Joshua Brickman, Director, Security Evaluations, Oracle.

The Common Criteria (CC) has been an ISO standard and a framework for security assurance since the late 1990s. Mutual recognition officially rolled out in 1998 with the charter countries’ signatures on the CCRA. Fast forward to 2017 and the ICMC conference: the CC is facing the potential balkanization of the CCRA, with at least two factions apparently unwilling to compromise on a way forward. Three countries have issued statements implying that their approach to CC evaluations is better than the CCRA approach. Five countries have issued position statements refusing to accept that CC can be used meaningfully for certain product technologies. Vendors are increasingly faced with the stark reality of performing multiple evaluations of the same products to meet different countries’ requirements, and of being blocked from evaluating some products in some countries despite ongoing demand from government customers in those countries.
In this talk, the author will examine the usefulness of the CC today and going forward as a mutually agreed-upon assurance program. Who is using the CC today? What are the key differences between the various approaches to CC? What can we do to reconcile those differences?

The author will then propose what a future with CC as one mutually recognized standard would look like, versus the alternative of many diverging versions and requirements.