|
|
|
 |
|||||||||||||||||||||||||||||||||||||
SIMPLER SECURITY TARGETS
One of the major objections to the CC has been the excessive cost of low assurance evaluations. Although this is due in part to evaluation scheme and evaluation authority overheads, a major contributing factor has been the overhead cost of evaluating the security target, where costs are pretty much independent of the target evaluation level for the associated TOE. At low to moderate assurance levels, it is not unusual for the cost of ST evaluation to exceed that of TOE evaluation. Although it is a general accepted systems engineering principle that bad requirements specifications can only generate bad systems, sponsors still want and expect low assurance evaluation to concentrate on examination of the system, not on ancillary documentation generated purely for evaluation purposes. Trial use revision 2.4 of the Common Criteria addresses this issue, but does not offer a complete answer, and perhaps introduces some new problems of its own. For example, the proposed Low Assurance Security Target can still claim conformance to a full-strength Protection Profile. How is this assessed and what does it mean? Does a low assurance evaluation need both a TOE summary specification and a functional specification? Why? – at least in CC V2.4 it is a requirement that they are checked for mutual consistency. Most sponsors regard EAL2 as the entry level for credible assurance – can nothing be done to reduce the overheads of EAL2 evaluation? This presentation looks into some of these important issues, from both a methodological and practical point of view. |
||||||||||||||||||||||||||||||||||||||
|
