Establishing Accredited Cybersecurity Test Certification Programs, Part 2

11 Dec 2020

The Testing and Certification Process for Products/Systems

In our previous blog on test certification and accreditation program support (TCAPS) services we went over the fundamental information, terminology and needs to an effective TCAPS program.  In this blog, we will take a closer look at the testing and certification process.

For every accredited test-certification program development, the following principles must first be agreed upon:

• Need statement. It is important to address the client's main concerns and operational needs.
• A clear definition of scope for the project/program. A phased approach is recommended to ensure manageable outcomes.
• For each data deliverable, the purpose & audience for the document should be concisely defined and agreed upon (e.g., use cases/ context in which the deliverable will be used by users).

These principles can be met using a systematic approach.

Five W's & How

Before establishing an accredited test-certification program, it is important to answer the Why, What, Who, Where, When and the How questions related to defining, planning, and implementing. This is illustrated in the figure below.

Three P's

The "Three P's" (people, product and process) are essential to establish accredited test-certification programs/schemes. That is, ensure that properly qualified and experienced people use the requisite product (facilities, equipment and tools) and follow approved process and standard operating procedures in testing and certifying ITS products/systems.

Product Testing/Certification – Operational Context

The operational context for product testing/certification is depicted in the figure below.

Vendors submit their products (systems under test (SUT) or items under test (IUT)) to the security test labs who test/certify the product/systems. The CB certifies the products/systems and issues certificates and certification reports based on evidence, reports, and recommendations made by the security test lab(s). The CB also maintains a certified products list (CPL). The CB sets the requirements for and oversees the security test labs and their test activities. The end user uses the certified products/systems in accordance with the operational/deployment environment and product/system secure configuration recommended in the test certification report.

Note: Although the above figure shows a CB, the CB may not be initially established in an accredited test-certification program/scheme. That is, the security test lab(s) themselves may produce test certification reports and product certificates until such time as the CB is established.

Security Levels

Products are typically assessed to different security Levels (e.g., three (3) or four (4) levels). For example, the basic security level is defined as SL1 in which fundamental security testing and analysis is performed in terms of scope and depth of testing. Higher SL2, SL3 and SL4 levels involve increased scope/depth of testing and analysis. Hence a SL4 assessed product/system offers the highest level of assurance/confidence in the security of the product/system and its protection of assets. A higher SL assessed product can be deployed in higher operational risk environments with higher security asset/data sensitivity (classifications).

Risk-Based Approach

The TCAPS process is risk-based and involves setting up a test-certification program predicated on a defined threat risk assessment (TRA) process. The TRA process is a formalized method to address the negative consequences of a threat actor or threat event exploiting a vulnerability to affect an asset of value adversely. The TRA process includes asset identification and valuation, threat, vulnerability, and risk assessments. The TRA process forms input to risk treatment recommendations and residual risk calculations.

In the situation that a product/system under test does not achieve an overall passing grade as a result of testing, or retesting, the security test lab (and if applicable the CB) must make an assessment of any residual vulnerability in the product and any resulting residual risk in the use of the product in its proposed deployment scenario.

Test Certification Report and Certificate

Vendors receive test certification reports and certificates certifying that their product has been tested and certified under a licensed security test lab's scope of accreditation. Details of the testing are described in the test certification report. The certificate applies only to the specific version of the product identified when configured and deployed as detailed in the test certification report. The named product is suitable for use in the operational/deployment environment, data classifications and risk levels defined in the test certification report.

Learn more about Intertek's cybersecurity solutions, including TCAPS services.