Breakthroughs in standardisation of IT security criteria

Abstract

The results of the Common Criteria project can indeed be viewed as a major breakthrough in the field of IT security. For the first time, six nations, representing both the military interests as well as civil government and private industry, have not only sat down at the table to iron out their philosophical differences in IT security but have achieved a great measure of accord. Admittedly, this accord not been won easily; it has come at a significant expense of both time and energy. Notwithstanding, the result is a very flexible and extensible approach that is designed to meet the needs of today and tomorrow; indeed the CC is the next generation criteria.

In doing so, the developers of the new CC have been careful to protect the fundamental technical principles of IT security, such as the Trusted Computing Base and Reference Mediation on the one side and effectiveness and correctness on the other. The resulting approach represented by the CC version 1 is a major contribution to international harmonisation. The fact that it has already been accepted by ISO as the basis for further work towards an international standard is indicative of the success of the project.

The desired end-state is now in sight — a level playing field for IT security products world-wide, where it should make no difference to the consumer where a product is manufactured or evaluated. The degree of trust to be placed in a product's secure and predictable operation will be known and accepted.