Beyond Pass/Fail: Revolutionizing CC Scoring for Enhanced Assurance and Decision-Making (L31a)
For years, the Common Criteria (CC) framework has been a cornerstone for certifying the security of IT products. Despite its widespread use, significant challenges persist in demonstrating its value to risk-owners and buyers. A CC evaluation currently results in either a PASS or a FAIL against a package of Security Assurance Requirements (SARs) or an Evaluation Assurance Level (EAL), which offers limited insight into the actual security posture of a product. This binary outcome falls short in several areas: it conveys minimal information, lacks visibility into the threat model or risk analysis behind the evaluation, provides no benchmarking capability, obscures the specific scope of what was assessed, and lacks the granularity needed for nuanced risk management. Moreover, it gives vendors no incentive to exceed the minimum requirements, potentially fostering a false sense of security.
In this talk, a proposal for a new CC scoring mechanism designed to address these shortcomings will be presented. The approach introduces a more detailed, granular scoring system that improves transparency and comparability, enabling risk-owners to make better-informed decisions when adopting CC-certified Targets of Evaluation (TOEs). The system aims to give a clearer picture of a product's security strengths and weaknesses, to promote higher security standards among vendors, and ultimately to drive the market towards broader adoption and better use of CC-certified products.
The talk will explore how this scoring mechanism can change the landscape of IT security certification, giving both vendors and users a robust tool for achieving and recognizing superior security-assurance outcomes. It challenges the status quo and argues for an approach to security evaluation that goes beyond the limitations of the traditional pass/fail paradigm.