Understanding Common Criteria and the Future of Cybersecurity Certification

In the ever-evolving cybersecurity landscape, staying informed about international standards and certifications is crucial. The Common Criteria (CC), also known as ISO/IEC 15408, is a globally recognized framework for the independent and scalable security assessment of information technology (IT) products. 

Here's why you should delve into the details of this certification:

1. Rigorous Security Assessment: Common Criteria provides a structured evaluation process for IT systems or products, ensuring they meet predefined security requirements. The certification involves a third-party evaluation, prohibiting self-assessment and guaranteeing a standardized and thorough evaluation.

2. Global Standardization: CC is not just an industry-specific certification but an international standard used to validate the security of IT products. Its widespread recognition makes it an essential benchmark for demonstrating a product's trustworthiness.

3. Evolution from Previous Standards: Common Criteria has evolved from the collaboration of six countries, building upon existing standards such as Canada's CTCPEC, the U.S.'s TCSEC, and Europe's ITSEC. Its roots trace back to 1994, showcasing its long-standing relevance.

4. Rise of Cyber Threats: The surge in cyber threats necessitates collaborative efforts among countries to establish standards and practices that mitigate vulnerabilities globally. CC is a prime example of such collaboration, addressing the need for standardized cybersecurity requirements.

5. EU Cybersecurity Certification (EUCC): The future of Common Criteria involves the EU Cybersecurity Certification (EUCC) scheme, succeeding existing national CC schemes in Europe. This new scheme combines CC methodologies with innovative concepts, enhancing compliance monitoring, vulnerability information visibility, and customer assistance.

6. Key Elements of Common Criteria: Understanding elements such as the Target of Evaluation, Protection Profile, Security Target, Security Assurance Requirements, and Security Functional Requirements provides insight into the depth and scope of CC evaluations.

7. Evaluation Assurance Levels (EAL): CC employs seven EALs, each representing the depth and rigor of an evaluation. From EAL1 (Functionally Tested) to EAL7 (Formally Verified Design and Tested), these levels ensure a comprehensive assessment.

8. Business Benefits: Obtaining Common Criteria certification brings several advantages. It not only identifies and addresses security risks early in the development process but also enhances market competitiveness. Many sectors, especially the government, often require CC certification for procurement.

9. Future-reidentifies and addresses security risks early in the development process address: As technology advances, certifications like Common Criteria play a pivotal role in ensuring that IT products adhere to robust security standards. Staying abreast of such certifications is vital for businesses aiming to navigate the evolving cybersecurity landscape successfully.

Delving into the intricacies of Common Criteria offers valuable insights into global cybersecurity standards and the evolving landscape of certification. Whether you are a developer, evaluator, or part of a certification authority, understanding Common Criteria is a strategic move toward ensuring the security and trustworthiness of IT products in an interconnected world.

To get to know more about CC, read our most popular blog post here: Common Criteria: can this article give you an answer to all of your questions?

What’s New on EUCC?

The European Commission has initiated a public consultation on the draft implementing regulation that establishes the European Common Criteria-based cybersecurity certification scheme (EUCC) for information and communication technologies (ICT) products. This move, announced on October 3, 2023, falls under the EU Cybersecurity Act.

The proposed EUCC scheme relies on third-party evaluation, explicitly prohibiting self-assessment. It introduces seven Evaluation Assurance Levels (EAL), aligning with established international standards. The framework is built upon security functional and assurance requirements outlined in the Common Criteria for ICT Security Evaluation (ISO/IEC 15408). It follows the Common Methodology for ICT Evaluation (ISO/IEC 18045). Utilizing the Common Criteria's vulnerability assessment family AVA_VAN, the EUCC assesses the level of a product's resistance against potential vulnerabilities.

The EUCC certification includes a mark and label for certified ICT products, serving as indicators of trustworthiness and aiding users in making informed choices. Certificates will be valid for a maximum of five years unless extended by a national cybersecurity certification authority.

