The Common Criteria Cs5493(7493)
CC: Background • The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series
CC: Background • 1996 - The CC was conceived following the TCSEC, Rainbow series. • The Rainbow series was used as a guide and model for the CC. • 1997 NIAP is formed (National Information Assurance Partnership) • Published in 1998
CC: Background • 1999 Adopted by the ISO (International Standards Organization, ISO-15408) • 2000 Evaluations performed by accredited labs with government oversight and validation. • 2003 NSA Assumes responsibility for CCEVS (CC Evaluation and Validation Scheme)
CC Purpose • To provide consistent evaluation standards to IT products and systems • To improve the availability of evaluated security-enhanced IT products and systems. • To eliminate duplicating evaluations of IT products and systems. • To improve the efficiency and cost-effectiveness of the evaluation process.
CC • The CC does not define the features of an IT product • The CC does not require the product itself be secure • The CC is a common framework for an evaluation process.
CC • Because the CC focuses on the security evaluation process, and not on the actual product design, vendors can keep their technology proprietary.
The CC Process • IT products are organized into categories: http://www.commoncriteriaportal.org/products
The CC Process • The CC process is centered around an IT product referred to as the Target Of Evaluation: TOE. • The CC Process is determined for the TOE by three documents: • The Protection Profile (PP) • The Security Target (ST) • The Certification/Validation Report
CC General Requirements • Functional security requirements – define the desired security behavior. • Assurance requirements – indicate that the claimed security measures are effective and implemented correctly.
The CC Process: Protection Profile • Each IT category has at least one document describing the functional and assurance security requirements. These documents are known as Protection Profiles
CC: Protection Profile • Created by a user, user community, laboratory, etc. • NIAP is currently working on a standard protection profile for each technology category.
CC : Protection Profile • Contains a description of threats • Security objectives • Security functional requirements • Security assurance requirements • etc
CC : Security Target • The Security Target (ST) document is usually written by the developer/vendor of the IT product.
CC : Security Target • The document contains information on how the TOE fulfills the security objectives outlined in the PP.
CC : Evaluation • The evaluation process is used to determine if the security target (ST) is satisfied for the target of evaluation (TOE). • The TOE developer requests the evaluation. • Evaluation only occurs when the product is complete. • The cost of the evaluation is negotiated between the developer and the evaluator.
CC : Evaluations • A validation/certification report documents the evaluation findings.
CC : Validation • Validation for the TOE comes in the form of a Validation/Certification Report. • The Validation report assigns an EAL to the TOE.
CC : EAL • Evaluation Assurance Levels • Levels 1 through 7 • The EALs reflect the degree of confidence a user can have in the performance of the TOE • EAL 1 evaluations are no longer done by accredited labs • EAL 2 through 4 are assigned by one of the accredited labs • EAL 4+ are assigned by the NSA
CC : EAL • EAL 1-4 do not require evaluation of the software, only the development process • EAL 4+ require more rigorous design evaluation.
CC Sustainability Cycle • Revisions are required as vulnerabilities are discovered • Each revision may require re-evaluation
Accredited Evaluators • NIST accredits the evaluators • There are 15 countries that have accredited evaluators. • There are 11 other countries that support the CC standards.