CC2022: What to Expect from The New Update

In cybersecurity, the Common Criteria (CC) is a cornerstone that provides a standardized framework for evaluating the security capabilities of eligible IT products. It is a vital tool for manufacturers seeking to assess the effectiveness and reliability of security solutions in the face of evolving threats.  However, as technology advances at an unprecedented pace, the challenges faced by IT security professionals continue to grow. The new version of the CC (CC:2022 Revision 1) was published in November 2022. 

However, implementing the changes is not easy. Therefore, a transition period allows the CBs, Testing Laboratories, Developers, and other stakeholders of the CC process to prepare for the new requirements accompanying the change.  With the unveiling of CC2022, the latest iteration of the Common Criteria, the landscape of security evaluation and certification undergoes a significant evolution. 

CC2022, the newest update to the Common Criteria framework, is more than just a mere upgrade; it's a response to the ever-changing threat landscape and the growing complexity of modern IT systems. With cybercriminals constantly devising new tactics and exploiting vulnerabilities, CC2022 is a necessary evolution to keep pace with these challenges. 

The Need For an Updated Version of CC: CC2022

One of the key drivers behind the development of CC2022 is the recognition that the previous version, while effective in its time, may have had limitations or areas that needed to be fully addressed. 

These shortcomings could range from outdated evaluation methodologies to gaps in coverage for emerging technologies. The new version aims to rectify these issues by providing a more comprehensive and adaptable security evaluation framework, following EUCC, the new cybersecurity scheme.

By leveraging cutting-edge techniques and methodologies, CC2022 ensures that certified IT products meet the highest security and reliability standards. It also serves as a valuable resource for publications for Common Criteria, aiding stakeholders in staying informed about the latest industry standards and guidelines.

The New Update For Common Criteria

The new update represents a commitment to advancing IT security assessment standards and addressing modern cyber threats' complexities.

CC2022 introduces a host of enhancements designed to bolster the effectiveness and relevance of the Common Criteria framework. Among its key features is a revamped evaluation methodology that places greater emphasis on real-world security scenarios. Unlike its predecessor, CC Version 3.1 Revision 5, the new version ensures that certified IT products undergo even more rigorous testing during the main steps of Common Criteria evaluation to demonstrate their efficacy in practical environments

1. Enhanced Evaluation Methodology

In cybersecurity, the efficacy of evaluation methodologies is vital in ensuring the robustness and resilience of IT products against evolving threats. CC2022 introduces a revamped evaluation methodology and embraces a more dynamic and adaptive approach to security assessment. 

2. Adapting to Real-World Scenarios

CC2022's enhanced evaluation methodology is tailored to address the ever-evolving landscape of cybersecurity challenges. This approach enhances the certification process's credibility and gives end-users greater confidence in the security posture of certified products.

3. Empowering Vendors and Ensuring End-User Confidence

Ultimately, CC2022's enhanced evaluation methodology is designed to empower vendors and ensure end-user confidence in the security of certified products. It enables vendors to demonstrate the efficacy of their products in mitigating actual threats while also providing end-users with timely access to certified products that meet the highest security standards.

Keep up with the latest news in IT security by reading our blog. We regularly update it with insightful articles like this one.

A Comparison between CC2022 and CC v3.1 R5

CC v3.1, long esteemed as the bedrock of IT security evaluation, has provided a sturdy framework for assessing the security posture of IT products. Comprising three core components—Introduction and general model, Security functional requirements, and Security assurance requirements—CC v3.1 has set a high standard for security evaluation practices.

However, the arrival of CC2022 heralds a significant evolution in security evaluation methodology. While CC v3.1 laid a solid foundation, the new update builds upon it by introducing two additional components: "Framework for the specification of evaluation methods and activities" and "Pre-defined packages of security requirements.", of which the former introduces a whole new concept of evaluation methodologies and evaluation activities, while the latter might be familiar for the participants of Common Criteria evaluations, as the Security Assurance packages defined in CC Part 3 of the previous CC version received their own place in CC Part 5."

Ensuring Compatibility and Continuity

Despite these advancements, CC2022 remains committed to ensuring compatibility with previous versions.  

During the transition period, manufacturers can choose between CCv3.1R5 and CC:2022 R1 for evaluations starting before June 30th, 2024, providing flexibility to meet their specific needs. 

Enhanced Flexibility

Furthermore, CC2022's support for three types of conformance—Strict, Demonstrable, and Exact—provides evaluators and product vendors greater flexibility in demonstrating compliance with security requirements.

Exact conformance is used when a Protection Profile (PP) author needs to control what a Security Target may claim conformance to concerning the PP that they have written. It is used in cases where the PP author requires that STs that claim conformance to the PP do not include additional SPD, security objectives or requirements that have not been considered by the PP author.

Implications of CC2022

The ramifications of CC2022 extend far beyond mere procedural adjustments. They herald a profound shift in the IT security evaluation and certification approach, promising to significantly reshape the landscape. Let's delve deeper into these implications to better understand CC2022's transformative power.

Setting a New Benchmark for Security Standards

The updated version of CC raises the bar for security standards, ushering in an era where certified products are secure and demonstrably resilient in real-world scenarios. 

