IST/33/-/3 is the technical panel that advises the British Standards Institution (BSI) on proposed standards for Information Technology - Security Techniques - Evaluation Criteria for IT Security.
It reports to IST/33, the BSI Standards Committee responsible for IT security techniques. IST/33 sets policy and advises BSI how to respond on behalf of the United Kingdom on ballots on proposed European or International Standards.
IST/33/-/3 is now exclusively an electronic panel; documents to be considered by members are posted to this web page whenever possible. There are no physical meetings. Comments are distributed and collated by E-mail. Membership of the panel is open to anyone resident in the UK with an interest in standardisation. Contact the Panel Convenor to join.
Under BSI rules, a voluntary charge may be made to cover the costs of running the panel. However, no charge has been made since the panel went electronic more than ten years ago, and there are currently no plans to levy a charge, now or in the future.
The formal way to obtain information on the work of the panel, including electronic notification of new documents, is to join BSI Committee IST/33. This also gives you the right to vote as to whether technical contributions should be put forward, and whether the UK should approve or disapprove formal drafts of standards in this area. For more information, please see the BSI Standards Getting Involved page. It can be pretty difficult to find information on the BSI Standards web pages. If necessary, contact the IST/33 Committee Secretary.
If you are a UK resident and interested in standardisation, you may view or download any documents from this page free of charge and formalities. Please observe copyright where applicable. Most Working Group documents are available without conditions; some documents may not be republished without permission from the author or (more usually) the SC 27 Secretariat. All such documents contain a clear copyright statement. Sometimes documents cannot be placed on the web, even for standards development purposes. The number of such documents seems to be increasing, probably due to the standard copyright wording prepared by ISO. These documents are marked in the indexes below as "only available from the Convenor".
IST/33/-/3 tracks the work of an International Standards Working Group - the International Organisation for Standardisation - International Electrotechnical Commission Joint Technical Committee 1 Subcommittee 27 Working Group 3: Security Evaluation Criteria. This is commonly called "SC 27 WG 3" for short. This WG is responsible for developing standards for IT security evaluation and certification. More information is available from the Subcommittee Secretariat.
SC 27 has a new, improved official web site.
The main task of SC 27 WG 3 (and thus IST/33/-/3) has been to produce an ISO/IEC standard corresponding to the "Common Criteria" (CC), the large and rather complex IT security evaluation criteria originally developed by Government agencies in six North American and European Union countries as a replacement for their current national or EEA criteria. The WG3 version of the Common Criteria has now been adopted as an official International Standard, ISO/IEC 15408. The latest (2005) published edition can be purchased in printed form from BSI, and is also available from ISO in Geneva. It can be downloaded free of charge as a pdf file from http://isotc.iso.ch/livelink/livelink/fetch/2000/2489/Ittf_Home/PubliclyAvailableStandards.htm. This corresponds to Version 2.3 of the Common Criteria.
The last meeting of SC 27 WG 3 was held in Kyoto, Japan between 14th and 18th April 2008. The official meeting report (written by the Convenor of this BSI Panel) is available here. The next meeting is in Limassol, Cyprus between 6th and 10th October 2008.
For many years, WG 3 concentrated almost exclusively on evaluation criteria. However, there has been a significant change in recent years and a number of other standards have been prepared, dealing with, for example, the security assessment of operational systems, security requirements for cryptographic modules and a framework for security evaluation and testing of biometric technologies.
Despite this, the main motivation for WG 3 remains evaluation criteria. The ISO evaluation criteria, ISO/IEC 15408, is out of step with the Common Criteria. The official version of the CC is now Version 3.1 Release 2. ISO/IEC 15408 is currently being revised in line with this CC update. However, the latest published CC Version 3.1 has some technical deficiencies - not least that there is no Part 1.
The latest version of the ISO equivalent hopefully addresses these problems. It is available in the documents for download section. Parts 2 and 3 are currently being balloted as FDIS (Final Draft International Standard), in forms technically identical to CC Version 3.1 Release 2. This is the final ballot in standards development, where no further technical changes are allowed. A corresponding Part 1 has been prepared, but is less mature and has no CC equivalent. It is therefore being prepared for balloting as a third FCD. You will be able to buy printed copies of these drafts from BSI shortly.
WG 3 has also been developing an Evaluation Methodology Standard, ISO/IEC 18045, to match the Common Evaluation Methodology (CEM). This was published in parallel with the updated criteria standard as ISO/IEC 18045:2005. ISO/IEC 18045 is also undergoing an FDIS ballot to bring it into line with the latest CEM for Version 3.1 Release 2. It is also available in documents for download. You will be able to buy printed copies from BSI shortly.
