Intel Draft Proposal To Reform Common Criteria

By David Hoffman, director of Security Policy and Global Privacy Officer

The White House has recently released both a Cybersecurity Legislative Proposal and an International Strategy for Cyberspace. Other governments are similarly focused on what they can do to increase the security of their government and critical information and communications technology (ICT) infrastructure. One component of these government efforts is the analysis of how to promote more secure hardware and software.

Security and privacy are major focuses for Intel Corporation. Intel understands it is fundamental that governments, organizations and individuals must be able to trust their use of technology. Further, increasing the level of security is an important means to better protect the personal data of individuals. One method of increasing trust and confidence in hardware and software is to improve the methods for evaluating technology product assurance. This progress must be made while also increasing the efficiency of such evaluations so Intel and other companies can innovate security features and solutions that keep pace with the innovations made by malicious actors.

Improving evaluation methods should focus on improving the Common Criteria (CC) evaluation system. Countries around the world are defining their own evaluation and certification processes for products. This proliferation creates a burden on vendors and could result in the unintended effect of of increased costs and less secure products. By making CC relevant for countries globally, the ICT sector can continue to provide the next generation of innovation while meeting customer requirements for functionality and security assurance.

Embracing, extending and reforming the CC will help: increase the value derived from evaluation and mutual recognition, improve certainty and consistency, facilitate international trade, enhance security assurance and create market access opportunities. Additionally, providing greater cost and time efficiency around evaluations will yield a longer effective sales life for evaluated products.

To adequately address today’s environment, there are improvements which need to be made to modernize and reform the CC. This discussion draft recommends the following actions:

1. Use the Common Criteria Forum to drive mutual recognition and reduce or eliminate the need for geography specific certification. In turn, this will reduce cost to vendors from having to certify the same product in multiple geographies and allow vendors to more rapidly deliver the assurance and certifications that customers demand.

2. Establish and work through technical communities to develop new Protection Profiles to drive mutual recognition of certified products.

3. Accelerate and enhance Protection Profile development, through a community led process, to cover the needed product categories and enhance mutual recognition of certifications across participating schemes.

4. Improve the consistency and efficiency of evaluations to drive increased value in the certification and more trust and confidence in certified products.

5. Expand Common Criteria to address manufacturing process integrity aspects of the supply chain.

To read more about these reform proposals, please review our white paper:CC -Embrace Reform Extend.pdf.

Intel welcomes your comments on this discussion draft. We look forward to working with others in academia, government and industry to further refine and implement these reform recommendations.

Comments are closed.