A guide to international authorities for global trusted computing standards certification

Dec. 19, 2018
ASHBURN, Va. – Trusted computing standards are evolving constantly within the United States, which can be confusing enough. Now consider international trusted computing standards that may apply to a growing number of embedded computing projects and you can encounter a real dilemma.

By David Sheets
and Paul Hart


This overview could help. It's a guide to the international government agencies that perform security accreditation for equipment, such as network switches, storage devices, and ruggedized computers used in military applications.

International agreements exist, like the National Information Assurance Partnership (NIAP), that recognize Common Criteria (CC) schemes and Protection Profiles (PP) to reduce the level of re-assessment on international military program standards.

Nevertheless, applicants generally must submit a Security Target document that describes the Target Of Evaluation (TOE) and the relevant protection features built around the critical security areas, such as hard drive encryption, key management, and secure boot that cryptographically verifies executable code on power-up.


The extent of these features depends on the type of program. For example, secure boot can range from validating checksums prior to loading code, to verifying cryptographic signatures and decrypting all boot artifacts. Government agencies and international authorities will issue high-level requirements that specify the protection levels. There also are specific agencies and protection schemes for individual countries.

The United Kingdom Ministry of Defence (MOD) in London issues a Security Aspects Letter (SAL) on a new military program. In turn, the National Cyber Security Centre (NCSC) in London determines the assessment process level -- the highest grade being the CESG Assisted Product Service (CAPS), with official-level programs following the Commercial Product Assurance (CPA) certification route.

CAPS assessments are performed directly by NCSC, whereas CPA approvals are outsourced to licensed evaluation facilities.

Companies performing development work in this field also need to meet facility-level IT and access security requirements which flow down from Defence Condition DEFCON 658 (Cyber) and Defence Standard DEFSTAN 05-138 (Cyber Security for Defence Suppliers). The MOD sponsors a scheme known as Cyber Essentials Plus, whereby potential suppliers can seek accreditation against these requirements.


The French government agency Agence nationale de la sécurité des systèmes d'information (ANSSI) is equivalent to the United Kingdom NCSC. It has two certification schemes that depend on the security level, which are assessed by facilities approved by the Centres d’évaluation de la sécurité des technologies de l’information (CESTI).

Among the CESTI schemes is the Critères communs (CC), which is equal to the Common Criteria. It is applicable to products already accredited in another country that is a signatory to the ITSEC accord, like the United States, United Kingdom, and Canada. It also is based on ISO 15408 (IT Security) and focused on network, enterprise-level computing.

The Certification sécuritaire de premier niveau (CPN) represents first level security certification. Accreditation to this scheme is not normally recognized outside of France.

Equally, the German federal office for information security, known as the Bundesamt für Sicherheit in der Informationstechnik (BSI), offers similar accreditation schemes.


The Italian Ministry of Economic Development is that country's regulatory agency for security & integrity for electronic communication systems.

The Spanish government agency for certifying cryptographic equipment is the Organismo de Certificación - Centro Criptológico Nacional (OC-CCN).

In Turkey, the Ulusal Elektronik Ve Kriptoloji Arastirma Enstitüsü (UEKAE) is the Turkish National Research Institute of Electronics and Cryptology.

In South Africa, COMSEC Electronics Communications Security is a company owned by the South African government. It secures government communications against unauthorized access, and provides verification services for electronics communications security systems, products, and services used by the government.


KISA is the South Korean government agency responsible for international cyber security. It is managed by KrCERT/CC within KISA. South Korea has an NCSC within the National Intelligence Service that coordinates with KrCERT/CC.

The Australian Department of Defence State Security Agency provides cryptographic evaluations under the Australian Signals Directorate (ASD).

For the European Union, the European Union Agency for Network and Information Security (ENISA) is the certification organization for trusted computing.

Cryptographic products in a NATO member nation are subject to approval by the developing nation's National Communications Security Authority. These include those that are evaluated and approved in accordance with the INFOSEC Technical and Implementation Directive on Cryptographic Security and Cryptographic Mechanisms.


These products are eligible for inclusion in the NATO Information Assurance Product Catalogue (NIAPC). The list of cryptographic products and cryptographic mechanisms is updated and maintained by the NATO Communications and Information (NCI) Agency Cyber Security on the basis of input provided by the National Communications Security Authority of the NATO member nation.

The NCI Agency develops interoperable C4ISR capabilities, operates the NATO Information Assurance Product Catalogue (NIAPC), and recognizes Collaborative Protection Profiles under the NATO Common Criteria. The NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) is based in Tallinn, Estonia.

To sell trusted computing and security products effectively into North American and international markets, companies must ensure that the correct certification authorities and regimes are identified and understood. This will help pave the way for the acceptance of their offerings.

Also, suppliers can deliver significant cost reductions to their customers, as well as greater security testing and resiliency, by capitalizing on certifications across different markets.

David Sheets is senior principal security architect at Curtiss-Wright Defense Solutions in Ashburn, Va. Paul Hart is chief technology officer at Curtiss-Wright Controls Avionics & Electronics in Bournemouth, England.
