Common Criteria Evaluations & Certification
Certify to Common Criteria (ISO 15408) and gain a distinct competitive advantage while best positioning your product within regulated industries and markets, worldwide.
Common Criteria (ISO 15408) is the only product security standard with global mutual recognition. Its goal is to establish confidence and trust in the security characteristics of a product and in the processes used to develop and support it. An evaluation provides independent, repeatable assurance that the product's security functionality works as claimed in its Security Target, using formal, independently verifiable methods. Common Criteria also provides the basis for internationally recognized certification under the Arrangement on the Recognition of Common Criteria Certificates (CCRA).
Protection Profile (PP) & Collaborative Protection Profile (cPP)
It is important to note that the Common Criteria process has changed significantly with the move to Protection Profile (PP) and Collaborative Protection Profile (cPP) based evaluation and its strict conformance requirements. Where Common Criteria used to be a flexible, malleable process in which requirements could be added or dropped based on product functionality, a PP/cPP-based evaluation is rigid: the product must meet every requirement of the claimed PP exactly as written, leaving no room for error.
Evaluation Assurance Level (EAL)
While several CC schemes have moved to a PP/cPP-based approach, many markets worldwide still require an Evaluation Assurance Level (EAL) evaluation based on a Security Target (ST) written for the specific product, and some product categories are not covered by any existing PP or cPP. In these cases we leverage our partnerships in Europe to achieve EAL 1 through EAL 4+ and higher certifications. Note that mutual recognition under the CCRA extends only to cPP-conformant evaluations and to ST-based evaluations up to EAL 2 (augmented with ALC_FLR); higher EALs are recognized regionally, for example under the European SOG-IS agreement, which is one reason the choice of scheme matters. We partner with several laboratories across a varied set of national schemes, giving you maximum flexibility.
Working with Intertek
Our goal is to engage early and adopt risk-mitigating processes: non-compliance is identified early, fixes are discussed and planned, the testing methodology is defined in advance so your test teams can plan accordingly, and the schedule is tracked rigorously to keep our progress in step with your development and test plans.
- Gap Analysis and Strategy Workshop, which determines:
  - which route (PP, EAL, or a combination) to pursue for the subsequent evaluation;
  - which security capabilities will be evaluated (fixed if a particular PP is chosen);
  - any gaps between current product / process capabilities and the requirements to be met for the evaluation (so the vendor can work on bridging the gaps);
  - a timetable for the follow-on activities (bridging gaps, documentation development consulting, the evaluation itself); and
  - which particular CC scheme to pursue the evaluation through.
- Design Consulting
  Usually limited to discussing the requirements to be met and whether the product under consideration is likely to PASS analysis and testing for conformance to those requirements, for two reasons: 1. the Developer is better qualified to decide how to implement requirements in their product; and 2. providing design guidance (i.e., specifying how to implement) may compromise our independence and jeopardize our ability to act as the evaluation lab for the product.
- Evidence Documentation Development
  - Security Target (may be based on a PP to be claimed for conformance)
  - Design documentation for the product, which may include:
    - Functional Specification
    - Product design specification(s) at different levels of abstraction
  - Life cycle support process documentation, which may include:
    - Life cycle model
    - Configuration Management processes
    - Product delivery processes
    - Development site security processes
    - Tools and techniques used for product development
    - Flaw remediation processes for fixing bugs and distributing updates to customers
  - Test documentation, which may include:
    - Developer's product test plans
    - Developer's test procedures and test results for the product
    - Tracing of test procedures to the security functions tested, at the different levels of abstraction presented in the Security Target and Design documentation
  - Vulnerability Analysis of the product
- Evaluation Services
  - Analysis and review of the evaluation evidence documentation
  - On-site review of the application of support processes to the development of the product, including collection of representative samples of the process application evidence
  - Independent execution of a selection of the developer's test procedures to confirm the test results provided as evidence
  - Development and execution of independent evaluator tests of the product's security functionality
  - Development and execution of vulnerability analysis and penetration testing against the product
  - Creation of the record of analysis and testing of the product for submission to the Certification Body in support of their certification of the product
- Post-Certification Support
  - Liaison with the Certification Body throughout the evaluation until the certification is posted to the applicable list(s) of certified products
  - Assistance in carrying out Assurance Maintenance (assurance continuity) to extend the product certification to new or updated versions of the product, where applicable