What are the main steps of Common Criteria evaluation?

Our new article will provide you with valuable information if you are considering getting your IT security product or technology CC Certified, or if you are interested to know more about the Common Criteria evaluation process.

We will discuss:

• What is Common Criteria evaluation?
• The main steps of the process
• What is the benefit of agility in evaluation?
• What happens once the evaluation is over?

Besides, we will explain how we can support you at CCLab with your Common Criteria evaluation project from the beginning to the end. 

What is Common Criteria Evaluation?

Common Criteria for Information Technology Security Evaluation or shortly Common Criteria (CC) is an international collection of specifications and criteria for evaluating IT security products and systems. CC was created to ensure that products and systems fulfill the pre-defined security requirements accepted by all CCRA member countries. CC certification is given to security products that have successfully passed the testing and Common Criteria evaluation performed by an accredited Testing Laboratory.

Useful information about the process

First of all, it’s essential to understand that a total of 411 Common Criteria certification was issued last year (in 2021), which means that it is a niche solution for special IT security needs. 

In addition, it is necessary to clarify common misunderstandings about who or what will be certified: an IT product or a special technology can get certified, not the business. These can be for instance: firewalls, file encryption or secure signature solution,  mobile and network devices, application SW, etc. 

Besides, it’s important to know that in a Common Criteria evaluation project, the Sponsor and Developer may be different. The product or technology - so called TOE (Target of Evaluation) - that the Lab evaluates will be owned by the Sponsor who will need this certificate to support sales, while the Developer might be outsourced by the Sponsor. Although in most cases during CC evaluation projects of large, international companies usually the  Sponsor and Developer are the same. 

The main steps of Common Criteria evaluation

Common Criteria evaluation is a complex process from which we have gathered the main steps. Most of the procedures and concepts we list below are taken from OCSI (the Italian scheme). Therefore these steps may differ in other schemes, although the core method shall be applied very similarly to each Common Criteria scheme.

Before starting the evaluation

Hiring a Common Criteria expert can significantly ease the entire evaluation process. At CCLab we provide both CC consultation (ISO 15408 support) and Common Criteria evaluation. Besides choosing a competent and accredited Testing Laboratory, you need to make sure that the below steps are completed before starting the Common Criteria evaluation project:

Choose the National Scheme

Common Criteria Certificate Authorizing Schemes were founded by 17 different nations. Thus these countries developed their own national programs, norms, legislation, and Certification Bodies (i.e. Evaluation Authority). The CC Certification is issued by the Certification Body based on the Testing Laboratory's evaluation. Multiple Certification Bodies can accredit a Testing Laboratory to do Common Criteria evaluations. CCLab, for example, has been accredited by both OCSI (Organismo di Certificazione della Sicurezza), the Italian Scheme's Certification Body, and by BSI (Bundesamt für Sicherheit in der Informationstechnik), the German CB.

Choose the Target of Evaluation

The Target of Evaluation (TOE) and the so-called TOE boundary must be decided before starting the Common Criteria evaluation project. The TOE is the subject of the evaluation and can be

• a part of an IT product
• an IT product
• a set of an IT product
• a special technology that may never be made into a product
• or a combination of these. 

Pick an EAL level

Evaluation Assurance Level (EAL) must be decided before submitting the application to the certification body. The level defines the security requirements, which the TOE is evaluated against. There are seven levels:

• EAL1: Functionally Tested
• EAL2: Structurally Tested
• EAL3: Methodically Tested and Checked
• EAL4: Methodically Designed, Tested and Reviewed
• EAL5: Semi-Formally Designed and Tested
• EAL6: Semi-Formally Verified Design and Tested
• EAL7: Formally Verified Design and Tested

Choose the Protection Profile (Optional)

The Protection Profile (PP) is a document that summarizes the security criteria for a class of security devices and is usually set by a user or user community. 

Prepare the Security Target

A Security Target (ST) is an implementation-dependent statement of security needs for a specific identified TOE. It includes the TOE’s version and configuration, in addition to the range of security capabilities being evaluated. From the CC evaluation point of view, preparing an ST should be a priority. The ST can be prepared either by the Developer or by an accredited Common Criteria consultant. The Security Target might claim compliance with one or more PPs.

Prepare the Evaluation Work Plan

The Evaluation Work Plan must be prepared by the CC Test Laboratory and approved by the Certification Body (CB). Changes in the EWP may occur during the evaluation. It can happen for instance if the TOE gets modified due to a new product version or if there are delays on the Developer’s side in supplying the pieces of evidence and deliverables required by the evaluator. No changes to EWP can be made without getting approved by the CB.

The evaluation begins when the Certification Body authorizes the EWP and formally admits the evaluation into the scheme after analyzing the materials presented. Maintaining smooth communication with the Testing Laboratory is the fundament of a successful evaluation.

During the evaluation

The Common Criteria evaluation starts with a kickoff meeting organized by the Certification Body where the following topics are discussed:

• Identification of each party that participates in the evaluation procedure
• Clarification of ST and EWP content
• Handling of evaluation materials
• Evaluation restrictions
• Confident document management

Evaluators’ access to the necessary evaluation materials (i.e. developer documents and TOE, etc.) is essential to successfully and effectively carry out the Evaluation Activities. 

There are two important reports that are part of the evaluation: Activity Reports (AR) and the Observation Report.

Activity Reports

The Activity Reports include the results of the evaluation carried out according to the Common Methodology for Information Technology Security Evaluation (CEM) of each Class. There are 3 possible results: pass, fail, and inconclusive. The ARs are only sent to the Certification Body.

Observation Report

The Observation Report includes the “inconclusive” and “fail” work units and an explicatory verdict paragraph, describing the evaluator's decision.

There are two types of Observation Reports: Fault Observation Report (ROE @OCSI) and Anomaly Observation Report (ROA@OCSI). When an exploitable vulnerability is discovered during the evaluation, a ROE is generated that includes recommendations on how to fix it. All TOE-related issues must be reported via an ROA, with the exception of exploitable vulnerabilities. ROAs are shared with the CB and the Sponsor simultaneously, while the ROEs are sent to the CB for review before being provided to the Sponsor.

At the end of the evaluation

Once the evaluation is completed the Laboratory creates the Evaluation Technical Report (ETR). The Report includes all reviews and verdicts of the Evaluators during the evaluation project. Before completing the ETR all ARs must be finalized, for instance, the verdict of all work units must be a “Pass”. The ETR is sent only to the Certification Body for examination and it is the foundation of the Certification Report of the TOE.

What happens once the evaluation is over?

Depending on the National Scheme's or CBs own regulations, approximately 30 days after the approval of the ETR, the Certification Body issues a draft Certification Report (CR) which is sent to the Sponsor and the Test Laboratory to acquire confirmation. Once the draft is approved by both parties, CB issues the Certification Report in approximately thirty days, depending on the Nat scheme or CB. It’s essential to know that the issued CC Certificate applies exclusively to the specific version of the TOE in its evaluated configuration and claims that the level of protection requested has been accomplished. 

What is the benefit of agility in Common Criteria evaluation?

Agility is one of our unique values that makes CCLab different from other Testing Laboratories. During Common Criteria evaluation, we are in continuous communication with our clients, which allows them to react and amend deficiencies immediately. We use special agile methodologies and toolsets imported from software development in project management and customer development. Thanks to our advanced processes and diversified experiences we can deliver EAL4+ certifications within 4 months.

If you have more questions regarding the topic, do not hesitate to reach out for a free consultation.