This scheme enables the certification of ICT products against their security targets, defined by applicants or incorporating a certified protection profile. Two types of conformity assessment bodies are introduced: IT Security Evaluation Facilities (ITSEF) for testing, and certification bodies for certification and inspection activities. Specific requirements for these bodies, including accreditation and competence management, are detailed in the EUCC scheme.

The public consultation period was open until October 31, 2023, with the final regulation expected in Q4 2023 and planned to become applicable 12 months after it enters into force. Once applicable, national cybersecurity certification schemes and related procedures covered by the EUCC will cease to have effect, specifically, those applying evaluation standards covered by the Common Criteria. The received feedback and the draft of the Commission Implementing Regulation is available on the European Commission's website. Stay up-to-date follow the latest news on the CCLab website, and find out immediately the latest news concerning the EUCC.

Are you preparing for your first Common Criteria evaluation?

Would you like to do the next CC project more efficiently? This training course is made for you.

This educational material package is for Software Developers to maximize the efficiency of the preparation for their product's CC evaluation. How can CCGuide make your life easier?

Download this guide and learn more!

Common Criteria 2023: A Year of Record Certifications and Shifting Trends

The Common Criteria (CC) landscape witnessed significant developments in 2023, making it a standout year in the last five. This article delves into the statistics and trends that shaped the CC certifications, shedding light on the dynamic nature of the industry.

In the period leading up to September 29, 2023, a total of 310 products received CC certification. The quarterly breakdown illustrates a consistent upward trend, with Q1 boasting 106 certifications, Q2 with 117, and Q3 with 87.

The top 10 certifier schemes highlighted the global nature of CC certifications, with France and the Netherlands leading at 58 certifications each, closely followed by the United States with 57. Germany, Canada, Japan, Spain, Sweden, Italy, and South Korea also contributed significantly to the certifications.

Assurance levels varied, with EAL4 being the most prevalent at 23.87%, followed by EAL5 at 18.81%. Protection Profiles (PP) compliance accounted for a substantial 36.77%. The use of EAL6 was notable at 9.03%, while EAL1 had a minimal representation at 0.65%.

ICs, smart cards, and smart card-related devices and systems dominated the certifications at 34%, emphasizing the critical role of these technologies. Other notable categories included network-related devices and systems, multi-function devices, and data protection solutions.

Examining the trend over the past five years, 2023 marked a robust performance, potentially making it the best year in this period. The forecasted 413 certifications suggest sustained growth.

CCLab successfully concluded 10 CC evaluation projects during 2023, although some of these certificates will be issued later, by the end of this year. We are proud to be working with clients like NXP, ID&Trust, Ascertia, Qumulo, Ivanti, Versa, and more to get their products certified.

In conclusion, 2023 has proven to be a formidable year for CC certifications, with high assurance levels and a significant reliance on Protection Profiles. The industry is on the brink of change, with the looming impact of CCv3.1 R5 and the migration of PPs to CC2022.

Looking ahead, the European Union Common Criteria (EUCC) is expected to bring transformative changes, potentially reshaping the certification landscape in Europe. Vendors may adjust their certification roadmaps, and the industry will be closely watching the reactions from the American and Asian CC markets.

As the CC industry navigates through these changes, 2023 stands out as a pivotal year, setting the stage for a future marked by evolving technologies and shifting certification paradigms.

Read the Common Criteria annual reports from 2020, 2021, and 2022. as well.

‍

Learn more about the Common Criteria evaluation, meet our professionals, and listen to useful advice from industry experts.

CCLab always puts great emphasis on having the most up-to-date knowledge in the field of cybersecurity. We wanted to share the knowledge and suggestions gathered over more than 10 years when we decided to hold professional workshops on CC. In addition to our own experts, we have also invited many excellent industry professionals to share their knowledge at our workshops.

The workshops were very popular, so we made them available on-demand so it can be viewed at any time.

‍

                                                         Common Criteria on-demand webinar Part 1.

‍

‍

                                                          Common Criteria on-demand webinar Part 2.