Welcome to the Acumen Security Blog

It's here! The new NDcPP (and a number of others) are listed on the Common Criteria Portal

Congratulations to the Common Criteria community as a whole! On Friday, February 27, the first-ever collaborative Protection Profiles (cPPs) were released publicly. These include:

  • collaborative Protection Profile for Full Drive Encryption – Encryption Engine v1.0
  • collaborative Protection Profile for Full Drive Encryption – Authorization Acquisition v1.0
  • collaborative Protection Profile for Stateful Traffic Filter Firewalls v1.0
  • collaborative Protection Profile for Network Devices v1.0

This is a very important step for the Common Criteria as a whole because these Protection Profiles represent the future of CC.

Acumen has taken an active part in the development of several of these PPs. In particular, we have been a part of the NDcPP iTC (international Technical Community) since its inception. While the overall structure of the cPP remains similar to that of the NIAP NDPP, there are a number of key differences that will likely necessitate changes in products that have been evaluated against the NIAP NDPP if they are also to be evaluated against the NDcPP. The following are examples of changes that may require development work on products seeking validation against the NDcPP:

  • Extensive updates to zeroization requirements, including read/verify requirements for most media
  • Requiring FIPS 186-4 for all asymmetric cryptography
  • Removing the option to use a simple hash as a software integrity update mechanism

As a first step for vendors, Acumen has performed an analysis comparing the NDcPP to the NIAP NDPP and created a White Paper (http://www.acumensecurity.net/ndpp-vs-ndcpp/) to help vendors prepare as schemes move away from validating against the NIAP NDPP and start validating against the NDcPP. The White Paper describes the differences between the PPs on an SFR-by-SFR basis.

We hope you find it helpful. If you have any questions or comments on the content of our paper, please stop by, call, or send us an email. We love to chat!

Also, if you are interested in the potential future direction of FIPS 140, don’t forget to check out our FIPS 140-2 vs ISO 19790 White Paper.

And finally, don’t forget to follow us on Twitter and like us on Facebook; we’ll keep you up to date on the ever-changing world of government certifications.

Comments

  1. Francis Chen says:

    I read that: “these Protection Profiles represent the future of CC”!
    Do you mean that HDcPP would replace CC in the near future?
    If so, then when do you think that this would happen?

    Thanks a lot!

    • ashit vora says:

      Hello Francis, NDcPP will not replace CC. Think of CC as a toolbox with SFRs equivalent to various tools for different jobs. A PP (NDcPP in this case) is a collection of SFRs (tools) specifically addressing security needs of a network device (job). So rather than replacing CC it is just a different approach to product certification under the CC.
