Common Evaluation Methodology CEM Overview

1
CommonEvaluation Methodology (CEM) Overview

• Mark Merkow
• American Express Company
• Phoenix, Arizona
• November 16, 1999

2
The Common Evaluation Methodology

• The Need for CEM
• How it is being produced
• What it will contain
• What is available
• Schedule and plans

3
Programming SATANs Computer

• Security engineering is different from any other
  type of engineering
• Most products are useful for what they do
• Security products are useful precisely because of
  what they do not allow to be done
• Most engineering involves making things work
• Security engineering involves figuring out how to
  make things not workand then preventing those
  failures
• Safety engineering involves making sure things do
  not fail in the presence of random faults
• Security engineering involves making sure things
  do not fail in the presence of an intelligent and
  malicious adversary who forces faults at
  precisely the wrong time and in precisely the
  wrong way

Adapted from Bruce Schneier, Flaws In
Cryptographic Systems, Certicom, April 1999
4
Testing SATANs Computer

• Security is orthogonal to functionality
• Just because a security product functions
  properly does not mean that its secure
• No amount of beta testing can ever uncover a
  security flaw
• Experienced security testing is required to
  discover security flaws

5
CEM Answers The Call

• Common Methodology for Information Technology
  Security Evaluation
• Companion document to the CC
• Describes evaluator actions
• Supports the Mutual Recognition Arrangement (MRA)
• Aimed at evaluators, but should be useful to
  developers, sponsors, overseers

6
How the CEM is Being Developed

• Common Evaluation Methodology Editorial Board
  (CEMEB)
• Members represent government organizations of six
  nations (USNSA, NIST CanadaCSE UKCESG
  GermanyBSI NetherlandsNLNCSA FranceSCSSI)
• Reports to the CC Management Committee
• Meets regularly to draft, review,and publish
  portions
• Supported by TPEP partners, TTAP labs, and
  consulting organizations

7
Organization and Contents of the CEM

• Part 1 Introduction and General Model
• Universal Principles of Evaluation
• Roles
• Process Overview
• Part 2 Evaluation Methodology
• General Evaluation Tasks
• Handling deliverables
• Producing reports
• PP Evaluation
• ST Evaluation
• EALs 1-4
• Annexes (Glossary, General techniques, Open
  issues)

8
Organization and Contents of the CEM (Concluded)

• Organized by EAL
• Addresses only evaluation actions (no CC Part 2
  content)
• Based on Work Units

9
Current Status

• Draft of Part 1 published January, 1997
• uses CC Version 1.0
• Version 1 of Part 2, PP, ST, and EAL 1-4
  evaluation methodology, published August 1999
• uses CC Version 2.0
• Available at http//csrc.nist.gov/cc/cem/cemlist.h
  tm

10
CEM Training

• NIAP is currently offering classes to the public
  at their Gaithersburg, Maryland facility as an
  aid in promulgating the CC and the CEM.
• Class 3, understanding the Common Evaluation
  Methodology (CEM), is a one day class for IT
  product developers, consumers, and evaluators on
  the basic concepts of the CEM and its fit in the
  NIAP Common Criteria Evaluation and Validation
  Scheme (CCEVS). The Mutual Recognition
  Arrangement (MRA) is also discussed.

11
Future Plans

• Revise and publish Part 1 (if time permits)
• Future work to be determined in conjunction with
  the CC Management Committee
• EAL 5-7
• Address augmentation
• Address extensibility
• Address assurance maintenance
• Reorganize Part 2
• Develop methodology for functional requirements
• Address comments