Using the Common Criteria for IT Security Evaluation

Designed to be used by acquiring organizations, system integrators, manufacturers, and Common Criteria testing/certification labs, the Common Criteria (CC) for IT Security Evaluation is a relatively new international standard. This standard provides a comprehensive methodology for specifying, implementing, and evaluating the security of IT products, systems, and networks. This book explains in detail how and why the CC methodology was developed, describes the CC methodology and how it is used throughout the life of a system, and illustrates how each of the four categories of users should employ the methodology as well as their different roles and responsibilities.

Many organizations and government agencies require the use of Common Criteria certified products and systems and use the Common Criteria methodology in their acquisition process. In fact, in July 2002 the U.S. National Information Assurance Acquisition Policy (NSTISSP #11) mandated the use of CC evaluated IT security products in critical infrastructure systems. This standard provides a comprehensive methodology for specifying, implementing, and evaluating the security of IT products, systems, and networks. Because the Common Criteria (CC) for IT Security Evaluation is a relatively new international standard, little written material exists which explains this how-to knowledge, and it's not exactly easy to interpret. Designed to be used by acquiring organizations, system integrators, manufacturers, and Common Criteria testing/certification labs, Using the Common Criteria for IT Security Evaluation explains how and why to use the Common Criteria during the acquisition, implementation or evaluation of an IT product, system, network, or services contract. The text describes the Common Criteria methodology; the major processes, steps, activities, concepts, terminology, and how the CC methodology is used throughout the life of a system. It illustrates how each category of user should employ the methodology as well as their different roles and responsibilities. This text is an essential resource for all those involved in critical infrastructure systems, like those operated by the FAA, the Federal Reserve Bank, DoD, NATO, NASA, and the intelligence agencies. Organized to follow the Common Criteria lifecycle, Using the Common Criteria for IT Security Evaluation provides examples in each chapter to illustrate how the methodology can be applied in three different scenarios: a COTS product, a system or network, and a services contract. The discussion problems at the end of each chapter ensure the text's effectiveness in an educational setting and ensure that those government officials required to comply with Presidential Decision Directive 63 (PDD-63) will be able to do so with confidence.

IntroductionBackgroundPurposeScopeIntended AudienceOrganization What Are the Common Criteria?HistoryPurpose and Intended UseMajor Components of the Methodology and How They WorkRelationship to Other StandardsCC User Community and StakeholdersFuture of the CCSummaryDiscussion ProblemsSpecifying Security Requirements: The Protection ProfilePurposeStructureIntroductionTOE DescriptionTOE Security EnvironmentSecurity ObjectivesSecurity RequirementsPP Application NotesRationaleSummaryDiscussion ProblemsDesigning a Security Architecture: The Security TargetPurposeStructureIntroductionTOE DescriptionSecurity EnvironmentSecurity ObjectivesSecurity RequirementsTOE Summary SpecificationPP ClaimsRationaleSummaryDiscussion ProblemsVerifying a Security Solution: Security Assurance ActivitiesPurposeISO/IEC 15408-3Common Evaluation Methodology (CEM)National Evaluation SchemesInterpretation of ResultsRelation to Security Certification and Accreditation (C&A) ActivitiesSummaryDiscussion ProblemsPostscriptASE-Security Target EvaluationAVA - Vulnerability Analysis and Penetration TestingServices ContractsSchedules for New CC Standards (ISO/IEC and CCIMB)Annex A : Glossary of Acronyms and TermsAnnex B: Additional ResourcesStandards, Regulations, and Policy (Historical and Current)PublicationsOnline ResourcesAnnex C: Common Criteria Recognition Agreement (CCRA) ParticipantsAustralia and New ZealandDefence Signals DirectorateCanadaFinlandFranceGermanyGreeceIsraelItalyThe NetherlandsNorwaySpainSwedenUnited KingdomUnited StatesAnnex D: Accredited Common Criteria Evaluation LabsAustralia and New ZealandCanadaFranceGermanyUnited KingdomUnited StatesAnnex E: Accredited Cryptographic Module Testing LaboratoriesCanadaUnited StatesAnnex F: Glossary of Classes and Families