The following is an article from Eric Betts, who manages VMware's Common Criteria certification program.
Feed back to VMware’s announcement of vSphere 5.1 achieving “In-Evaluation” has been overwhelmingly successful. However, it also caused quite a flurry of questions regarding the change in EAL level from EAL4+ to EAL2+ and questions on EAL4 vs. EAL2. This blog posting will help with clarifying VMware’s position and overview of reform changes in-progress with Common Criteria.
Information Technology (IT) customers often leverage third party validations, such as Common Criteria, for assurance of IT product features & implementation and compliance with a known standard. Common Criteria is a methodology framework for the evaluation of IT products, mutually recognized by 26 member nations (up to EAL4) and is an ISO standard (ISO-15408). These factors, among many others, have contributed to the success, acceptance and often the requirement for Common Criteria certifications for Government and Defense related procurement sales. However, as with any technology, process or standard, they must evolve and adapt to address current technologies and industry trends to remain relevant. Common Criteria is evolving to address such needs.
The National Information Assurance Partnership (NIAP) in cooperation with other countries has initiated a series of changes for reform. Changes include enlisting the help of industry through technical communities for development of new Protection Profiles (PP), improving consistency, speed and efficiency of evaluations. As part of the reform, requirements for specific EAL levels will be replaced with “Approved Protection Profiles” and products will be listed as “PP Compliant”. These products which implement the functionality described in the protection profile will then be evaluated in a consistent manner and against the same security threats which have been observed by the larger security community. In the event that there is no protection profile in place at the time of entering the evaluation evaluations will be accepted up to a maximum evaluation level of EAL2 which is roughly consistent with the level of detail in the current protection profiles.
Security claims for prior Common Criteria evaluations were driven by vendor developed Security Targets and optional Protection Profiles. While this provided vendors with greater flexibility, it also enabled opportunity for inconsistent evaluations. Going forward products will be required to conform to a set of security claims from a mandatory protection profile. This baseline will improve consistency across evaluations, testing laboratories and international schemes.
The Common Criteria certification of vSphere 5.1 @ EAL2+ demonstrates VMware’s continued commitment to evolving standards, validation of the latest VMware platform and providing assurance to our customers.
The National Information Assurance Partnership (NIAP) developed a FAQ which provides in-depth details on the Common Criteria reform titled “Frequently Asked Questions for NIAP/CCEVS and the Use of Common Criteria in the US (28 March 2012)”
The FAQ below is based on specific questions and discussions at VMware:
Q: Why is vSphere being certified at EAL2?
A: As stated in the NIAP FAQ, the ability to certify at EAL4 was sunset as part of the Common Criteria reform. When vSphere started the certification process, EAL2 was the target level for commercial software.
Q: You just stated that Common Criteria evaluations at EAL4 are no longer possible, I searched and discovered VMware vCNS 5.1.2 on the “In-Evaluation” list at EAL4? What gives??
A: Correct. Short answer is timing and timelines. vCNS entered into evaluation when while EAL4’s were still being accepted. However, when vSphere entered into evaluation, certifications at EAL4 were no longer being accepted.
Q: Does certifying at EAL2+ mean that vSphere 5.1 is less secure?
A: No, absolutely not! The certification process by which vSphere 5.1 is being evaluated is changing. vSphere 5.1 remains the trusted center piece of the industry-leading virtualization platform for building flexible cloud infrastructures with performance and reliability to run the most demanding enterprise applications.
Q: Why didn’t vSphere 5.1 conform to a mandatory Protection Profile?
A: When vSphere 5.1 entered into evaluation a protection profile for virtualization was not available. vSphere 5.1 will be a Security Target based evaluation. The vSphere 5.1 Security Target contains a full comprehensive set of security claims where applicable, portions were leveraged from existing protection profiles like General Purpose Operating System (GPOS).
Also see NIAP FAQ questions #14 & #16.
VMware was an active participant in the Tech Community that developed the foundation content for the Virtualization Protection Profile. The Protection Profile for Virtualization is currently under development and the estimated completion date is Q3/2013.
See complete NAIP PP lists:
- Completed: http://www.niap-ccevs.org/pp/
- In draft: http://www.niap-ccevs.org/pp/draft_pps/
Q: Why is vSphere 5.1 being certified through Canada and not the US?
A: Common Criteria certifications up to EAL4+ are mutually recognized by all member nations. All schemes are governed and accredited by identical standards, so location isn’t important. The decision to certify though Canada was a decision based on several business factors.
Also see the Common Criteria Recognition Agreement “Vision Statement”.
Q: Why are some products still being certified at EAL4 through other schemes?
A: While the US, Canada and most other schemes are in lock-step agreement with proposed timelines and processes for reform, some schemes decided to postpone new NIAP direction and continue to perform evaluations at EAL4 for specific country requirements.
Join the conversation:
VMware community discussion: “VMware Common Criteria Security Certification Update”