Qmunity: Your Colleagues. Your Connections. Your Content.

Dumbing Down of Common Criteria...Continued

On November 28th, NIAP posted two new documents on the Evolution Announcement page. In my earlier blog, the Dumbing Down of the Common Criteria, I discussed a direction being pushed within the CC community to offer only EAL1 certifications. At that time I didn’t realize that NIAP had taken additional steps in the 'Dumbing Down' process. These new steps are the Elimination of the NIAP ‘In Evaluation List’ and the updated NIAP Policy 12, “Acceptance Requirements of a Product for CCEVS Validations”.

The Elimination of the NIAP In Evaluation List provides dates and a rationale for eliminating the current In Evaluation List (IEL) and its associated processes. The IEL will be eliminated effective 1 August 2012. NIAP has said that the development of NIAP Mandatory Protection Profiles, within Technical Communities, will make the IEL superfluous. NIAP believes that NIAP Approved PPs will streamline the certification process and thus reduce the overall time to completion. In addition, by mandating that any new product be evaluated for compliance with a NIAP Approved PP, they believe that all certifications will be completed faster. A second reason NIAP wants the IEL process discontinued is that they have repeatedly expressed concern that companies have gotten on the list, made the sale, and then not completed the certification. This announcement ties in well with the NIAP Policy 12 announcement, which dictates the creation of NIAP Approved PPs and attempts to limit certifications to only those PPs.

NIAP Policy 12, aka Acceptance Requirements of a Product for CCEVS Validations, adds requirements for evaluation against NIAP Approved Protection Profiles. A NIAP Approved Protection Profile is a PP that has been created by a technical community and approved by NIAP. Policy 12 also describes a mechanism for certifying without a NIAP Approved PP. To begin with, the company will need the following items:

  • analysis of the product describing all security relevant features
  • a government customer issued Letter of Intent (LoI… not lol)

Assuming no PP adequately describes the product, they can then certify with a Security Target (ST). The highest level of certification obtainable with this mechanism is EAL2. Okay, this is confusing given that NIAP is pushing for an EAL1 maximum certification, but hey, who am I to question their consistency (did they really mean EAL1?).

So why should you be concerned about these two items?

In the past we have seen the In Evaluation List to be critical when a product was in the process of getting Common Criteria certified but had not yet completed the certification. The list allows companies to demonstrate to customers that the product is in the process of being certified, which lets them derive value from near the beginning of the certification (as opposed to having to wait 6 to 12 months to get anything of value from it).

If the reason for removing the In Evaluation List is the speed with which products will be able to be certified, then we should be very concerned, as we have no track record or performance metrics for the new process. It is extremely concerning that, at this moment, we don't have any ‘new PPs’ with which to validate the proposed process. We may also be concerned that, with the In Evaluation List removed, companies certifying through NIAP will not be able to provide customers with validation. On the other hand, if NIAP is doing this to stop people from gaming the system (i.e. going into certification, getting the sale, and then stopping certification), they are going about it the wrong way. The contracts I have seen over the past three years that require certifications have explicit clauses covering failure to certify. These clauses include penalties as well as sanctions for failure to deliver products with a completed CC evaluation.

Let’s look at NIAP Policy 12, “Acceptance Requirements of a Product for CCEVS Validations”. Policy 12 requires that products be validated against NIAP Approved PPs. NIAP, in specifying a PP that is approved by only one certifying agency, seems to be acting contrary to the Mutual Recognition Agreement (MRA). The MRA requires any signatory to recognize certifications up to and including EAL4.

Thus NIAP Policy 12 raises a number of questions.

  • Does Policy 12 indicate a change to the MRA? 
  • Will products certified by CCS, BSI or CESG be allowed to be used by US Government agencies?
  • Given the EAL2 limit for STs, will products that are certified using an ST at EAL3 or EAL4 under a different scheme still be treated as products that are certified by NIAP?

From a corporate point of view, NIAP Policy 12 has other issues.

  • While Policy 12 enables you to use an ST if your product is not covered by a NIAP Approved PP, it would be easier to have the product certified offshore than to find a customer willing to generate an LoI.
  • How will limiting the EAL for ST-based certifications in the US allow us to be competitive if other schemes do not impose similar limitations?
  • Will a product that is certified in another country, to a non NIAP Approved PP, be accepted? If not, how will this impact the MRA and ultimately the foundation of the CC?

So removing the ‘In Evaluation List’ and enacting Policy 12 before we have any approved, completed NIAP PPs is planning to fail. In addition, NIAP has not confirmed that the other schemes are in line with their process, which could further stress the MRA and may even fracture the CC.
 
In the end, these actions can only make one wonder whether NIAP is trying to create a Government Certification (à la Orange Book) or whether they want this to be of value to Industry as well.


Posted Dec 21 2011, 10:49 AM by Michael F. Angelo

