement - (CCRA) is very important Recognition Arrangement - (CCRA) is very important Minimizes need for re-evaluations This is a primary aim of CCRA This is a primary aim of CCRA 4

5 21 st Century Approach Last Century CC was developed when products took a long time to develop CC was developed when products took a long time to develop Remaining static in use Remaining static in use Threats were also less dynamic Threats were also less dynamic Now Now Threats evolving all the time Threats evolving all the time Products constantly updated Products constantly updated Architectures also adapt rapidly Architectures also adapt rapidly Decision makers need detailed information Decision makers need detailed information 5

6 Common Criteria Recognition Arrangement Ensure evaluations are performed to consistent standards Ensure evaluations are performed to consistent standards Increase availability of evaluated ICT products Increase availability of evaluated ICT products Evaluate once - sell to many Evaluate once - sell to many Improve the efficiency and cost-effectiveness of evaluation, certification and validation process for ICT products Improve the efficiency and cost-effectiveness of evaluation, certification and validation process for ICT products

7 Cyber Defense Needs Architectural Approach Architectural Approach Agility Agility More information More information Many more products covered Many more products covered More realism More realism More comparability More comparability 7

8 What is Happening in CCRA? What is Happening in CCRA? Protection Profile-based evaluations (cPPs) - detailed requirements specifications Protection Profile-based evaluations (cPPs) - detailed requirements specifications Produced by an International Technical Community Produced by an International Technical Community Kept up to date by that community Kept up to date by that community Provides a robust foundation Provides a robust foundation Outside of cPPs - recognition limited to EAL2 activities Outside of cPPs - recognition limited to EAL2 activities 8

9 Why is this Happening in CCRA? Evaluations took too long, and were too costly, with inconsistent Return on Investment Evaluations took too long, and were too costly, with inconsistent Return on Investment Unrealistic on a technical level (Firewalls -OS) Unrealistic on a technical level (Firewalls -OS) Unrealistic expectations on Evaluators (developers at leading edge, not evaluators) Unrealistic expectations on Evaluators (developers at leading edge, not evaluators) Not using power of community and peer input/review Not using power of community and peer input/review Little connection to system integrator, procurement needs Little connection to system integrator, procurement needs 9

10 What is the Process? Governments set high level requirements Through `Essential Security Requirements’ Through `Essential Security Requirements’ Industry (and others) perform the work With consultation and review - using plain language With consultation and review - using plain language Governments steer the work Using `Position Statements' and `Endorsement Statements' Using `Position Statements' and `Endorsement Statements' Kept up to date Technical communities continue to develop the technology standards Technical communities continue to develop the technology standards 10

11 Providing the Recognition Vehicle Some of the technical communities setting the standards will already exist (e.g. 3GPP, ETSI, TCG, Open Group, etc.) Some of the technical communities setting the standards will already exist (e.g. 3GPP, ETSI, TCG, Open Group, etc.) Different approaches to interaction/oversight Different approaches to interaction/oversight Working on a lightweight oversight approach Working on a lightweight oversight approach 11

12 Industry Linkage Common Criteria User Forum Significant role Significant role Significant growth (~ 500 members, > 26 countries) Significant growth (~ 500 members, > 26 countries) Incubator for technical communities Incubator for technical communities Recent NATO CC-CAT Workshop Strong support for the change Strong support for the change Keep up the pace Keep up the pace Provide more information Provide more information Maintain the Industry involvement Maintain the Industry involvement 12

13 NIAP 13 Partnership to evaluate commercial IT products for use in National Security Systems

14 NIAP Mission  Evaluate COTS IT products for use in National Security Systems (NSS) and  Develop requirements specifications  US representative within the international Common Criteria Recognition Arrangement (CCRA) 14

15 NIAP Goals Ensure Commercial ICT products represent best practice level of security Ensure Commercial ICT products represent best practice level of security Raise the security bar toward a goal of “secure-by-default” Raise the security bar toward a goal of “secure-by-default” Independent 3 rd party assessment of a product against a specified set baseline security requirements, using defined, objective tests Independent 3 rd party assessment of a product against a specified set baseline security requirements, using defined, objective tests 15

