One way for a product vendor to make sure that a product undergoing a Common Criteria (CC) evaluation is providing expected security functionality is to conform to a Protection Profile (PP) for that product type. PPs outline the appropriate security functionality for a given product type, and are usually written with a certain Evaluation Assurance Level (EAL) in mind. An EAL is a package of assurance requirements defined by the CC standard that outlines the type and amount of evidence that must be provided to a lab for an evaluation at that level. Traditional EAL packages are numbered from 1 to 7 (e.g., EAL4), where 1 is the lowest defined level of assurance, and 7 is the highest. Evaluations meeting the requirements of EALs from 1 to 4 have historically been recognized by all CC participating nations. Evaluations meeting the requirements of EALs 5 through 7 are typically only recognized by the scheme, or country, in which the evaluation is performed, with some exceptions.
In past years, vendors have chosen EALs for their CC evaluations based on many factors, including the EALs their competitors have chosen to meet for their products. This frequently resulted in an “arms race” of successively higher EAL evaluations, up to the maximum mutually recognized level of EAL4+. This means that vendors and their consultants have had to provide increasingly more assurance evidence to the evaluation labs in order to get their products certified. As a result, the end-users, or purchasers, of those products now expect to see those higher EALs in all certified products of those types. For some, this is just a quick way to determine which product is “better” (i.e., 4 is higher than 2, so it must be better). But others correctly believe that products that are certified at a higher EAL are more certainly providing the security functionality they claim than those certified at a lower EAL. (Note that this does not mean those products are “more secure”; it simply means a third-party laboratory has seen more evidence that those products provide the security functionality they claim to provide.) A byproduct of this “arms race” is that evaluations become more expensive and take more time to complete because of the greater amount of evidence that must be provided to a lab and then reviewed and analyzed by that lab.
NIAP’s targeted assurance PPs
The National Information Assurance Partnership (NIAP) is the oversight body for the United States’ Common Criteria Evaluation and Validation Scheme (CCEVS). Schemes are responsible for development of Protection Profiles, evaluation methodologies, and national policies surrounding Common Criteria evaluations. Recently, NIAP has moved toward creation of Protection Profiles with assurance requirements targeted to the product type (sometimes called “null-EAL PPs”), partly because of the expense and time involved in completing higher EAL evaluations. NIAP believes it is in the best interest of all parties that evaluations be done quickly and inexpensively, so that more vendors will undergo certification, and therefore end-users (government purchasers) will have more evaluated products to choose from. So these “targeted assurance” PPs do not conform to the traditional evaluation packages defined by the CC standard. Instead, they include their own list of Security Assurance Requirements (SARs) as part of the PP itself. These assurance requirements are generally pulled from the possible assurance requirements defined by the CC standard, but the PPs can also include additional detailed instructions on such things as how the product is to be tested, or the level of auditing required, or the type of design information to be provided in the Security Target’s (ST’s) TOE Summary Specification (TSS). In most of the “targeted assurance” PPs published so far by NIAP, the SARs listed are similar to what was historically included in an EAL1 package, but the PPs also have more “targeted assurance activities” relating to testing, auditing, and design that provide specific guidance on how to verify that the product provides the security functionality it claims in the Security Functional Requirements (SFRs). An analogy to this approach might be safety testing of electrical equipment: more scrutiny should be placed on shock prevention than on the level of heat output, as the former is more likely to cause a life-threatening injury than the latter, though both are important to safety.
Targeted assurance does not mean less secure
A by-product of this philosophy is that it now appears to many that products that conform to a “targeted assurance” PP are less secure, or at least are not vetted as rigorously as products that achieve an EAL4+ certification, or even an EAL2+ certification. However, Corsec has found that the “targeted” assurance activities embedded in these PPs require the vendor to provide much more specific and rigorous testing, auditing, and design evidence than would normally be required of an EAL1+ evaluation. In fact, the amount of testing, auditing, and design information required by these additional assurance activities could be argued to exceed EAL2+ testing, auditing, and design requirements. Further, some of the design information required appears to equal EAL4+ requirements. So, the amount of assurance required by the “targeted assurance” PPs could be said to be equivalent to the overall amount of assurance required by a higher EAL evaluation. This new paradigm has simply shifted the emphasis in CC evaluations away from the traditional EAL packages to “targeted” assurance requirements, not necessarily diminished the amount of assurance required. In other words, the assurance requirements are different, not less; targeted, not traditional.
This should provide some comfort to end-users who are concerned that products conforming to the new “targeted assurance” PPs are not evaluated rigorously enough. On the other hand, this should also provide a warning to vendors who are planning to conform to one of these PPs that the evaluation will not be as simple and inexpensive as an EAL1+ evaluation. If you are considering pursuing an evaluation against one of NIAP’s “targeted assurance” PPs, or any other PPs, Corsec would be happy to help you navigate the process.