Our new article will provide you with valuable information if you are considering getting your IT security product or technology CC-certified or if you are interested in knowing more about the Common Criteria evaluation process.
We will discuss:
Besides, we will explain how we can support you at CCLab with your Common Criteria evaluation project from the beginning to the end.
Common Criteria for Information Technology Security Evaluation, or Common Criteria (CC) for short, is an international collection of specifications and criteria for evaluating IT security products and systems. CC was created to ensure that products and systems fulfill the pre-defined security requirements accepted by all CCRA member countries. CC certification is given to security products that have successfully passed the testing and Common Criteria evaluation performed by an accredited Testing Laboratory.
First of all, it’s essential to understand that a total of 411 Common Criteria certifications were issued last year (in 2021), which means that it is a niche solution for special IT security needs.
In addition, it is necessary to clarify a common misunderstanding about who or what will be certified: an IT product or a special technology can get certified, not the business. These can be, for instance, firewalls, file encryption or secure signature solutions, mobile and network devices, application software, etc.
Besides, it’s important to know that in a Common Criteria evaluation project, the Sponsor and Developer may be different. The product or technology that the Lab evaluates, the so-called TOE (Target of Evaluation), will be owned by the Sponsor, who will need this certificate to support sales, while the Developer might be outsourced by the Sponsor. In most Common Criteria evaluation projects of large international companies, however, the Sponsor and Developer are the same.
Common Criteria evaluation is a complex process from which we have gathered the main steps. Most of the procedures and concepts we list below are taken from OCSI (the Italian scheme). Therefore, these steps may differ in other schemes, although the core method shall be applied very similarly to each Common Criteria scheme.
Hiring a Common Criteria expert can significantly ease the entire evaluation process. At CCLab we provide both CC consultation (ISO 15408 support) and Common Criteria evaluation. Besides choosing a competent and accredited Testing Laboratory, you need to make sure that the steps below are completed before starting the Common Criteria evaluation project:
Common Criteria Certificate Authorizing Schemes were founded by 17 different nations. Thus these countries developed their own national programs, norms, legislation, and Certification Bodies (i.e. Evaluation Authority). The CC Certification is issued by the Certification Body based on the Testing Laboratory's evaluation. Multiple Certification Bodies can accredit a Testing Laboratory to do Common Criteria evaluations. CCLab, for example, has been accredited by both OCSI (Organismo di Certificazione della Sicurezza), the Italian Scheme's Certification Body, and by BSI (Bundesamt für Sicherheit in der Informationstechnik), the German CB.
The Target of Evaluation (TOE) and the so-called TOE boundary must be decided before starting the Common Criteria evaluation project. The TOE is the subject of the evaluation and can be
Selecting the appropriate Evaluation Assurance Level (EAL) is a pivotal decision that precedes applying to the certification body. This choice defines the specific security requirements against which the Target of Evaluation (TOE) will be evaluated. The seven available levels are as follows:
At EAL1, the focus is on functional testing to ensure basic security functionality. It provides a foundational assessment without delving extensively into design or documentation.
EAL2 involves structural testing and examination of the security architecture and design. While it goes beyond functional testing, it remains relatively basic regarding the depth of Common Criteria evaluation.
EAL3 introduces a more methodical approach, combining testing and thorough documentation checks. The evaluation extends to the security mechanisms' robustness and effectiveness.
At EAL4, the evaluation becomes more comprehensive, encompassing methodical design considerations, rigorous testing, and expert reviews. This level emphasizes a holistic approach to security assurance.
EAL5 introduces a semi-formal design process, enhancing the depth of security measures. Rigorous testing and a more formalized design contribute to a higher level of confidence in the security of the TOE.
Building upon EAL5, EAL6 incorporates semi-formal verification of the design. This adds an additional layer of assurance, ensuring that the security mechanisms are designed and verified for correctness.
EAL7 represents the highest level of assurance, involving formal verification of both the design and testing. Formal methods are employed to mathematically prove the correctness of the security mechanisms, providing the utmost confidence in the TOE's security.
When embarking on the Common Criteria evaluation journey, it's crucial to recognize the pivotal role of both Evaluation Assurance Levels (EALs) and Protection Profiles (PPs). While the selection of an EAL is mandatory, the consideration of a Protection Profile is optional, yet it holds the potential to significantly augment the Common Criteria evaluation process.
A Protection Profile stands as a comprehensive roadmap, delineating the intricate security criteria tailored to a specific category of security devices. Typically crafted by a user or user community, a well-articulated PP serves as a guiding document, ensuring that the Target of Evaluation (TOE) aligns precisely with the nuanced security requirements pertinent to its intended application.
This optional yet strategic inclusion of a Protection Profile enhances the Common Criteria evaluation by providing a contextual framework for assessing the TOE.
Opting for a suitable Protection Profile introduces a level of specificity and relevance that extends beyond the standardized evaluation process. It becomes a tool for tailoring the evaluation to the unique demands of the TOE's intended use.
The careful consideration of a Protection Profile fosters a more targeted assessment, aligning the security measures with the specific needs and expectations of the user community. The Common Criteria evaluation process gains depth and precision when complemented by the optional inclusion of a well-defined Protection Profile. This not only signifies a commitment to a thorough evaluation process but also ensures that the TOE is intricately aligned with the distinct security landscape outlined in the Common Criteria framework.
A Security Target (ST) is an implementation-dependent statement of security needs for a specific identified TOE. It includes the TOE’s version and configuration and the range of security capabilities being evaluated. From the Common Criteria evaluation point of view, preparing an ST should be a priority. The ST can be prepared by the Developer or an accredited Common Criteria consultant. The Security Target might claim compliance with one or more PPs.
