Common Criteria – verified and certified quality

Common Criteria (ISO/IEC 15408, with its evaluation methodology in ISO/IEC 18045) is a leading international standard specifying requirements for the security evaluation of many types of IT products, and it is the basis for the widest available mutual recognition of certificates for secure IT products. In this blog post we give a brief introduction to this often underrated, internationally recognised "stamp of approval".

Written by Magnus Ahlbin, Head of EC/ITSEF, and Anders Staaf, Consultant Unit Manager, both at Combitech.

Types of certifications

There are two ways to complete a Common Criteria certification process:

A Protection Profile (PP) is a set of security requirements for a specific product type (for example network devices or multi-function printers). Each Protection Profile contains its own set of functional and assurance requirements that must be addressed, and the evaluated product must conform to all requirements specified within the PP. A practitioner should note that, under the current CCRA, mutual recognition of PP-based certificates applies to collaborative Protection Profiles (cPPs) developed by the international technical communities.

Common Criteria evaluations can also be performed against a set of predefined Evaluation Assurance Levels (EAL). An EAL is a package of assurance requirements that defines how much rigour is applied when examining the security functionality claimed in the product's Security Target, for instance how much design documentation is reviewed, how thoroughly the product is tested and how resistant it must be to penetration testing. There are seven EALs, 1 to 7, each level more rigorous than the previous one. Note that the CCRA mutually recognises EAL-based certificates only up to EAL2 (optionally augmented with flaw remediation, ALC_FLR); higher EALs are recognised only bilaterally or within regional agreements such as SOG-IS.

Three roles are involved in a certification, whether it is a Protection Profile-based certification or an EAL-based certification:

  • The certification body - issues the certificate and oversees the evaluation. FMV/CSEC is the certification body in Sweden
  • The evaluation lab (ITSEF) - performs the evaluation work. Combitech AB has been a licensed ITSEF since 2007
  • The sponsor - commissions and pays for the evaluation, normally the developer

An internationally recognised standard – the CCRA

Successfully evaluated products receive a certificate, which is published together with the Security Target and the certification report. A Common Criteria certificate is an acknowledgement of quality and gives customers and stakeholders assurance that the security functionality claimed for the product has undergone independent review, testing and analysis at the stated assurance level. It is worth remembering that the certificate covers the evaluated configuration and the claims in the Security Target, not every feature of the product in every deployment.

Certifications are internationally recognised: a Common Criteria certificate issued by a certification body in one country is recognised by all other members of the Common Criteria Recognition Arrangement (CCRA), within the scope of the arrangement described above.

Thirty-one countries have signed the CCRA, making it a very important measure of security for IT products. The CCRA establishes that an evaluation can be recognised by all participating countries, regardless of where the evaluation was completed.

Established in 1995, the Common Criteria community maintains a web portal with information on the status of the CCRA, the Common Criteria documents themselves, the national certification schemes, licensed laboratories, certified products and Protection Profiles, and related information.

Common Criteria and the EU Cybersecurity Act

With the EU Cybersecurity Act (CSA) a supplementary, Common Criteria-based certification framework was created within the EU. The aim of the CSA is to improve cybersecurity across a wide range of digital products, services and processes within the EU. The European Common Criteria-based cybersecurity certification scheme (EUCC) is the result of this and is now an established certification scheme adopted under the CSA. How EUCC certificates will be recognised under the CCRA, and vice versa, is still under discussion.

IT Security Evaluation Facility (ITSEF)

Combitech - ITSEF is a licensed and accredited IT Security Evaluation Facility (ITSEF) operating within the Swedish Common Criteria scheme (ISO/IEC 15408, ISO/IEC 18045), which is part of the CCRA. Our experts will take on the same role in the EUCC. In contrast to the CCRA, where the certification body must be a governmental authority, the EUCC allows private Conformity Assessment Bodies (CABs), so we can also act as a certification body under the EUCC.

We have long and extensive experience with Common Criteria and have delivered successful evaluations since the lab was established in 2007. The 57 certified evaluations we have completed so far, both Protection Profile-based and EAL-based, cover both national and international manufacturers.

Examples of successful evaluations include multi-function printers developed by Kyocera Document Solutions Inc and Lexmark International Inc, databases developed by Oracle America Inc, PKI systems developed by Primekey AB and Entrust Corporation, network devices developed by Microfocus and Clavister AB, KVM switches developed by High Sec Labs Ltd and Vertiv, and security application modules developed by Kapsch TrafficCom AB and Link22. Several evaluations are also published on NIAP's Product Compliant List (PCL) as information for US purchasing authorities. All the products evaluated by Combitech - ITSEF are listed on the Swedish scheme website.

In our opinion, the need for certified products will only increase. So far, the main driving forces have been market requirements, the US acquisition policy NSTISSP No. 11 (which requires evaluated products for national security systems) and other national regulations. The number of security incidents is constantly increasing, and the pressure on IT products to implement sufficient security functionality is only getting higher. We can therefore expect the CSA to have a significant market impact within the EU.

The EUCC gives organisations the possibility to act as CABs without depending on governmental bodies. This could make time schedules more predictable when completing certifications, which is of course important to all stakeholders.

Altogether, it is our opinion that certification of IT products not only adds to the trustworthiness of a product but also adds direct value for the supplier.