9
min reading time
Common Criteria Certification is pivotal in ensuring that the products we rely on remain resilient in an ever-evolving realm of cyber threats. It represents a dynamic standard that adapts to address emerging challenges, thereby compelling IT devices and systems to sustain their effectiveness against evolving threats. But what are the requirements that need to be met in order for a product to be CC certified? This article delves into the intricacies of Security Functional and Assurance Requirements for CC certification, shedding light on the essential aspects that define its significance.
The Common Criteria (CC) certification stands as a beacon of trust in the realm of IT security. It is an internationally recognized set of guidelines (ISO 15408) meticulously assessing and certifying IT devices' security features and capabilities.
CC comprises two essential elements: The Evaluation Assurance Level (EAL) determines the depth and comprehensiveness of product testing. Security Functional Requirements (SFRs) detail the specific security functions and capabilities expected from the product to meet the defined security objectives.
At its core, CC certification methodology (CEM) provides a systematic framework for evaluating various products' security capabilities and assurance, including software, hardware, and complete systems.
As an internationally recognized standard, in a CC certification process the accredited testing laboratory assesses and the CB (certification body) certifies IT devices and systems' security features and capabilities. It serves as a symbol of trust in the realm of IT security.
At its core, CC certification provides a systematic framework for evaluating products' security capability and assurance. It examines crucial security aspects, such as access control, encryption, secure communication, and vulnerability management, ensuring compliance with stringent security requirements.
CC certification holds global recognition, fostering trust in the product's country of origin and worldwide. It is an independent assessment facilitating secure information exchange across borders.
Common Criteria certification builds confidence by independently verifying a product's security features and controls. It encourages the adoption of security best practices and helps both organizations and individuals make informed choices about secure IT products.
Regarding CC certification, Security Functional Requirements (SFRs) take center stage. These requirements are pivotal in defining a product's security functions and capabilities to fulfill specific security objectives. They ensure that the security features consistently perform, effectively countering potential threats and vulnerabilities.
SFRs form the backbone of CC certification by defining specific security functions and capabilities that products must adhere to. These requirements are not one-size-fits-all; they are tailored to suit the unique security needs of various product types ranging from operating systems to network devices, smart cards, and more.
This approach ensures that each product, whether an operating system, network device, smart card, or something else, meets the necessary security standards. Let's delve into some of the critical security requirements covered by SFRs.
Access control, a critical element of Common Criteria certification, involves managing user permissions effectively. This means granting access based on the principle of least privilege, employing role-based access control (RBAC), and using access control lists (ACLs) to specify who can access what resources. Granularity in access control is essential to finely tune access restrictions, reducing the risk of data breaches.
Encryption, a fundamental security requirement in CC certification, safeguards sensitive data. It relies on robust encryption algorithms like AES and RSA and requires secure key management throughout the lifecycle of cryptographic keys. Encryption applies to data in transit and at rest, ensuring that even if unauthorized access occurs, the data remains unreadable without decryption keys.
Audit logging is a proactive security measure that records and monitors system activities. CC-certified systems must log various security events regularly, review and analyze them to identify security threats and demonstrate compliance with security policies. Effective audit logging enhances visibility into system activities, aiding in detecting and responding to security incidents.
Cryptographic key management is integral to CC certification. It encompasses secure key generation, storage, rotation, and destruction practices. Proper key management ensures the integrity and confidentiality of encrypted data, a fundamental aspect of maintaining a secure IT environment.
Secure communication in Common Criteria certification focuses on safeguarding data during network transmission. It relies on robust encryption protocols like TLS and SSL, establishing secure channels, mutual authentication, and data integrity measures. Securing data in transit is crucial in an era of prevalent data breaches and interception threats.
By understanding these specific aspects of Common Criteria certification more concisely, organizations can better grasp the importance of these security measures in meeting the rigorous standards required for CC certification. These practices collectively contribute to building trust in IT devices' security features and capabilities, aligning with the core objectives of CC certification.
While SFRs focus on the functionality of security features, Security Assurance Requirements (SARs) dive into the dependability, consistency, and quality of these features and their development procedures.
