In my last post, I wrote about FIPS 140-2 and what it means for products that obtain that validation. This post will be about the other major security certification: Common Criteria. Aruba Mobility Controllers and access points have now completed two different Common Criteria evaluations, and are in the process of a third. What that means for our customers is that you’re now able to use the latest gigabit Wi-Fi standard (802.11ac) in a completely accredited solution.
While FIPS is focused on cryptography, Common Criteria is focused on the rest of the security functions of an IT product. Evaluations are primarily concerned with the presence of specific security features, and the correctness of those features. Examples include cryptography (a FIPS-validated product generally gets an automatic “pass” on that section), trusted channels (IPsec, TLS, SSH), auditing and logging, administrative roles, access controls, and so on. Those are general categories – specific protection profiles also add mission-specific requirements: Wi-Fi requirements in the Wireless LAN Protection Profile, VPN requirements in the VPN Protection Profile, and firewall requirements in the Firewall Protection Profile. For a look at all the available protection profiles, head over to https://www.niap-ccevs.org/pp/. Pick one of them, such as the Wireless LAN Access System PP, and give it a quick read. If your eyes glaze over at terms like O.RESIDUAL_INFORMATION_CLEARING, have no fear – mine do too. Skip over those parts, and look for the Security Requirements and Rationale section.
But wait – why aren’t we tossing around terms like “EAL4”? Isn’t that the gold standard by which Common Criteria evaluations should be judged? No, not anymore. In a nutshell, EALs (Evaluation Assurance Levels) are dead – at least in the US, Australia, New Zealand, Canada, and the UK. Many other nations have agreed in principle to kill off EALs, but it’s a slow-moving process. Why the change? You can read the official explanation here: https://www.niap-ccevs.org/NIAP_Evolution/faqs/nia
The other interesting thing that happened along the way was Commercial Solutions for Classified (CSfC), which you can read about at https://www.nsa.gov/ia/programs/csfc_program/. The entrance requirement for CSfC is a Common Criteria evaluation against a government-written PP. CSfC required that a higher bar be set for security capabilities within a commercial product, and the old EAL scheme didn’t have the necessary requirements called out as mandatory – things like cryptographic entropy and required cipher suites, for example. Any vendor who has completed an older EAL-style Common Criteria evaluation will have to repeat the evaluation under a Protection Profile in order to meet eligibility requirements for CSfC.
That leads into my final point. Aruba is now the first and (at the time of this writing) only vendor listed on the CSfC approved components list (https://www.nsa.gov/ia/programs/csfc_program/compo
Have more questions about FIPS, Common Criteria, or other public sector certifications? Feel free to post them on the Government and Military section of Airheads Community. We’ll get them answered.