The National Information Assurance Partnership (NIAP) is introducing an initiative to form Technical Communities (TCs) for the development of Protection Profiles (PPs). A key goal for the TCs is to ensure that PPs are generated as the result of collaboration between Government, industry, and academia. The near-term goal is to stand up TCs to develop NIAP-approved PPs, with the future goal of acceptance of the Technical Community concept by the international CCRA community. This approach differs from what has been done for PPs in the past. Under the new approach, Subject Matter Experts (SMEs) within the TC are empowered to make decisions about PP content. Threat information will be provided by domain experts, and Security Functional Requirements (SFRs) and threats will be tightly integrated – only those capabilities supporting government needs or required to counter technology-specific threats will be included as SFRs in the PP. Objective assurance activities will be carefully crafted by SMEs from various TCs in an effort to generate reproducible results from the evaluation methodology consistently across labs and evaluators, to ensure security assurance requirements (SARs) are appropriate for the technology and the government’s needs, and to produce results that can be compared across technology areas.
Technical Community Purpose and Approach:
TCs are intended to be Government/Industry/Academia partnerships formed for the purposes of:
- developing, managing, and maintaining PPs to support evaluations of specific categories of technology,
- influencing the evolution of identified technologies to ensure they are able to satisfy US government protection needs in the face of changing threats, and
- ensuring PP content supports a process that is objective, efficient, yields repeatable results, and produces outcomes that have relevance and added-value to the operational user community.
TCs will be responsible for the following PP content:
- A set of technology-specific threats,
- The minimal security functionality sufficient to mitigate the identified threats, and
- A collection of assurance activities tailored to the technology and covering each functional requirement. These activities are to be objective, measurable, repeatable, effective, and scoped such that they can be completed within a reasonable timeframe.
NIAP Technical Communities Organization Overview:
The Steering Committee (SC) facilitates the work of individual Technical Communities and performs oversight of all TCs.
The Steering Committee has responsibility for forming and overseeing the Technical Communities to ensure consistency and completeness of the PPs developed by each Community. The Steering Committee is the approving authority for PPs developed by the TCs. Initially, NIAP will largely fulfill the role of the Steering Committee until the formation process is mature. Over time, however, it is envisioned that the Steering Committee could evolve to include other partners.
As illustrated, the Technical Communities are composed of representatives from a broad range of affiliations, so that the resultant PPs benefit from knowledge contributions that come from a variety of perspectives to produce effective and relevant technology content.
The guiding principles of the organization (SC and TCs) are:
- Improved "time to market"
- Leverages industry expertise
- International participation
- Collective ownership of the process
NIAP Technical Communities Goal for FY12:
NIAP’s goal for the formation of the TCs in FY12 is to initiate three TCs in the following technology areas:
- Formalize the existing Network Device Community to form a Network Device TC (NDTC) to create version 2 of the Network Devices Protection Profile (NDPP)
- Establish the USB Technical Community (USBTC) with the support of other nations (e.g., UK and Sweden) to create a USB Protection Profile (USBPP)
- Establish a Mobility TC with the initial goal of developing a PP for Mobile Device Management (MDM)
A call-for-participants announcement for the NDTC has been sent out to industry, government, end users, academic institutions, and labs. The kick-off meeting for the NDTC was held on 31 May 2012. The establishment of the USB and Mobility TCs will be initiated in the near future. All interested parties wanting to participate in the Mobile Device Management Technical Community (MDMTC) and the USBTC should provide the following information to the aliases below:
- Affiliation (Vendor/CCTL/Academic Institution/Scheme/Other)
- Telephone number
- Email address
- A brief statement of the qualifications for participation in the TC