Hi, everyone. As you can see, I'm Eroslav Desnik. If you don't know me, I'm working at Red Hat in the Product Security Compliance and Risk Team. That's our way to try to concentrate everyone who's doing anything with compliance, especially related to security, into one bigger team, so we can talk, cooperate and so on. And what I do, I cover the government certifications. So I will explain to you what government certifications are about, but I will also talk a little bit about the commercial certifications and other stuff. You can see I call this talk "from security to compliance and back". I will explain why, because one thing I will try to answer is if compliance really leads to better security, and if you have this security and you are compliant, if you are good or not. So I will try to answer this question and you will see later.

I had a very similar talk, I think two weeks ago, and after the talk I was told that it's a pretty depressive topic. So if you have sugar, Snickers, whatever, just pump some sugar into your brain, because it might be a depressive thing, and that's my life. So I'm trying to hide all my gray hair under the cap, because compliance is not easy, and you will see it's not easy.

Yeah, so what we will talk about: the first thing is, I will try to explain what compliance is, and not only what it is but why we are doing it, because it's an important thing to answer. We will talk a little bit about commercial certifications, more about the government certifications because that's where I live, and then we can stay here for... I was told this is the last talk today, so we can stay here by, I don't know, 10 a.m., sorry, 10 p.m., and people have enough to talk about.
Then we are in the EU, so there is some new regulation coming in the European Union, so I will touch on that thing too. And especially, this is a developers conference, so I expect people are more like this, looking into the practice, how to do things, over the theory. So I will try to give you some overview. Okay, more people are coming, welcome. So I will try to give you more of these hints and tips, what to do, how to do things. I think I have done this for eight years now, so I believe I have a pretty good understanding of what needs to be done. And then at the end I will try to answer this question: does compliance lead to better security or not? That's the question.

Okay, so first, why do we do compliance, why do we try to comply with some standard? It's in the word, we need to comply with some standard. There are different ways how you can look at this. You might be forced by your customers, because customers want to see the stamps you have, and if you have more stamps, then it's kind of a competitive advantage over your competition, because you have more stamps. There might be legal reasons, especially recently: you can see there are a lot of supply chain attacks, vulnerabilities, hacks, whatever, data breaches. The regulation is getting stricter and stricter, not only in Europe, not only in the US, everywhere. So there are executive orders by the White House for supply chain attacks, and so compliance is becoming not only nice to have, to be able to compete with your competition, but basically a legal requirement. In the past, it was okay to waive it, like, hey, do you have FIPS? We don't have FIPS yet. Okay, we want to use your product, we will waive it.
Now, it's almost impossible, because everyone cares about compliance and everyone will check that you comply with the standards that are required for procurement, and you will not get on the list, for example the government list, this is the software you can buy. If you don't have the right standards, the right certificates, you will not even get on the list, and the customers, especially the government customers, will never, ever consider that they can buy anything from you. So it's important. And of course, as I said, more stamps is like having more Pokemons. I once received an email from a product manager, and he said, please do it like playing Pokemon, give us as many stamps as possible. So yes, I'm trying to collect Pokemons. These are my Pokemons.

Okay, so then you have these different certifications. You can take a look at certifications from different angles. One way you can split it is into these commercial certifications. I will talk a little bit more about these, like ISO 27000, SOC, PCI DSS and other things. Then you have the government security certifications. So we will talk about Common Criteria. We will talk about FIPS. We will touch briefly on FedRAMP. Then, of course, it's not only about security, but you have the other compliance work. Again, we will show something like VPAT, USGv6, maybe more. Then, of course, you can take a look at this not only as commercial versus government certifications, but also as service or process certifications compared to product certifications, where you certify a product. Sometimes it's kind of combined. I will tell you more about this with FedRAMP, because to have FedRAMP, you need to have FIPS.
So even if FedRAMP is more of a service-oriented certification, or even not a certification but an audit, then you need to have these product certifications underlying that deployment. So this is for different certifications.

