Post on 31-Mar-2015
1
National Information Assurance Partnership
Paul MansfieldJanuary 2013
AN EVOLUTION
®
Common Criteria Recognition Arrangement (CCRA)
CertificateProducers
US Canada
UK
GermanyFranceAustralia Japan
Netherlands Norway South Korea
New Zealand Spain Sweden
CertificateConsumers Finland Greece
Israel
Austria
Turkey
Hungary
Czech Republic
SingaporeIndia
Denmark
Pakistan
MalaysiaItaly
3
2012 International Common Criteria Conference
• Common Criteria Recognition Arrangement (CCRA) Management Committee (CCMC) Agreement
• Vision Statement – Develop Collaborative Protection Profiles (cPP)– International Technical Communities (iTC)
• CC Schemes• Labs• Stakeholders• Vendors
• CCMC Chair Directed CC Executive Secretariat and CC Directors Board– Update CCRA– Terms of Reference & CCRA Documents– Transition Plan
4
2012 ICCC Vision Statement Key Points• Raise General Security Level• Standardization• CCRA Mutual Recognition – cPP• iTCs Define cPPs • cPPs Instead of Individual STs• STs w/o cPP – Limited to EAL2
– 2 Nations Disagreement• Evaluations above cPP
– National Requirements & Special Arrangements– CCRA MR @ cPP Only
• cPPs Will Address Vulnerability Analysis– Transparent and Repeatable
• https://www.commoncriteriaportal.org/
5
• NIAP Functions:– Prioritize PP Development– Author and promulgate PPs
• Conduct risk analysis• Develop profiles with a risk-based mindset
– Influence international standards (e.g., ISO)
NIAP leads technical communities to develop, promulgate and manage foundational security requirements that enable the acquisition of validated products to continually improve network defense for America and its Allies.
Develop, promulgate and manage foundational security requirements
GOTS vs. COTS
Traditionally, the US government has used government designed and certified devices to protect its most sensitive data.
• Government Devices (GOTS) – Purpose-built for security– Strict design and implementation criteria– Long, exhaustive security evaluation
• Commercial Devices (COTS)– Provide a balance of security and features– Quick to market, flexible
6
7
Committee on National Security Systems Policy (CNSSP) 11
• Policy – COTS comply with NIAP process– Layered COTS preferred over GOTS– GOTS evaluated by NSA
• Evolution– Move away from Evaluation Assurance Level (EAL)– Comply with Protection Profile (PP)– PPs developed by Technical Communities– CCRA Collaborative PPs (cPP)
8
Benefits of New Evaluation Process• One Evaluation Level
– Achievable, Repeatable, Testable• One PP per Technology
– Internationally accepted– Objective Assurance Requirements– Extended Package (EP) if required
• Technical Communities– Industry/Government Partners, shared expertise,
contribute to PP development
9
What’s Not Working?• “Cookie cutter approach” to technology type being
evaluated• Subjective, inconsistent standards across vendors or
countries• Higher EAL doesn’t equal higher security• Process is too lengthy• Not repeatable across labs, schemes/nations• No enforcement of security requirement testing
What is a Protection Profile?
• Tailored set of baseline security functional and security assurance requirements
• Focuses on tailored requirements and assurance activities by technology
• Tailored set of use cases, threats, and objectives• Allows for the expansion of baseline requirements
through extended packages for specialized technologies– i.e. Network Device PP and Firewall EP
10
Why Are PP’s Good• (Achievable) Reduced time and costs of evaluation• (Repeatable) Produce comparable and meaningful results
across labs/schemes• (Testable) Assurance Activities – tailored CEM
– Assurance of product compliance
• Address specific threats• Created and maintained by Technical Communities (TCs)
11
12
What Exactly Are TCs?• Any participating vendor, country, critical
infrastructure, evaluator or lab• Collaborative environment to create
requirements and standards for PPs• Ultimate creator of PPs with NIAP guidance
ST vs. PP Example
13
*SFR – Security Functional Requirement**SAR – Security Assurance Requirement***TAA – Tailored Assurance Activity
ST vs. PP Example
*SFR 1 SFR 2 SFR 3 SFR 4
14
*SFR – Security Functional Requirement**SAR – Security Assurance Requirement***TAA – Tailored Assurance Activity
**SAR 01 SAR 02 SAR 03 SAR .... SAR .... SAR 24
Functional Package
AssurancePackage
Security Target
*SFR 1 SFR 2 SFR 3
**SAR 01 SAR 02 TAA 03 TAA .... TAA .... TAA 10
Functional Package
Assurance Package
Protection Profile
ST vs. PP Example
*SFR 1 SFR 2 SFR 3 SFR 4
15
*SFR – Security Functional Requirement**SAR – Security Assurance Requirement***TAA – Tailored Assurance Activity
**SAR 01 SAR 02 SAR 03 SAR .... SAR .... SAR 24
Functional Package
AssurancePackage
Security Target
*SFR 1 SFR 2 SFR 3
**SAR 01 SAR 02 TAA 03 TAA .... TAA .... TAA 10
Functional Package
Assurance Package
Protection Profile
ST vs. PP Example
*SFR 1 SFR 2 SFR 3 SFR 4
16
*SFR – Security Functional Requirement**SAR – Security Assurance Requirement***TAA – Tailored Assurance Activity
**SAR 01 SAR 02 SAR 03 SAR .... SAR .... SAR 24
Functional Package
AssurancePackage
Security Target
*SFR 1 SFR 2 SFR 3
**SAR 01 SAR 02 TAA 03 TAA .... TAA .... TAA 10
Functional Package
Assurance Package
Protection Profile
Technical Community
• Key to PP Development and Maintenance• Any participating CCRA nation, vendor, critical
infrastructure industry, academia, evaluator, or lab
• Collaborative environment to create requirements and testing standards for PPs
17
18
Published Protection Profiles• Full Disk Encryption• USB Flash Drive• Hardcopy Device (MFP)• Stateful Firewall• Network Devices 1.1• ESM Policy Management• ESM Access Control• ESM Identity & Credential Mgt.
• Mobility Endpoint OS• Mobility Endpoint VoIP App• SIP Server• Wireless LAN Access System• Wireless LAN Client• VPN Client• Peripheral Sharing Switch
Located at www.niap-ccevs.org/pp/
19
Protection Profiles Under Development
• NDPP V2• VPN Gateway Extended
Package• BIOS• MFP v2• USB v2
• Hardware Security Module• Virtualization• Storage Area Network• File Encryption• Mobile Device Management
20
Contact Information• NIAP website:
– http://www.niap-ccevs.org/• Contact info:
– Mark Loepker – msloepk@nsa.gov– Paul Mansfield – pbmansf@nsa.gov
• Email: – scheme-comments@niap-ccevs.org
• Telephone: – 410.854.4458
21
Questions?
22
NIAP Evolution Progress• IA Products Must be CC Evaluated & Validated – U.S.
National Policy (NSTISSP-11)– Not the case in most other CC-nations
• No longer accepting traditional (EAL4) evaluations• Evaluations must go against NIAP Approved PP• Created Technical Communities
– Network, Firewall, ESM
• Published 12 Standard PP (December 2012)• Continuing Outreach to Gov’t & International Partners,
Industry, Labs, Academia