Understanding Common Criteria Assurance

Created by
@HardWorkingBromine

Questions and Answers

What does CC stand for in the context of security evaluation?

CC stands for Common Criteria.

Define the term 'Classes' in the Common Criteria Structure.

Classes are groups of families that share a common focus within the Common Criteria structure.

What is the smallest selectable set of elements in a PP, ST, or package called?

It is called a Component.

Explain the term 'Reproducibility' in the evaluation process.

Reproducibility means another evaluator must replicate the documented effort and achieve the same results.

What is meant by 'Objectivity' in the context of evaluators?

Objectivity means that evaluators must be free from emotional or personal biases.

How do Families differ from Classes in the Common Criteria structure?

Families are groups of components sharing security objectives but differing in emphasis or rigor, unlike Classes that group based on common focus.

What role does the Common Criteria Users Forum (CCUF) play in the CC community?

The CCUF acts as a community representative to promote and educate about Common Criteria.

Identify two types of participants that are involved in the Common Criteria structure.

CCTLs (Common Criteria Testing Laboratories) and Product Vendors are two types of participants.

What ensures that evaluators can deliver consistent results across evaluations?

Repeatability ensures that evaluators can reproduce their previous efforts and obtain the same outcomes.

What is the purpose of providing input into the feature evolution of certified technologies?

The purpose is to ensure that the technologies remain relevant and secure by adapting to emerging security needs.

What is the role of 'Elements' in the Common Criteria structure?

Elements are security requirements that cannot be meaningfully divided further.

How does relying on CC-evaluated products provide assurance?

It provides a baseline assurance that the evaluated products meet specific security standards.

What additional technologies might require certification input from stakeholders?

Emerging technologies, such as AI and IoT devices, may require certification input.

Why is participation from CC consultants important in the Common Criteria process?

CC consultants provide specialized knowledge and guidance on achieving compliance with security standards.

In the context of Common Criteria, what is meant by a Protection Profile?

A Protection Profile is a set of security requirements for a category of products or systems.

What is the significance of the relationship between end users and product vendors in Common Criteria?

The relationship ensures that user needs and security concerns are directly addressed by product offerings.

What is the main focus of Conformance Testing in the context of Common Criteria?

The main focus of Conformance Testing is to ensure that products meet specified security requirements and standards.

Who are the key participants in the Common Criteria framework?

Key participants include Common Criteria Test Laboratories (CCTLs), consultants, schemes, product vendors, end users, and the Common Criteria Users Forum (CCUF).

What role do Common Criteria Test Laboratories (CCTLs) play in the evaluation process?

CCTLs provide product evaluation, design consultation, and documentation services as part of the Common Criteria evaluation process.

How is the quality of service from Common Criteria consultants characterized?

The quality of service from Common Criteria consultants varies widely because no formal accreditation is required.

In the evolving landscape of security testing, what approach remains unchanged according to the content?

The interface-based testing approach remains unchanged in its application despite the evolving landscape.

What types of activities do Common Criteria laboratories often participate in beyond product evaluation?

CCTLs often participate in standards updates and the creation of Protection Profiles (PPs).

What is a potential consequence of the changing emphasis on Architecture Review in Common Criteria?

The potential consequence is that the thoroughness of security assessments may decline if Architecture Review is deemphasized.

What services do CCTLs typically provide to assist vendors in the evaluation process?

CCTLs typically provide product evaluation, design consultation, and documentation services.

Study Notes

Common Criteria Overview

  • Common Criteria (CC) provides a framework for evaluating the security properties of IT products.
  • Focuses on evaluation assurance through the use of Protection Profiles (PPs) and Security Targets (STs).

Common Criteria Users Forum (CCUF)

  • Serves as a representative community promoting Common Criteria participation.
  • Encourages engagement from various entities: CCTLs, product vendors, consultants, and schemes.
  • Aims to enhance knowledge and support for Common Criteria.

Participant Relationships

  • Involves multiple stakeholders: end users, product vendors, Common Criteria Test Laboratories (CCTLs), and consultants.
  • Each group plays a unique role in the CC ecosystem, facilitating communication and cooperation.

Assurance Testing Methods

  • Conformance Testing and Assurance Testing are core components of the evaluation process.
  • Architecture Review is increasingly being deemphasized, while Interface-based Testing remains stable as a key assessment method.
  • Testing locations and methodologies are evolving to meet contemporary security needs.

Common Criteria Test Laboratories (CCTLs)

  • Spread worldwide with notable numbers in various countries:
    • US: 9, Australia: 2, Canada: 2, France: 5, Germany: 6, Japan: 3, Spain: 8, Netherlands: 5, South Korea: 7, Turkey: 6.
  • Most CCTLs operate as commercial entities offering product evaluations, design consultations, and documentation services.
  • Active participation in standards updates and development of Protection Profiles.

Consultants in Common Criteria

  • No formal accreditation for CC consultants, leading to variable service quality.
  • Essential for developing and applying Test Security Specifications (TSS) relevant to Evaluated Products.

Gaining Assurance in Common Criteria

  • Assurance relies on key principles of evaluation:
    • Impartiality: Evaluators must be unbiased regarding outcomes.
    • Repeatability: Consistent results must be achievable.
    • Reproducibility: Different evaluators should align on results.
    • Objectivity: Emotional influence must be avoided in evaluations.

Structure of Security Assurance Requirements (SAR)

  • Composed of a hierarchical structure involving:
    • Classes: Groups of families with shared focus areas.
    • Families: Collections of components with similar security objectives.
    • Components: Smallest selectable elements for inclusion in PPs or STs.
    • Elements: Fundamental security requirements critical for the evaluation outcome.

Description

This quiz explores the Common Criteria framework and its significance in providing baseline assurance for evaluated configurations. Learn about the role of the Common Criteria Users Forum and how it contributes to the evolution of certified technologies in security. Test your knowledge on the principles and applications of Common Criteria.
