Common Criteria Recognition Arrangement (CC RA)

Similar documents
June 2011 COMMON CRITERIA EMBRACE, REFORM, EXTEND. Presented by:

NIAP Progress Report Second Quarter 2016

Detailed Data from the 2010 OECD Survey on Public Procurement

Common Criteria Evaluation and Validation Scheme For. Information Technology Laboratory. Guidance to Validators of IT Security Evaluations

CCUS I N I T I A T I V E CCUS I N I T I A T I V E

The Third-Party Process: Waste of Resources or Added Value?

Carbon Pricing in Japan

Enabling international research collaboration:

G8 GLOBAL PARTNERSHIP ANNUAL REPORT. G8 Senior Group, June 2004

How2Guide for Bioenergy. Ingrid Barnsley, Anselm Eisentraut Southeast Asia regional workshop July 2014, Bangkok, Thailand

G8 Global Partnership Annual Report G8 Senior Group, June 2004

SPTF Universal Standards for. Social Performance. Management. Version 2.0, Published August 2016

Developing International Standards for Very Small Enterprises

ISO National Mirror Committees Training with Lesotho, Malawi, & Zambia: ISO/TC-242 Energy Management

ARCTIC SDI Governance Document

Best Practices for Promoting the Renovation of Buildings and the Interlinkage with the EPBD

ANALYTICAL STANDARDS AND REAGENTS

Benefits of the IEA Wind Co-operation

GRI Sustainability Reporting Statistics Publication year By Report Services

Welcome to the Bank Statement Processing introduction topic. During this training, we use the acronym BSP for Bank Statement Processing.

Thus, let s focus on 35% 30% 25% 20% 15% 10%

Proposer. Subject (the subject shall be described unambiguously and as concisely as possible)

American Academy of Forensic Sciences Standards Board, LLC

OIML B 18 Edition 2018 (E)

Final Document. IMDRF Terms of Reference. Date: 17 December Jeff Shuren, IMDRF Chair. IMDRF/MC/N1FINAL:2014 (Edition 3)

Benefits of the IEA Wind Co-operation

National Information Assurance Partnership /Common Criteria Evaluation and Validation Scheme. Publication #2

POSITIVE ECONOMY INDEX NATIONS INDICE DE POSITIVITÉ DES NATIONS

INTERNATIONAL ENERGY AGENCY. In support of the G8 Plan of Action TOWARD A CLEAN, CLEVER & COMPETITIVE ENERGY FUTURE

Ranking der Nachhaltigkeitsberichte 2005 March 15, 2005, Hannover Ralph Thurm. Deputy Chief Executive

Benefits of the IEA Wind Co-operation

The OECD The Nuclear Energy Agency

Ethical leadership and corporate citizenship. Applied. Applied. Applied. Company s ethics are managed effectively.

Highlights. Figure 1. World Marketed Energy Consumption by Region,

OECD RECOMMENDATION OF THE COUNCIL FOR ENHANCED ACCESS AND MORE EFFECTIVE USE OF PUBLIC SECTOR INFORMATION [C(2008)36]

Agilent N6171A MATLAB Data Analysis Software for X-Series and PSA Series Signal and Spectrum Analyzers

Asset Management an IAM Perspective

COGNIZANT TECHNOLOGY SOLUTIONS CORPORATION. Audit Committee Charter. Updated December 12, 2017

ABCANN GLOBAL CORPORATION CORPORATE GOVERNANCE POLICIES AND PROCEDURES

International Experts Meeting on Illegal Logging Possible Way Forward towards More Sustainable Forest Management. Chairpersons Summary

Global Shipping and Logistics

Pros and Cons of a Regulation on Accreditation and Verification for the purposes of the EU ETS

A new environment for nuclear safety: Main challenges for the OECD/NEA

5 REASONS TEKTRONIX OSCILLOSCOPES ARE RELIABLE AND TRUSTED TECHNICAL BRIEF

Audit committee charter

Common Criteria Evaluation and Validation Scheme For. Information Technology Laboratory. Guidance to Validators of IT Security Evaluations

Global Commerce Review EMEA, Q2 2018

Expert meeting on Building an open and innovative government for better policies and service delivery. Paris, 8-9 June 2010

Wassenaar Arrangement. What is it all about? India s entry: What it means for us? What critics have to say?

