Common Criteria National Information Assurance Partnership Evaluation of Mobile Technology Janine Pedersen 1

Common Criteria Background History Developed more than 12 years ago Developed more than 12 years ago Unified earlier schemes (ITSEC for UK, Orange book for US) Unified earlier schemes (ITSEC for UK, Orange book for US) Commercial basis (recognized that govt could no longer fund evaluation) Commercial basis (recognized that govt could no longer fund evaluation) Truly International 26 Nations in the recognition arrangement (Major western 26 Nations in the recognition arrangement (Major western nations plus India, Japan, Korea, etc) nations plus India, Japan, Korea, etc) More than 50 Evaluation Laboratories More than 50 Evaluation Laboratories China and Russia are possible future members, as is Brazil China and Russia are possible future members, as is Brazil 2

® Certificate Producers Certificate Consumers FinlandGreece Israel Austria US UKNorway South Korea New Zealand Spain Sweden Turkey HungaryCzech Republic Singapore India Denmark Pakistan CanadaGermanyFrance Australia Japan NetherlandsMalaysia Italy

Common Criteria Much more detail on Much more detail on A worldwide standard - also ISO A worldwide standard - also ISO Recognition Arrangement - (CCRA) is very important Recognition Arrangement - (CCRA) is very important Minimizes need for re-evaluations This is a primary aim of CCRA This is a primary aim of CCRA 4

21 st Century Approach Last Century CC was developed when products took a long time to develop CC was developed when products took a long time to develop Remaining static in use Remaining static in use Threats were also less dynamic Threats were also less dynamic Now Now Threats evolving all the time Threats evolving all the time Products constantly updated Products constantly updated Architectures also adapt rapidly Architectures also adapt rapidly Decision makers need detailed information Decision makers need detailed information 5

Common Criteria Recognition Arrangement Ensure evaluations are performed to consistent standards Ensure evaluations are performed to consistent standards Increase availability of evaluated ICT products Increase availability of evaluated ICT products Evaluate once - sell to many Evaluate once - sell to many Improve the efficiency and cost-effectiveness of evaluation, certification and validation process for ICT products Improve the efficiency and cost-effectiveness of evaluation, certification and validation process for ICT products

Cyber Defense Needs Architectural Approach Architectural Approach Agility Agility More information More information Many more products covered Many more products covered More realism More realism More comparability More comparability 7

What is Happening in CCRA? What is Happening in CCRA? Protection Profile-based evaluations (cPPs) - detailed requirements specifications Protection Profile-based evaluations (cPPs) - detailed requirements specifications Produced by an International Technical Community Produced by an International Technical Community Kept up to date by that community Kept up to date by that community Provides a robust foundation Provides a robust foundation Outside of cPPs - recognition limited to EAL2 activities Outside of cPPs - recognition limited to EAL2 activities 8

Why is this Happening in CCRA? Evaluations took too long, and were too costly, with inconsistent Return on Investment Evaluations took too long, and were too costly, with inconsistent Return on Investment Unrealistic on a technical level (Firewalls -OS) Unrealistic on a technical level (Firewalls -OS) Unrealistic expectations on Evaluators (developers at leading edge, not evaluators) Unrealistic expectations on Evaluators (developers at leading edge, not evaluators) Not using power of community and peer input/review Not using power of community and peer input/review Little connection to system integrator, procurement needs Little connection to system integrator, procurement needs 9

What is the Process? Governments set high level requirements Through `Essential Security Requirements’ Through `Essential Security Requirements’ Industry (and others) perform the work With consultation and review - using plain language With consultation and review - using plain language Governments steer the work Using `Position Statements' and `Endorsement Statements' Using `Position Statements' and `Endorsement Statements' Kept up to date Technical communities continue to develop the technology standards Technical communities continue to develop the technology standards 10

Providing the Recognition Vehicle Some of the technical communities setting the standards will already exist (e.g. 3GPP, ETSI, TCG, Open Group, etc.) Some of the technical communities setting the standards will already exist (e.g. 3GPP, ETSI, TCG, Open Group, etc.) Different approaches to interaction/oversight Different approaches to interaction/oversight Working on a lightweight oversight approach Working on a lightweight oversight approach 11

Industry Linkage Common Criteria User Forum Significant role Significant role Significant growth (~ 500 members, > 26 countries) Significant growth (~ 500 members, > 26 countries) Incubator for technical communities Incubator for technical communities Recent NATO CC-CAT Workshop Strong support for the change Strong support for the change Keep up the pace Keep up the pace Provide more information Provide more information Maintain the Industry involvement Maintain the Industry involvement 12

NIAP 13 Partnership to evaluate commercial IT products for use in National Security Systems

NIAP Mission  Evaluate COTS IT products for use in National Security Systems (NSS) and  Develop requirements specifications  US representative within the international Common Criteria Recognition Arrangement (CCRA) 14

