CCLab’s report on ICCC 2023, Washington

The annual International Conference on Common Criteria (ICCC) stands as a  high-level technical conference. Celebrating its 21^st year, this event provides a platform for professional networking and discussion forums on CC policy and implementation for those involved in the specification, development, assessment, certification, and validation of IT security for products and systems.

This important event brings together Certification Bodies, laboratories, experts, policymakers, and product developers who have an interest in the specification, development, evaluation, and certification of IT security.

The recent event was held in Washington, DC., where Mr. Ferenc Molnár, our CEO, and Dr. Katalin Szűcs, our COO and Head of Legal, represented CCLab from October 31^st to November 2^nd, 2023.

The following insights were gathered during an interview with them after the conference.

What is the most relevant information presented at the conference that will influence the future of CCLab?  Did you get any update on the EUCC?

It is always a pleasure to participate in such conferences, as we can meet industry experts from all around the world. We also excitedly prepared for this year's ICCC conference, since many changes affecting the cybersecurity industry took place in the past year, so we were curious to hear more about these changes.

One of the most interesting topics at the ICCC conference was the EUCC, the European Union's new cybersecurity scheme for certifying  ICT products. Under the new  EUCC plan, each member state will have its National Cybersecurity Certification Authority (NCCA) overseeing Conformity Assessment Bodies (CABs). These CABs will conduct certifications and issue assessments to laboratories. Additionally, the EUCC makes ALC_FLR (Flaw remediation) mandatory. Without it, no certificate can be issued under the EUCC in the future. This initiative has gained support from other schemes, such as  NIAP (the US CC scheme), and the methodology within CCRA has been developed to complement existing Protection Profiles (PPs) and collaborative Protection Profiles (cPPs).

CCLab is tasked with adapting to this new set-up and successfully integrating it into its organizational structure.  This was already part of our plans and preparations have begun during 2023 internally. Negotiations are ongoing with a partner to transform CCLab into a certificate-issuing entity.   Initiatives have been launched to help CCLab become a Conformity Assessment Body (CAB). 

CC 2022 transition is now a hot topic for labs and companies interested in Common Criteria. Have you heard any new information about this at the Conference?

Yes, another interesting topic discussed at the conference was related to the Common Criteria 2022 transition. An ISO standard has been developed to support the Common Criteria 2022 transition ( ISO/IEC TR 22216:2022). Previously, a major achievement was the free availability of ISO/IEC 15408:2022 and ISO/IEC 18045:2022. The latest information is that ISO has started to make ISO TR 22216:2022 available free of charge. 

The Transition Policy to CC:2022 and CEM:2022 summarizes the related information well. Basic rules include that CC v3.1 R5 is the last version of 3.1 and can be used no later than June 30, 2024, and that new Security Targets that conform to CC:2022 and PPs qualified according to CC v3.1 are acceptable until December 31, 2027. This document provides further details on the compatibility of different ratings and PPs, various exceptions and exceptional cases, and other rules applicable during the transition period.

Was the event successful in terms of meetings and discussions?

Our US consultancy partner, Corsec Security, Inc., also participated in the conference. We maintain a long-standing partnership with them, having successfully executed numerous joint projects. It's always a pleasure to meet them, not only due to their significance as a partner but also because we hold a genuine appreciation for the professionals within their organization. Over the years, a robust level of trust has evolved between the CCLab team and Corsec. Corsec was represented at the event by Iain Holness (CC Senior Program Manager) and Ryan Butler (CC Consultant).

We engaged in a conversation with Corsec’s President, John Morris, and their Head of Delivery, Kathleen Moyer about specific deals as well as strategic developments with Corsec, alongside our ongoing projects. Corsec proves to be an invaluable partner for us in various aspects. The clients they prepare for the evaluation process experience a  smoother, and more efficient evaluation, requiring less time and iteration. We have now come to the point where it is our agile and professional approach that convinces customers to choose us, rather than price. They see that our focus is to understand them, to take them through the assessment as effectively as possible, and if we disagree somewhere, we tell them in a prepared, clear way that makes it easier for them to work with.

