2
min reading time
IT vendors often use the Common Criteria (CC) framework for providing clients assurance that their products comply to international standards for information security. To verify claims that a product complies to CC standards, you need to submit your product to evaluation through a testing laboratory.
Choosing a testing laboratory is an essential part of CC compliance. It is also a challenging process as the lab that you choose may impact whether or in how much time you gain the CC certificate for your product. Here are a few questions to ask yourself when choosing your common criteria evaluation and testing laboratory:
What is the lab’s track record of successful evaluations?
As the evaluation process is time-consuming, you should ensure that the lab you choose has a long record of successful evaluations. A successful evaluation is completed on time and on budget. It should also result in the desired CC certificate for your product. Choosing a lab with only a few evaluations may increase the risk of delays, keeping you from releasing your product on time.
Does the laboratory help evaluate different CC schemes?
Depending on the markets you plan to reach with your product, you may need to obtain multiple certificates. For example, you may require evaluations for CC certification through the US via NIAP CCEVS or in Europe via SOGIS member schemes. The right testing laboratory should have the qualifications to pursue the certifications that you require.
Does the laboratory have experience with similar technologies?
If a testing laboratory specializes in a certain product sector,, they may not have the knowledge needed for evaluating IT security-related products. Always inquire about past evaluations and determine whether the laboratory has experience evaluating products in an efficient way.
Does the laboratory offer suggestions for improving products?
The best evaluation laboratories go beyond basic cybersecurity testing. They provide detailed reports of their evaluations’ findings and help identify potential issues with your product. This may include issues that impact performance or user experience. The lab that you work with should also provide copies of their evaluation reports. Your designers or developers may require the insight provided by the report to address any weaknesses. Choosing a laboratory which provides readiness assessment services and consultancy is always a good choice.
What accreditation and credentials does the laboratory possess?
After asking these questions, you should inquire about the laboratory’s accreditation and credentials. Find out if they are accredited to complete CC evaluations that meet domestic and international standards. As with any service, we recommend that you compare options before choosing a testing laboratory. Remember to inquire about the experience of the lab and their ability to pursue the certifications that you require.
You can check CCLab’s accreditations and client references at www.cclab.com
CCLab has great experience with 20+ successful CC evaluation projects delivering some of them within 4 months.
Entering the European market you may need a laboratory like CCLab which is accredited under the Italian scheme (OCSI) and has qualified evaluators working under the German scheme (BSI) as well.
To avoid the top 5 Common Criteria Evaluation mistakes please check the following video:
This downloadable infographics introduces the Common Criteria Evaluation process to you. Explore now for free.
Learn everything you need to know for a successful Common Criteria certification project. Save costs and efforts with your checklist.
Read and learn more about the Radio Equipment Directive (RED), download our free material now.
The EUCC scheme, spearheaded by the European Union Agency for Cybersecurity (ENISA), was released in early 2024. It builds on the SOG-IS Common Criteria evaluation framework already used by 17 EU Member States.
7
min reading time
ICT (Information and Communication Technology) products, encompassing a wide range of digital devices and software, are inherently vulnerable due to their complexity and the ever-present potential for undiscovered security flaws. The interconnected nature of these products further amplifies the risk, as a single vulnerability can lead to widespread security breaches across networks and systems. To mitigate these risks, the strategic integration of cybersecurity certification requirements in ICT products has become paramount.
8
min reading time
The new Common Criteria Scheme, called the European Cybersecurity Certification Scheme (EUCC), is essential for harmonizing high-security cybersecurity certification of ICT products across EU member states. It facilitates mutual recognition of certifications, supports innovation, and ensures compliance with legal requirements. Fully effective from February 2025, the EUCC aims to provide a unified and robust framework for evaluating IT products, boosting consumer trust, and fostering a more secure digital environment.
10
min reading time