ISCI-WG1 Contribution to the Common Criteria Methodology Improvement and Usage (U11b)
ISCI-WG1 is a key contributor in the Common Criteria (CC) and SOG-IS certification ecosystem. This talk is about ISCI-WG1 2020 achievements and how to tackle new challenges.
Currently, ISCI-WG1 includes 68 members, with certification body (CB) representatives, ITSEFs, vendors and consultants.
ISCI-WG1 defines, supports and promotes a common framework for certifications based on the Common Criteria standard up to the highest levels of assurance (up to EAL7, ALC_DVS.2 and AVA_VAN.5).
ISCI outcomes are tangible well beyond writing CC or JIL supporting documents.
The first goal is to improve and to harmonise activities within the SOG-IS community by sharing the return of experience of numerous evaluations performed each year by vendors and ITSEFs all across European CC schemes.
The scope includes:
• Production of product certificates and their reuse for composite evaluations,
• Production of site certificates, and reuse of audit outcomes (STAR) for product evaluations.
We work towards a common understanding and optimised application of the CEM methodology, harmonisation of evaluation methods contributing to efficient mutual recognition, as well as experimentation with innovative evaluation practices within a trial period.
Several innovations have arisen in 2020, such as the sharing of supporting documents between technical domains, and the definition of a methodology for patch management.
Additionally, we are proud of the introduction of a new technology for Secure System in System-on-Chip (SoC), and the initiative for managing the validity of certifications in case of reassessment during the COVID-19 crisis.
We have also started to address two new topics: the use of protection profiles (PPs) for the evaluation of IoT platforms and devices, and the evaluation of hardware IP blocks.
With the implementation of the EU Cybersecurity Act, the legal structure of ISCI-WG1 will be adapted, but our working group will keep feeding the EU CC scheme with pertinent inputs on interpretation and methodology documents, as well as on policies for the reuse of product and site certificates.