With the spread of COVID-19 worldwide and the subsequent reductions in travel and in person meetings, we’ll all be going more home-office based for a while.
Now, TrustCB was already operating from the home-offices of the individual certifiers, with the secret information only stored on always-offline systems. So in a way we have been ready for this contingency for the last ±10 years under NSCIB and now all the other schemes. Or less lightly: this has no significant impact on our capacity and capabilities.
The biggest gap for us certifiers is the evaluation meetings we were most commonly doing in person. The significant gap in the bigger picture is the work-at-home for developers and evaluators. Below you can see what we’ve done and are doing for these issues.
We’ll keep this page updated and if you are a lab/scheme owner, inform you per email.
Update Thursday 2020-03-19: clarified that discussing Secret information over remote connections is not yet solved, but a trial solution should be in place next week.
Requirements as usual
All stakeholders in the evaluations and certifications of the products set their minimum of what security measures need to be applied. This means that as developer, evaluator and certifier we have to implement the maximum of all these measures.
TrustCB cannot speak for the policies of the developers and evaluators, but we can clarify our certifier policy:
In its role for the various schemes (including MIFARE, NSCIB, PSA Certified and SESIP), the minimum TrustCB always requires (and considers sufficient), is to ensure the confidentially of the information is protected to at least the level of “Knowledge of the TOE” required for the ratings in the vulnerability analysis.
This has been part of the procedures of all parties for the last 10+ years in the overwhelming amount of cases.
Extra flexibility in these times
As governments, companies and people take their responsibility in reducing the spread of the coronavirus by strong reduction of in-person interactions, there is a sudden increased need for the capability to work from home. Policies and measures might not have been fully formally established yet, even if the practices are secure.
For the duration of this COVID-19 situation we’ll also accept developers and evaluators working at home at all levels provided they are following procedures as secure or more secure as the TrustCB certifiers.
In short this means communication is done via PGP-encrypted attachments, and the work is done on always-offline systems sufficient for secret information (see our policies for details like minimum key-sizes) while ensuring the screen is not visible to people without a need to know etc.
Talk to your TrustCB scheme contact should you have concerns or questions on this topic.
Communication at a physical distance
We will be attending evaluation meetings remotely wherever possible. TrustCB was already considering options before this situation, but immediately sped up this process to address this current situation.
For information considered merely Confidential (in evaluation meetings: Knowledge of the TOE is rated below or at Restricted level), such as usually is the case in projects at or below EAL4/AVA_VAN.3 / SESIP3 / PSA Certified L2 (and with care also EM1 of higher projects), it is already clear:
normal commercial conference solutions such as Skype for Business, Webex or Hangouts can be used.
Use industry standard security policies, such as ensuring that only the project members are on the conference, that no recordings are made, and that the video conference does not show the slides/documents (these should be on the offline machines), just the people.
There is no need to speak in code language (so no need for “the second topic on slide 3”) for information of this level of confidentiality.
For information considered Secret, such as those in most smartcard projects, at AVA_VAN.4 / SESIP4 level or higher, there is currently no generally accepted solution (except for limiting the claims of the Knowledge of the TOE to Restricted, but this has impacts on many aspects of this and other evaluations).
Security measures for remote access to such secret information by the developer could be used.
Discuss the labelling of the information with your certifier, and the proposed mechanisms also with your scheme leads.
TrustCB is working on a generally acceptable solution. It looks like this will be available in the next week (CW13) for trial use.
TrustCB has already adapted to this situation and will as usual be reasonable with solutions also in this rapidly moving situation. We’ll be in close contact with you, distancing only in the physical sense.
As the wise saying goes: “don’t panic and know where your towel is”,
and consider knowing that is a lot easier at home!
With all the best wishes of health, humor and connection,