ISO's work related to the Common Criteria

22 April 2016, 09:30. 86 reads. Sina Blog
In 1990 ISO/IEC JTC 1 Subcommittee 27 (SC 27) was formed to deal with ICT security. Not long afterwards SC 27 initiated Working Group 3, "Security Evaluation Criteria". This working group focuses on security evaluation, testing and specification.

At that time the Common Criteria was in development, and the need to have these standards internationally recognised was an important point of the strategy. The goal, which has been achieved, was that the standards should be available to the world regardless of the Common Criteria Recognition Arrangement (CCRA), the formal arrangement between nations.

SC 27's business plan mentions that "The CCDB and SC 27/WG 3 have had a long-standing technical liaison on projects related to IT Security Evaluation Criteria. Thus, Working Group 3 has been working in close co-operation with the CCDB on the development of the Common Criteria, which has been simultaneously published as ISO/IEC 15408. The co-operation has been extended to also involve the work on 18045 "Evaluation methodology for IT security"."

This liaison gives ISO's member national bodies, especially those not represented directly in the CCRA, an opportunity to review, comment on and contribute to the project. In many cases it also provides a vehicle for industry experts from the commercial sector (vendor) community to contribute more directly.

Both the ISO/IEC 15408 and ISO/IEC 18045 standards are currently fully aligned with their CCDB counterparts. For many years WG 3 has been contributing to the CCDB's exploratory work on the future development of the Common Criteria, and has also been producing supportive documents and work relating to the CC that are not duplicated by the CCDB.

The CCDB has produced some supporting documents of its own; these are listed on the CC portal at the bottom of the supporting publications page and cover smartcard and IC technology as well as documents directly related to supporting the CCRA.
   
By the way, another blog article discusses the work items from WG 3 related to cryptographic modules. These items, not detailed in this blog, are also important aspects of the work of WG 3.

So what has been, and what is, going on in ISO in regard to IT Security Evaluation Criteria?

2016 Study Period

2016: A Study Period has been run by ISO, in close liaison with the CCDB, to determine appropriate future developments of ISO/IEC 15408, ISO/IEC 18045 and other IT assurance standards. As of April 2016 this has been extended for 6 months, as the rapporteurs received many inputs from ISO experts which allowed for greater focus and hence requests for more detail to be considered by WG 3.
 

Evaluation criteria and methodology for IT security evaluation

ISO/IEC 15408-1:2009: Evaluation criteria for IT security -- Part 1: Introduction and general model

ISO/IEC 15408-2:2008: Evaluation criteria for IT security -- Part 2: Security functional components

ISO/IEC 15408-3:2008: Evaluation criteria for IT security -- Part 3: Security assurance components

ISO/IEC 18045:2008: Methodology for IT security evaluation

These are the "equivalent standards" to those published by the CCDB on the CC Portal. Minor revisions of the CC standards are usually addressed in ISO through the publication of corrigenda.
These ISO standards are available from ISO for free (as in beer). The first three are equivalent to the first three parts of the CC; the fourth in the list is the equivalent of the CEM.
The alignment of these ISO standards with those produced within the CCDB takes some hard work, achieved via a long-standing two-way liaison established directly between Working Group 3 and the CCDB. Ideas and contributions from the larger ISO community are communicated through the direct liaison channel with the CCDB.

WG 3 updated these standards with the CC version 3.1 revision 4 changes supplied by the CCDB to the working group in October 2012, and has added corrigenda to address minor changes in the CCDB's Common Criteria.

As of April 2016 both the ISO and CCDB standards are aligned.


Developing security and privacy functional requirements based on ISO/IEC 15408

ISO/IEC TS 19608:2016: Guidance for developing security and privacy functional requirements based on ISO/IEC 15408

2016: This Technical Specification is due for publication before October 2016.

Guide for the production of Protection Profiles and Security Targets

ISO/IEC TR 15446:2009: Guide for the production of Protection Profiles and Security Targets

This technical report provides much needed guidance to PP authors and ST writers. Although ISO/IEC 15408-1 provides the technical information about writing a PP or an ST, the member nations of ISO agreed that some practical guidance on writing these documents was needed and that this work should be completed.

2016: ISO/IEC 15446 is currently being revised for its 3rd edition.

Security assessment of operational systems

ISO/IEC TR 19791:2010 Security assessment of operational systems


ISO/IEC TR 19791:2010 provides guidance and criteria for the security evaluation of operational systems. It provides an extension to the scope of ISO/IEC 15408 by taking into account a number of critical aspects of operational systems not addressed in ISO/IEC 15408 evaluation. The principal extensions that are required address evaluation of the operational environment surrounding the target of evaluation, and the decomposition of complex operational systems into security domains that can be separately evaluated.
ISO/IEC TR 19791:2010 provides:
  1. a definition and model for operational systems;
  2. a description of the extensions to ISO/IEC 15408 evaluation concepts needed to evaluate such operational systems;
  3. a methodology and process for performing the security evaluation of operational systems;
  4. additional security evaluation criteria to address those aspects of operational systems not covered by the ISO/IEC 15408 evaluation criteria.
ISO/IEC TR 19791:2010 permits the incorporation of security products evaluated against ISO/IEC 15408 into operational systems evaluated as a whole using ISO/IEC TR 19791:2010.
ISO/IEC TR 19791:2010 is limited to the security evaluation of operational systems and does not consider other forms of system assessment. It does not define techniques for the identification, assessment and acceptance of operational risk.

