Common Criteria Certification 101 and Current Tendencies
Under Common Criteria, various types of IT products can be evaluated and certified by independent security evaluation facilities and certification bodies. The products which can be certified based on the methodology include SW products (e.g. data erasure, antiviruses, databases, operating systems, etc.), as well as hardware and embedded products (smart cards, ICs, IoT devices, medical devices, smart meters, network devices, etc.). A product can be evaluated based on seven possible levels of assurance (Evaluation Assurance Level – EAL), increasing in the depth and coverage of testing.
A Common Criteria evaluation strictly follows a set of security requirements and evaluation requirements defined in the methodology. This methodology consists of several documents, as follows:
- Part 1: Introduction and general model
- Part 2: Security functional components
- Part 3: Security assurance components
- Common Methodology for Information Technology Security Evaluation (CEM)
The requirements defined in “Part 2: Security functional components” serve as the basis for the evaluation of products. These requirements define the expected (claimed) security capabilities of the product within the scope of the evaluation. Examples of such capabilities include cryptography, authentication, authorization, physical protection, logging of events, etc. Every product evaluated under Common Criteria therefore selects the relevant capabilities from the list defined in Part 2, with the possibility to define custom capabilities if needed. This ensures that the same security expectations apply regardless of the type, make or category of the product, which in turn ensures uniformity and international recognition of the results.
From an evaluation point of view, the necessary requirements are also standardized in “Part 3: Security assurance components”. The requirements in this part define clearly how a security evaluation lab should perform the assessment activities in scope. Typically, these include a combination of documentation review, process review, validation and penetration testing. The way in which the conclusions of the evaluation are interpreted and reported is also defined by the Part 3 requirements. This ensures that every licensed laboratory tests the product and interprets the results in the same way.
A Common Criteria certificate can currently be issued by various certification bodies, which are members of national certification schemes. The national schemes are grouped into mutual recognition agreements, under which they directly recognize the results and certificates of products evaluated by one another. The most relevant mutual recognition agreements in the CC domain are CCRA (a global agreement recognizing certificates up to level 2 – EAL2) and SOGIS (a European-based agreement recognizing certificates irrespective of the level).
Companies certify their products to gain various benefits, which include but are not limited to:
- International mutual recognition of the certificate
- Strong demonstration of claimed security capabilities in a product
- Strong basis for obtaining strategic partnerships with local governments or product integrators and bringing the product to new markets
- Advantage over similar uncertified competitor products
In the last several years, CC evaluations and certifications have been especially popular in the world of smart cards and integrated circuits. Recently, however, the tendency is shifting towards a bigger variety of products that companies are willing to certify. Product lines that are starting to attract specific interest with respect to CC include, for example, software threat protection applications, network devices and software, multi-functional printers and even consumer IoT devices. In the domain of smart cards or ICs, an evaluation typically targets the higher levels of assurance (EAL5 or higher) to reflect the high risks associated with these products.
Such a high-EAL evaluation, on the other hand, would be relatively challenging for an IoT device, given its duration and cost. IoT products (and embedded devices in general) need quick and smooth certification options, which are much more in line with CC evaluation levels such as EAL1, EAL2 or EAL3. An evaluation at these lower assurance levels still provides the high recognition of a CC certificate, while keeping the duration, budget and required customer interaction lower.
About Secura CC Lab
Secura is currently licensed as a CC laboratory under the Dutch Common Criteria scheme – NSCIB. Despite the challenging times of COVID-19, the Dutch NSCIB scheme has secured an impressive position on the CC market, with the 3rd place in the number of certified products in 2020. While the majority of countries have faced an overall decline in numbers, the Netherlands was able to significantly grow the number of issued certificates in the past few years, including 2020. Advantages of the NSCIB scheme include a clear and predictable process for the evaluation, as well as clear planning of activities, thus avoiding
Secura specializes in performing CC evaluations on a broad range of product categories, including SW and application products, IoT devices, medical and industrial products, smart meters, network and telecommunication equipment, etc. By combining our 20+ years of experience in software and embedded security with the rigour of the CC methodology, a smooth evaluation process is guaranteed. Secura is able to support interested companies throughout the whole journey towards achieving a CC certificate – including initial consultation and document preparation, the evaluation itself and support with achieving a certificate in a quick manner.
Feel free to reach out for more details, or access our dedicated page on Common Criteria here.