Certification Strategy of the Federal Office for Information Security (C13c)
The presenter will address the software certification strategy of BSI. Today, development processes such as CI/CD, agile implementation or the future usage of AI require a change in the way cybersecurity product certification, such as Common Criteria, is carried out. Certification must be much faster, more reactive and more effective than today. In addition, BSI sees the need to make certification more compliant with regulatory needs. The presenter will present BSI's strategy of giving the needs of the development process more consideration than today during certifications such as Common Criteria. The BSI strategy implies a shift in focus from product certification to process certification, e.g. by extending the ALC family. The final goal must be to allow software updates without involving evaluation facilities and certification bodies. Such a step can be taken if there is sufficient assurance in the development process. The BSI strategy also supports the Technical Domain Software. Creating harmonised attack methods will allow new product types to be certified in Common Criteria not only at a low but also at a high level of assurance. From BSI's perspective, the Technical Domain Software shall not only address new attack methods but also address how these attack methods are to be included in today's development processes. BSI expects that AI will have an impact not only on the reporting procedures of the certification but also on the search for vulnerabilities. As a consequence, the author will present current and future activities in the area of AI in certification.