NIAP Goals Ensure Commercial ICT products represent best practice level of security Ensure Commercial ICT products represent best practice level of security Raise the security bar toward a goal of “secure-by-default” Raise the security bar toward a goal of “secure-by-default” Independent 3 rd party assessment of a product against a specified set baseline security requirements, using defined, objective tests Independent 3 rd party assessment of a product against a specified set baseline security requirements, using defined, objective tests 15

Stakeholder Engagement Industry (Commercial IT vendors, Common Criteria Test Labs) Industry (Commercial IT vendors, Common Criteria Test Labs) DoD & Federal Government Groups & Reps DoD & Federal Government Groups & Reps - Committee on National Security Systems (CNSS) IC Community Stakeholders IC Community Stakeholders International Stakeholders (NATO) International Stakeholders (NATO) International-Common Criteria Recognition Arrangement (26 member nations) International-Common Criteria Recognition Arrangement (26 member nations) 16

NIAP Protection Profiles (PP) Protection Profiles (PP) Define the totality of product security functions to be tested and how they will be tested Technical Communities (TC) Technical Communities (TC) Collaborative group from industry, government (US and foreign), and academia working to develop Protection Profiles for a specified technology. 17

Protection Profiles Technology Specific Technology Specific Objective Test Criteria Objective Test Criteria Requirements Address Documented Threats Requirements Address Documented Threats Achievable, Repeatable, and Testable Achievable, Repeatable, and Testable

Common Criteria Evolution Technology focused Protection Profiles Technology focused Protection Profiles Emphasis on Security Functional Requirements (SFR) with specified Assurance Activities Emphasis on Security Functional Requirements (SFR) with specified Assurance Activities Establishing Technical Communities with international partners & industry representatives (vendors & labs) to develop the next generation of technology focused PPs Establishing Technical Communities with international partners & industry representatives (vendors & labs) to develop the next generation of technology focused PPs

Focus For National Security System Procurement, COTS IA Products Must be Evaluated per NIAP processes For National Security System Procurement, COTS IA Products Must be Evaluated per NIAP processes – U.S. National Policy, CNSSP#11 NIAP evaluates COTS IA Products against requirements in NIAP approved Protection Profiles NIAP evaluates COTS IA Products against requirements in NIAP approved Protection Profiles

Progress Currently 9 Technical Communities Currently 9 Technical Communities Published 12 technology based PPs Published 12 technology based PPs Ongoing international evaluations against NIAP approved PPs (Various Nations) Ongoing international evaluations against NIAP approved PPs (Various Nations) Evaluations complete in 3-6 months Evaluations complete in 3-6 months 21

Protection Profile Technology Types – Mobile Devices (smartphones, tablets, etc) – Mobile Device Management – Network Devices – VPN – Application – Encrypted Storage – Wireless Local Area Network (LAN) 22

Technical Communities Mobility Mobility Redaction Redaction CA certificate Authority CA certificate Authority Apps on OS Apps on OS Data at rest Data at rest Network Device (ND) Network Device (ND) Intrusion Prevention Systems (IPS) Intrusion Prevention Systems (IPS) Peripheral Sharing Switch (PSS) Peripheral Sharing Switch (PSS) Trusted Platform Management Trusted Platform Management 23

Stakeholder Participation Increase Industry participation in Technical Communities Increase Industry participation in Technical Communities Continue developing consistent set of technology-focused security requirements with associated assurance activities Continue developing consistent set of technology-focused security requirements with associated assurance activities Continue work on collaborative PP development through International Technical Communities Continue work on collaborative PP development through International Technical Communities Partner with Industry to improve Time to Market Partner with Industry to improve Time to Market 24

Vendors Working with NIAP Wireless LAN Wireless LAN Aruba Aruba Motorola Motorola General Dynamics General Dynamics Fortress Fortress Technologies Technologies Cisco Cisco Network Devices Dell Dell Juniper Juniper Cisco Cisco Microsoft Microsoft SafeNet SafeNet Checkpoint Checkpoint Symantec Symantec MDM and MDF MDM and MDF Samsung Samsung Air-Watch Air-Watch Fixmo Fixmo RIM/ Blackberry RIM/ Blackberry Mocana Mocana Motorola Motorola Mobile Iron Mobile Iron 25

NIAP High Priority Technology Areas Mobility Mobility Network Devices Network Devices Operating Systems Operating Systems Wireless Local Area Networks (WLAN) Wireless Local Area Networks (WLAN) Virtualization Virtualization 26

US Governing Policies (U) National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems” (U) National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems” (U) CNSSP 11, “National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products” as follows: (U) CNSSP 11, “National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products” as follows: (U) CNSS Directive 502, “National Directive on Security of National Security Systems” (U) CNSS Directive 502, “National Directive on Security of National Security Systems” Department of Defense Directives Department of Defense Directives – DoDD , “National Security Agency/Central Security Service (NSA/CSS)” – DoDD E, “Information Assurance (IA)” – DoDI , “Information Assurance (IA) Implementation”

Contact Information NIAP website: NIAP website: – Contact info: Contact info: – Telephone: Telephone: –