And yeah, the talk subtitle was "global overview". As I said, compliance is now required everywhere. So these are just a few countries. I would probably be able to fill this map with all the different acronyms. So for example, in the US or North America, it's usually FIPS, CC, FedRAMP. Australia, there's IRAP and other regulations. In the EU, we will talk more about this with EUCC, the Cybersecurity Act, the Cyber Resilience Act. I could probably also put Asia, with South Korea, I know they do CC a lot, and everywhere. So the map will get fuller and fuller over time. And of course, you can imagine that if the EU is going to do something different from the US, do you have to do both? Yes, you probably have to do both. Then Asia: hey, we have our own standard, you have to do it too. That's very common, that these standards conflict in many ways. So it's going to be interesting, and it's becoming worse than ever.

So let's quickly touch on these commercial certifications. I'm not an expert in these commercial certifications, but one of the biggest things recently is the ISO 27000 family. So there are several standards: 27001, 27017, 27018. So it's basically an international standard to manage information security. That's the original 27001. And the 17 and 18 actually add something more to this. So it's more about the cloud service providers, and the 18 adds the privacy and data privacy management to the cloud. So it's pretty common, almost everywhere.
Even here in the Czech Republic, there are several companies who can do the ISO 27000 for you. So this is one of the big commercial ones, and it's not a product certification, it's more of a service slash process certification. Then SOC, the Service Organization Control. So this is a voluntary one again, more commercial, by the American Institute of Certified Public Accountants. And there are five areas this SOC is looking into: security, availability, processing integrity, confidentiality and privacy. So these are the five major areas, with more details. As I said, I'm not the commercial guy, so if you would like to know more about these certifications, please reach out to me and I can connect you to the right people who have more understanding of this kind of certification.

But I will move to my realm, so you can see I'm now smiling, because it's what I know. And as I said, I can talk about this for weeks and it will not be enough, because it's pretty difficult to pick. So I will start with Common Criteria. I really like this one because it's called common. It should be, as there was this global map, like, yeah, we have Common Criteria certifications, so it means it's going to be common. No, it's not common at all. The US is doing something, Europe is doing something, different requirements, mutual recognition, there are some issues and so on. So basically Common Criteria should be that international standard, the big one, as a framework for computer security certifications. We are already facing some division in this Common Criteria thing.
So I personally call Common Criteria split criteria, because one place where the split is, there are so-called two ways how to do these certifications. One is the EAL, the evaluation assurance level, with a custom security target, and there's also the so-called protection profile-based Common Criteria evaluation. What does it mean? As you can see, these are SFRs and SARs, the security functional requirements. So basically for this evaluation assurance level, you take these functional requirements. It's like: these ciphers are used, TLS is used in this way, secure boot exists and is tested, whatever. So these are the SFRs. The SARs are the assurance that, for example, you follow the processes, that nobody can go with your badge, get into your building, swipe it, get into the building, do some coding, commit it, and then you release it. So basically the EAL is this custom security target, where you try to pick from a big database of these SFRs and try to do something that's meaningful based on, let's say, the threat model, some assumptions how this could be affected and so on. So you build your own EAL certificate, security target. I will show you a security target later.

But the protection profile way does it a different way. It's basically a template from these SFRs, for example for operating systems. And there is a big list of these SFRs with the actual testing, how these should be tested. And you have to follow it strictly. That means in this EAL, if you realize that you don't make one of these SFRs, if it's not something that would probably make the government angry, you just remove it. We don't care about it. It's probably not that secure.
So just remove it. With a protection profile, you need to make it a 100% pass of what's in the protection profile and what needs to be tested. Basically what you can do, for example, we do certifications with NIAP. That's in the USA. NIAP only recognizes the protection profile certification. So if there is, for example, for an operating system, there is a protection profile. But for some other, let's say you have containers, there is no containers protection profile. So the only option is to go to Europe, and in Europe we still do EAL. Or the other option is, there is even a virtualization protection profile, but if you don't fulfill it, you go to Europe. And Europe is going to be, okay, yes, don't worry, we can get you a stamp, even if you don't have everything from the protection profile.

