CC and CEM Review — The CCDB Managed Call for Input

Background

Both the CCDB and ISO SC27WG3 are performing reviews involving the CC and the CEM. The purpose of this announcement is twofold:

  • To explain the background and how the two reviews differ slightly but will be coordinated
  • To explain how to provide input for the CCDB review process.

The roles of the two groups in the process are described below:

CCRA
The Common Criteria (parts 1, 2, and 3, and the associated CEM) are kept under constant review by the Common Criteria Development Board and the Common Criteria Maintenance Board (CCDB and CCMB) and have been updated as a result of change requests via addenda and minor releases (currently at release 4, with another due shortly).

See www.commoncriteriaportal.org/cc/ and www.commoncriteriaportal.org/cc/maintenance/ for more detail.

ISO
The CC/CEM documents are also published, in essentially identical forms to the CCRA documents, by ISO as ISO/IEC 15408 and ISO/IEC 18045. The ISO group SC27/WG3 and the CCDB have worked together over the life of the current version to synchronise changes and ensure that the alignment continues.

The ISO review timetable now calls for the SC27/WG3 expert group to review these documents, and SC27/WG3 has chosen to undertake this as part of a more wide-ranging study period covering all of its role in assurance standards (NB not just ISO/IEC 15408 and ISO/IEC 18045).

Joint Update
The CCDB is working with SC27WG3, via liaison, aiming for updates to be performed jointly and in a harmonised way so that the current alignment remains effective. A variety of approaches will be used for this, including joint editors and/or joint editing sessions.

The Process: Inputs

ISO
SC27WG3 has issued a call for comments in respect of its wider assurance standards review via ISO national bodies. This is repeated on the CCUF discussion board (ccusersforum.onlyoffice.com).

CCRA
The CCDB is taking input from three major routes:

  • All CCRA members are reviewing the documents.
  • A number of iTCs are working on change proposals.
  • This web page is calling for inputs from the wider community.

Next Steps

ISO
The SC27WG3 call for comments requests that these be submitted by 29 February 2016 to allow review by the working group at their next meeting (11-15 April 2016). The WG3 roadmap will then be updated, appropriate new work items identified, and relevant results of the study period used to facilitate the review of ISO/IEC 15408 and ISO/IEC 18045 and any subsequent update (in collaboration with CCDB).

CCRA
The CCDB has decided that all comments taken forward for consideration should have a CCRA member supporting them and that these comments should be in an actionable form (i.e. not only describing the issue raised but also indicating how this could be addressed) in text format or Word (templates can be found below). The comments should be submitted by 18 March 2016 in time for a preliminary discussion at the April CCDB meeting.

Scope

It is important to note that the comments can cover any aspect of the documents. There is no limitation on relevant assurance activities etc.

Timescale

Both CCDB and ISO SC27WG3 are currently seeking inputs for discussion at their respective next meetings. Following these discussions, and subsequent liaison concerning best routes for collaboration, it will be possible to provide details of the next stages and timeframes. The current CCDB plans however anticipate a 12 month update process, trials against changes, and then a gradual transition to the new standard.

How to Submit Comments to the CCDB

As described above, in order to be progressed, each comment needs a CCDB member who is able to support it during the review process. The simplest submission route is therefore via your national/preferred scheme/CCDB member.

The CCDB will only accept comments that make clear exactly which element(s) of the document(s) are referenced, indicate the severity of the comment, and are in an actionable form (i.e. they should not only describe the issue raised but also indicate how this could be addressed).

Comments can also be provided by email to review@commoncriteriaportal.org and will then be examined by CCDB members but only those being supported by a CCDB member will be taken forward for consideration in the full review process.

NOTE: This is a public commenting process: the text of comments and responses may be distributed, or made available in other ways during the process, without restriction.

Please submit comments in one of the following forms:

Text - please include the headings below:

  • Reviewer:
  • Review Date:
  • Document Title:
  • Location for Change:
  • Comment/Rationale:
  • Suggested Change:
  • Severity: (should be numerically rated)
    1. Significant - Impacts the correct or efficient operation of the item.
    2. Moderate - Normally clarifications or proposed improvements to the item which are unlikely to impact other areas.
    3. Minor - Does not affect the correct operation or interpretation of the item. These are usually syntax and format errors which have no effect on the meaning or interpretation of the item.

PDF - please use this form and use a well known standard character set.

ODT - please use this form and use a well known standard character set.

For any further clarification of the submission process please contact one of the CCRA members/schemes.

Helpful Questions

I am still confused – tell me again, why are there two reviews?
CCDB and ISO have distinct responsibilities: the CCDB is responsible for the CC and CEM, which are the foundation of the CCRA recognition arrangement, while ISO SC27 WG3 manages the related international standards ISO/IEC 15408 and ISO/IEC 18045. Both groups work together and aim to keep these in line. The SC27 WG3 review, however, is significantly wider in scope. It is asking for responses concerning all aspects of IT security assurance evaluation, where CC fits in, how developers/end users/policy makers/others see the overall landscape, etc.

So which one should I respond to?
If your response concerns wider aspects and not just the detail of CC/CEM, then the ISO review is where you should feed your comments (ideally through your ISO National Body). If you are commenting directly on the CC or CEM (ISO/IEC 15408 or ISO/IEC 18045), then you could use either the ISO route or the CCDB route.

How long do I have to respond?
To allow initial reviews of the quantity and key themes of comments at their next meetings, ISO SC27WG3 have set a deadline of 29 February 2016 and the CCDB have a deadline of 18 March 2016.

How do I provide input?
See 'How to Submit Comments to the CCDB' above for the required format and process.

NOTE: The simplest submission route is via your national/preferred scheme/CCDB member.