Introducing Fixed-Time Cybersecurity Evaluation Methodology for ICT Products (FITCEM/prEN 17640)

The fifth Insights webinar took place at 12:00-13:00 CEST on 22 July 2021 on the topic ‘Introducing Fixed-Time Cybersecurity Evaluation Methodology for ICT Products (FITCEM/prEN 17640)’ and was presented by Dr Helge Kreutzmann from the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI).

A recording of the webinar itself is below. Dr Kreutzmann’s presentation is available for download.

About the webinar

To perform a security evaluation, a sound methodology is required to ensure comparable and consistent results. While long-standing standards like Common Criteria have such methodologies, popular alternatives in the fixed-time or lightweight domain currently lack an agreed-upon (European) methodology. To fill this need, CEN/CENELEC JTC 13 WG3 launched the development of such a methodology, for which the speaker is the main editor.

The talk gave a brief overview of the necessity and history of the methodology. Afterwards, the agreed design principles and the structure were presented and certain evaluation tasks were highlighted. The third part discussed how this evaluation methodology fits into one (or possibly more) cybersecurity certification schemes under the Cybersecurity Act (CSA) of the European Union; this part included a brief introduction to the CSA. The final part was devoted to open questions and unresolved (or postponed) issues.

About the speaker

Helge Kreutzmann received a PhD in physics before joining the Federal Office for Information Security in 2005. He started by working on the accreditation of laboratories for the German certification scheme and on setting up the auditor certification for IT-Grundschutz. He was involved in several certification and accreditation requirement specifications at the national level. Since 2019 he has been in charge of setting up the German fixed-time certification scheme (also known as the “lightweight” scheme) BSZ (“Accelerated Security Certification”).

Helge is and has been active in numerous national, European and international standardisation organisations such as DIN, CEN/CENELEC JTC 13 WG3 and ISO/IEC JTC 1 WG1, WG3 and WG5, and has led numerous projects as editor through to publication. Currently he is leading (amongst others) the work on FIT CEM, an evaluation methodology for fixed-time cybersecurity evaluation. He was also involved in the development of drafts for several candidate schemes under the European Cybersecurity Act (CSA).