Trial use experiences with ASE and APE for the new CC EAL1 concept

Abstract:

The CC in its version 2.1 is internationally recognised as a standard for assessing IT Security. However the CC is also often criticised - especially by CC newcomer - to be overly complex and expensive.

The CC is currently undergoing a rewriting process from version 2.1 to version 3.0. For Germany it was an essential goal of this rewrite to simplify the criteria in order to facilitate the access to the CC and make evaluations as cost-effective as possible.
Simplification of writing Security Targets and Protection Profiles as well as enabling vendors and evaluation labs to do reasonably priced evaluations on an EAL1 level have been identified as one step of achieving that goal.
Therefore the BSI, together with the Partner Organisation from the Netherlands, have been intensely engaged in the definition of simplified ASE and APE criteria (CC assurance classes dealing with Security Target and Protection Profile evaluation), especially for EAL1 which will become part of the CC version 3.0.

To verify the practicality and suitability of the new criteria, the BSI decided to set up a trial use project. Subject of the project was to show the applicability of the criteria by compilation and evaluation of several protection profiles and by performing the evaluation of products according to the new criteria.

The results and lessons learned are subject of this presentation.