
Common Criteria in the Cloud Technical Community
https://cc-in-the-cloud.github.io/
MIT License

Feedback from Australia #123

Closed. jgb1128 closed this 9 months ago.

jgb1128 commented 10 months ago

I received this feedback from our 3rd sponsor (Australia) at ICCC. We need to walk through it:

OFFICIAL

Hey Josh,

It was very nice to meet you in DC!

As mentioned, we are currently soliciting comments from SMEs within our cyber centre on this topic. Below are the comments I have received so far, which I hope are useful:

///

Typos, grammar, expression, etc:

• Glossary – typo: “CSP” is used as the acronym for cloud service offering where “CSO” is expected.
• Expression: There was some “CPU Equivalency” text that we did not quite understand. We would think that in “mass CPU” settings like cloud, CPU equivalency rules should be looser, as any issues would be discovered quickly – as long as the binaries are the same and there are no dynamic code paths depending on CPU types.

Interesting notes about document:

• SaaS section – Cloud-specific CC add-ons for cPP_App_SW, cPP_DBMS and PP_MDM is a sensible idea. We have to be clear about what the goal is and what the constraints might be:
  • Is the goal to allow 3rd party vendors to provide a service in one of the CSPs?
  • This is very different to having criteria that would allow a CSP to have their SaaS offerings evaluated.
  • It must be possible for the 3rd party vendor to make a product that can meet the CC extensions when using any mainstream CSP.
• PaaS section – Cloud-specific CC add-ons for PP_OS and cPP_ND seem sensible. Goals and constraints:
  • Is the goal to allow 3rd party OS and network device providers to make OSes and NDs evaluable in the cloud versus on-prem?
  • The CC add-ons must be configurable on the mainstream CSPs and will thus probably look similar to the common factors of CSP checklists on how to set up secure platforms using the CSP infrastructure.
• IaaS section – we expect that this would typically be an evaluation of the CSP offering, although we think there are a few possible use cases like VMware providing IaaS on AWS, Azure, Oracle Cloud or others. We would not think there is a lot of possible work in this area.

Good points about being flexible with auditing and TOE guidance. Interesting to see they are saying testing is required per cloud provider, and perhaps even more fine-grained, but there might be some allowed cloud equivalency arguments within a CSP. There was some text about CPU equivalency we did not quite understand – perhaps the details are still being figured out. More specific material in the document about the Security Problem Definition, Objectives and Requirements makes sense. There are some gotchas in current PPs like “no general purpose computing” that might need cloud-aware modifications. There was a very good point made about what happens to Critical Security Parameters being different on the cloud, with many Cloud Service Providers offering many services to deal with CSOs with different functions.

In summary, this draft CCitC document did a very good job in our opinion. They have gone a long way towards specifying the minimum changes that will allow for existing PP work to be reused and made suitable for dedicated hardware or very generic cloud XaaS. We assume the TC is figuring out how they treat CPU equivalency in the medium term.

///

More comments for us to come. Please let me know your thoughts.

Best regards,

Hin.

Hin Chan (he/him)
Manager, Australian Certification Authority (ACA) | Australian Information Security Evaluation Program (AISEP)

jgb1128 commented 9 months ago

Resolved suggestions. Questions to be discussed.

jgb1128 commented 9 months ago

Team will respond in January to Aus scheme for questions. Their editorial suggestions have been incorporated.

jgb1128 commented 9 months ago

> Is the goal to allow 3rd party vendors to provide a service in one of the CSPs?

We understand this question to mean that third party vendors = product or application developers, like Fortify on Demand as an example. If so, the answer is yes.

> Is the goal to allow 3rd party OS and network device providers to make OSes and NDs evaluable in the cloud versus on-prem?

Yes, one of our goals is to facilitate OSes and NDs being evaluable in the cloud. Does this answer your question? If not, please clarify.

> There was some text about CPU equivalency we did not quite understand – perhaps the details are still being figured out.

We've revised this section; I hope this makes more sense now.

jgb1128 commented 9 months ago

I sent the response to Hin.