16 Stakeholder Engagement Industry (Commercial IT vendors, Common Criteria Test Labs) Industry (Commercial IT vendors, Common Criteria Test Labs) DoD & Federal Government Groups & Reps DoD & Federal Government Groups & Reps - Committee on National Security Systems (CNSS) IC Community Stakeholders IC Community Stakeholders International Stakeholders (NATO) International Stakeholders (NATO) International-Common Criteria Recognition Arrangement (26 member nations) International-Common Criteria Recognition Arrangement (26 member nations) 16

17 NIAP Protection Profiles (PP) Protection Profiles (PP) Define the totality of product security functions to be tested and how they will be tested Technical Communities (TC) Technical Communities (TC) Collaborative group from industry, government (US and foreign), and academia working to develop Protection Profiles for a specified technology. 17

18 Protection Profiles Technology Specific Technology Specific Objective Test Criteria Objective Test Criteria Requirements Address Documented Threats Requirements Address Documented Threats Achievable, Repeatable, and Testable Achievable, Repeatable, and Testable

19 Common Criteria Evolution Technology focused Protection Profiles Technology focused Protection Profiles Emphasis on Security Functional Requirements (SFR) with specified Assurance Activities Emphasis on Security Functional Requirements (SFR) with specified Assurance Activities Establishing Technical Communities with international partners & industry representatives (vendors & labs) to develop the next generation of technology focused PPs Establishing Technical Communities with international partners & industry representatives (vendors & labs) to develop the next generation of technology focused PPs

20 Focus For National Security System Procurement, COTS IA Products Must be Evaluated per NIAP processes For National Security System Procurement, COTS IA Products Must be Evaluated per NIAP processes – U.S. National Policy, CNSSP#11 NIAP evaluates COTS IA Products against requirements in NIAP approved Protection Profiles NIAP evaluates COTS IA Products against requirements in NIAP approved Protection Profiles

21 Progress Currently 9 Technical Communities Currently 9 Technical Communities Published 12 technology based PPs Published 12 technology based PPs Ongoing international evaluations against NIAP approved PPs (Various Nations) Ongoing international evaluations against NIAP approved PPs (Various Nations) Evaluations complete in 3-6 months Evaluations complete in 3-6 months 21

22 Protection Profile Technology Types – Mobile Devices (smartphones, tablets, etc) – Mobile Device Management – Network Devices – VPN – Application – Encrypted Storage – Wireless Local Area Network (LAN) 22

23 Technical Communities Mobility Mobility Redaction Redaction CA certificate Authority CA certificate Authority Apps on OS Apps on OS Data at rest Data at rest Network Device (ND) Network Device (ND) Intrusion Prevention Systems (IPS) Intrusion Prevention Systems (IPS) Peripheral Sharing Switch (PSS) Peripheral Sharing Switch (PSS) Trusted Platform Management Trusted Platform Management 23

24 Stakeholder Participation Increase Industry participation in Technical Communities Increase Industry participation in Technical Communities Continue developing consistent set of technology-focused security requirements with associated assurance activities Continue developing consistent set of technology-focused security requirements with associated assurance activities Continue work on collaborative PP development through International Technical Communities Continue work on collaborative PP development through International Technical Communities Partner with Industry to improve Time to Market Partner with Industry to improve Time to Market 24

25 Vendors Working with NIAP Wireless LAN Wireless LAN Aruba Aruba Motorola Motorola General Dynamics General Dynamics Fortress Fortress Technologies Technologies Cisco Cisco Network Devices Dell Dell Juniper Juniper Cisco Cisco Microsoft Microsoft SafeNet SafeNet Checkpoint Checkpoint Symantec Symantec MDM and MDF MDM and MDF Samsung Samsung Air-Watch Air-Watch Fixmo Fixmo RIM/ Blackberry RIM/ Blackberry Mocana Mocana Motorola Motorola Mobile Iron Mobile Iron 25

26 NIAP High Priority Technology Areas Mobility Mobility Network Devices Network Devices Operating Systems Operating Systems Wireless Local Area Networks (WLAN) Wireless Local Area Networks (WLAN) Virtualization Virtualization 26

27 US Governing Policies (U) National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems” (U) National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems” (U) CNSSP 11, “National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products” as follows: (U) CNSSP 11, “National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products” as follows: (U) CNSS Directive 502, “National Directive on Security of National Security Systems” (U) CNSS Directive 502, “National Directive on Security of National Security Systems” Department of Defense Directives Department of Defense Directives – DoDD 5100.2, “National Security Agency/Central Security Service (NSA/CSS)” – DoDD 8500.01E, “Information Assurance (IA)” – DoDI 8500.02, “Information Assurance (IA) Implementation”

28 Contact Information NIAP website: NIAP website: – http://www.niap-ccevs.org/ Contact info: Contact info: – Email:scheme-comments@niap-ccevs.org Telephone: Telephone: – 410.854.4458 28

Download ppt "Common Criteria National Information Assurance Partnership Evaluation of Mobile Technology Janine Pedersen 1."