This document was initially produced as a technical report with the goal of gaining enough experience in the subject to be able to codify a standard. It defines extensions to ISO/IEC 15408 in order to enable the security assessment (evaluation) of operational systems, since ISO/IEC 15408 does not capture certain critical aspects of an operational system that must be precisely specified in order to evaluate such a system effectively.

The contents are fairly exhaustive, with discussions of
  • the technical approach to operational systems assessment used in this Technical Report;
  • the extension of ISO/IEC 15408 evaluation concepts for use in operational system evaluation;
  • the relationship between this Technical Report and other security standards which have been used in its development;
  • requirements for the specification of security problems, security objectives, security requirements, system security target (SST) contents and periodic reassessment, which are needed in order to evaluate operational systems.
Annexes provide further supportive material, including operational system:
  • System Security Targets and System Protection Profiles, which define the security requirement specifications needed for operational systems;
  • functional control requirements, which define the additional security functional requirements needed for operational systems;
  • assurance requirements, which define the additional security assurance requirements needed for operational systems;
  • evaluation methodology, which defines the additional actions to be performed by an evaluator conducting the evaluation of an operational system.
This TR has been used in practice, with an early trial evaluation being reported from Japan.

Competence requirements for information security testers and evaluators

2016: These new standards are in draft stage.

DRAFT ISO/IEC TR 19896-1: Competence requirements for information security testers and evaluators: Part 1: Introduction, concepts and general requirements

Provides the fundamental concepts related to the competence of the individuals responsible for performing IT product security evaluations and conformance testing. Provides the framework and the specialised requirements that specify the minimum competence of individuals performing IT product security evaluation and conformance testing using established standards.
This will support the goals of ISO CASCO conformity assessment by contributing standardized competency requirements supporting ISO/IEC 17024.

DRAFT ISO/IEC TR 19896-3: Competence requirements for information security testers and evaluators: Part 3: Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluators

Provides the specialised requirements to demonstrate competence of individuals in performing IT product security evaluations in accordance with ISO/IEC 15408 and ISO/IEC 18045.

Vulnerability analysis and penetration testing for ISO/IEC 15408

ISO/IEC TR 20004-1:2016: Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045

ISO/IEC TR 20004-2: Detailing software penetration testing under ISO/IEC 15408 and ISO/IEC 18045 vulnerability analysis


2016: The first document is in the process of being published as a new edition this year and offers some much needed guidance to supplement ISO/IEC 18045 on the topic of vulnerability analysis using public sources.

Vulnerability Handling

ISO/IEC 30111:2013 Vulnerability handling processes

Describes processes for vendors to handle reports of potential vulnerabilities in products and online services. It is related to ISO/IEC 29147: it interfaces with elements described in ISO/IEC 29147 at the point of receiving potential vulnerability reports, and at the point of distributing vulnerability resolution information. This standard takes into consideration the relevant elements of ISO/IEC 15408-3, 13.5 Flaw remediation (ALC_FLR).
2016: the ISO/IEC 30111 standard is under early revision.

ISO/IEC 29147:2014 Vulnerability disclosure

Gives guidelines for the disclosure of potential vulnerabilities in products and online services. It details the methods a vendor should use to address issues related to vulnerability disclosure. ISO/IEC 29147:2014
  1. provides guidelines for vendors on how to receive information about potential vulnerabilities in their products or online services,
  2. provides guidelines for vendors on how to disseminate resolution information about vulnerabilities in their products or online services,
  3. provides the information items that should be produced through the implementation of a vendor's vulnerability disclosure process, and
  4. provides examples of content that should be included in the information items.

2016: ISO/IEC 29147 has recently been published and is currently available for free.

Biometrics 

Delving into technology-specific areas of evaluation, biometrics were seen by the community as an area in need of standardization. So far WG 3 has produced two standards in this area.

ISO/IEC 19792:2009 Security evaluation of biometrics

Relevant to both the evaluator and developer communities, as it addresses biometric-specific aspects and principles to be addressed during a security evaluation of a biometric system.
It does not address the non-biometric aspects which might form part of the overall security evaluation of a system using biometric technology (e.g. requirements on databases or communication channels).
Neither does this standard aim to define any concrete methodology for the security evaluation of biometric systems; instead it focuses on the principal requirements.

As such, the requirements in this International Standard are independent of any evaluation or certification scheme and will need to be incorporated into and adapted before being used in the context of a concrete scheme. The standard includes:
  • an overview of all terms, definitions and acronyms used,
  • an introduction of the overall concept for a security evaluation of a biometric system,
  • a description of the statistical aspects of security-relevant error rates,
  • vulnerability assessment of biometric systems, and
  • the evaluation of privacy aspects.

