Navigating the Path to Common Criteria Certification
This guide walks through the Common Criteria certification process step by step and explains what each stage produces. It is written for product developers, sponsors and anyone responsible for getting an IT product or system through a security certification.

Understanding Common Criteria Evaluation
Common Criteria (CC, published as ISO/IEC 15408) is an international framework for evaluating the security properties of IT products and systems against a defined set of security requirements. An accredited testing laboratory evaluates the product, and a national Certification Body issues a certificate that is recognized by the other members of the Common Criteria Recognition Arrangement (CCRA). The resulting certificate states that a specific version of the product, in a specific configuration, meets the security claims made for it, to the depth of evidence and testing implied by the assurance level or Protection Profile claimed.
The Certification Journey

Select the National Scheme
Decide under which country's scheme the product will be evaluated. Each scheme has its own Certification Body, procedures and accepted laboratories, and some schemes only accept evaluations against approved Protection Profiles.
Choose the Target of Evaluation (TOE)
Define exactly what will be evaluated. The TOE may be a whole product, a component of one, a set of products, or a specific technology within a larger system. Everything outside the TOE boundary is part of the operational environment and is not covered by the certificate.
Pick an Evaluation Assurance Level (EAL)
Choose from EAL1 (basic) to EAL7 (most stringent) according to the depth of evidence and testing required. Note that mutual recognition under the CCRA is limited to EAL2 (optionally augmented with flaw remediation) and to evaluations conformant to a collaborative Protection Profile; certificates at higher levels are recognized only within regional arrangements such as SOG-IS in Europe.
Choose the Protection Profile (Optional)
If applicable, select a PP that defines the security requirements for the product type being evaluated. Claiming conformance to a PP is optional in many schemes but mandatory in others (the US NIAP scheme, for example, only accepts PP-based evaluations).
Prepare the Security Target (ST)
Develop the document that defines the TOE boundary, the security problem (threats, assumptions and policies), the security objectives, the Security Functional and Security Assurance Requirements claimed, and a summary of how the TOE meets them. The ST is the baseline against which the evaluation is performed.
Prepare the Evaluation Work Plan (EWP)
Outline the evaluation process, which must be approved by the Certification Body.
Kickoff Meeting
Organized by the Certification Body to agree on the scope of the evaluation, the handling of materials and any restrictions on their use.
Access to Materials
Ensure evaluators have all necessary documents and access to the TOE.
Activity and Observation Reports
Produced by the laboratory during the evaluation, these record results of individual activities and any issues found that the developer must resolve.

The process officially begins with a kickoff meeting led by the Certification Body. This stage includes granting evaluators access to the required materials and producing the first reports on the evaluation's progress and findings.

During this phase the laboratory carries out the evaluation activities according to the Common Methodology for Information Technology Security Evaluation (CEM, published as ISO/IEC 18045). Each assurance component is examined in turn and any identified issue is addressed until the TOE meets the evaluation criteria.
Conduct Evaluation Activities
Performed according to the CEM, working through each assurance class claimed in the ST: for example ASE (Security Target), ADV (development), AGD (guidance), ALC (life cycle), ATE (testing) and AVA (vulnerability assessment).
Address Findings
Resolve every fail or inconclusive verdict until all work units receive a pass.
Prepare the Evaluation Technical Report (ETR)
This report collects all evaluation activities and their verdicts.
Certification Body Review
The ETR is sent to the Certification Body for examination and forms the basis of the Certification Report for the TOE.

In this step the Evaluation Technical Report (ETR) is prepared, bringing together all evaluation reviews and verdicts. The Certification Body then reviews it and uses it as the foundation of the Certification Report for the TOE.

The final stage is the drafting and issuance of the Certification Report by the Certification Body. Once approved, this document officially certifies the evaluated version of the TOE as meeting the claims in its Security Target.
Draft Certification Report
Drafted by the Certification Body and reviewed by the Sponsor and the testing laboratory before it is finalized.
Issuance of Certification
Once approved, the Certification Report and certificate are issued. They apply exclusively to the specific version of the TOE in its evaluated configuration; later versions must go through the scheme's assurance continuity (maintenance) process or a re-evaluation to remain certified.
Agility in Evaluation
Responsiveness matters in a Common Criteria evaluation, in particular when changes to the TOE or its documentation are needed to resolve findings. A testing laboratory that keeps communication open and iterates quickly with the developer can shorten the overall timeline while still performing a thorough evaluation.


Impact and Benefits
Common Criteria certification opens access to international markets and is often a requirement for government procurement. It demonstrates a commitment to security and provides a competitive advantage. The structured process also improves the product itself, since the evaluation exercises its design, guidance, development practices and resistance to attack, and it builds trust with customers and partners.
Conclusion
A Common Criteria certificate is independent evidence that a product meets its stated security claims. By understanding and planning for each stage of the process, organizations can bring their products through an evaluation that is recognized internationally, in a market where such assurance is increasingly mandated rather than optional.