The Evaluation Work Plan (EWP) must be prepared by the CC Test Laboratory and approved by the Certification Body (CB). Changes in the EWP may occur during the evaluation. This can happen, for instance, if the TOE is modified due to a new product version or if there are delays on the Developer’s side in supplying the pieces of evidence and deliverables required by the evaluator. No changes to the EWP can be made without approval by the CB.
The evaluation begins when the Certification Body authorizes the EWP and formally admits the evaluation into the scheme after analyzing the materials presented. Maintaining smooth communication with the Testing Laboratory is the foundation of a successful Common Criteria evaluation.
The Common Criteria evaluation starts with a kickoff meeting organized by the Certification Body where the following topics are discussed:
Evaluators’ access to the necessary evaluation materials (i.e. developer documents and TOE, etc.) is essential to successfully and effectively carry out the Evaluation Activities.
There are two important reports that are part of the Common Criteria evaluation: Activity Reports (AR) and the Observation Report.
The Activity Reports include the results of the Common Criteria evaluation carried out according to the Common Methodology for Information Technology Security Evaluation (CEM) of each Class. There are 3 possible results: pass, fail, and inconclusive. The ARs are only sent to the Certification Body.
The Observation Report includes the “inconclusive” and “fail” work units and an explicatory verdict paragraph describing the evaluator's decision.
There are two types of Observation Reports: Fault Observation Report (ROE@OCSI) and Anomaly Observation Report (ROA@OCSI). When an exploitable vulnerability is discovered during the Common Criteria evaluation, an ROE is generated that includes recommendations on how to fix it. All TOE-related issues must be reported via an ROA, with the exception of exploitable vulnerabilities. ROAs are shared with the CB and the Sponsor simultaneously, while the ROEs are sent to the CB for review before being provided to the Sponsor.
Once the Common Criteria evaluation is completed, the Laboratory creates the Evaluation Technical Report (ETR). The Report includes all reviews and verdicts of the Evaluators during the evaluation project. Before completing the ETR all ARs must be finalized: for instance, the verdict of all work units must be a “Pass”. The ETR is sent only to the Certification Body for examination, and it is the foundation of the Certification Report of the TOE.
Depending on the national scheme's or CB's own regulations, approximately 30 days after the approval of the ETR, the Certification Body issues a draft Certification Report (CR), which is sent to the Sponsor and the Test Laboratory for confirmation. Once the draft is approved by both parties, the CB issues the Certification Report in approximately thirty days, depending on the national scheme or CB. It’s essential to know that the issued CC Certificate applies exclusively to the specific version of the TOE in its evaluated configuration and claims that the level of protection requested has been accomplished.
Common Criteria certification is a critical determinant for market access, particularly in regions aligned with the Common Criteria Recognition Arrangement (CCRA). The impact on market dynamics is multifaceted:
Common Criteria certification is a robust validation, assuring that products adhere to globally recognized security standards. This assurance is crucial for international market entry, where stringent security requirements are paramount. Products with this certification have a competitive edge, as they are perceived to have undergone rigorous evaluation, making them more trustworthy in diverse markets.
The significance of Common Criteria certification extends to government procurement processes. Many government agencies mandate this certification for IT products, making it a prerequisite for vendors participating in procurement. This mandate aligns with the need for standardized security measures, reinforcing the certification's role in regulatory compliance and fostering trust between governments and vendors.
Attaining Common Criteria certification provides a clear competitive advantage in the marketplace. It signals a commitment to security, which resonates with security-conscious customers. In competitive sectors, the certification distinguishes products as having met stringent security criteria, contributing to a favorable market perception and potentially influencing purchase decisions.
Certain sectors, such as finance, defense, and critical infrastructure, prioritize security due to the sensitivity of their operations. In these industries, products with Common Criteria certification are preferred choices. The certification aligns with the sector-specific security needs, making these products more appealing to customers prioritizing security as a primary consideration.
Common Criteria certification streamlines security compliance by providing a structured framework for evaluating and implementing security measures.
It ensures that products meet basic security requirements and navigate more complex security landscapes efficiently. This streamlined approach saves manufacturers time and resources while ensuring a comprehensive security posture.
Beyond meeting specific security standards, Common Criteria certification is a tangible demonstration of a product's commitment to security. It signifies a proactive approach to ensuring the integrity and confidentiality of data. In an era marked by escalating cyber threats, this commitment becomes a valuable differentiator, enhancing the perceived reliability of the certified products.
Customers are increasingly discerning when it comes to product security. Common Criteria certification enhances consumer confidence by validating a product's security claims externally.
The rigorous evaluation process and adherence to recognized standards contribute to building trust, a critical factor in customer decision-making, especially for products dealing with sensitive information.
CC certification provides a structured pathway for products to gain credibility and penetrate new markets. Certified products enjoy smoother market access by aligning with globally recognized security standards.
The Common Criteria evaluation process guides manufacturers in establishing a robust security foundation, instilling customer confidence, and facilitating a more efficient entry into diverse international markets.
Agility is one of our unique values that makes CCLab different from other Testing Laboratories. During Common Criteria evaluation, we are in continuous communication with our clients, which allows them to react and amend deficiencies immediately. We use special agile methodologies and toolsets imported from software development in project management and customer development. Thanks to our advanced processes and diversified experiences, we can deliver EAL4+ certifications within 4 months.
If you have more questions regarding the topic, do not hesitate to reach out for a free consultation.