I attended the CESG Commercial Product Assurance (CPA) event held on 14-17 February 2011 at GCHQ in Cheltenham.
This event was a welcome opportunity for community involvement in the development of the scheme. It was disappointing that more vendors did not attend, which may have been down to how the event was publicised or to its timing, which unfortunately clashed with the RSA Conference in San Francisco, a key event for many security vendors. Some sessions were more focused than others, with greater substance to the discussion where the Security Characteristic document for the product class was more mature.
IconSecurity have a couple of significant concerns regarding the adoption and operation of the CPA scheme coming out of the event: 
While it is accepted that not everyone finds the Common Criteria (CC) immediately accessible, owing to the off-putting formalisation of the wording in the functional and assurance requirements, it is a shame that CESG appear to shun the use of the CC in favour of adopting CPA. Many good features of the CC have been abandoned in the development of CPA, not least the benefit (to both vendors and consumers) of Mutual Recognition. It would also have been helpful to provide a transition guide for those vendors and consumers in the information assurance community who, out of necessity, have had to become familiar with CC terminology, as there seems to have been a deliberate move in the development of CPA to steer clear of any CC terminology. The one exception to this rule is likely to cause a lot of confusion: the CC uses "objective" to mean a goal of the IT security product and/or its operational environment, whereas CPA uses "objective" to express the goal of the attacker. This reversed use of the term is not helpful when introducing a new approach.
CESG have characterised the two grades of certification under CPA as "Foundation and Augmented. Foundation grade certification represents a basic level of confidence in security behaviours of a product. Augmented grade certification means that CESG evaluators have spent more time and effort investigating the product's working, and have required it to exhibit additional security properties." As Foundation grade certification is targeted at lower-threat deployments, with examples given as local authority/education, Forestry Commission, most of police, benefits, customs etc., the implication is that Augmented grade certification will be required for central government and the MoD. This raises the question of how CESG are going to cope with the demand for Augmented grade certifications, since at present CPA Test Labs will be unable to perform the evaluation activities.

Author

Denise Cater is an IT security professional with 15 years' experience in Information Assurance. She has been a member of the committee authoring the Common Criteria (ISO15408) and Common Evaluation Methodology (ISO18405), and now provides evaluation and certification services.