Then there are two main documents. The main document is the security target, which actually lists how your product fulfills these requirements. I will show you later how this looks. And then the important thing is the single target of evaluation. That's basically, you can't certify everything. You need to make that target of evaluation as small as possible, because then it's easier to pass the evaluation. For example, a nice example is, one friend told me about one CC certification where it's about a webcam, some kind of remote webcam. And the target of evaluation is like, yes, the webcam is part of the target of evaluation, but it can't be connected to the internet. It's easier to certify something that's not connected to the internet, but if it's a webcam, is it useful? I don't think so. So basically, what are you doing, what do you do in this testing? There's a lot of documentation that has to be written. And basically this is how Common Criteria works.
If you want to do Common Criteria, first, you are the vendor. You need to hire an accredited lab. That's some company that's accredited by the government so that they can do the testing. And then after they finish the testing and the documentation, they send it to the certification authority. From these labs, we can hire atsec, you can hire Intertek, Acumen, Lightship. These are all labs we work with, and Gossamer. Then you have different national schemes. So that means NIAP, the BSI in Germany, I have a nice story about this one later, OCSI in Italy. And there is this plan to make this obsolete to some extent and have just one big European scheme. If it will happen, I don't know.

Then another funny thing I told you about, I call this certification split criteria. There is the Common Criteria Recognition Agreement. So you can see these are the certificate authorizing members and the certificate consuming members. These countries try to recognize these certificates, so you don't have to do it in every single country. Of course, there are buts. Different countries have different requirements on what requirements they have. And also this CCRA is now very limited. I told you about this EAL. So EAL has seven levels. But now you can do, for example, EAL4 plus flaw remediation, and you want it recognized by another country. No, it won't be recognized, because the EAL4 will be, for example, recognized in Germany, but in any other country it will be recognized up to EAL level two. So it basically doesn't matter if you do this higher assurance level, because it's not going to be recognized internationally.
And trust me, you don't want to do anything that's above EAL2, because EAL4 means someone will come to your site and they'll be doing this audit, like I told you about the badges. Then they hear, okay, so you have another office? Yeah, we want to visit that other office. Yeah, you have servers in another server room. Yeah, we want to see that physical server you ship your software from. So then you can have, I don't know, five site visits everywhere, especially for companies like Red Hat. We are a global company, we have offices everywhere. And then they realize, okay, you have remote people? They are working from home. It's like, no, you can't visit anyone at home, it's impossible. So this happens.

And I can show you where you can find more information. So let's try this way. Yeah, so there is commoncriteriaportal.org. It's the standard government kind of website. It should be redesigned soon. And basically, if you are interested in certified products, just go to the Common Criteria portal and you can see it's split into categories. So for example, let's go to operating systems, and you will see that there are different operating systems certified. But for us, we do NIAP. I told you, you need to be on some list. For NIAP, for the US, it's called the Product Compliant List. If you are not on this list, you have bad luck. So make sure you will get there. And basically, this is the same one, just for the US. You can see, for example, RHEL 8.2. If you click on it, you will see the certificate, the security target, that's the document I told you about. An interesting document is this administrative guide that actually explains how you should configure your product to be in the evaluated configuration.
So it's the target of evaluation. Again, everyone tries to limit this to the smallest footprint and do some additional hardening and so on. So this is how CC looks. And let's continue.

Now, yeah, I can see a lot of FIPS people in this room. So there's another standard. It's called FIPS 140-2, now it's 140-3. So it's Federal Information Processing Standard Publication 140. Now we have the 140-3 version, it's pretty recent. Formally, it's a North American standard, but it now has the ISO. So they try to make it an ISO standard. Trust me, it was so difficult to get this ISO standard as a PDF copy. It took us several months to get a copy. It was probably better when it wasn't an ISO standard at all. And this is all about the validation of cryptography. So basically you validate, these are called cryptographic modules, through this Cryptographic Module Validation Program. It's under NIST. It's like a US metrology institute kind of thing. I was at one talk, and the person at the talk said, hey, we are NIST, we know how to measure steel. We are the guys who measure steel. And then someone came to us and told us, hey, you need to measure software. So they are fighting over what they should do and how they should do things. And basically what you certify is not a product as such, but you certify the cryptographic primitives or cipher suites that are in that, for example, library, or some hardware module like a YubiKey, whatever it is.

