The Digitalist Team
March 28, 2024

Common Criteria Certification: How to Prepare and Apply

9 min reading time

In today's digital landscape, where cybersecurity threats loom large, and trust is paramount, Common Criteria certification emerges as a beacon of assurance. This globally recognized standard sets the bar for IT product security, instilling confidence in customers, stakeholders, and regulatory bodies. Beyond mere validation, it serves as a shield against potential risks, fortifying organizations' defenses and fostering a culture of safety in the digital realm.


The Certification Process

Navigating the Common Criteria certification journey requires a structured approach, beginning with a thorough understanding of the certification process. Each phase, from initial assessment to final certification, is critical in ensuring the product's security robustness. Let's delve into the intricacies of the certification process, starting with the pivotal pre-evaluation phase.

Pre-evaluation

A meticulous pre-evaluation phase is imperative to lay the foundation for success before diving into the rigorous evaluation process. This initial stage thoroughly scrutinizes the product, delving deep into its intricacies, functionalities, and security measures. Understanding the product's intended usage, operational environment, and potential threat landscape is essential for tailoring the evaluation process effectively to address specific security concerns.

  1. Formulating a Robust Security Target

A robust security target is central to the pre-evaluation phase. This document is a comprehensive blueprint articulating the product's security objectives, identified threats, and the security functions employed to mitigate them. It provides a clear roadmap for the evaluation process, guiding evaluators to assess the product's security posture effectively.

  2. Significance of Evaluation Assurance Level (EAL)

Choosing the right EAL is important in this phase. The EAL acts as a standardized measure of the depth of assurance applied to the product, with each level from EAL1 to EAL7 representing a progressively higher degree of scrutiny and validation. Selecting the EAL that matches the product's intended use and threat environment is crucial for ensuring its readiness to confront emerging cyber threats effectively.

  3. Selecting an Appropriate Protection Profile

Moreover, selecting an appropriate Protection Profile is instrumental in streamlining the evaluation process. Protection Profiles provide a standardized framework tailored to specific product categories, offering predefined security requirements that align with industry best practices.

Aligning the product with the relevant Protection Profile expedites the Common Criteria certification path, facilitating a smoother and more efficient evaluation process.

Organizations can lay a solid groundwork for the Common Criteria certification process by meticulously navigating through the pre-evaluation phase. This preparatory stage ensures that the product is adequately equipped to undergo rigorous evaluation, ultimately enhancing its security posture and bolstering stakeholder confidence in its capabilities. For more information, check out the Protection Profile library.


Evaluation

The evaluation phase is the cornerstone of the Common Criteria certification journey. It represents a pivotal stage where the product's security features are scrutinized. Orchestrated by accredited testing laboratories operating within the framework of national certification schemes, this phase is characterized by meticulous examination and comprehensive testing.

  1. Meticulous Scrutiny by Accredited Testing Laboratories

Accredited testing laboratories play a central role in the evaluation phase, meticulously scrutinizing the product—the Target of Evaluation (TOE). These laboratories operate under the umbrella of national certification schemes, adhering to standardized evaluation procedures to ensure consistency and reliability.

  2. Comprehensive Battery of Tests

During the evaluation phase, a diverse array of assessments is conducted to comprehensively gauge the product's security posture. These assessments cover the user guidance, development procedures, and product lifecycle management, as well as functional testing and vulnerability analysis. Each assessment is meticulously designed to examine the product's security features, providing a holistic evaluation of its capabilities.

  3. Adherence to Stringent Protocols

Adherence to stringent vulnerability management and disclosure protocols is paramount throughout the evaluation process. This adherence is essential to ensure the product meets the highest security and resilience standards against evolving cyber threats. Organizations are committed to fortifying their products and enhancing cybersecurity by aligning with prevailing standards and best practices.

  4. Commitment to Fortifying Against Evolving Threats

The rigorous evaluation process underscores a commitment to fortifying the product against evolving cyber threats. By subjecting the product to a battery of tests and adhering to stringent protocols, organizations demonstrate their dedication to bolstering security measures and safeguarding against potential vulnerabilities.

The evaluation phase is the crucible in which products undergo rigorous testing and scrutiny to earn the coveted Common Criteria certification. Through meticulous examination and adherence to stringent protocols, organizations can enhance their products' security posture and instill confidence in stakeholders regarding their capabilities to withstand cybersecurity threats.

Certification

Upon completing the evaluation phase, the journey toward obtaining Common Criteria Certification enters its final stage. This pivotal step involves submission and registration with the chosen certification body, typically a national certification scheme. Here, the evaluation results undergo thorough scrutiny, encompassing a meticulous review of various facets of the evaluation process.

  1. Submission and Registration

The submission and registration process marks the formal initiation of the certification procedure. Organizations must submit comprehensive documentation detailing the evaluation outcomes, including test results, laboratory methodologies, vulnerability analyses, and overall evaluation findings. This documentation is a testament to the product's adherence to stringent security standards and regulatory requirements.

  2. Thorough Scrutiny of Evaluation Results

The evaluation results undergo meticulous scrutiny by the certification body, which reviews the laboratory's testing methodologies, vulnerability analyses, and overall evaluation process. This scrutiny aims to ensure the integrity and reliability of the evaluation process and validate the accuracy and validity of the assessment conducted by the accredited testing laboratory.

  3. Conferment of Common Criteria Certificate

The certification body proceeds to confer the coveted Common Criteria certificate if the product meets all stipulated requirements and exhibits comprehensive compliance across all evaluation classes. This certificate is a universal badge of honor, attesting to the product's adherence to stringent security standards and regulatory mandates. It symbolizes a significant milestone in the product's journey towards achieving recognition and trust in the global marketplace.

