Evolving CC for the AI Era: Enabling Secure Use of Cloud and LLMs in High-Assurance Design Environments (A21b)
Minimum Site Security Requirements (MSSR v2) impose strict isolation constraints on critical and critical+ assets, effectively prohibiting the use of external networks, cloud platforms, and advanced AI tooling. While these controls are essential for achieving high assurance levels such as AVA_VAN.5, they create a growing gap between secure design environments and modern engineering capabilities. This talk examines the security assurance asymmetry created by the competing requirements of MSSR-compliant isolation and the urgent need for security evaluators to leverage cloud-based, large-scale AI systems. It highlights key challenges in extending MSSR to support these technologies, including ensuring confidentiality and integrity of critical data, defining verifiable trust conditions for secure cloud environments, and controlling bidirectional data transfers between isolated networks and external infrastructures.