On September 19, 2012, in the session "Progress Report from the Supply Chain Security Technical Working Group", a status report was presented from the Supply Chain Security Technical Work Group, which was formed in March 2012 with the approval of the Common Criteria Development Board in order to produce a Common Criteria Supporting Document that technical communities can use and adapt for their protection profiles.
The information and communications technology (ICT) supply chain has become increasingly complex, with logically long and geographically diverse routes, including multiple tiers of outsourcing. This leads to a significant increase in the number of organizations and individuals who “touch” a product, and thus increases the likelihood that a product’s integrity will be compromised. Ensuring that ICT products from commercial software and hardware providers are free from vulnerabilities introduced via the product developer’s supply chain is an increasing concern, which has manifested in proposed legislation and draft government regulations, as well as publicized attacks.
Exacerbating those concerns is the fact that awareness of supply chain risks and potential mitigations is not widely shared within the ICT industry, academia, government regulators, and product acquirers.
The product life cycle and its corresponding supply chain aspects extend from design to sourcing, manufacturing, distribution, delivery, installation, support, and end-of-life. Each stage presents potential threats of attack: the introduction of counterfeit products or components; elements of product taint, for example via malware or an integrity breach; disruptions to logistics and delivery; as well as tampered communications between the product developer and the customer or the customer and supplier.
The initial Supply Chain Security Supporting Document will describe several of these threats in more detail, specify additional threats, suggest assurance requirements, and recommend best practices for product manufacturers, evaluators, certifiers and end users.
As communities incorporate targeted material from the Supply Chain Supporting Document in protection profiles and vendors complete Common Criteria security evaluations against those protection profiles, customers will gain additional assurance of the product developer’s actions to secure their supply chain, and confidence in the manufactured product they are receiving; all under the globally accepted Common Criteria framework.
Tags: CC, Common Criteria, ICCC, secure supply chain
Last week I attended the ICCC in Paris, where Ashit Vora, Manager, Security Assurance, Cisco, discussed the Cloud and how Common Criteria can be used to help mitigate threats. The following is an excerpt from his presentation and food for thought on Cloud security.
More and more enterprises, including governments, are moving their data “to the Cloud” in the hopes of saving infrastructure and maintenance costs. But is this at the risk of security? As both private and public Clouds become pervasive, security is going to be a major concern. Cloud infrastructure by definition has large amounts of information including proprietary information, competitive information, information of different classification levels, etc. In addition, the types of mechanisms available to access the information in the Cloud, such as B.Y.O.D. (Bring Your Own Device), are increasing day by day. If the proper security mechanisms are not in place and validated, it could prove to be damaging to all users of the Cloud.
Tags: Bring your Own Device (BYOD), cloud security, Common Criteria, ICCC
Alicia Squires, Cisco Certifications Engineer and Common Criteria Users Forum (CCUF) Chair, discussed the benefits of Common Criteria yesterday at the International Common Criteria Conference (ICCC).
- Single certification recognized by 26 nations
- Improves availability of evaluated, security-enhanced IT products
- Contributes to higher levels of citizen confidence in IT security
- Improves the efficiency and cost-effectiveness of the evaluation and certification process
- Allows vendors to focus their resources on a common set of requirements to improve the security of products overall
- Increases the breadth of certified products and technologies available to IT administrators
For more information visit the Common Criteria Users Forum.
Alicia Squires, CCUF Chair
Tags: CCUF, Common Criteria, ICCC
In the CC Users Forum press conference at the 13th Annual International Common Criteria Conference, held in Paris September 18-20, 2012, Alicia Squires, Common Criteria Users Forum (CCUF) Chair and Cisco Certifications Engineer, reviews the mission of the CCUF and the benefits of Common Criteria.
The Common Criteria Users Forum mission is to provide a voice and communications channel amongst the CC community, including the vendors, consultants, testing laboratories, Common Criteria organizational committees, national schemes, policy makers, and other interested parties.
Tags: CCUF, Cisco, Common Criteria, ICCC
The Common Criteria Users Forum (CCUF) Management Board is pleased to announce the CCUF-CCDB (Common Criteria Development Board) Workshop September 11th – 13th, 2012, as a preceding event to the International Common Criteria Conference (ICCC) in Paris, France.
As was done at the Tokyo workshop, the CCDB has invited active industry participation in a Private + Public Partnership dialogue for the majority of the joint meetings. To allow greater numbers to participate in interactive dialogue directly with the CCDB, an extended closing meeting will be held between the CCUF and CCDB on Thursday at the Microsoft offices.
The Tuesday and Thursday sessions will be held at the Microsoft Office in Paris; on Wednesday, Cisco will host workshop participants at its offices.
Wednesday will be composed of breakout topics amongst the CCUF participants, and will be held at the Cisco Office. The main topics for Tuesday and Thursday, which will be presented to the CCDB during the closing session on Thursday, are:
- Framework for coordination between Common Criteria technical communities
- Role of CCUF in the work of forming, supporting, and cross-fertilizing Common Criteria technical communities
- Taking forward the work on ‘innovation’
- How to efficiently, effectively, and fairly use the associated technical community to maintain the collaborative Protection Profile as new approaches are developed
The Cisco Global Certification Team (GCT) is looking forward to this opportunity to interact with our peers, be an active voice in the Common Criteria community, and work together to further this program as the global standard in security and assurance certifications. If you have any questions or comments on the CCUF-CCDB workshop, please contact Alicia Squires at email@example.com.
Tags: board, CCDB, CCUF, Common, Conference, criteria, Development, Forum, ICCC, International, users