FIPS… Common Criteria…What Does It All Mean? (Part 2)

By Jon Green, Chief Security Officer

In my last post, I wrote about FIPS 140-2 and what it means for products that obtain that validation.  This post will be about the other major security certification:  Common Criteria.  Aruba Mobility Controllers and access points have now completed two different Common Criteria evaluations, and are in the process of a third.  What that means for our customers is that you're now able to use the latest gigabit Wi-Fi standard (802.11ac) in a completely accredited solution.

While FIPS is focused on cryptography, Common Criteria is focused on the rest of the security functions of an IT product.  Evaluations are primarily concerned with the presence of specific security features, and the correctness of those features.  Examples include cryptography (a FIPS-validated product generally gets an automatic "pass" on that section), trusted channels (IPsec, TLS, SSH), auditing and logging, administrative roles, access controls, and so on.  Those are general categories – specific protection profiles also add mission-specific requirements:  Wi-Fi requirements in the Wireless LAN Protection Profile, VPN requirements in the VPN Protection Profile, and firewall requirements in the Firewall Protection Profile.  For a look at all the available protection profiles, head over to  Pick one of them, such as the Wireless LAN Access System PP and give it a quick read.  If your eyes glaze over at terms like O.RESIDUAL_INFORMATION_CLEARING, have no fear – mine do too.  Skip over those parts, and look for the Security Requirements and Rationale section.

But wait – why aren't we tossing around terms like "EAL4"?  Isn't that the gold standard by which Common Criteria evaluations should be judged?  No, not anymore.  In a nutshell, EALs (Evaluation Assurance Levels) are dead – at least in the US, Australia, New Zealand, Canada, and the UK.  Many other nations have agreed in principle to kill off EALs, but it's a slow-moving process.  Why the change?  You can read the official explanation here:  My unofficial explanation is that vendors were writing Security Targets that contained a lot of useless extra features, and were then producing reams of supporting documentation to back up claims related to those extra features.  The result was a set of evaluated products that an end customer had a very difficult time comparing to one another.  NIAP also concluded that different labs were conducting evaluations in very different ways, leading to inconsistent interpretations of requirements.  Their response was to mandate "strict compliance" evaluations against government-written protection profiles.  Vendors must build products that meet 100% of the requirements in a PP, and labs are given a specific set of activities ("assurance activities") they must conduct to verify those requirements are met.  The end goal should be evaluations that are clear, consistent, and repeatable.

The other interesting thing that happened along the way was Commercial Solutions for Classified (CSfC), which you can read about at  The entrance requirement for CSfC is a Common Criteria evaluation against a government-written PP.  CSfC required that a higher bar be set for security capabilities within a commercial product, and the old EAL scheme didn't have the necessary requirements called out as mandatory – things like cryptographic entropy and required cipher suites, for example.  Any vendor who has completed an older EAL-style Common Criteria evaluation will have to repeat the evaluation under a Protection Profile in order to meet eligibility requirements for CSfC.

That leads into my final point.  Aruba is now the first and (at the time of this writing) only vendor listed on the CSfC approved components list ( to have completed the required Common Criteria evaluation in the WLAN category.  You'll see a number of vendors and products on that list, but all of them are there because of participation in one or more prototypes/pilots where the products were examined directly by NSA.  Vendors who were part of a prototype have a clock ticking – they must complete the required Common Criteria evaluation within a specific number of months, or they will be removed from the list.  With Aruba now having completed an evaluation under the Wireless LAN Access System PP, our products listed under the WLAN Access System category are now "legit" and no longer have that clock ticking away (the clock is still ticking for us in the IPsec VPN Gateway category – that's the third evaluation we have going on right now).  It has taken a lot of time and effort to get here, and as much as we love doing Common Criteria evaluations, I have to say I'm glad it's over.  Of course, we don't want (or expect) to remain the only fully-compliant vendor on that list – to do so would undermine the vendor diversity goals of CSfC.  Still, I think being first says a lot about our commitment to the public sector customer base.

Read the first part of the blog FIPS... Common Criteria. What Does It All Mean?