For many years, there has been a concern in WG 3 that the ISO/IEC 15408 criteria were inadequate to evaluate certain types of security requirements, in particular functional properties that must hold for the whole of a TOE, but cannot be mapped to individual interfaces of the TOE. A simple example would be that certain sensitive information is not retained within a TOE at all. It is conceptually possible to prove such requirements by examination of the security architecture of the TOE, and this has been done in some evaluations. However, it represents a misuse of the existing architectural assurance criteria, which are not intended - and designed - to be used in this way.
The Common Criteria developers are currently encouraging users of evaluation criteria to think more deeply about deficiencies in the current criteria. WG 3 therefore held a dedicated drafting meeting to look at this specific problem, with a view to developing and submitting a detailed technical solution to both ISO and the Common Criteria Development Board. This solution will be radically innovative. This meeting was held in Madrid, Spain on 12th and 13th February 2008. The report of the meeting is available here.
ISO and IEC sponsor a register of Protection Profiles, although this is currently inactive. At the Luzern meeting, a proposal from Centro Criptológico Nacional of Spain, who host the Common Criteria Portal Register, to take over the ISO Register was endorsed. This has now been approved by JTC 1, and it with the ISO TMB for final approval.
With regard to other WG 3 Projects, TR 15443, A Framework for IT Security Assurance, is now finally completed! The first two parts were published some considerable time ago, and Part 3, Analysis of Assurance Methods, was published by ISO on 15th December 2007, and can now be purchased from ISO or through BSI. For copyright reasons, the ballot draft for Part 3 is only available from the Panel Convenor. An earlier version can be downloaded from the "Documents for Download" section of this web page.
ISO/IEC 19790, Security Requirements for Cryptographic Modules, has completed the ISO/IEC JTC 1 standards approval process and been published. A number of changes were made before, during and following the final ballot and thus the published text is slightly different to that balloted as an FCD and available here. The FDIS text and a list of subsequent changes are available from the Panel Convenor.
A companion Project, ISO/IEC 24759, Test Requirements for Cryptographic Modules, is under way. This has now reached FDIS (Final Draft International Standard) ballot - FDIS is the final stage of standards development.. The FDIS text is available, but, for copyright reasons, only from the Panel Convenor.
A number of defect reports concerning ISO/IEC 19790 have been received, one of which concerns a missing test. A Draft Technical Corrigendum concerning this defect has been prepared. This has now been approved and is awaiting formal publication.
ISO/IEC 19790 has been approved for early revision, and WG 3 is currently seeking contributions to its update.
ISO/IEC TR 19791, Security Assessment of Operational Systems, is now published. The final text has significant differences from that balloted as a DTR (National Bodies are allowed to make technical comments on Draft Technical Reports). The final text was circulated to SC 27 but for copyright reasons cannot be accessed from this page. It is available from the Panel Convenor.
ISO/IEC TR 19791 has been approved for early revision, and a first Working Draft of the revision is expected shortly. This will be compatible with the recent changes to ISO/IEC 15408 and CC Version 3.1.
Project 19792, Security Evaluation of Biometrics, has progressed more slowly, and is still at the Committee Draft stage. Biometrics is a difficult technical area, and the commenting process has exposed significant technical problems in previous drafts. The next version is expected shortly, and will be balloted as a Final Committee Draft. For copyright reasons, the latest Committee Draft is only available from the Panel Convenor.
The revision of TR 15446, Guide to the Production of Protection Profiles and Security Targets, has now reached the PDTR (Preliminary Draft Technical Report) stage, the equivalent of a Committee Draft. It is available for download here. This version is complete, and aligned with the current FCDs and FDIS versions for ISO/IEC 15408. With minor changes, it will shortly be circulated as a Draft Technical Report for its final stage of balloting.
The review and revision of ISO/IEC 21827, Systems Security Engineering - Capability Maturity Model, was going very well indeed until it got to its final FDIS ballot, when problems were discovered concerning the original Carnegie Mellon CMM intellectual property statements. This has blocked publication of the revision - we have been waiting several months for a response from ISO's legal advisors. The ballot text is ISO copyright, and therefore only available from the Panel Convenor, although the (original) text prepared by the editor for the ballot is available for downloading.