Enhancing the evaluation methodology ensures that certified IT products undergo rigorous testing, leaving no room for complacency or loopholes. This thorough approach instills greater confidence in end-users, assuring them that accredited products can withstand the ever-evolving threat.

Are you a manufacturer looking to navigate the changes introduced by CC2022? Our team of experts is here to help. Contact us today!

Cultivating Collaboration and Innovation

At the heart of CC2022 is a culture of collaboration that encourages stakeholders to come together to pursue a common goal: enhancing cybersecurity. It paves the way for innovation and knowledge-sharing within the industry by fostering greater stakeholder engagement. 

This collaborative ethos enhances the efficacy of security evaluations and fosters a sense of shared responsibility for cybersecurity. As stakeholders collaborate to address emerging threats, they contribute to developing more robust and adaptive security solutions.

Expanding the Reach of Certification

The streamlined certification process introduced by CC2022 is poised to democratize access to certification, making it more accessible to a broader range of vendors.

This leads to an expansion of the pool of certified IT products available to end-users, thereby enhancing the overall security posture of the digital ecosystem. With more certified products, end-users can be more confident that devices meet stringent security standards.

Important dates and timeline of transition

Starting of projects based on the old version:

CC v3.1 R5 is the last revision of version 3.1 and may optionally be used for evaluations of Products and Protection Profiles starting no later than June 30th, 2024. This means that until June 30th, 2024, the old version (3.1 R5) and the new version (CC2022 R1) can be simultaneously chosen for a new evaluation. Still, after June 30th, it is compulsory to use the new version.

Using PPs conformant to the old version:

Security Targets conformant to CC:2022 and based on Protection Profiles certified according to CC v3.1 will be accepted up to the 31st of December 2027. Developers can still use the PPs based on the old version until this date.

Re-evaluation/re-assessment based on the old version:

After the 30th of June 2024, re-evaluations and re-assessments based on CC v3.1 evaluations can be started for up to 2 years from the initial certification date.

PP or PP-configuration based on the old version:

Product certifications based on CC v3.1 R5 against a PP or PP configuration claiming exact conformance may be started until the 31st of December 2025. The PP authors must update the PP or PP configuration to CC:2022 as soon as possible, and any new or updated PPs or PP configurations published after 30 June 2024 must be based on CC:2022. 

The transition phase allows for upward and backward compatibility in re-evaluations, re-assessments, and maintenance procedures, but it has some rules. 

The table below illustrates these rules, but the main points are briefly: 

• The re-evaluation, re-assessment, or maintenance of a certified product based on CC v3.1 R5 may reuse ALC evaluation results based on CC:2022. (only if the evaluation is re-evaluation, maintenance, or re-assessment). 
• Product certifications based on CC:2022 may claim conformance to a Protection Profile based on CC v3.1.
• Platform certificates based on CC v3.1 R5 are allowed in a composite certification. (Only if the platform certificate does not use concepts introduced in CC:2022 (particularly multi-assurance or direct rationale) if not already established by Supporting Documents.) – This means that test laboratories can accept a platform certificate based on the old CC version if it does not use concepts that appear first in CC2022 R1. This does not apply to exact conformance, for example, because this concept appeared in the CCAddenda supporting document before CC2022 was published.

How will it affect manufacturers?

The new update introduces significant changes in IT security evaluation, albeit with minimal direct impact on most vendors and users of the Common Criteria. For them, operations will continue normally. 

However, the national certification schemes, labs, and technical communities must adapt to the new landscape. Despite the smooth sailing for many, there are nuances and adjustments to be aware of during the transition to the new version of CC. 

Essential Aspects to Consider

1. Assurance Maintenance

Maintaining assurance levels becomes pivotal under CC2022. Understanding the updated requirements and ensuring compliance is vital for continued certification.

2. Utilization of Old Protection Profiles with New Security Targets

The compatibility between old Protection Profiles (CC v3.1) and new Security Targets introduces complexities—strategies for seamless integration and compliance must be developed.

3. First Wave of Evaluations

Participating in the initial evaluations using the updated version requires careful planning and preparation. Early adopters must navigate potential challenges and ensure a smooth transition.

The official Transition Policy outlines the guidelines for this transition period, including deadlines and provisions for evaluations based on previous versions. 

For instance, Security Targets that adhere to CC2022 standards but are derived from Protection Profiles validated under CC v3.1 will be eligible for acceptance until December 31, 2027. This transition policy allows for a gradual update of Protection Profiles, ensuring practical adaptability. 

However, the Transition Policy presents complex guidance on managing this situation. Certification schemes' interpretation and implementation of this guidance will determine the true impact on the industry. It's a waiting game to see how these policies and practices unfold and influence the broader ecosystem of IT security evaluation.

Summary

While CC v3.1 laid the groundwork, CC2022 propels security evaluation into a new era, offering enhanced flexibility, precision, and compatibility to meet the evolving demands of the cybersecurity landscape. With its expanded framework, streamlined processes, and commitment to compatibility, the new update stands poised to drive advancements in IT security evaluation for years to come.

Independent and certified cybersecurity labs, like CClab offer assessment and advisory services to companies seeking Common Criteria evaluation certifications. By employing agile methodologies in the consultation and pre-evaluation stages, clients can adeptly address potential obstacles, avoid unexpected costs, and enhance the efficiency of the certification procedure.