Scaling Common Criteria to the Next Level (A21a)
The need for independent security evaluation is present everywhere. New markets, such as IoT, medical and automotive, look to existing standards but are not easily convinced that CC is the path to take. The CC makes sense, as it has all the elements needed to perform a good security evaluation, but its current implementation has many drawbacks: it is expensive, time-consuming and cumbersome, and it seems unable to scale to 1000+ evaluations per year. Based on 20 years of experience in over 30 security certification schemes, among them 9 Common Criteria schemes, this presentation investigates the essence of CC to determine what works, what does not yet work, what will never work, and what can be learned from other schemes. From those results we determine which modifications are necessary to scale CC beyond its current application areas into new ones, and to attain the scale required to be relevant there.