‍

We also had the opportunity to meet several officials from the Italian Certification Body, OCSI. Our already-existing strong professional relationship with them was strengthened during our meetings. We also grabbed the opportunity to discuss some operational issues about the ongoing evaluation projects. 

Besides our strategic partner, Corsec we also had the chance to personally meet with Ken Lasosky, from Versa Networks, with whom we have just finalized our first project. 

How many CC evaluation projects were done by CCLab in 2023?

We have successfully concluded 8 (certified) +3 (finished, not yet published) CC evaluation projects during 2023, although some of these certificates were only issued after the ICCC conference was over. We are proud to work with the following clients to get their products certified:

1. NXP / ID&Trust - IDentity Applet v3.4-p2/QSCD on NXP JCOP 4 P71 - EAL4+ (AVA_VAN.5)
2. NXP / ID&Trust - IDentity Applet v3.4-p2/BAC on NXP JCOP 4 P71 - EAL4+ (ALC_DVS.2)
3. NXP / ID&Trust - IDentity Applet v3.4-p2/PACE-EAC1 on NXP JCOP 4 P71 - EAL4+ (ALC_DVS.2, ATE_DPT.2, AVA_VAN.5)
4. NXP / ID&Trust - IDentity Applet v3.4-p2/eIDAS on NXP JCOP 4 P71 - EAL4+ (ALC_DVS.2, ATE_DPT.2, AVA_VAN.5)
5. Corsec/Qumulo, Inc. - Qumulo Core v5.1.1 - EAL2+ (ALC_FLR.2) 
6. Ascertia Ltd. - ADSS PKI Server v8 - EAL4
7. Corsec / Ivanti, Inc.- Ivanti Security Controls 2022.2 (Version 9.5.9293.0) - Evaluation results officially accepted by CB, waiting for the certificate to be published
8. Versa Networks - Versa Operating System (VOS) 21.2.23 with OS Spack 20230511 running on Versa Cloud Service Gateways - Evaluation results officially accepted by CB, waiting for the certificate to be published.

What are the latest industry developments?

During the conference, there was a surprisingly high level of interest in Common Criteria (CC) in the cloud. Repeated mentions of a Gartner study highlighted a government site migration to the cloud,  growing at over 20% annually. This topic was inescapable, with some labs reporting ongoing evaluations of products operating in the cloud. Many envision the future of CC heading in this direction. The EU is in the process of developing a cloud certification scheme (EUCS), similar to the EUCC. This scheme is primarily intended to guarantee the compliance of the cloud infrastructure itself and could serve as the basis for a CC evaluation in the cloud.

The topic of ChatGPT and EU5G also garnered considerable interest. 

EU5G, particularly relevant to EU participants, is the third scheme ENISA is working on, alongside EUCC and EUCS. It encompasses 5G technology, and under its umbrella, plans include the incorporation of eIDAS and the new eIDAS wallet.

Two presentations from Polish state labs focused on Industrial Control Systems (ICS)  discussing the assessment of compliance with IEC 62443-4-1 requirements using CC and the recently published European standard FIT-CEM (EN 17640:2022, Fixed-time cybersecurity evaluation methodology for ICT products). Although the pilot project was successful, they will be working on the validation of whether this methodology is appropriate for compliance in a wider circle. 

Furthermore, there was also more interesting information on the IoT. 

A colleague from NXP presented SESIP (Security Evaluation Standard for IoT Platforms) and how it is used in different areas to evaluate compliance. The fundamental concept involves "mapping" requirements (RED directive, ETSI 303 645, 62443-4-1/2, UK PSTI, ISO 21434, etc.) to SESIP, enabling the generation of 4-5 certifications from a single SESIP evaluation. SESIP is already undergoing standardization as EN 17927. 

CCLab's active participation in the conference, strengthened partnerships, this year’s successful conclusion of CC evaluation projects, and engagement with industry professionals underscored the company's commitment to staying at the forefront of cybersecurity advancements. As the industry evolves, CCLab remains agile and poised for growth, reflecting its dedication to providing efficient and effective evaluation services. The future holds promising opportunities for CCLab in a rapidly transforming cybersecurity landscape.

‍