Common Criteria News: MRA signed, ISO Adopts CC, more
contributed by Gene Troy
The Common Criteria Project is very active these days, and momentum and
consensus continue to build on world-wide adoption of the CC as both the
de facto and the official International Standard. Several important items of
interest have happened recently in CC-land. Read on! (Contact: Gene Troy,
NIST, email: criteria@nist.gov)
-- CC Mutual Recognition Arrangement (MRA) Signed.
On 5 October, as part of the opening ceremonies of the NISSC, senior
officials of six of the seven CC Project Sponsoring Organizations signed
the MRA, ensuring mutual recognition of CC-based IT security product
evaluations conducted in each other's countries. This is an historic event
and an important breakthrough, signaling the culmination of the CC
Project. The signatories were: Canada (CSE), France (SCSSI), Germany
(GISA/BSI), United Kingdom (CESG), and the United States (NIST and NSA).
The Netherlands (NLNCSA) temporarily abstained, as their evaluation program
is not yet in place. Read the MRA at: http://niap.nist.gov/ccmra-v1.pdf.
-- ISO Adopts CC as Final Draft International Standard (FDIS) 15408.
At its meeting in Rio de Janeiro on 26 October, ISO/JTC1 "Security
Techniques" Subcommittee 27 adopted the CCv2.0 with some minor editorial
changes as the new ISO FDIS 15408. This is the next-to-last step in the
CC's process of becoming International Standard 15408. All that remains is
a short up-or-down ballot among the ISO National Bodies, which will be
completed this winter. The text of the CCv2.0, with the recent ISO editing
changes included, is now almost certain to become the exact text of the new
IS 15408. This slightly revised CC text is posted at:
http://csrc.nist.gov/cc/ccv20/ccv2list.htm.
-- NIST Information Technology Lab (ITL) Publishes CC Bulletin.
On 24 November, NIST-ITL published a new bulletin, "Common Criteria:
Launching the International Standard", that is the most current description
of the CC Project. The bulletin provides an introduction and overview of
the CC and discusses its US and multi-national implementation. The CC
Project's relationship with ISO and its new FDIS 15408 (the CCv2.0 in ISO
lingo) are also described. The bulletin discusses mutual recognition of
evaluated products. It also provides some potential scenarios for using the
CC. Get the bulletin at http://csrc.nist.gov/cc/info/infolist.htm#papers.
-- NIAP Announces CC Application Courses.
The joint NIST-NSA National Information Assurance Partnership (NIAP) has
developed a series of three courses to help educate IT personnel in the use
and application of the CC. These courses are open to the public. Course
descriptions and further information are available at:
http://niap.nist.gov/announcements/98highlights.html#Classes. There are
still openings in the third offering to date of Class #1, "Developing CC
Protection Profiles", which will be given December 15-18, 1998 at NIST,
Gaithersburg, MD. This four-day class provides introductory information to
IT product developers and consumers in the use and application of the CC.
Students will get hands-on experience in defining IT security requirements
and developing CC Protection Profiles using practical real-world examples.
Security Target construction will also be addressed. There is a charge for
these classes; group rates and on-site delivery are available. To register
or for further information call +1.410.859.4458. Ask for the CC Usage
Class Administrator.
Other NIAP CC classes, dates and venues will be announced soon, so check
out http://niap.nist.gov/event.html#Classes from time to time.