ISO/IEC 24745:2011 Biometric information protection

Provides guidance for the protection of biometric information under various requirements for confidentiality, integrity and renewability/revocability during storage and transfer. Additionally, ISO/IEC 24745:2011 provides requirements and guidelines for the secure and privacy-compliant management and processing of biometric information. ISO/IEC 24745:2011 specifies the following:
  • analysis of the threats to and countermeasures inherent in biometric and biometric system application models;
  • security requirements for secure binding between a biometric reference and an identity reference;
  • biometric system application models with different scenarios for the storage of biometric references and comparison; and
  • guidance on the protection of an individual's privacy during the processing of biometric information.
ISO/IEC 24745:2011 does not include general management issues related to physical security, environmental security and key management for cryptographic techniques.


2016: WG 3 is initiating work on:

DRAFT IS 19989-1: Criteria and methodology for security evaluation of biometric systems: Part 1: Performance

DRAFT IS 19989-2: Criteria and methodology for security evaluation of biometric systems: Part 2: Security evaluation of presentation attack detection

 

Test and analysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408

DRAFT ISO/IEC TR 20543: Test and analysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408

2016: This standard is currently under development.

Physically unclonable functions (PUFs)

DRAFT ISO/IEC 20897: Security requirements, test and evaluation methods for physically unclonable functions (PUFs) for generating non-stored security parameters

2016: This standard is currently under development.

Cryptographic Protocols 

ISO/IEC 29128:2011: Verification of cryptographic protocols

Establishes a technical base for the security proof of the specification of cryptographic protocols. It specifies design evaluation criteria for these protocols, as well as methods to be applied in a verification process for such protocols. It also provides definitions of different protocol assurance levels consistent with the evaluation assurance components in ISO/IEC 15408.

Physical Security Attacks, Mitigation Techniques and Security Requirements

ISO/IEC 30104:2015 Physical Security Attacks, Mitigation Techniques and Security Requirements

This technical report provides guidance and addresses the following topics:
  • a survey of physical security attacks directed against different types of hardware embodiments, including a description of known physical attacks ranging from simple attacks that require little skill or resource to complex attacks that require trained technical people and considerable resources;
  • guidance on the principles, best practices and techniques for the design of tamper protection mechanisms and methods for the mitigation of those attacks; and
  • guidance on the evaluation or testing of hardware tamper protection mechanisms, and references to current standards and test programs that address hardware tamper evaluation and testing.

Secure System Engineering

DRAFT ISO/IEC TS 19249: Catalogue of Architectural and Design Principles for Secure Products, Systems, and Applications

Provides a catalogue of architectural and design principles that can be used in the development of secure products, systems, and applications, together with guidance on how to use those principles effectively. Each architectural and design principle is described using a common structure, identifying the purpose and advantage of the principle, how it can contribute to developing a secure product, system, or application, and its dependency on other principles described in the catalogue.

Examples are provided for each principle on how it may be implemented, how it may contribute to security properties and functions, and what other aspects have to be taken into account in the example provided to also address non-security related requirements like usability and performance.

It gives guidelines for the development of secure products, systems and applications and aims for a more effective assessment with respect to the security properties they are supposed to implement.

ISO/IEC TS 19249 is related to ISO/IEC 15408 and ISO/IEC 18045 and addresses both developers and evaluators of secure products, systems, and applications.

This Technical Specification does not establish any requirements for the evaluation or assessment process or implementation.

2016: This document is entering the final stages of review by SC 27.

ISO/IEC TR 29193: Secure system engineering principles and techniques

This technical report, ISO/IEC TR 29193, offers guidance on secure system engineering for Information and Communication Technology systems or products, and emphasizes security engineering aspects within the scope of the development stages of the system lifecycle described in ISO/IEC 15288.

Drawing on the notion that it is better to build a system or product securely in the first place than to spend many resources after its instantiation, this technical report begins to offer guidance on how the use of these principles and techniques will support a system engineering process in obtaining results consistent with the system security characteristics and objectives determined for the ICT system or product.

ISO/IEC 21827:2008: Systems Security Engineering -- Capability Maturity Model® (SSE-CMM®)


This standard was submitted through the Publicly Available Specification (PAS) process by the ISSEA and remains in the ISO catalogue.

2016: ISO national bodies have decided to confirm this standard without revision.

ISO/IEC 15443 ("FRITSA")

ISO/IEC TR 15443-1:2012: Security assurance framework -- Part 1: Introduction and concepts

ISO/IEC TR 15443-2:2012: Security assurance framework -- Part 2: Analysis

Substantially revised in 2012. Part 1 discusses the nature of security assurance, providing a framework for further discussions and documents. Part 2 of this technical report describes the "criteria for criteria": it discusses security assurance schemes, and how these themselves can be evaluated. While some schemes are of high quality, others may not be; what criteria can be used to tell?




~By Fiona Pattinson.

atsec information security is an independent, standards-based information technology (IT) security consulting and evaluation services company.