What is Common Criteria?
Formalized as ISO/IEC 15408, the Common Criteria (CC) defines a hierarchical framework of security concepts and terminology. The CC also defines the Protection Profile (PP) construct, which is a product-category-specific but product-agnostic requirements template. This allows prospective consumers, developers and regulatory groups to create standardized sets of security threats, objectives, requirements and assurance measures. The Target of Evaluation (TOE) is that part of the product or system which is subject to evaluation. The Security Target (ST) contains the product-specific instantiation of the standardized content from the PP, along with a summary specification of how the TOE satisfies the Security Functional Requirements, and is used by the evaluators as the basis for evaluation. The Common Criteria Recognition Agreement (CCRA) forms an international cooperative agreement whereby participating government organizations ensure that Certification Bodies issuing CC Certificates meet high and consistent standards as well as the conditions for mutual recognition.
Why should I evaluate my product?
In the US, the Committee on National Security Systems (CNSS) releases policies binding upon all U.S. Government departments and agencies. Policy 11 requires all Information Assurance (IA) and IA-enabled IT products to be selected from the NIAP Product Compliant List (PCL). IA and IA-enabled products are those that have any mechanism providing for the availability of systems, ensuring the integrity and confidentiality of information, or ensuring the authentication and non-repudiation of parties in electronic transactions. This requirement is also stated in the NIAP FAQ. It is worth noting that this is not always understood or fully enforced by contractors, integrators, procurement, etc.; for example, the need to be on the NIAP PCL versus just having a Common Criteria certificate from any CC country/scheme.
How does U.S. NIAP differ from other CC schemes?
The National Information Assurance Partnership (NIAP) operates the Common Criteria Evaluation and Validation Scheme (CCEVS) and approves Common Criteria Testing Laboratories (CCTLs). By design, all Common Criteria evaluations, regardless of country/scheme, may, but are not required to, reference conformance to a Protection Profile. Due to the template aspect, Protection Profile based evaluations generally provide more consistent and comparable evaluations. As a result, by policy since 2014, NIAP has only included on the PCL products whose evaluations are in “exact” conformance to a NIAP approved Protection Profile (PP). So, for example, you can search the PCL and see that it is possible to evaluate a product through another CCRA scheme (Spain, for example) but still have it done against a “NIAP approved” PP.
“EAL” refers to an Evaluated Assurance Level of the TOE and corresponds to the assurance activities that are performed by the CCTL; it reflects the level of assurance that a TOE meets the functional requirements listed in the ST. CC part III lists the specific assurance activities that correspond to EAL levels 1-8. For PP evaluations, assurance activities are explicitly indicated in the PP. As a result, they may or may not exactly correspond to those designated by an EAL level. The assurance activities for NIAP approved PPs generally correspond to EAL1 to EAL2.
Which Protection Profile?
NIAP published a guideline for when no appropriate PP exists, which states that “if there is no PP in development or planned, NIAP will work with the end user and/or vendor to determine whether a Common Criteria evaluation is necessary and will provide alternatives for the product security use case requirements.” It is also worth noting that the CC Technical Communities and the CC Users Forum welcome vendors to get involved and provide input and feedback into the PPs.
It is possible to extend a PP through optional secondary PPs referred to as extended packages or PP modules. The amount of work, and therefore the cost, of an evaluation depends on the Protection Profile and/or extensions. Each one has an introduction that helps explain what security functionality is covered as well as the features of a compliant Target of Evaluation (TOE). NIAP Publication #5 is a guide to sponsors and provides very useful information on the process and the roles of the various parties involved in the evaluation.
What is the process for evaluation?
UL validation includes assistance with Security Target authoring to ensure your evaluation gets started right. UL also has a strong entropy assessment team and can provide full entropy analysis. UL is a FIPS 140 certified test lab and can provide NIST CAVP algorithm certification required by NIAP.
UL begins an evaluation with an extensive workshop to review the PP requirements and the Target of Evaluation (TOE) design which helps highlight compliance concerns and kick-start the ST documentation authoring. The evaluation process requires 100% compliance with the requirements of the Protection Profile and as a result ends up being an iterative process.
After all documentation has been evaluated and is largely conformant, UL will take delivery of the product and perform functional testing. This testing is typically done at UL facilities and may leverage some vendor-specific testing tools, depending on the testing required. This is a collaborative process, where UL may reach out to the vendor to address functional issues, typically related to configuration of the product. Once all tests are passing, the testing is complete and the project can move to the last phase.
The final phase requires all findings of the project to be submitted to NIAP in a specific form known as the Evaluation Technical Report. This will include a brief summary of activities of the evaluation known as the Assurance Activity Report. UL responds to the Evaluation Coordination Review with NIAP. Upon formal validation, the ST, AAR, and the Validation report will become public record and posted on the NIAP website with the Validation certificate.
Founded in 1894, UL has been a leader in product testing and certification for over 100 years. As such, UL has the ability not only to conduct Common Criteria certification under multiple schemes, but to evaluate products to multiple cyber-security, safety and performance standards in parallel with Common Criteria certification.