Prezi logo
Log in
Loading…

CCUF - Common Criteria

LT

Lachlan Turner

Transcript

What is the Common Criteria?

The Common Criteria (CC) is an international standard for evaluating the security properties of IT products. It defines a framework for the oversight of evaluations, syntax for specifying the security requirements to be met and a methodology for evaluating those requirements. The CC is used by governments and other organizations around the world to assess the security of information technology products and is often specified as a pre-requisite to procurement.

For more information or to obtain the standard:

Protection Profile

Set of functional AND assurance req's

Requirements incorporated into Security Target

EAL?

1 - 7

Pre-canned set of assurance requirements.

Protection Profile Examples:

Optionally referenced by PPs and STs

  • Encrypted Storage
  • BIOS for PC
  • Mobility
  • Wireless
  • Operating System
  • Network Device
  • Multi-Function Device
  • Security Management

e.g. EAL1

  • ADV_FSP.1 Basic functional specification
  • AGD_OPE.1 Operational user guidance
  • AGD_PRE.1 Preparative procedures
  • ALC_CMC.1 Labelling of the TOE
  • ALC_CMS.1 TOE CM coverage
  • ATE_IND.1 Independent testing - conformance
  • AVA_VAN.1 Vulnerability survey

http://www.commoncriteriaportal.org/pps/?cpp=1

https://www.niap-ccevs.org/pp/

International recognition only to EAL4

Is there a Protection Profile for my product?

No

Yes

PP Evaluation

EAL Evaluation

Characteristics:

  • Automatic acceptance
  • Development may be needed to meet PP requirements
  • Entropy requirements tricky
  • US PCL Listing for NIAP PPs
  • Precludes evaluation in some schemes
  • Acceptance criteria apply
  • You determine scope / functions
  • No US PCL listing

CCUF

Acceptance

Testing

  • Functional Testing
  • Penetration Testing
  • Product generally shipped to lab
  • Eligibility (if EAL)
  • Security Target
  • Entropy Description (USA)
  • Results in 'in-evaluation' listing

2

4

The Common Criteria User Forum mission is to provide a voice and communications channel amongst the CC community including the vendors, consultants, testing laboratories, Common Criteria organizational committees, national schemes, policy makers, and other interested parties.

1

3

Security Target

Documentation Review

Certification

Capstone document that drives evaluation.

  • Certificate
  • Certification Report
  • Product Listings

http://www.ccusersforum.org/

  • Security Target
  • Guidance
  • Design (EAL)
  • Life-cycle (EAL)
  • Testing documents (EAL)

Vendor's Claims

Functional requirements

Security functionality that the product must provide.

  • FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

Assurance requirements

Actions to be performed by the developer and evaluator to generate assurance.

  • ATE_FUN.2.2D The developer shall provide test documentation.
  • ATE_FUN.2.1C The test documentation shall consist of test plans, expected test results and actual test results.
  • ATE_FUN.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

Common Criteria?

http://www.commoncriteriaportal.org

Evaluation Process