Common Criteria (CC) certification is an internationally recognized, cross-industry scheme for certifying the security of IT products. A CC-certified product or system offers a meaningful assurance advantage because it has been evaluated by an accredited, independent third-party testing laboratory using a rigorous and well-defined assessment methodology. If you are interested in getting your product certified, this article walks through the process.
Why are Common Criteria needed?
The Common Criteria (CC) is a globally acknowledged and scalable framework of standards (ISO/IEC 15408) for IT security evaluation. It ensures that specifying, implementing, and evaluating the security of an IT product or system is carried out in a standard, rigorous, and repeatable manner. CC certification is frequently required by governments and other organizations when procuring IT systems and products. Common Criteria certificates are recognized by all signatories of the CCRA (Common Criteria Recognition Arrangement), currently 31 member nations. Note that CCRA mutual recognition is limited to evaluations against collaborative Protection Profiles (cPPs) and, for other evaluations, to assurance components up to EAL2 (plus flaw remediation, ALC_FLR); certificates at higher EALs are recognized only under regional arrangements such as SOG-IS in Europe or bilaterally.
How does a Common Criteria evaluation work?
First of all, it is important to name the participants in a CC evaluation:
- An independent, accredited laboratory that performs the evaluation
- The Sponsor (the party that commissions and pays for the evaluation, often the vendor) and the Developer who builds the product or system being evaluated; these are frequently the same company
- The certification body, operated by a national scheme, which oversees the laboratory's work and issues the Common Criteria certificate
What is EAL?
Traditionally, Common Criteria evaluations are performed against one of seven Evaluation Assurance Levels (EALs). An EAL describes how much rigor goes into the development and evaluation of the product, not how much security functionality it has: a higher EAL means deeper design documentation, more thorough testing, and a more demanding vulnerability analysis. Many schemes now evaluate against Protection Profiles (PPs) instead of, or in addition to, a stated EAL. The seven levels are:
- EAL1: Functionally Tested
- EAL2: Structurally Tested
- EAL3: Methodically Tested and Checked
- EAL4: Methodically Designed, Tested and Reviewed
- EAL5: Semi-Formally Designed and Tested
- EAL6: Semi-Formally Verified Design and Tested
- EAL7: Formally Verified Design and Tested
What gets evaluated?
The product or system under evaluation is called the Target of Evaluation (TOE). Alongside the TOE, the laboratory evaluates the Security Target (ST), the document that defines the TOE's scope, the threats it is meant to counter, and the security functional requirements it claims; everything else in the evaluation is measured against the ST. Depending on the chosen assurance level and the Sponsor's/Developer's needs, the evaluation includes the following tasks:
- Vulnerability analysis, including penetration testing at the attack potential defined by the assurance level
- Life-cycle evaluation (development environment, configuration management, delivery, flaw remediation)
- Design evaluation (architecture, functional specification, and at higher EALs the implementation representation)
- Independent functional testing and review of the developer's own tests
- Guidance evaluation (installation, configuration, and operational documentation)
What are the basic steps of the evaluation?
- Product development and testing
- Preparation of related developer documentation
- Laboratory engagement
- Laboratory evaluation and testing
- Certification issued by the certification body
How long does the Common Criteria evaluation take?
The length of the process depends on numerous factors, such as the product's complexity, the chosen EAL or Protection Profile, and the readiness and reaction time of the Sponsor/Developer. A Common Criteria evaluation typically takes several months; complex products or higher assurance levels can take considerably longer, so plan the evaluation into the product schedule rather than treating it as a final step.
Which are the most typical products getting Common Criteria Certification?
Although the number of CC certificates issued grows year by year, keep in mind that a certificate covers only the TOE in its evaluated configuration and only the security functionality claimed in the Security Target; features or configurations outside that scope are not certified, so buyers should read the ST, not just the certificate. The most common product categories that obtain Common Criteria certification are:
- Firewalls
- Mobile devices
- Network devices
- Application software
- Secure signature creation devices (e.g., smart cards and hardware tokens)
- File and disk encryption solutions
How can your business benefit from CC certification?
Common Criteria certification opens doors for firms in the IT security industry. In an ultra-competitive field, it helps to have an edge and to widen the set of customers who can buy your product.
- Improved security: earning certification requires passing independent testing and vulnerability analysis that can expose weaknesses you missed, so you can correct them before releasing the product. Bear in mind that the depth of that analysis is bounded by the attack potential of the chosen assurance level.
- Level the playing field: it is the most direct way to compete with existing products that already hold certification.
- Expanded customer base: it makes your product a viable option for government agencies and other buyers that require Common Criteria certification.
Common Criteria certification raises your product's profile and creates a stronger impression with potential buyers. Because certification is an independent evaluation against international standards, it sets a high, verifiable bar for your product.
Conclusion
Companies working in cybersecurity may need Common Criteria certification for their products, but the process is not always easy to navigate. We therefore recommend choosing an experienced, internationally recognized, accredited laboratory that offers a pre-evaluation (readiness) service and will guide you through the procedure.