What is the Common Criteria?
The Common Criteria (CC) is an international standard for evaluating the security properties of IT products. It defines a framework for the oversight of evaluations, a syntax for specifying the security requirements to be met, and a methodology for evaluating those requirements. The CC is used by governments and other organizations around the world to assess the security of information technology products and is often specified as a prerequisite to procurement.
See www.commoncriteriaportal.org for more information or to obtain the standard.
Who recognizes CC certificates?
At the time of writing: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Republic of Korea, Malaysia, the Netherlands, New Zealand, Norway, Pakistan, Singapore, Spain, Sweden, Turkey, the United Kingdom and the United States. Also check www.commoncriteriaportal.org for the latest.
What is the CC evaluation process?
There are three parties involved in the CC evaluation process:
- Vendor. The vendor engages an accredited lab and submits their product and associated evidence for evaluation.
- Lab. The lab performs the evaluation and reports evaluation results to the scheme. Evaluation is iterative in nature and the vendor is able to address findings during the evaluation.
- Scheme. The scheme issues the CC certificate and performs certification/validation oversight of the lab. Each country that recognizes CC certificates will typically operate a scheme (also known as a certification body). Each scheme has its own policies with regard to how the CC is used in that country and what products may be accepted into evaluation.
What gets evaluated?
The following provides a high-level overview of what gets evaluated:
- Security Target evaluation. Evaluation of the Security Target (ST) - a claims document that specifies the functions under evaluation and the assurance requirements being met.
- Design evaluation. Evaluation of design documents - at the most basic level this will simply be an interface specification. Depending on the assurance requirements, this can include multiple layers of very detailed design specifications and source code review (the latter is becoming less common).
- Guidance evaluation. Evaluation of all the guidance documents that are shipped with the product, plus a CC-specific addendum or 'Secure Installation Guide' describing how to achieve the evaluated configuration.
- Life-cycle evaluation. Evaluation of configuration management practices, delivery procedures and security bug tracking (flaw remediation). This can also include development practices and development-site security audits.
- Functional testing. The evaluators repeat a sample of the developer’s functional tests and come up with some independent tests to confirm the operation of the security functions as specified.
- Penetration testing. The evaluators don their white hats and try to break the security policy enforced by the security functions.
Whether a particular evaluation activity is performed depends on the assurance requirements specified in the ST.
What is a Security Target?
A Security Target is the document that defines the Target of Evaluation (TOE), that is, the product configuration and version and the scope of security functionality being evaluated. The CC allows the TOE to be all or part of a product or system. The Security Target is put together using CC constructs and defines both functional requirements and assurance requirements. A Security Target may conform to a Protection Profile but is not required to. A Security Target (written by the vendor) goes beyond a Protection Profile (written by the consumer) by including a description of how the product achieves the defined requirements. The US requires conformance to an approved Protection Profile.
Security Target examples may be found at http://www.commoncriteriaportal.org/products.html
What is a Protection Profile?
A Protection Profile is a requirements statement put together using CC constructs. Protection Profiles are generally published by governments for a specific technology type (firewalls, for example) as part of procurement policy. A Protection Profile specifies both functional requirements and assurance requirements; Evaluation Assurance Levels (EALs) cover only the assurance part. So a Protection Profile may reference an EAL, but it will also specify a set of functional requirements to be met.
The most commonly used Protection Profiles are those published by the US National Information Assurance Partnership (NIAP) at http://www.niap-ccevs.org/pp/
How long does evaluation take?
Evaluation projects will typically take one year; however, the duration of an evaluation depends on many factors, the most critical being timely input of evidence. Although the US scheme now has a '90 day' evaluation timeframe, this time represents only the validation phase of the project.
What happens when a certified product changes?
CC evaluation applies only to the configurations and versions specified by the certified Security Target. So, for example, if your product goes from v1.0 to v1.0.1, the certification no longer applies to the new version. However, a process called Assurance Continuity has been developed to accommodate this.
What is Assurance Continuity?
Assurance Continuity allows non-security-related changes to be made to an evaluated product and the subsequent versions to be appended to the original CC certificate. Where changes are security related (and are classified as 'major'), Assurance Continuity allows them to be rapidly evaluated through 're-evaluation', which reuses results from the original evaluation.
Further details about the Assurance Continuity program are included in the Common Criteria Recognition Arrangement (CCRA) Supporting Documents at: http://www.commoncriteriaportal.org/cc/#supporting
What Common Criteria services does CSC provide?
CSC has accredited labs in Australia, Canada, Germany and the USA which offer the following services:
- Strategic consulting. CSC provides strategic consulting for clients with large and complex evaluation projects involving multiple products and vendors. Services focus on identifying compliance requirements, scoping, planning and costing the evaluation effort to efficiently achieve business outcomes.
- Preparedness assessments. CSC offers preparedness assessments for vendors seeking to further understand CC concepts and how prepared they are for evaluation. These are short engagements that also assist in scoping the evaluation effort.
- Evidence preparation. CSC is able to assist vendors in collating and writing evaluation evidence.
- Evaluation. CSC is accredited to perform CC evaluations in Australia, Canada, Germany and the USA.
- Training. CSC consultants are experienced training facilitators able to develop and deliver training material on a range of subjects, including CC evaluation and related methods, functional testing, vulnerability analysis and penetration testing, quality management, and cryptographic evaluation.
- Protection Profile development. CSC consultants are able to develop Protection Profiles to reflect consumer requirements.
How much does an evaluation cost?
There are many factors affecting cost, including assurance level, product complexity and vendor process maturity. Please contact us for a detailed quotation.
For More Information:
Contact us and let our Common Criteria experience help you produce results.