*Please read down to the bottom for information about the Awards Ceremony on Wednesday, 11 September 2013.
U.S. Information Assurance Director Debora Plunkett started the day outlining a path forward for Common Criteria that will keep these standards relevant in an environment of rapidly changing technology. This reform movement, Plunkett emphasized, is about changing how the Common Criteria is used, not the Common Criteria itself. The new regime needs to be achievable, repeatable and testable, Plunkett noted. In order to achieve mutual recognition, it's essential to start with a consistent written set of technology profiles, Plunkett said. That will pave the way for vendors to evaluate once and then sell globally. "Any reform of this magnitude has its bumps and its detours along the way, and we truly are learning as we go," Plunkett said, acknowledging that some challenges have come up. "None of the issues indicate technical deficiencies with the way forward."
Common Criteria veteran David Martin, Director of the UK's International CC activities, led a panel discussion on the benefits and challenges of the collaborative approach. Recognizing that effective collaboration means overcoming obstacles - competing business interests, language barriers and different government philosophies, among others - industry representatives shared thoughts on why it's important. Perhaps panelist Tony Boswell, a consultant with SiVenture, put it best when he said "collaboration is about achieving more than you can on your own."
Other TakeawaysDag Stroman, CC Management Committee Chairman, announced that India received approval to become a certificate-producing nation. Dr. Gulshan Rai, Director General of the Indian Computer Emergency Response Team (ICERT), was recognized on stage on behalf of his country. India's expanded role in the CC "will help us to create an ecosystem in the area of cybersecurity" and a good "cybersecurity culture" that will lead to "good products," Rai later said.
Stroman also announced that another CCRA nation is interested in becoming a certificate authorizing scheme and one new nation is interested in joining the CCRA as a certificate consumer.
Stroman outlined the collaborative process over the past year to prepare a revised agreement - with eight nations serving as editors, ten to 14 nations participating in bi-monthly virtual meetings, and 17 succeeding versions of the agreement. He announced that all 26 CCRA nations have agreed in principle to the updated arrangement, with national review to follow. He shared excerpts of the latest version of the new arrangement. Recognizing that the situation is fluid, and that getting 26 countries to agree to a new arrangement is no easy task, he advised it might be finalized, vetted and ratified in a six to 12 month period. He called the revised agreement a "huge reform" that requires time, but will improve the ability for evaluations to keep pace with rapidly developing IT technologies.
In meetings the day before the conference opened, Stroman was re-elected for another year as chair of the committee.
David Martin, CCDB chair, told attendees that the CCRA is continuing to move toward a more open international standards-based approach. This approach involves capitalizing on the expertise of those at the cutting edge of the technical side and working very closely with the growing Common Criteria Users Forum. He acknowledged the hard work required for openness and wider involvement and concluded, "We are well underway on the journey."
Francois Guerin, a security engineer at Gelmato, gave a look behind the curtain at how the International Security Certification Initiative (ISCI), a European initiative focused on smart card technologies, works. There is equality between the members of the organization and it functions with the use of working group leaders and some subgroups, Guerin said. They work to find consensus, a process that can be time consuming, Guerin noted. He concluded by saying the objectives of ISCI and Technical Communities differ, so the best practices of the former may not apply directly to the latter.
Five countries - Germany, Japan, the U.S., the U.K and Turkey - gave an update on reforming the use of CC.
Terrie Diaz and Ashit Vora of Cisco Systems briefed a standing-room only audience on the results of a study in which Cisco evaluated three switch product lines against the NDPP in three different schemes: Germany, the U.S. and the U.K. They found the results met the goals of PP-centric evaluations to be achievable, testable and repeatable. They also shared a number of recommendations based on their experience including the need for consistency across PPs and other standards.
Location: Jimmy Buffett's Margaritaville, in the center of Universal Orlando CityWalk
Attire: Casual attire is recommended - Coat & tie and other business attire not required ... but please DO bring conference badges.
Guests: Additional guests are invited to attend the Ceremony. ICCC attendees can sign up to three additional guests at the ICCC registration check-in desk on the second day of the conference. Guests are $103.00 per person.
Departure from hotel: buses will leave from the main entrance to the convention center beginning at 6 pm.
Return to hotel: buses will be available to bring ICCC attendees and guests back to the Caribe Royale from the conclusion of the dinner until final departure at 2 am.