28 September - 1 October | Cardo Roma, Italy

Stackable Certifications: A Proposal for Using SBOMs to Accelerate Evaluation Efforts (B22b)

Learn how stackable certifications and SBOMs can accelerate evaluation efforts and improve reuse.
30 Sep 2026
2:00 pm
Sala Cosmo II

One of the recurring goals in CC certification is to make the process more repeatable and to eliminate unnecessary duplication of effort. The presenters propose a means of using a software bill of materials (SBOM) to reduce the scope of evaluation efforts by treating SFR-enforcing libraries, such as TLS and SSH implementations, as sub-TSFs that are consumed by a "higher level" TOE. Mechanisms exist within the CC standard for defining and evaluating "composed TOEs", but they are not currently used in practice. Benefits of this approach include addressing the concerns that are developing around AI-driven vulnerability identification, reducing evaluation time and complexity, and creating paths for reusing evaluation work across evaluation efforts. This discussion will explore what would be required structurally from schemes, evaluation labs, and developers to build this ecosystem in a way that preserves the security assurance of tested products.
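The scope-reduction idea above, as an added example that is not the presenters' material: it assumes a CycloneDX-style SBOM and a hypothetical scheme registry of already-evaluated sub-TSFs keyed by package URL, and shows how a lab could partition a TOE's components into those whose evaluation can be inherited and those still needing full evaluation (a version that differs from the certified build is deliberately not matched).

```python
import json
from typing import NamedTuple

# Constructed CycloneDX-style SBOM for a hypothetical TOE (example data, not a real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "openssl",  "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
    {"name": "libssh",   "version": "0.10.6", "purl": "pkg:generic/libssh@0.10.6"},
    {"name": "zlib",     "version": "1.3.1",  "purl": "pkg:generic/zlib@1.3.1"},
    {"name": "app-core", "version": "2.4.0"}
  ]
}
"""

# Hypothetical registry of evaluated sub-TSFs, as a scheme might publish it (constructed data).
# Each entry names the SFR-enforcing function the library provides and a placeholder certificate id.
# Note libssh is registered at 0.10.5, not the 0.10.6 build in the SBOM above.
CERTIFIED_SUB_TSFS = {
    "pkg:generic/openssl@3.0.13": {"function": "TLS", "cert_id": "PLACEHOLDER-CERT-001"},
    "pkg:generic/libssh@0.10.5":  {"function": "SSH", "cert_id": "PLACEHOLDER-CERT-002"},
}


class ScopeSplit(NamedTuple):
    reusable: dict   # purl -> registry record whose evaluation result can be inherited
    remaining: list  # component identifiers that stay in the higher-level TOE's evaluation scope


def split_evaluation_scope(sbom_json: str, registry: dict) -> ScopeSplit:
    """Partition SBOM components into inheritable sub-TSFs and components still in scope."""
    sbom = json.loads(sbom_json)
    reusable, remaining = {}, []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if purl is None:
            # Without a package URL there is nothing to match against the registry.
            remaining.append(f"{comp['name']}@{comp['version']}")
        elif purl in registry:
            # Exact match only: the certificate attests the evaluated build, not the library family.
            reusable[purl] = registry[purl]
        else:
            remaining.append(purl)
    return ScopeSplit(reusable, remaining)


def covered_functions(split: ScopeSplit) -> list:
    """SFR-enforcing functions (e.g. TLS, SSH) whose evaluation the TOE could inherit."""
    return sorted({rec["function"] for rec in split.reusable.values()})
```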