Jump to this. One of the things is that FIPS is slow. It's challenging because of many requirements. It could be difficult on both the engineering side and the financial side. So it's definitely not cheap from the investment perspective. Just to give you an idea how slow FIPS 140-3 is: so in the past, I think since mid-June,
so in these almost six months, NIST was able to issue only one FIPS 140-3 certificate. And they have another 146 in the queue. So basically I believe I will retire before we receive all the certificates we need. So that's one of the challenges there. Then there is a document called the security policy that basically explains how you should use that module in the compliant way. That means what API you need to use, what algorithms are actually approved and tested. And in Red Hat, we validate five cryptographic modules. That means OpenSSL, NSS, Kernel Crypto API, GnuTLS and libgcrypt. And we try to revalidate often. We tried in the past to do it with every minor release. But then, as I told you, it could take one year to receive that certificate, and the lifecycle of the minor release is six months. It doesn't make much sense to spend money on that. And I will tell you more about how slow this thing is, but I have a special offering for you. So if you want a fast FIPS certificate, talk to me and I can give you a certificate within a few weeks. I can.

And now let's jump to something that builds on top of it. You can see that we are adding things. There is this big thing for basically any cloud deployment or cloud service in the US: FedRAMP. FedRAMP is a must, the US government will not talk to you and will not buy your cloud service without having FedRAMP. It's the Federal Risk and Authorization Management Program. So it's the US government program to provide a standardized approach to security assessment, authorization and continuous monitoring, that's a big part of it, of cloud products and services. That's basically FedRAMP. There are several levels. You can have it tailored, you can have FedRAMP medium and FedRAMP high.
Basically, my understanding is, if you don't have high, it's useless to some extent, because everyone wants the highest security. It's always nice to have the highest security. Then there are two ways how to do it. One is the agency ATO. That means you will find some US government agency and they will be willing to go through this process with you. Basically, in the end, it's going to be approved for use in this agency. And if some other US government agency would like to use your product, they would need to do their own assessment on top of what this other agency did for you. Then you have the other, JAB route. It's the Joint Authorization Board. If this JAB approves your FedRAMP, then any agency can use it. So it's basically a way better way to go through this, on JAB, but it's more difficult, it takes more time. And so usually what people do, they start with some agency, they try to get the process running, get ready, get the agency authorization, and then they go for the JAB. Instead of a lab, these companies who do it for you are called 3PAO. It sounds like from Star Wars. It's not C-3PO, but for whatever reason they liked it. And this is the important part. As I said, we are building things on top of each other. FIPS is the requirement. It kind of makes sense: we have a standard for cryptography in the US government, so we should use it. And so, forcing you to do something else that might be again in conflict with...

I will just quickly scan through these other certifications. One is the VPAT. It's for accessibility, mandated through Section 508 of the Rehabilitation Act in the US.
There is an international version, and it's based on the WCAG 2.0 standard. Then another thing is USGv6. It's the testing that your network device or OS, whatever it is, is compliant with IPv6. I believe actually our Czech government also asks for IPv6 support, but nobody tests it. In the US, yes, they do. You need a stamp: yes, my product works in IPv6. And now I talked to the lab and they told me, hey, we have actually a new test. Now there is a test that it works for real in an IPv6-only network. So it's going to be fun.