AUDIT COMMITTEE CHARTER

EA MULTILATERAL AGREEMENT Facilitating cross border trade with reliable goods and services

Standards and accreditation. Tools for delivering better regulation

IEA Wind Co-operation. Name Hannele Holttinen IEA Wind Chair Workshop Winterwind 2011 Place Umeå, Sweden Date 9th Feb, 2011

Organic Standards and Regulations

The Nuclear Security Summit: Forging Consensus and Building Momentum

ISO Road Traffic Safety Management

WELLS FARGO & COMPANY AUDIT AND EXAMINATION COMMITTEE CHARTER

THE QUALITY INSTITUTIONS An enabling framework for international trade. Tom Rotherham International Institute for Sustainable Development (IISD)

REGULATORY DIVERGENCE: COSTS, RISKS, IMPACTS

ISO 31000, a risk management standard for decision-makers

GLOBAL COALITION FOR GOOD WATER GOVERNANCE

Report on the G-8 Global Partnership 2010

irobot Corporation Audit Committee Charter I. General Statement of Purpose

ISO TC265 Carbon Dioxide Capture, Transportation, and Geological Storage

Global Commerce Review. Americas, Q2 2018

The Connected Business

Application of King III Corporate Governance Principles

Certification in Central and Eastern Europe

Strong focus on market and policy analysis

«FRAMEWORK OF ACTIONS FOR THE LIFELONG DEVELOPMENT OF COMPETENCIES AND QUALIFICATIONS» Evaluation report

Thank you for your commitment to providing Henkel with quality materials and services.

AFRRCS Agency Handbook

The European Market for Woody Biomass Supply and Demand Drivers and Trends

Integrated Programme of Work for the ECE Committee on Forests and the Forest Industry and the FAO European Forestry Commission

2. Resolved to establish a global network for the Resource Efficient and Cleaner Production (RECPnet); and

Chapter 1. Software Engineering Supporting Processes

TG Therapeutics, Inc. Audit Committee Charter

ILAC Mutual Recognition Arrangement: Policy and Management ILAC-P4:06/2017

[ MS IMAGING ] FULL SPECTRUM MOLECULAR IMAGING COMPLETE VISUALIZATION OF MOLECULAR DISTRIBUTIONS

CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

APEC Architect Operations Manual

STATIONARY SOURCE AUDIT SAMPLE PROGRAM [VOLUME 1, MODULE 2] GENERAL REQUIREMENTS FOR AN ACCREDITOR OF STATIONARY SOURCE AUDIT SAMPLE PROVIDERS

WORKFORCE METRICS BENCHMARK REPORT

An Overview of ISO Anti-Bribery Management System Standard

MEDIA ADVISORY. Tokyo, January 29, 2007

Economic and Social Council

Standards Development and Modification

ZPG PLC (THE COMPANY) AUDIT COMMITTEE - TERMS OF REFERENCE adopted by the Board on 6 July 2017

Helping Organizations Manage their GHG Portfolio. Pierre Boileau Manager Canadian Standards Association

Economic and Social Council

MEANS TO AN END: the OECD Approach for Effective Implementation of Public Procurement Systems Getting really strategic

REACH. Main concerns resulting from the implementation of REACH. Within the Aerospace Defence and Security business VERSION 1.5

EXECUTIVE FOREST AGENCY MEMORANDUM OF UNDERSTANDING AND FORUM BALKAN FORESTS

globalg.a.p. aquaculture

Succession planning for business families and family offices. Joint report by Moore Stephens and The Aster Club.

1 June Dear Sir / Madam,

Working together to meet global energy challenges

Cross-border Executive Search to large and small corporations through personalized and flexible services

RESULTS. SAMPLE OF AN ACTUAL REPORT (PART II) Name of site left off. CERTIFIED: No Yes

2016 Global Manufacturing Competitiveness Index Report highlights

Transcription:

Common Criteria Recognition Arrangement (CC RA) History, Implementation, Future Expansion, and International Experiences Dr. Stuart Katzke National Institute of Standards and Technology skatzke@nist.gov This presentation will provide some background on the history of the Common Criteria Recognition Arrangement (CC RA), including its implementation, and will discuss its future expansion. The CC RA has been in operation for almost 2 years now. I will share with you my thoughts on the successes of the CC RA and the challenges that we still have to face. 1

International Recognition of Test Results Motivating Factors Eliminate or reduce duplicate evaluations of IT products and protection profiles Improve global market opportunities for the IT industry Encourage formal security testing of IT products Increase the availability of evaluated, securityenhanced IT products and protection profiles for national use The next two slides indicate the many reasons why recognition of CC evaluation results are beneficial to users, developers, and evaluation laboratories. Perhaps the most important motivating factor was the desire on the part of developers to have one evaluation, accepted everywhere, in order to maximize their returnon-investment in getting their products evaluated. 2

