Adapting the Common Criteria as a Standards-Based Approach for Authentication and Certification

Year
2017
Author(s)
Jacob Benz - Pacific Northwest National Laboratory
Keith Tolk - Milagro Consulting
Matthew MacDougall - Pacific Northwest National Laboratory
Abstract
The Common Criteria (CC) for Information Technology (IT) Security Evaluation is a well-documented and accepted international standard (ISO/IEC 15408). It presents a set of requirements and processes for owners, developers, and evaluators of equipment to assess and certify the security of a given piece of IT equipment for use in a given environment or system. The CC are concerned with protecting the confidentiality, integrity, and availability of data through the evaluation of hardware, software, firmware, and the operating environment in which the equipment will be deployed. This is nearly identical to the objectives of authentication and certification in an arms control context.

The CC utilize Evaluation Assurance Levels (EALs) to qualify the security of the equipment, where increasing EALs represent greater scope, depth, and rigor of evaluation and therefore confidence in the equipment. In the early 2000s the joint DOE-DoD Authentication Task Force (ATF) for arms control monitoring equipment began to explore the concept of adapting the EALs into Authentication Assurance Levels (AALs) for evaluating potential monitoring and verification equipment. This presentation will highlight current work performed to explore the effort begun under the ATF and expansion of that work to better utilize the standards-based approach defined by the CC for authentication and certification.