Update on the Common Criteria in the Cloud Technical Working Group (A20a)
The Common Criteria in the Cloud Technical Working group has been working on a solution for the following problem defined in 2020: “There is not yet a defined and accepted method within the Common Criteria that addresses IT product evaluations in the cloud environment.”
The US, Canada and Australian CC schemes have issued position statements supporting the working group’s Essential Security Requirements (ESR). Its goal is to deliver guidance documents for PP authors to use which should allow products attempting to meet the PP to be tested when they are deployed in a cloud service. Challenges remain, including the fact that the CC is currently limited to evaluating products and not services, that the CC requires the TOE installation and configuration settings are known and can be described to the customer, and that the use cases described in the ESR, in which a product is deployed in a cloud service, are not in ISO 15408.
In this talk the author will provide an update on the Technical Working Group’s progress and invite the community to become participants in the effort to widen CC’s scope and future relevance.