International Recognition of Test Results Motivating Factors Ensure that evaluations of IT products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles Improve the efficiency and cost-effectiveness of security evaluations and the certification/validation process for IT products and protection profiles These two motivating factors are particularly important since the CC RA provides a forum where CC RA members can raise complaints if they think a particular member is not upholding the spirit of the CC RA and a forum where members can agree on detailed or specific evaluation methods for specific technical areas (e.g. specific evaluation techniques for smartcards) 3

CC RA History Interim Arrangement (October 1997) Canada, United Kingdom, United States Interim Arrangement (March 1998) Canada, France, Germany, United Kingdom, United States Full Arrangement (October 1998) Canada, France, Germany, United Kingdom, United States October 1999: Australia, New Zealand Harmonized Arrangement (May 2000) Australia, Canada, Finland, France, Germany, Greece, Italy, The Netherlands, New Zealand, Norway, Spain, United Kingdom, United States November 2000: Israel February 2002: Sweden This slide shows the temporal order of arrangements that led up to the full harmonized CC RA in May 2000. The May 2000 CC RA was significant in that it merged the members of two prior arrangements: members of the Full CC Arrangement (October 1998) with members of the ITSEC arrangement that existed in Europe prior to the Full CC Arrangement. This February, Sweden was admitted as a certificate consuming member. 4

CCRA Organization Management Committee Executive Subcommittee Technical Working Technical Working Technical Group Working Group Groups Technical Working Technical Working Ad Group Hoc Working Group Groups The CC RA specifies that each signatory of the CC RA is a member of the Management Committee (MC), with one vote on the MC. Decisions in the MC are by majority vote, except in cases where the CC RA calls for unanimous consent. These are: Admitting new certificate consumer participants Admitting a new certificate producer participant (following a shadow certification) Accepting a certification body as being compliant (following a shadow certification) Changing the CC RA. The MC meets once a year, unless it is necessary to hold meetings in between annual meetings. The Executive Subcommittee (ES) carries out the day-to-day activities of the CC RA and meets 3-4 times per year. It is composed of all certificate producer members and a few certificate consumer members. Decisions in the ES are taken by majority vote. Disagreements are resolved at the MC level. There is one standing working group, the CC Interpretations Management Board (CCIMB) which addresses Requests for Interpretation, development of CC methodology, resolution of methodology issues, resolution of technical issues, and development of new versions of the CC and the Common Evaluation Methodology (CEM) 5

Committee Responsibilities Develop and recommend procedures for the conduct of Arrangement Group business Assess the technical compliance of new Certification Bodies Recommend revisions to the Arrangement Manage continuous monitoring activities Manage the conduct of shadow certification activities for current participants and new applicants The MC responsibilities are contained on the next two slides. In almost all cases, the ES performs the required tasks and background work for the MC. As an example, the ES is currently working on several procedures that supplement the CC RA document. These include: Process for shadow certification. Procedures for admitting new CC Recognition Arrangement (RA) members. Procedures for voluntary periodic assessment. Procedures for handling supporting documents (i.e., documented evaluation methods that are utilized in at least two CC RA member schemes) Procedures for maintaining a Centralized Certified Product List and Protection Profile List Procedures for handling internal disagreements Guidance to sponsors on reuse of evaluation results for reevaluation and certificate maintenance. 6

Committee Responsibilities Resolve technical disagreements about the terms and application of the Arrangement Manage the promotion and development of IT security evaluation criteria and evaluation methods Manage the maintenance of historical databases for criteria and methodology interpretations and any resultant decisions that could affect future versions of either the criteria or methodology 7

Types of Participants All participants are certificate consumers (i.e., agree to accept the security testing results produced by other participants) Some participants are also certificate producers (i.e., maintain a compliant certification or validation authority for security evaluations and authorize the use of CC certificates) The CC RA requires that signatories to the CC RA must be government members. As indicated before, there are two types of participants: 1. Certificate Consumer: those participants that agree to accept CC certificates issued by certificate authorizing participants 2. Certificate Producer: those participants that issue CC certificates under the conditions indicated in the slide. 8

Admission Requirements All prospective participants must agree to uphold the general provisions of the Recognition Arrangement In addition, if seeking to become a certificate producer, a prospective participant must satisfy rigorous technical requirements by demonstrating competence in conducting IT security evaluations This slide indicates the conditions for admission to the CC RA. 9

