IT security and Common Criteria certification


Some stats and information were added to this previously posted article.

The need for tested and certified security

Global organisations, governments and industry are all highlighting cybersecurity, and without doubt security for software and hardware must continue to develop in line with advances in services and technologies such as cloud computing, mobility, video conferencing, unified communications and so on. Not a day goes by without news of a high-profile case of companies and organisations being attacked and services disrupted, data stolen or destroyed.

On the way to achieving cybersecurity, the Common Criteria scheme has contributed, and continues to contribute, substantially to making products secure. To date over 4932 products across 15 product categories (including firewalls, biometric ID systems, integrated circuits, PKI solutions, network systems, operating systems, etc.) have been assessed and certified under this global scheme, whose core consists of 26 certificate-authorizing nations. It is a global standard, known as ISO/IEC 15408, supervised by the ISO/IEC JTC 1/SC 27 committee.

Certification of products or systems against standards serves to assess the trustworthiness of a product or system. It has to be understood that a certification cannot tell how secure a product or system actually is in practice (that depends on its usage and its integration into other systems); it only tells how well the product fulfils a defined set of requirements.

Status and distribution of the scheme

Here are the latest stats, taken from the https://www.commoncriteriaportal.org/products/stats/ website. It is interesting to note that the past years saw an uptake in CC certifications, and that this is most relevant in the EU, as seen by the sheer number of certifications issued there.


And take note: the EU is working on an EU Common Criteria scheme (EUCC, check with ENISA), and this will certainly tie in with other regulations such as the EU CSA and the EU GDPR.

In this context a quick note on FIPS 140 (140-2, new version 140-3): this is essentially a framework that addresses only the security requirements for cryptographic algorithms and cryptographic modules (the CAVP and CMVP validation programmes). The limitation is that in operation, or when integrated with other components, a validated module may still give rise to security issues, whereas a Common Criteria certified product takes its operational environment and integration into account.

Why bother? Reasons and benefits of CC certification

So, back to Common Criteria and certification. It is a fact that a Common Criteria certification is a lengthy and partly costly process – so: why bother?

Here are six reasons why a Common Criteria certification is valuable:

  1. A thorough technical evaluation by an independent party
  2. Evaluation against published or generally accepted security criteria
  3. Only accredited labs (the list is available on the Common Criteria portal) perform the evaluation
  4. The result of the certification is documented
  5. Often a certification of the R&D and production (site certification) is part of the process
  6. A certification is recognized within the CCRA participating nations (if you check these, you will find that they belong to the G7/G20 or the OECD group; in other words, all major industrial and economically relevant nations).

TüViT has been at the forefront of this development, contributing to the development of national Common Criteria schemes and creating protection profiles and security targets, and is today recognized as a global leader in testing and evaluation services, holding accreditations in Germany, the Netherlands, Japan, Singapore and Qatar.

For more, see these sources: https://www.tuvit.de/de/leistungen/hardware-software-evaluierung/common-criteria/ , https://www.commoncriteriaportal.org/ , https://www.iso.org/standard/50341.html , https://www.enisa.europa.eu/publications/cybersecurity-certification-eucc-candidate-scheme


More articles by Eric A. Behrendt
