Common Criteria (CC) Evaluations
Certification to Common Criteria or ISO 15408 provides a distinct competitive advantage while best positioning your product within regulated industries and markets, worldwide.
Common Criteria (CC), also known as ISO/IEC 15408, is an international standard designed as a flexible and adaptable way to specify and measure IT security. Common Criteria captures users’ functional and assurance requirements, translates policy into product and system specifications, guides product and system development, and provides a basis for evaluating products and systems.
The goal of the Common Criteria is to develop confidence and trust in the security characteristics of a system and in the processes used to develop and support it. It proves that a system functions as claimed by its vendor, by following formal, independently verifiable, and repeatable methods. Additionally, Common Criteria provides the basis for internationally recognized certification under the Arrangement on the Recognition of Common Criteria Certificates (CCRA).
The Common Criteria process can be a lengthy and complex endeavor. The selection of an experienced, accredited testing facility plays a key role in ensuring a successful, cost-effective evaluation. Intertek’s EWA-Canada IT Security Evaluation & Test Facility (ITSET) is a fully accredited (SCC Lab number 303) Common Criteria Test Lab (CCTL) providing the full complement of capabilities that support all facets of the CC process.
Intertek EWA-Canada works together with you through four key areas:
Common Criteria (CC) evaluations can be complicated, costly, and a drain on your developer resources, which is why proper pre-planning is essential to ensuring success and avoiding frustrating delays. Intertek’s EWA-Canada IT Security Evaluation & Test Facility (ITSET) provides pre-evaluation support and consulting services on all aspects of the CC evaluation process.
Intertek EWA-Canada’s years of experience and EAL4-approved CC evaluators can help simplify the CC process by training you on CC requirements and how best to satisfy them.
We can conduct initial assessments to provide assistance and guidance with product design and engineering, and help you develop a roadmap that meets your requirements, schedule and budget by determining the following:
- Possible areas of non-conformance;
- The scope of the Target of Evaluation (TOE);
- Any CC requirements that are already satisfied, and identification of those which must be addressed before a product can be properly evaluated;
- The completeness and applicability of existing documentation;
- A realistic Evaluation Assurance Level (EAL; refer to Part 3 of the CC standard, section 7.2);
- The level of effort required to achieve certification;
- Estimated evaluation costs; and
- A viable schedule.
Intertek EWA-Canada provides comprehensive services for the evaluation or re-evaluation of products under the requirements of the internationally recognized Common Criteria for IT Security Evaluation (CC, also known as ISO/IEC 15408).
Prior to beginning an evaluation, vendors should have an understanding of the CC requirements and the evaluation process itself. Those vendors that are new to or unfamiliar with the process may wish to consider our CC Pre-Evaluation Consulting capability.
CC Product Evaluation
Intertek EWA-Canada offers a full range of CC evaluation capabilities which can be tailored to your particular needs and can include:
- Evaluation of products under the Canadian Common Evaluation and Certification Criteria Scheme (CCS; see the important note below) for Evaluation Assurance Levels (EALs) 1 through 4 (EALs are described in section 7.2 of Part 3 of the CC standard), including some augmentations; and
- FIPS 140-2 and approved-algorithm validations to verify any claimed cryptographic functionality (as outlined in the CCEVS guidance ‘Specifying Cryptographic Requirements in Security Targets’). See FIPS 140-2 Services for details on EWA-Canada’s FIPS 140-2 services.
Vendors should note that the criteria for acceptance of submissions into the CCS are much less restrictive than those of the U.S. Common Criteria Evaluation and Validation Scheme (CCEVS), which will generally only accept CC submissions for products that are, at a minimum, compliant with Medium and High Robustness Protection Profiles (PPs). In addition, the CCS has no plans to introduce evaluation fees such as those recently announced by the CCEVS. CC evaluations performed under the CCS up to Evaluation Assurance Level (EAL) 4+ are fully recognized in the U.S. and in all other countries that participate in the Arrangement on the Recognition of Common Criteria Certificates (CCRA).
Intertek EWA-Canada can provide Common Criteria evaluation support services in addition to performing the Common Criteria evaluation of a product. This is done by specifically designating highly qualified evaluators, who are not performing the Common Criteria evaluation of the product in question, to perform the support work. The evaluation support services provided can be tailored to your particular needs and can include:
- Security Target / Protection Profile authoring;
- Development documentation creation, e.g., writing of the functional specification, high-level / low-level design, representation correspondence (design traceability document), security architecture description, etc.;
- Creation of the developer test plan or test coverage documentation;
- Support in transitioning from version 2.3 to 3.1 of the Common Criteria standard;
- Guidance on documentation preparation for composite Targets of Evaluation (TOEs); and/or
- Any directed training on the Common Criteria, documentation creation, the Common Criteria evaluation process, etc.
The awarding of a Common Criteria (CC) evaluation certificate indicates to the user community that the CC evaluation authority is satisfied that all necessary evaluation work has been performed, that the product meets all the assurance requirements defined for the particular Evaluation Assurance Level (EAL) and functionality being claimed, and that the product meets its security objectives.
CC certification is directly tied to the specific version and configuration of a product identified in the awarded Certificate, Certification Report and Security Target. Certification does not automatically extend to new versions of the product as changes are made, whether to introduce new features or capabilities or to address known issues.
In order to address the types of changes that are always a part of the life cycle of Information Technology (IT) and IT security products, the Common Criteria uses the concept of assurance continuity, whereby certification may be extended to cover updated versions of products as they evolve. CC Assurance Continuity recognizes that, as changes are made to a certified Target of Evaluation (TOE) or its environment, evaluation work previously performed need not be repeated in all circumstances. Assurance Continuity therefore defines an approach to minimizing redundancy in IT security evaluation, allowing a determination to be made as to which independent evaluator actions, if any, need to be re-performed.
EWA-Canada can help determine whether the set of changes and updates made to the product qualifies for extending certification under Assurance Continuity. EWA-Canada can also help assemble the package of information, including the Impact Assessment Report (IAR) and regression testing results, needed by the Certification Body to determine that Assurance Continuity applies and that certification may be extended to the updated version of the product and/or TOE.