Accepting New Members Many countries expressing interest in joining the Arrangement as certificate consumers and as certificate producers Participants must assess new membership requests and vote on admittance Final approvals must have unanimous consent of participants Many countries have expressed interest in joining the CC RA. We are very pleased to see large amount of interest in the CC RA, and are looking forward to Japan joining the arrangement in the future. 10

Transition of Current Participants (To Certificate Producing Status) Israel Norway Italy Spain The Netherlands This slides indicates current certificate consumer CC RA participants that are planning to transition to certificate producer status in the future. 11

Potential Future Expansion (Prospective Participants) 2 Europe 5 Asia-Pacific Since some prospective participants may not want it know they are planning to join the CC RA, I didn t include references to specific nations in the slide. However, the slide does indicate the parts of the world the inquires came from. However, a number of nations have publicly announced their intent to join the CC RA. These include: Japan Korea Russia 12

Summary of History, Implementation, and Future Expansion Implementation of the Recognition Arrangement has been largely successful Fifteen nations currently participating as signatories seven nations operating active Common Criteria evaluation and certification programs Significant interest globally for new participants acceding to the Arrangement Using the metric of international interest in joining the CC RA, the CC RA appears to be very successful. However, as the remainder of the slides in this presentation will show, there are issues that need to be addresses within the CC RA by the CC RA members to ensure its continued success and growth. 13

International Experience: The CC RA in Practice To provide information on how the Common Criteria Recognition Arrangement is functioning in practice to include: Experiences to-date in the day-to-day operation and administration of the Arrangement Key issues that still need addressing Challenges for the future This slide begins the discussion of issues that still need to be addressed by current CC RA members and of challenges for the future. The rest of the presentation will elaborate on these issues and challenges 14

Key Issues and Challenges Non-Binding Arrangement Achieving Relative Parity (Intra-scheme and Interscheme) Confidence Building Activities Resource Requirements Common Criteria Interpretations Partnership with ISO Working with External Groups Commercial Sector Acceptance International Outreach Activities Extending the Arrangement This slide contains a listing of the issues and challenges that will be discussed in slides that follow. 15

Non-Binding Arrangement Respect for national sovereignty resulted in nonbinding arrangement Non-binding arrangement easier for governments to negotiate and to approve but has drawbacks Lack of ability to require a central funding mechanism Weak enforcement of terms of arrangement Sometimes difficult to achieve convergence of views, particularly when schemes implement evaluation and certification programs differently (e.g., differing levels of rigor and different processes) The current CC RA is a non-binding agreement. That means that all signatories agree that the CC RA is a voluntary arrangement (i.e., not mandatory) and cannot be enforced in a court of law. It also means that if a participant does not abide by the arrangement, the participant cannot be thrown out of the arrangement. It also requires each member to respect the national sovereignty of other members. This type of agreement (called an arrangement rather than an agreement ) was negotiated because it was faster to get approval by all of the original signatories. A binding agreement would have taken several years to negotiate and would have had a low probability of being approved by the respective governments. Consequently, we chose the easier path of a non-binding agreement. This has some draw backs. A major one is that it does not allow an official or formal membership fee. To be able to function in professional business like manner, an information infrastructure is required (e.g., website for external parties and an internal one for documents, archives, communication) and technical editors are needed to support to the ES, MC, CCIMB, and other working groups. This takes funding and resources. The original CC RA has no provision for requiring each member to provide funding and other resources. Consequently, it is not mandatory for a member to provide any funding/resources it is voluntary. However, without adequate funding/resources the CC RA can not meet CC RA goals and external expectations. The MC/ES is currently investigating an equitable way to obtain funding from members. 16

Achieving Relative Parity (Intra-scheme and Inter-scheme) Natural competition among national schemes and among testing and evaluation facilities within schemes the business case aspects Schemes implement terms of the Recognition Arrangement differently but must still satisfy overall requirements Differences in testing and evaluation costs can be due to labor rates and currency exchange rates The credibility of the CC RA is only as good as the relative parity of the schemes. If there are large differences in comparability, repeatability, and consistency of evaluations among the different schemes, the credibility of the CC RA will be questioned. These differences occur in two areas: cost-time of evaluation and technical results. While some of the differences in cost-time of evaluation can be attributed to labor and currency exchange rates, it is the differences in technical results that potentially can cause the largest, most significant problems. The CC RA members have to strive to make sure differences in technical results are minimal and that the differences do not undermine the CC RA. The confidence building activities discussed on the next slide are intended to address the technical parity issue. 17

