
Acronym Alert: CCEVS / FDPP

I’ve been a bit light on the blogging the last couple of weeks because I’ve been pushing to complete the Field Device Protection Profile (FDPP). The final steps of a Common Criteria document are a bit intense because the rationale mapping threats to objectives to requirements is very detailed, as are the audit and management requirements, and the overall language and structure requirements. It is the type of work that takes a couple of hours to get your mind around just so you can start being productive.

A few related items you may want to look at:

- NIAP’s Common Criteria Evaluation and Validation Scheme (CCEVS) is a US Government program to have USG-validated protection profiles. There are already protection profiles for smart cards, firewalls, IDS, … Under NIST’s guidance we decided to modify the FDPP to meet the Consistency Instruction Manual for Medium Robustness in the CCEVS. This 155-page manual is another set of specific instructions. It would be cool to see a control system protection profile on the list. Even better, a protection profile validated by the USG is more authoritative.

- The FDPP will be presented at the PCSRF meeting in June. We are going to extract plain language requirements out of the document so it is more easily understood. It also could be used as a checklist or as input to an RFP or assessment. Yet another reason to go to the PCSF/PCSRF/I3P/… in San Diego.
