4-6 November | Sheraton Grand Doha, Qatar

Challenges in the Adoption of CC:2022 for Protection Profiles, PP Modules and Functional Packages (A22a)

01 Nov 2023
1:30 pm

The new version of Common Criteria includes new entities in its conceptual model, most of them based on the evolution of NIAP’s evaluations (PP configurations, PP modules, Functional Packages, Evaluation Activities, exact conformance, direct rationale, etc.). There are, however, some challenges. Protection Profiles, PP modules and Functional Packages define specific evaluation activities for both SFRs and SARs, but this approach does not meet all requirements of the framework for the specification of evaluation methods and activities defined in CC:2022 Part 4. Specifically, evaluation activities for SFRs are presented in an Assurance Activity Report (AAR), but they are not mapped to work units or security assurance components following the CEM. Therefore, to adopt CC:2022 in PP-based evaluations, Protection Profiles, PP modules and Functional Packages need to be updated.
In this talk, the author will propose a few alternatives to bridge the gap between the current approach and the requirements stated in CC:2022, trying to minimize the impact on current documents and avoid further evaluation efforts. The author will also share experience as a lab for evaluations performed through different certificate authorizing schemes, where a common approach was adopted to address this loophole in the standard. This ad-hoc solution will also become obsolete in CC:2022 evaluations.