Confidence Building Activities Schemes have ongoing requirement to participate in voluntary periodic assessments of their evaluation and certification programs (every five years) Periodic assessments are to develop confidence among the Arrangement participants in the technical capabilities of their partners and in the relative parity of their certification processes Intense negotiations ongoing as to the protocol and procedures for conducting such assessments Although all producer participants in the CC RA agreed to follow the CEM, the CEM is at a high level of specificity. This allows schemes some variation in the specific methods they use to meet CEM requirements. Because each scheme does things a little bit differently, it is necessary to be sure that evaluation results in the schemes are comparable even though evaluation methodology and approaches of the schemes may differ. Confidence building activities are intended to build confidence among the schemes that all schemes evaluations are resulting in evaluations of comparable technical quality. A key component of confidence building is requiring that each scheme go through a voluntary periodic assessment every 5 years or less. The ES has just completed the procedure that specifies the requirements for the voluntary periodic assessment, including the shadow certification process that is performed as part of the voluntary periodic assessment. 18

Resource Requirements Schemes face continuing demands for scarce and dwindling resources: To operate and maintain evaluation and certification programs To participate in technical working groups associated with the Common Criteria Project and Recognition Arrangement To support management committees of the Recognition Arrangement As mentioned previously, funding and staffing/human resources are needed to conduct day-to-day business of the CC RA (e.g., the support information infrastructure, the ES, the MC) and to support the technical working group activities (e.g., CCIMB). In addition, the producer participants need human resources to staff their schemes. This demand coupled with the lack of available trained professionals in this area has resulted in a shortage of human resources. The shortage of human resources has had a negative impact on the ability of the schemes and the CC RA project to meet desired goals. We do not see this situation changing in the future. As an example, it is very difficult for scheme to find competent validators/certifiers to oversee evaluations. Likewise, laboratories are having difficulty find staff that have experience performing evaluations. 19

Common Criteria Interpretations Common Criteria development in natural language results in (potentially) different interpretations of security requirements by national evaluation and certification schemes Recognition Arrangement technical working group meets frequently to develop standardized, agreed upon, official interpretations of Common Criteria security requirements Interpretations development process is resource intensive, but a necessary part of the overall Common Criteria project Since the CC & CEM are written in a natural language, their use has resulted in numerous Request for Interpretation (RI). These RIs often point out errors in the CC & CEM or areas that need clarification. Often it takes months to process a RI. The unusually long length of time to process a RI is due, in part to the: Shortage of human resources to apply to resolving the RIs Inability to obtain consensus within the CCIMB on a solution Complexity of the CC & CEM 20

Partnership with ISO Common Criteria development group made significant effort to get criteria adopted as an international standard (ISO/IEC 15408) Need to maintain regular and consistent coordination/liaison with ISO SC 27 Working Group 3 but this effort requires resources which tend to be limited A major goal of the CC project has been to work with ISO SC 27 WG3 to make the CC an international ISO standard. This goal has been achieved. The CC project still believes it is important to work with ISO on other CC-related activities (e.g., making the CEM a standard) but, as described previously, lacks the human resources to provide significant coordination with and contributions to ISO. The CC RA project recently met with the Chair of SC 27 WG 3 to explore how both organizations can work together to meet each others expectations. 21

Working with External Groups Need effective mechanisms to work with and have technical consultations with external groups, including government and industry organizations interested in using the Common Criteria and participating in criteria-related projects and activities Smart Card Security Users Group Biometrics Consortium International Standards Organization Governments with emerging schemes interested in acceding to the Arrangement The CC RA does not contain any provisions for the CC RA project to work with external CC RA non-members. The CC RA requires the consistency of all official CC RA project working groups to be made up of representatives from the CC RA participants. However, the CC RA members have recognized the need to allow external technical consultation between outside groups/individuals and the CC project. Consequently, a procedure is being developed to allow this technical consultation in the future. The new procedure would still not permit external groups/individuals to be part of the CC RA (or its working groups) but it would define a process of cooperation/coordination/technical input if these support the goals of the CC RA. 22