SARs evaluate a product's entire lifecycle, from design and development to testing and maintenance. They demand well-defined and documented security development processes, emphasizing the need for thorough assurance.
EALs, or Evaluation Assurance Levels, classify products based on the rigor of their security evaluation and assurance methods. These levels range from EAL1 (essential) to EAL7 (officially validated design and tested).
Unlike private tech firms, sectors such as essential services, government agencies, critical infrastructures, and prominent organizations must address the necessity of EAL4+ certification.
Organizations select the appropriate EAL based on their product's intended use and the level of confidence they need in its security.
A Protection Profile (PP) outlines a standardized set of security prerequisites tailored to a particular product category, like a firewall. In 2022, according to the 2022 Common Criteria Statistics Report, a staggering 74% of certifications used Protection Profiles (with or without assigned EALs).
From integrated circuits and smart cards for authentication to versatile multi-function devices and critical network infrastructure, CC certification plays a vital role in safeguarding various components of the digital ecosystem.
Integrated Circuits (ICs), smart cards, and related devices play a pivotal role in secure authentication and access control. With numerous certifications, CC ensures security, safeguarding sensitive data, and authentication processes.
Multi-function devices encompass a broad spectrum of office equipment. CC-certified multi-function devices demonstrate their functionality and robust security features, including secure printing, scanning, and document handling.
Network devices and systems are the backbone of modern IT infrastructure. Common Criteria certification for these products guarantees strong network security, encompassing encryption, access control, and effective threat detection.
While CC certification holds immense value, it has challenges. Here are some critical considerations for organizations seeking this certification journey.
The path to CC certification is characterized by the intricacies of specialized security criteria and the complexities of their practical implementation. Expertise in cybersecurity is essential for organizations to navigate this terrain effectively and ensure their products meet these criteria with technical precision, reinforcing their digital security.
CC certification involves adhering to a comprehensive set of specialized security criteria, covering many aspects, including cryptography, access control, secure logging, and network protocols. These criteria are often highly detailed and technically intricate.
Translating these criteria into practical security measures can be complicated. Organizations must ensure that their products not only meet the requirements but do so in a technically sound manner. This requires a deep understanding of security principles and practices.
To tackle this complexity effectively, organizations need personnel with expertise in cybersecurity and CC certification. These experts are crucial in designing, implementing, and documenting security measures.
Embarking on the CC certification journey requires expertise and significant resource allocation. Organizations must navigate these challenges, from trained personnel to financial investments and time commitments to fortify their cybersecurity measures.
Successfully pursuing Common Criteria certification necessitates access to trained personnel who understand the intricacies of the certification process. These individuals are essential for guiding the certification efforts, ensuring compliance, and addressing potential challenges.
CC certification is a process that unfolds over time. It demands a significant investment of time, from initial planning and documentation preparation to evaluation and feedback incorporation. This extended timeline can strain an organization's resources.
Achieving CC certification involves financial costs, including personnel salaries, evaluation fees, and potentially acquiring specialized hardware or software tools. These financial inputs are necessary to support the certification process.
Smaller organizations or those with limited financial resources may need help adequately allocating these resources. The cost and resource demands of CC certification can pose barriers to entry for such organizations.
Achieving CC certification is a multifaceted process that involves documenting compliance, engaging with evaluation labs, mastering complex standards, and embracing continuous improvement to ensure long-lasting security.
The CC certification process consists of multiple phases, each requiring meticulous documentation to demonstrate compliance with CC requirements. This documentation is essential for evaluation and certification.
Organizations must engage with testing laboratories that assess their products. This interaction involves submitting documentation, responding to queries, and addressing evaluator feedback. Effective communication is crucial during this process.
Understanding and interpreting Common Criteria standards can be complex. Organizations must have a comprehensive grasp of these standards to implement them correctly. Misinterpretation or misunderstanding can lead to non-compliance. An experienced CC consultant can be a huge asset in avoiding these kinds of misunderstandings.
