6
min reading time
The annual International Conference on Common Criteria (ICCC) stands as a high-level technical conference. Celebrating its 21st year, this event provides a platform for professional networking and discussion forums on CC policy and implementation for those involved in the specification, development, assessment, certification, and validation of IT security for products and systems.
This important event brings together Certification Bodies, laboratories, experts, policymakers, and product developers who have an interest in the specification, development, evaluation, and certification of IT security.
The recent event was held in Washington, DC., where Mr. Ferenc Molnár, our CEO, and Dr. Katalin Szűcs, our COO and Head of Legal, represented CCLab from October 31st to November 2nd, 2023.
The following insights were gathered during an interview with them after the conference.
It is always a pleasure to participate in such conferences, as we can meet industry experts from all around the world. We also excitedly prepared for this year's ICCC conference, since many changes affecting the cybersecurity industry took place in the past year, so we were curious to hear more about these changes.
One of the most interesting topics at the ICCC conference was the EUCC, the European Union's new cybersecurity scheme for certifying ICT products. Under the new EUCC plan, each member state will have its National Cybersecurity Certification Authority (NCCA) overseeing Conformity Assessment Bodies (CABs). These CABs will conduct certifications and issue assessments to laboratories. Additionally, the EUCC makes ALC_FLR (Flaw remediation) mandatory. Without it, no certificate can be issued under the EUCC in the future. This initiative has gained support from other schemes, such as NIAP (the US CC scheme), and the methodology within CCRA has been developed to complement existing Protection Profiles (PPs) and collaborative Protection Profiles (cPPs).
CCLab is tasked with adapting to this new set-up and successfully integrating it into its organizational structure. This was already part of our plans and preparations have begun during 2023 internally. Negotiations are ongoing with a partner to transform CCLab into a certificate-issuing entity. Initiatives have been launched to help CCLab become a Conformity Assessment Body (CAB).
Yes, another interesting topic discussed at the conference was related to the Common Criteria 2022 transition. An ISO standard has been developed to support the Common Criteria 2022 transition ( ISO/IEC TR 22216:2022). Previously, a major achievement was the free availability of ISO/IEC 15408:2022 and ISO/IEC 18045:2022. The latest information is that ISO has started to make ISO TR 22216:2022 available free of charge.
The Transition Policy to CC:2022 and CEM:2022 summarizes the related information well. Basic rules include that CC v3.1 R5 is the last version of 3.1 and can be used no later than June 30, 2024, and that new Security Targets that conform to CC:2022 and PPs qualified according to CC v3.1 are acceptable until December 31, 2027. This document provides further details on the compatibility of different ratings and PPs, various exceptions and exceptional cases, and other rules applicable during the transition period.
Our US consultancy partner, Corsec Security, Inc., also participated in the conference. We maintain a long-standing partnership with them, having successfully executed numerous joint projects. It's always a pleasure to meet them, not only due to their significance as a partner but also because we hold a genuine appreciation for the professionals within their organization. Over the years, a robust level of trust has evolved between the CCLab team and Corsec. Corsec was represented at the event by Iain Holness (CC Senior Program Manager) and Ryan Butler (CC Consultant).
We engaged in a conversation with Corsec’s President, John Morris, and their Head of Delivery, Kathleen Moyer about specific deals as well as strategic developments with Corsec, alongside our ongoing projects. Corsec proves to be an invaluable partner for us in various aspects. The clients they prepare for the evaluation process experience a smoother, and more efficient evaluation, requiring less time and iteration. We have now come to the point where it is our agile and professional approach that convinces customers to choose us, rather than price. They see that our focus is to understand them, to take them through the assessment as effectively as possible, and if we disagree somewhere, we tell them in a prepared, clear way that makes it easier for them to work with.
We also had the opportunity to meet several officials from the Italian Certification Body, OCSI. Our already-existing strong professional relationship with them was strengthened during our meetings. We also grabbed the opportunity to discuss some operational issues about the ongoing evaluation projects.
Besides our strategic partner, Corsec we also had the chance to personally meet with Ken Lasosky, from Versa Networks, with whom we have just finalized our first project.
We have successfully concluded 8 (certified) +3 (finished, not yet published) CC evaluation projects during 2023, although some of these certificates were only issued after the ICCC conference was over. We are proud to work with the following clients to get their products certified:
During the conference, there was a surprisingly high level of interest in Common Criteria (CC) in the cloud. Repeated mentions of a Gartner study highlighted a government site migration to the cloud, growing at over 20% annually. This topic was inescapable, with some labs reporting ongoing evaluations of products operating in the cloud. Many envision the future of CC heading in this direction. The EU is in the process of developing a cloud certification scheme (EUCS), similar to the EUCC. This scheme is primarily intended to guarantee the compliance of the cloud infrastructure itself and could serve as the basis for a CC evaluation in the cloud.
The topic of ChatGPT and EU5G also garnered considerable interest.
EU5G, particularly relevant to EU participants, is the third scheme ENISA is working on, alongside EUCC and EUCS. It encompasses 5G technology, and under its umbrella, plans include the incorporation of eIDAS and the new eIDAS wallet.
Two presentations from Polish state labs focused on Industrial Control Systems (ICS) discussing the assessment of compliance with IEC 62443-4-1 requirements using CC and the recently published European standard FIT-CEM (EN 17640:2022, Fixed-time cybersecurity evaluation methodology for ICT products). Although the pilot project was successful, they will be working on the validation of whether this methodology is appropriate for compliance in a wider circle.
Furthermore, there was also more interesting information on the IoT.
A colleague from NXP presented SESIP (Security Evaluation Standard for IoT Platforms) and how it is used in different areas to evaluate compliance. The fundamental concept involves "mapping" requirements (RED directive, ETSI 303 645, 62443-4-1/2, UK PSTI, ISO 21434, etc.) to SESIP, enabling the generation of 4-5 certifications from a single SESIP evaluation. SESIP is already undergoing standardization as EN 17927.
Learn everything you need to know for a successful Common Criteria certification project. Save costs and effort with your checklist.
This downloadable infographics introduces the Common Criteria Evaluation process to you. Explore now for free.
Get your FREE A-Z supporting material for smart meter security standards. Learn more about the Swiss METAS data security evaluation projects of smart metering devices.
As cyber threats become more sophisticated, businesses are compelled to implement rigorous protection strategies to stay compliant and secureCertification labs, like CCLab, play a crucial role in supporting businesses with expert testing, assessment and comprehensive compliance services, and specialized training. These labs offer services ranging from security audits to penetration testing, ensuring businesses remain resilient against evolving cyber threats while meeting regulatory standards. This article explores the indispensable role of certification labs, highlighting how they enhance cybersecurity, ensure compliance, and support a safer digital landscape.
9
min reading time
This year, CCLab sponsored the opening reception of the International Common Criteria Conference (ICCC) in Qatar. Like in previous years, CCLab experts were present during the event meeting the most important stakeholders of Common Criteria. The ICCC is a highly prestigious professional event now in its 23rd year. It provides opportunities for networking and various forums to discuss CC policy and development. It is aimed at participants involved in the specification, development, evaluation, certification, and validation of IT security products and systems.
5
min reading time
In an era where digital threats grow in complexity and frequency, cybersecurity is no longer a secondary consideration but an essential part of manufacturing operations. Compliance with security standards offers manufacturers a structured approach to managing the growing risks of digital threats and securely handling sensitive data. Compliance also helps companies meet industry regulations, protect intellectual property, and avoid potentially devastating financial losses.
8
min reading time