CCCAB tool - Making CABs life easy - Chapter 2

Javier Tallón, Security Expert at jtsec Beyond IT Security
Why automation tools for Common Criteria?
❑ Automate everything!
❑ Less time to obtain the certificate
❑ Lower economic cost for everyone
❑ Meet the market expectations
❑ Increased number of Common Criteria certifications
❑ Fast pace in the evolution of IT
❑ Lack of talent
CSA & EUCC Context
❑ The CSA brings a new paradigm
❑ Regulation (EC) No 765/2008: ‘conformity assessment body’ shall mean a body that performs conformity assessment activities including calibration, testing, certification and inspection;
❑ EUCC v1.1.1 further refines this concept:
  ❑ CAB = CB + ITSEF
  ❑ CB: issues the certificate
  ❑ ITSEF: calibrates / tests / samples
Brief & Stakeholders
❑ CCCAB is co-financed by the Connecting Europe Facility of the European Union.
❑ ISCOM (OSCI), CCN (OC-CCN) and jtsec
Objectives
❑ Improve current schemes' capabilities to support the high assurance certifications defined in the EUCC
❑ Build up CAB capabilities for newcomers and for private CABs that will operate under the EUCC for level substantial
❑ Share good practices between CABs for level high and support peer reviews by sharing the same tool
❑ Enhance the communication flow with ENISA, ITSEFs, manufacturers…
❑ Allow focus on validation of the reports
Why is CCCAB needed?
❑ CCCAB provides a framework to manage EUCC certifications, smoothing the process and saving around 25% of the certification effort for existing CABs.
❑ CCCAB will ease the creation of EUCC CABs around Europe, given that it will be very easy to deploy the required IT system to manage a CAB.
❑ CCCAB will be a free open-source tool that could potentially be adapted for use in other future schemes. Therefore, it could be a key factor for a successful adoption of the EU Cybersecurity Certification framework.
CCCAB as a part of a framework
Main technologies used
Features
Features: Document Generator
❑ Project Management: CCCAB will allow you to have a global view of all projects in progress, helping in the overall management of the project.
❑ Simple installation: Can be used from anywhere without the need to install any software. Online and offline.
❑ Web Edition, DOCX/PDF Output: CCCAB will allow the generation of documents in DOCX or PDF format.
Features: Validation Framework
❑ Presentation engine
❑ Access control (I&A, 2FA, …) and authorization subsystem (PGP, PAdES, XAdES)
❑ Evidence and versioning subsystem
❑ CC Analysis Engine & Expert tips
❑ ITSEF non-conformities subsystem
[Diagram: Validation Framework components: CC Analysis Engine, Smart Validation System, Presentation Engine, Access control & Authorizations, CC3.1R5, Non-Conformities, Evidences & Versioning]
Features
❑ Smart Validation System
  ❑ ITSEF communications parser
  ❑ Manufacturers communications parser
  ❑ Automagic filling
[Diagram: Validation Framework components: CC Analysis Engine, Smart Validation System, Presentation Engine, Access control & Authorizations, CC3.1R5, Non-Conformities, Evidences & Versioning; the Smart Validation System exchanges ITSEF Comm. with ITSEFs and Manufact. Comm. with Manufacturers]
Features
❑ Adaptation to the EUCC
  ❑ Communications with ENISA website
  ❑ Compliance System
  ❑ Vulnerability Inbox
  ❑ Vulnerability Monitoring
[Diagram: Validation Framework components: CC Analysis Engine, Smart Validation System, Presentation Engine, Access control & Authorizations, CC3.1R5, Non-Conformities, Evidences & Versioning, Vulnerability inbox]
How does it work?
Action plan
CCCAB Specification
• Analysis of current tools used by CBs
• Information flows identification
• Information Exchange languages specification
Validation Framework
• Access Control and PM system
• Interface development
• Evidence management
• Report printing
• NCs Management
• Version Management
Smart Validation System
• ITSEF Communications parser
• Manufacturer communications parser
• Autofill
• Expert tips
Adaptation to the EUCC scheme
• Communication module with ENISA website
• Compliance Monitoring System and non-compliance handling
Validation
• Full Project using CCCAB
• Guidance development
• Final version release
CCCAB website
❑ https://www.cccab.eu/
Conclusions & ToDos
❑ Define the Open Source licensing model
❑ Release the source code
❑ Test the tool properly in real use cases with the partners
❑ Develop the connection with the ENISA website, which is not yet up and running
❑ Make stakeholders aware of the tool
Contact
jtsec Beyond IT Security
Granada & Madrid – Spain
hello@jtsec.es
@jtsecES
www.jtsec.es

“Any fool can make something complicated. It takes a genius to make it simple.”
Woody Guthrie