CC certification is not a one-time effort; it requires an ongoing commitment to maintaining security standards. Organizations must continuously adapt to evolving threats and standards, necessitating ongoing efforts to ensure their products remain secure and compliant.
Hiring a Common Criteria specialist can greatly streamline the entire evaluation process. As an accredited agile cybersecurity lab, CCLab offers CC consultation (support for ISO 15408) and Common Criteria evaluation services.
CC consultancy supports template creation, document writing, security target creation, and pre-vulnerability assessment, parallel to ongoing guidance from certified experts.
CClab’s consultants hold certifications from the OCSI (Italian scheme) and BSI (German scheme) as a Common Criteria testing laboratory, demonstrating their expertise in adhering to CC guidelines and best practices.
Their extensive experience encompasses essential aspects of evaluations, including creating high-quality documentation, enhancing development site security, and optimizing product preparation and development for maximum protection, efficiency, and speed. Their proficiency in these areas ensures a comprehensive and effective approach to Common Criteria evaluations.
With a comprehensive training course, like CCGuide, clients could get access to a great tool during the preparation phase of an upcoming CC evaluation project.
In addition to selecting a capable and accredited Testing Laboratory, it is vital to ensure that essential steps are finalized before commencing the Common Criteria evaluation project.
During the evaluation, a kickoff meeting begins, addressing various aspects such as participant identification, content clarification, material handling, and document management.
Evaluators' access to essential materials, including developer documents and the Target of Evaluation (TOE), is crucial for practical evaluation activities. Two key reports are integral to the evaluation: Activity Reports (AR) detailing pass, fail, or inconclusive results and Observation Reports covering inconclusive and failed work units with explanatory verdicts.
Upon the conclusion of the evaluation, the Laboratory proceeds to generate the Evaluation Technical Report (ETR), encompassing all assessments and judgments made by the Evaluators throughout the evaluation endeavor.
To ensure the ETR's completion, all Activity Reports (ARs) must be fully resolved, with every work unit receiving a "Pass" verdict. Subsequently, the ETR is exclusively forwarded to the Certification Body for meticulous examination, serving as the cornerstone for the Certification Report of the Target of Evaluation (TOE).
CC certification process is based on a globally recognized standard that systematically evaluates and certifies IT product security. It enhances trust, promotes compliance with rigorous security standards, and contributes to a more secure digital landscape. However, achieving Common Criteria certification can be a complex and resource-intensive endeavor.
Hiring a Common Criteria specialist can significantly enhance the security posture of manufacturers, fostering a safer digital environment.
CCLab, an agile cybersecurity lab, provides comprehensive support by offering CC consultation (support for ISO 15408) and Common Criteria evaluation services to its clients. The company empowers manufacturers to navigate the complexities of cybersecurity evaluations efficiently, ultimately creating a more secure digital landscape.
Learn everything you need to know for a successful Common Criteria certification project. Save costs and efforts with your checklist.
This downloadable infographics introduces the Common Criteria Evaluation process to you. Explore now for free.
Download our ETSI EN 303 635 infographics today and learn about the product certification process for this consumer IoT device cybersecurity standard.
The EUCC scheme, spearheaded by the European Union Agency for Cybersecurity (ENISA), was released in early 2024. It builds on the SOG-IS Common Criteria evaluation framework already used by 17 EU Member States.
7
min reading time
ICT (Information and Communication Technology) products, encompassing a wide range of digital devices and software, are inherently vulnerable due to their complexity and the ever-present potential for undiscovered security flaws. The interconnected nature of these products further amplifies the risk, as a single vulnerability can lead to widespread security breaches across networks and systems. To mitigate these risks, the strategic integration of cybersecurity certification requirements in ICT products has become paramount.
8
min reading time
The new Common Criteria Scheme, called the European Cybersecurity Certification Scheme (EUCC), is essential for harmonizing high-security cybersecurity certification of ICT products across EU member states. It facilitates mutual recognition of certifications, supports innovation, and ensures compliance with legal requirements. Fully effective from February 2025, the EUCC aims to provide a unified and robust framework for evaluating IT products, boosting consumer trust, and fostering a more secure digital environment.
10
min reading time