At the 14th International Common Criteria Conference (ICCC) held in Orlando this week, it was announced that India has become a Common Criteria Certificate issuing nation. We congratulate India on this significant achievement and look forward to working closely with the Indian Common Criteria Scheme. For more information on the announcement, see the article “India Earns Authorizing Nation Status for IT Product Testing”.
In order for government and enterprise organizations to keep their data secure from increasingly advanced cyber threats, security solutions and protocols are critical. However, these organizations must ensure that their chosen security solutions meet key security criteria, are standards-based, perform as expected and interoperate reliably with existing technology.
The challenges above are why Common Criteria was created. Common Criteria is an international standard for IT product security and reliability. In fact, many governments will not use security products that don’t meet Common Criteria standards.
This year, the International Common Criteria Conference is being held in Orlando, Florida from September 10-12. The conference is a place for Certification Bodies, Evaluation Laboratories, Researchers, Evaluators, Product Makers and Buyers and Sellers to come together and exchange ideas in order to improve Common Criteria.
Cisco will lead multiple sessions covering topics like Cryptography, Network Device Protection Profiles, Improving Common Criteria and Marketing Common Criteria.
Details on the speaking sessions presented by and in collaboration with Cisco are below:
- Keynote Speaker: CCUF Perspective
September 11 from 9-9:30AM ET
Alicia Squires, Cisco, CCUF Chair
- Marketing the New CC
September 11 from 9:30-11AM ET
Moderator: Mark Loepker, NIAP, CCES Chair
Panelists: Joshua Brickman, Oracle; Jen Gilbert, Cisco; Matt Keller, Corsec; Eric Winterton, Booz Allen Hamilton.
- Entropy Sources -- Industry Realities and Evaluation Challenges
September 11 from 10-10:30AM ET
Alicia Squires, CISSP, Product Certification Engineer, Cisco; Chair, CCUF Management Group
- Cryptography and Common Criteria
September 11 from 11:30-12PM ET
Ashit Vora, Manager, Common Criteria Certification, Cisco and Chris Brych, Manager, Security Certifications, SafeNet, Inc.
- Lessons and Recommendations from Evaluating Against NDPP in Three Different Schemes
September 11 from 5-5:30PM ET
Terrie Diaz, Product Certification Engineer, Cisco and Ashit Vora, Manager, Common Criteria Certification, Cisco
- Widening the Use of CC for End Users Worldwide
September 12 from 9:30-11AM ET
Moderator: Michele Mullen, Director, ATA, CSEC
Adam Golodner, Director, Global Security & Technology Policy, Cisco; Steve Lipner, Microsoft; Blackberry (INVITED); Ericsson (INVITED)
Invitation to attend a discussion about IT product security and information assurance requirements for the Canadian government
The Common Criteria Users Forum is inviting representatives from Canadian government agencies to participate in a free round-table discussion about how the information assurance requirements of Canadian government agencies can be incorporated in international standards for IT security and the evaluation of IT products.
Specifically, we are hoping to engage individuals who have a working-level understanding of government IT security standards, procurement policies, or certification and accreditation, in a discussion about how Canadian government agencies can provide input into the development of Common Criteria Protection Profiles for IT products.
Note that we will not be discussing specific requirements, it is not a commercial or sales event, and there is no fee or obligation for attending. While this event is intended for Canada, the CCUF is looking to expand to other geographies.
Date, time, and location:
The meeting is being held on Friday, 17 May 2013 from 10:30 AM to noon, at Oracle, 45 O’Connor St, Ottawa, ON K1P 1A4.
10:30 to 10:45 — Welcome and introductions
10:45 to 11:00 — A brief introduction to the Common Criteria and the CCUF
11:00 to noon — Round-table discussion
Today more than ever, networks are transforming the way organizations operate and are touching more people through a wider range of devices than ever before. Achieving a secure infrastructure is increasingly complex with today’s mobility, collaboration and cloud services added to the mix. These new capabilities offer significant operational efficiency and reduce costs, but they also introduce additional risk to the network.
On September 19, in “Progress Report from the Supply Chain Security Technical Working Group” (September 19 2012), a status report was presented from the Supply Chain Security Technical Work Group, which was formed in March 2012 with the approval of the Common Criteria Development Board in order to produce a Common Criteria Supporting Document that technical communities can use and adapt for their protection profiles.
The information and communications technology (ICT) supply chain has become increasingly complex, with logically long and geographically diverse routes, including multiple tiers of outsourcing. This leads to a significant increase in the number of organizations and individuals who “touch” a product, and thus increases the likelihood that a product’s integrity will be compromised. Ensuring that ICT products from commercial software and hardware providers are free from vulnerabilities introduced via the product developer’s supply chain is an increasing concern, which has manifested in proposed legislation and draft government regulations, as well as publicized attacks.
Exacerbating those concerns is the fact that awareness of supply chain risks and potential mitigations is not widely shared within the ICT industry, academia, government regulators, and product acquirers.
The product life cycle and its corresponding supply chain aspects extend from design to sourcing, manufacturing, distribution, delivery, installation, support, and end-of-life. Each stage presents potential threats of attack: the introduction of counterfeit products or components; elements of product taint, for example via malware or an integrity breach; disruptions to logistics and delivery; as well as tampered communications between the product developer and the customer or the customer and supplier.
The initial Supply Chain Security Supporting Document will describe several of these threats in more detail, specify additional threats, suggest assurance requirements, and recommend best practices for product manufacturers, evaluators, certifiers and end users.
As communities incorporate targeted material from the Supply Chain Supporting Document in protection profiles and vendors complete Common Criteria security evaluations against those protection profiles, customers will gain additional assurance of the product developer’s actions to secure their supply chain, and confidence in the manufactured product they are receiving; all under the globally accepted Common Criteria framework.