Cyber Security Industry Alliance Newsletter • Volume 1, Number 11 • July/August 2005

Recap of the Second Common Criteria Users' Forum (CCUF II)

On July 14, CSIA and TechNet, in partnership with the National Institute of Standards & Technology (NIST), the Department of Homeland Security (DHS), and Symantec, held the second Common Criteria Users' Forum (CCUF II) in Washington, DC. The day-long event brought together CSOs, CISOs and technical staff members who perform security assessments of products and make purchasing recommendations, as well as key executives, product developers, program managers and staff who oversee product evaluations, specifically those who manage the process of obtaining Common Criteria certification.

Andy Purdy

The first Common Criteria Users' Forum (CCUF) took place in October 2004. At that event, vendors, evaluators, and representatives from government agencies shared their views on the Common Criteria and NIAP evaluation process: its purpose, utility, difficulties, successes, and potential improvements.

This year’s Common Criteria Users' Forum sought to achieve consensus on whether the Common Criteria can and should endeavor to meet the needs of commercial customers. The forum addressed two key questions:

  • What are the security evaluation needs and requirements of commercial customers?

  • Can the Common Criteria evaluation process be altered to meet the security needs of commercial customers?

CSIA Executive Director Paul Kurtz and Andy Purdy of the Department of Homeland Security made introductory remarks, followed by a keynote presentation by Rhonda MacLean of the Global Council of Chief Security Officers on “Information Assurance: The Role of Certification – Issues and Questions.”

The program included several discussion sessions:

  • A panel discussing certification models in the commercial space was moderated by Wes Higaki of Symantec Corporation, and featured John Banghart of The Center for Internet Security, Larry Bridwell from ICSA Labs, Ann Patterson of BITS, and Randy Easter from NIST.

  • Jim Reavis of ISSA moderated the afternoon panel on commercial perspectives on the utility of independent product evaluations for information assurance. That panel included Pamela Fusco of Merck, Todd Krahenbuhl from Battelle, Chris Medina of BAE Systems, our keynote presenter Rhonda MacLean, and Larry Schwarberg, also from Merck.

  • Other afternoon sessions included a discussion on product certification, specifically on Common Criteria and the National Information Assurance Partnership (NIAP). Audrey Dale provided an overview of NIAP, Ronald Bottomly discussed Common Criteria improvements in Version 3.0, and Greg Larsen from the Institute for Defense Analyses presented findings from the NIAP Review.

Breakout sessions focused on the following issues:

  • What, if anything, can be realistically done with Common Criteria to better meet the product security evaluation needs of a broader set of customers? This discussion was moderated by CSIA’s Paul Kurtz and Robin Roberts of Cisco Systems.

  • What are the prioritized needs of customers relative to product security assurance? Wes Higaki moderated this discussion.

An executive summary of discussions and findings from CCUF II will be released in the early fall.