Commercial Sector Acceptance Commercial sector gradually embracing the Common Criteria and associated evaluation schemes but progress has been slow Continuing industry concerns about: Cost of testing and evaluation processes Length of time required for security evaluations Consistency of security evaluations among international schemes The CC was originally developed by governments because they wanted their agencies to use evaluated products in government systems. To support this goal, the governments established evaluation schemes to ensure there were commercial laboratories available to perform the evaluations. However, it was recognized by many, including this author, that government demand for and use of evaluated products might not be large enough to sustain a healthy evaluation infrastructure. Thus, in order for the CC and the CC RA project to succeed, there needs to be commercial sector acceptance of the value of evaluated products and the commercial sector s desire to use evaluated products in their systems. Consequently, the CC RA project members and their respective schemes need to address the concern of the commercial sector that are on this slide. The commercial sector will be reluctant to embrace the evaluated product concept until these concerns are eliminated. 23

International Outreach Activities Need to improve awareness and understanding of the Common Criteria and the international evaluation infrastructure and their role in system development and evaluation Goal is to develop better information systems and networks through appropriate utilization of evaluated products Common Criteria is a powerful tool/language for capturing both system and product security requirements even if nothing ever gets evaluated Information about the CC, the national schemes, and the goals of the CC RA project are spreading. As I mentioned previously, many nations have indicated a desire to join the CC RA. In 10 years, the CC has become a widely recognized standard and the benefits of using evaluated products in building critical infrastructure systems has been recognized. However, there are many communities that could benefit from the use of the CC to define their requirements in the form of a protection profile but these communities do not know about the CC or understand how to apply it. Those of us that understand the CC and how to use it have a responsibility to evangelize its use to communities that know little about IT security and that do not understand the power of the CC. As an example, I initiated discussions with key members of the process control community that led to establishment of a working group focused on defining security requirements for process control real-time systems. Such systems include: electric power generation & distribution, control of nuclear power plants, control of manufacturing plants, control of building environmental controls including safety/fire. Many of these systems are part of the critical infrastructures of many nations and, as such, are vulnerable to terrorist and other types of attacks. We need to engage other communities in order to educate them and to activate them to develop their security requirements. This type of outreach is necessary for the continued success and growth of the CC. 24

Extending the Arrangement Modifying the Arrangement to include higher levels of assurance requires: The development of Common Evaluation Methodology for Evaluation Assurance Levels 5 through 7 Additional confidence-building activities to include shadow certifications of all certificate-producing participants in the Arrangement Consensus vote by all participants to include new assurance components in the scope of the Arrangement The current CC RA allows for changes by unanimous consent of its members. It is anticipated that in the future the current scope of the CC RA may need to be extended beyond EAL4. There are two key conditions that will have to be met prior to extending the scope of the CC RA beyond EAL4: 1. Methodology would have to developed and adopted for the extensions 2. All original members (US, UK, Canada, France, Germany) would undergo voluntary periodic assessments for confidence building purposes to ensure that they have a common technical base and comparable evaluation capability. 25

Future Challenges Continued expansion of the Recognition Arrangement to include additional participants Revision and modification of the Common Criteria and associated evaluation methodology Additional resources needed to complete planned activities and support new activities Close coordination and cooperation among participants to effectively manage the international process The future of the CC RA looks promising but there are still challenge that need to be overcome. It takes a lot of work to maintain the health of the CC RA and, as more members join, the level of effort will increase and the ability to get consensus will become more difficult. I believe the CC will not succeed if the CC RA does not succeed since there will be no incentive for developers to get evaluated. While developers are not excited about the cost-time aspects of evaluation, they will accept it if they can have one evaluation, accepted everywhere. If they have to go back to the situation where they need to have separate evaluations to meet the requirements of regional/national schemes, they will not go for evaluation. To leave on a positive note, we have come a long way in 10 years, from multiple criteria to one, from multiple evaluations with no recognition to the CC RA, from no standard way to express security requirements to security targets and protection profiles. As I look back at the progress we have made, on balance, I believe there is an excellent chance the CC & CC RA will succeed. I look forward to having Japan contribute in and share in its success. 26

Summary Anticipate continued expansion Current member transitions to certificate authorisers Increased membership since full Arrangement New inquiries from Europe & Asia-Pacific Ongoing oversight and quality control required by CCRA committees Continuous improvements needed in: Evaluation methods and their effectiveness Promotion, outreach, and education 27

Contact Information Director Dr. Ron S. Ross 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Deputy Director Terry Losonsky NIST-ITL NSA-V1 (301) 975-5390 (301) 975-4060 rross@nist.gov tmloson@missi.ncsc.mil Senior Advisor Chief Scientist Dr. Stuart Katzke R. Kris Britton NIST-ITL NSA-V1 (301) 975-4768 (410) 854-4384 skatzke@nist.gov britton@radium.ncsc.mil Email: niap-info@nist.gov World Wide Web: http://niap.nist.gov 28

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback