Joint Statement of Support

The Common Criteria Recognition Arrangement Participants listed below, greatly encouraged by the 'agreement in principle' reached by the CC Management Committee in respect of the updated CCRA, and the associated work of the CC Development Board editing group producing the draft process for the creation of collaborative Protection Profiles, have been considering how best to support the demand for progress on cPPs.

We have, as a first step, agreed to provide draft 'position statements*' for the following 'new style' national PPs, most of which have been developed in a joint manner. We expect to be able to publish broadly similar formal endorsement statements as soon as the corresponding cPPs are produced.

  1. Software Full Disk Encryption (U.S. Government Approved Protection Profile - Protection Profile for Software Full Disk Encryption Version 1.0)
  2. Firewall Extended Package (U.S. Government Approved Protection Profile - Network Device Protection Profile (NDPP) Extended Package Stateful Traffic Filter Firewall Version 1.0)
  3. Network Devices (U.S. Government Approved Protection Profile - Protection Profile for Network Devices Version 1.1)
  4. Mobile Devices Fundamentals (U.S. Government Approved Protection Profile - Protection Profile for Mobile Devices Version 1.0)
  5. Mobile Device Management (U.S. Government Approved Protection Profile - Protection Profile for Mobile Device Management Systems Version 1.0)
  6. Virtual Private Network Client (U.S. Government Approved Protection Profile - Protection Profile for IPsec Virtual Private Network (VPN) Clients Version 1.4)
  7. Virtual Private Network Gateway - Extended Package (U.S. Government Approved Protection Profile - Network Device Protection Profile (NDPP) Extended Package VPN Gateway Version 1.1)

Next Steps:

We will then work, together with any other interested CCRA participants, to take the first three technologies through the iTC/cPP process as it develops. The three were selected after a technical assessment of their level of complexity, priority, and match to available resources.

In parallel we will continue our ongoing support to the USB cPP development.

Our primary aims are to:

  1. indicate our strong support for detailed, repeatable, achievable, transparent cPPs
  2. produce a set of four cPPs (and associated supporting documents) as quickly as possible (expecting these to be completed before ICCC 2014)
  3. help assess and characterise the cPP process using well-understood start points
  4. create strong international Technical Communities in key areas to continue the development and maintenance of the cPPs etc.

Once these have been successfully produced, and lessons have been learned about the process, we will then apply our resources to other iTCs and cPPs. Of course other participants may, in the interim, be using the developing/completed iTC process for other technologies but resource constraints dictate that we are unlikely to participate beyond providing our position statements for these.

Other Technologies:

To provide the clarity and transparency sought by industry regarding national cPP requirements, there are three technology areas where we are reassessing whether or how to evaluate products using the Common Criteria. These technology areas are General Purpose Operating Systems (GPOS), Database Management Systems (DBMS) and Enterprise Security Management (ESM). More information regarding our use of Common Criteria to evaluate these technologies will be forthcoming.

Additionally, given the complexity of Hardware Security Modules (HSM) and Virtualisation, we are not yet clear on the best way to evaluate these technologies. These technologies require community discussion about the feasibility of evaluations using the Common Criteria.

Overall Aims:

We also believe it would be useful to publicly state our shared aims for the Common Criteria, and for the changes we are jointly advocating within it. These are:

Statement Supported by the Following Common Criteria Schemes:

Australia
Canada
UK
US

* This text differs from the other joint statements which state "endorsement statements." The intent remains the same.