  4. Universal Recognition and Trust

The Common Criteria certificate holds immense significance, both domestically and internationally, as it signifies the product's credibility and reliability in cybersecurity. Its universal recognition instills trust and confidence in stakeholders worldwide, including customers, regulatory bodies, and industry partners. By obtaining Common Criteria certification, organizations demonstrate their unwavering commitment to upholding the highest standards of security and integrity.

  5. Fostering Trust and Confidence

Ultimately, the attainment of Common Criteria certification serves as a testament to the product's robust security features and resilience against emerging cyber threats. It fosters trust and confidence among stakeholders, reaffirming their belief in the product's ability to safeguard sensitive information and mitigate cybersecurity risks effectively. As a result, organizations can leverage Common Criteria certification to differentiate themselves in the marketplace and gain a competitive edge in an increasingly security-conscious environment.


How to Prepare for Common Criteria Certification

Protection Profiles (PPs)

Protection Profiles (PPs) serve as the blueprint for security requirements tailored to specific product categories, such as firewalls, operating systems, network devices, and smart cards. Aligning a product's security objectives with the relevant Protection Profile sets the stage for a smooth evaluation process.

Protection Profiles are instrumental in guiding the development and evaluation of product security measures. They provide a standardized framework ensuring consistency and clarity in security requirements, facilitating the certification process. Understanding and adhering to these profiles is essential to achieving Common Criteria certification.

Assembling Documentation for Common Criteria Certification

  1. Security Target (ST)

At the core of the preparation process lies the Security Target, the basic document evaluated under the ASE (Security Target evaluation) assurance class. This comprehensive document serves as a roadmap for the product's security aspects. It outlines the product's intricacies, intended usage, security objectives, and necessary security measures. Crafting a robust Security Target is essential for demonstrating how the product aligns with the relevant Protection Profile.

  2. Design Documents

Complementing the Security Target are design documents that offer detailed insights into the product's architecture, design rationale, and security implementation strategies. During the ADV (development) class evaluation, these documents give evaluators a deep understanding of the product's inner workings, enabling them to assess its security posture effectively.

  3. User Guides

User Guides are pivotal in facilitating secure installation, configuration, and usage of the product. By providing clear and concise instructions, these guides empower end-users to leverage the product's security features effectively. Including comprehensive guidance on security best practices enhances the overall security posture of the product and supports the AGD (guidance documents) class evaluation within the Common Criteria certification process.

  4. Lifecycle Documentation

Lifecycle documentation refers to the set of documents produced during the different phases of a project, product, or service lifecycle. These documents outline the processes, tasks, or events that occur throughout these stages and generally serve to record, guide, and monitor the progress and quality of the project, product, or service. They are evaluated under the ALC (life-cycle support) class.

  5. Integrating Documentation with the Common Criteria Certification Process

The meticulous assembly of requisite documentation forms the backbone of the Common Criteria certification process. Each document demonstrates the product's adherence to security standards and requirements outlined in the Protection Profile. By meticulously crafting and aligning these documents, organizations can streamline the evaluation process and increase the likelihood of achieving Common Criteria certification.


Choosing a Licensed Evaluation Laboratory

Selecting a licensed evaluation laboratory is critical in the Common Criteria certification journey. Independent cybersecurity laboratories or a so-called ITSEF (Information Technology Security Evaluation Facility), like CClab, can provide more information about Common Criteria and the necessary support.

  1. Accreditation and Expertise

Evaluation laboratories accredited by national certification bodies demonstrate compliance with rigorous standards and protocols. Their accreditation attests to their competence and reliability in conducting evaluations according to established criteria. Moreover, these laboratories boast a wealth of experience, expertise, and industry acumen, invaluable assets in navigating the certification process.

  2. Track Record and Specialization

A crucial consideration is the evaluation laboratory's track record in assessing similar products. Laboratories with a proven history of successful evaluations in the relevant product domain inspire confidence and mitigate risks associated with the certification process.

Additionally, specialization in specific product categories or industries enhances the laboratory's understanding of unique security requirements and challenges, ensuring a more tailored and effective evaluation approach.

  3. Familiarity with Protection Profiles and Evaluation Assurance Levels (EALs)

An essential criterion for selecting an evaluation laboratory is its familiarity with the relevant Protection Profiles and Evaluation Assurance Levels (EALs).

Proficiency in interpreting and applying these standards is essential for aligning the evaluation process with certification requirements. A thorough understanding of the nuances of different Protection Profiles and EALs enables the laboratory to provide informed guidance and recommendations throughout the certification journey.

  4. Industry Standing and Reputation

The evaluation laboratory's standing within the industry ecosystem is another crucial factor. Laboratories with a reputation for integrity, professionalism, and reliability are preferred partners in the certification process. Positive endorsements from peers, clients, and regulatory bodies indicate the laboratory's credibility and trustworthiness.

  5. Cultivating Collaboration and Agile Methodologies

Establishing a positive working relationship with the evaluation laboratory is essential for fostering seamless collaboration throughout the evaluation process.

Embracing agile methodologies promotes flexibility, responsiveness, and iterative progress, facilitating timely resolution of issues and challenges encountered during the certification journey. Effective communication, mutual respect, and a shared commitment to excellence are fundamental principles that underpin successful collaboration between organizations and evaluation laboratories.

Summary

Common Criteria certification is the gold standard in IT security, underpinning trust, confidence, and security assurance.

Independent cybersecurity labs, like CClab, provide evaluation and consultation services to organizations pursuing Common Criteria evaluation certifications. Through agile methodologies during the consultation and pre-evaluation phases, clients can effectively manage potential challenges, prevent unforeseen expenses, and streamline the certification process.

You can find more information about the process on Common Criteria’s official website.