Similar presentations

National Information Assurance Partnership Paul Mansfield January 2013

National Information Assurance Partnership Paul Mansfield January 2013
© 2011 Health Level Seven ® International. All Rights Reserved. HL7 and Health Level Seven are registered trademarks of Health Level Seven International.

© 2011 Health Level Seven ® International. All Rights Reserved. HL7 and Health Level Seven are registered trademarks of Health Level Seven International.
Copyright (C) The Open Group 2014 Securing Global IT Supply Chains and IT Products by Working with Open Trusted Technology Provider™ Accredited Companies.

Copyright (C) The Open Group 2014 Securing Global IT Supply Chains and IT Products by Working with Open Trusted Technology Provider™ Accredited Companies.
BENEFITS OF SUCCESSFUL IT MODERNIZATION

BENEFITS OF SUCCESSFUL IT MODERNIZATION
The 7 Year Itch - Time To Commit Or Time To Move On? Shaun Lee Security Evaluations Manager, Global Product Security.

The 7 Year Itch - Time To Commit Or Time To Move On? Shaun Lee Security Evaluations Manager, Global Product Security.
Wade E. Kline, AICP Community Development Planner.

Wade E. Kline, AICP Community Development Planner.
IT Security Evaluation By Sandeep Joshi

IT Security Evaluation By Sandeep Joshi
The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.
An Overview of Common Criteria Protection Profiles María M. Larrondo Petrie, PhD March 26, 2004.

An Overview of Common Criteria Protection Profiles María M. Larrondo Petrie, PhD March 26, 2004.
Developing Guiding Principles for ICT in Education Policy

Developing Guiding Principles for ICT in Education Policy
October 3, 20031 Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.

October 3, Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.
Bangalore, India,17-18 December 2012 Sustainable Broadband Communications: International Perspective – Common Criteria David Martin, Head of International.

Bangalore, India,17-18 December 2012 Sustainable Broadband Communications: International Perspective – Common Criteria David Martin, Head of International.
Halifax, 31 Oct – 3 Nov 2011ICT Accessibility For All ETSI Standardization Activities on M2M communications Joachim Koss, ETSI Board Member Document No:

Halifax, 31 Oct – 3 Nov 2011ICT Accessibility For All ETSI Standardization Activities on M2M communications Joachim Koss, ETSI Board Member Document No:
Systems Engineering in a System of Systems Context

Systems Engineering in a System of Systems Context
Connecting People With Information DoD Net-Centric Services Strategy Frank Petroski October 31, 2006.

Connecting People With Information DoD Net-Centric Services Strategy Frank Petroski October 31, 2006.
Sustainable Energy Systems Int’l H 2 Safety Conf, Pisa, Italy, 8-10 Sep. 2005 1 IPHE projects focus on pre-competitive collaborative research, development.

Sustainable Energy Systems Int’l H 2 Safety Conf, Pisa, Italy, 8-10 Sep IPHE projects focus on pre-competitive collaborative research, development.
ISO Current status of development

ISO Current status of development
1. 2 The Public Health Agency of Canada Pandemic Influenza Preparedness: An Overview Dr. Paul Gully Deputy Chief Public Health Officer Ottawa, 19 January.

1. 2 The Public Health Agency of Canada Pandemic Influenza Preparedness: An Overview Dr. Paul Gully Deputy Chief Public Health Officer Ottawa, 19 January.
IPHE Goal Efficiently organize and coordinate multinational research, development and deployment programs that advance the transition to a global hydrogen.

IPHE Goal Efficiently organize and coordinate multinational research, development and deployment programs that advance the transition to a global hydrogen.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.

Similar presentations

Ads by Google