Project 29128, Verification of Cryptographic Protocols is a standard under development in a new area. Standards already exist for the specification of cryptographic algorithms, and for the implementation and test of cryptographic devices and modules. However, there is a gap between the algorithm and its implementation in communication between entities. There are no standards or generally accepted processes for the assessment of the protocols used in such communication, and this new Project fills the gap. The first Working Draft is unfortunately already ISO copyright, and therefore only available from the Panel Convenor. A second Working Draft is expected shortly.
At its South African meeting in November 2006, WG 3 initiated a study period to investigate the development of an International Standard for Responsible Vulnerability Disclosure. At the moment, there is no generally agreed process that should be followed when researchers or users identify vulnerabilities in commercial software. Likewise, there is no consensus on how software vendors or vulnerability identification tool developers should respond to such information. The Rapporteur's final report on the Study Period is available here. It has been decided to develop a formal standard in this area, ISO/IEC 29147, Responsible Vulnerability Disclosure. Its scope and outline contents list are available here. A first Working Draft is expected shortly.
Finally, at its Russia meeting in May 2007, WG 3 initiated a one year study period into Secure System Design. The Rapporteur's final report on the Study Period is available here. The Study Period has now closed, and WG 3 will consider at its next meeting in October 2008 whether to seek permission to develop a standard or standards - or Technical Report or Reports - in this area.
The Convenor of IST/33/-/3 is Mike Nash. He can always be contacted for any further information needed on any of these topics.
The published versions of ISO/IEC 15408:2005 and ISO/IEC 18045 are available for free downloading from the ITTF area of the ISO web site. Go to http://isotc.iso.ch/livelink/livelink/fetch/2000/2489/Ittf_Home/PubliclyAvailableStandards.htm, and scroll down until you come to the relevant entries.
This very useful ISO/IEC Technical Report (usually referred to as the PPST Guide) on preparing Protection Profiles and Security Targets is available for free - and legal - downloading from the ITTF web site. Look for entry TR 15446 at http://isotc.iso.ch/livelink/livelink/fetch/2000/2489/Ittf_Home/PubliclyAvailableStandards.htm. It contains guidance and advice that anyone faced with the task of producing a CC or ISO/IEC 15408 Protection Profile or Security Target for the first time will find useful.
Some of the worked examples are a little out of date - best practice in PP and ST specification has advanced since they were written. However, the general approach and some of the checklist annexes are still as good as you will find anywhere on the web.
The document has started a revision process to bring it into line with modern methods of preparing for evaluation and the recent changes to the evaluation criteria. You can download the current draft here. This is a complete document, compatible with the latest revisions to ISO/IEC 15408 and Common Criteria Version 3.1. Although this is still only a draft, you will probably want to use this version in preference to the published one - despite the warnings on the cover sheet!
It is regretted that the official text for ISO/IEC TR 15443-1, A Framework for IT Security Assurance, Part 1 - Overview and Framework cannot be posted here as its copyright has been transferred to ISO/IEC. Document SC27 N3987 contains the final Editor's Report and is available here. It is regretted that the official text for ISO/IEC TR 15443-2, A Framework for IT Security Assurance, Part 2 - Assurance Methods cannot be posted here as its copyright has been transferred to ISO/IEC, and unfortunately no record of changes from the Draft Technical Report text is available. It is regretted that the official text for ISO/IEC TR 15443-3, A Framework for IT Security Assurance, Part 3 - Analysis of Assurance Methods cannot be posted here as its copyright has been transferred to ISO/IEC, and unfortunately no record of changes from the PDTR text is available.
It is regretted that the final text submitted for publication for ISO/IEC 19790, Security Requirements for Cryptographic Modules, cannot be posted on this open-access web page due to ISO copyright restrictions. The balloted text and a list of subsequent changes is available from the Panel Convenor.
It is regretted that the final text submitted for publication for ISO/IEC TR 19791, Security Assessment of Operational Systems, cannot be posted on this open-access web page due to ISO copyright restrictions. The document is available from the Panel Convenor.
Latest versions of documents that are available for immediate download are:
Most WG 3 documents other than actual drafts of standards can be downloaded for private use and those issued in the last two meeting cycles are listed below. Please do check with the author or SC 27 secretariat before using them for other purposes. Older documents are available from the Panel Convenor.
The International CC Project has its own web site at http://www.commoncriteriaportal.org/. This provides access to free copies of the current versions of the Common Criteria and Common Evaluation Methodology, an archive of older versions and interpretations, a discussion forum, and lots more. You can download the latest version of the Common Criteria, CC Version 3.1, from here.
Web space kindly donated by Gamma Secure Systems Limited
BSI IST 33/-/3 pages maintained by webmaster@gammassl.co.uk
Last updated: 05 May 2008