What to expect in the EU? Yeah, I have a question. Who likes open source in this room? Not that many hands as I expected. I'm surprised, I'm leaving. Yeah, so what's going to happen in Europe? No open source, no more. Sorry. These are just some newspaper titles I was able to get from the last two months. This is "Python Foundation warns EU the Cyber Resilience Act, it'll sink open source." Yeah, so what's going on in Europe? There are two main things. One is the EU Cybersecurity Act. Under this act is EUCC, that should be the one standardized scheme for Common Criteria in Europe. The EUCS is for cloud services. So basically the EU is building on Common Criteria based schemes. The EUCC is almost approved. The EUCS is not yet approved. There was this private draft, it leaked, and after it leaked it caused a lot of fuss in the cloud service providers community. So we will see how this will work. But this EU Cyber Resilience Act, I really like this subtitle: the road to hell is paved with good intentions. It actually makes perfect sense that what we use in Europe, whatever it is, hardware, network hardware, device, whatever it is, software, is resilient to cybersecurity attacks.
But the main problem here is that it puts too much liability on especially open source projects, and how it could threaten open source projects is that there is an exemption for non-commercial activities. So you can say, yes, open source, it's non-commercial. But even any of these foundations, like the Python Software Foundation, they always need to get some money. So the question is, is it exempt or not? So for example, the Python Software Foundation, they say that they might turn off the PyPI repositories in Europe, because they can be accountable for what's in these repositories. They can be fined. Even at some point, at some conference, I've seen that if you don't like your CEO, make a big security breach in your product and he will go to jail. That's one of the proposals. Well, you'll see. So Europe is going to be interesting. If you read about it, if you are an open source enthusiast, talk to your MEPs, your favorite MEPs, and explain to them that this can't pass in this way, because it would threaten open source.

Yeah, so we are likely over time now. So I will quickly show you this, this is the timeline, and we are the last talk. So this is how long it can take. You can see that it could be a year, two years, three years. So basically all the work that you need to do. One interesting thing about NIAP is they are super strict. You need to finish within 180 days. If you don't finish within 180 days, you fail certification. Okay.

So yeah, just one last slide before we go to Q&A, these are the tips I promised you. One thing is, get ready, be prepared, but expect the unexpected. At any time, some change in the standard can come. There are pretty frequent standard changes.
The standards are strict, but often very subjective to who reads them. So one person can read it one way, another person another way. So that's one big thing, and of course, vulnerabilities. All these standards hate vulnerabilities in the process. For example, for CC and NIAP CC, there is a rule that there can't be any known vulnerability at the time the product receives the certificate. This is impossible. There's always some vulnerability somewhere. So yes, and in the window of 30 days, it's almost impossible to make it. Maybe one last tip, and I like this one: be honest with your lab, with the government. It's usually nice. So one of the replies I got recently, when I explained something to one government guy, he was like, instead, many vendors are acting like embarrassed teenagers trying to pretend they don't have acne by not talking about it. So be transparent, but also be careful, because sometimes you don't want to disclose too much.

And yeah, so for the answer, does compliance lead to better security? There's no clear answer. It gives you a better culture. It adds complexity, so it could actually cause additional issues. And if you have time, I will show you this research by Masaryk University. I can see one guy from Masaryk University here and we can talk about it later. So are certifications useful? Yes. Should you have it? Yes. But be careful, it can take time and it can be expensive. So that's all I have. Any questions?

Do you know the European certification? So you know if it would be process based or...?

Okay, so the question is, for Europe, is it going to be process based or more checklist based? It's Europe. So I expect it's going to be more on the process side, because Europe likes processes. So yeah, the US version is more like this checklist: you need to test this, this, this. If you pass, you are okay. In Europe, they will be more interested in going through this checklist.
Usually for every certification, you need to have some periodic certification. But the validity of certificates could be, for example, NIAP is two years. FIPS is five years, BSI is five years. So it depends country by country. Okay, any other question?

The Common Criteria certification, do they use the configuration described in the security target or not?

Okay, so the question is, if customers require the Common Criteria certification, will they use it how it's described, how they should use that product? It depends. There are customers who care only about, or maybe not customers, people who care about the stamp. So if it has the stamp, you can sell to the government and the government might be okay with just that stamp. There are customers who will read that security target, security policy, letter by letter. And if something is not what they like, they will tell you, no, it's not enough for us. Especially this question is when, for example, you have this certificate on a version that has CVEs. Exactly. So I have to respond to them that they should use that certified version, with that remark, but you should be secure. So there is, yeah, I can answer you, because it really depends. Yeah, you have to recertify, but again, it takes several months. There will be other CVEs. So I can see no more questions. So yeah, thank you for listening.