What is Common Criteria

I received the following from a friend today, via email, that I thought warranted some attention:

"Know anything about this?"

Provided in the link is a set of "Common Criteria" tools developed by Apple. Common Criteria (which is actually shorthand for a longer title) is a buzzword that many people in IT have heard but have had little exposure to. For that reason, I figured I would provide a brief outline and some resources for further research.

The "Common Criteria for Information Technology Security Evaluation" is essentially a set of guidelines that can be applied to computer systems to certify them as "secure." I put that word in quotes for a reason: every good analyst knows that meeting a set of predefined, broad guidelines doesn't guarantee system security. Additional monitoring and analysis by security analysts should be performed to evaluate the unique security issues that apply to each system. However, these guidelines can play an important role in assessing risk within an organization. The CC guidelines are tied closely to "Certification and Accreditation" (often called "CnA") of mission-critical US government systems. Performing CnAs is required by the Federal Information Security Management Act (FISMA) of 2002, and is one of the items every government agency is graded on each fiscal year. The FISMA process that employs CC isn't perfect, but it's a step in the right direction.

I haven't used the tools identified in the link, so I'm speculating here, but it appears that this tool will evaluate the system against the Common Criteria established by NIST, the NSA, and a host of other foreign government bodies.

Analyzing and implementing the Common Criteria can itself be a career, and I haven't even scratched the surface here. However, I recommend security professionals familiarize themselves with Common Criteria Project concepts, where they are used, and what their goals and implications are. This is information that will come in handy, in a practical or theoretical sense, at some point in many InfoSec career paths.
