Security Functional and Assurance Requirements for Common Criteria Certification

‍Common Criteria Certification is pivotal in ensuring that the products we rely on remain resilient in an ever-evolving realm of cyber threats. It represents a dynamic standard that adapts to address emerging challenges, thereby compelling IT devices and systems to sustain their effectiveness against evolving threats. But what are the requirements that need to be met in order for a product to be CC certified? This article delves into the intricacies of Security Functional and Assurance Requirements for CC certification, shedding light on the essential aspects that define its significance.

The Common Criteria (CC) certification stands as a beacon of trust in the realm of IT security. It is an internationally recognized set of guidelines (ISO 15408) meticulously assessing and certifying IT devices' security features and capabilities. 

CC comprises two essential elements:  The Evaluation Assurance Level (EAL) determines the depth and comprehensiveness of product testing. Security Functional Requirements (SFRs) detail the specific security functions and capabilities expected from the product to meet the defined security objectives.

‍

Common Criteria Certification: An Overview

At its core, CC certification methodology (CEM) provides a systematic framework for evaluating various products' security capabilities and assurance, including software, hardware, and complete systems. 

Internationally Recognized Standard

As an internationally recognized standard, in a CC certification process the accredited testing laboratory assesses and the CB (certification body) certifies IT devices and systems' security features and capabilities. It serves as a symbol of trust in the realm of IT security.

Systematic Security Evaluation

At its core, CC certification provides a systematic framework for evaluating products' security capability and assurance. It examines crucial security aspects, such as access control, encryption, secure communication, and vulnerability management, ensuring compliance with stringent security requirements.

Global Trust and Recognition

CC certification holds global recognition, fostering trust in the product's country of origin and worldwide. It is an independent assessment facilitating secure information exchange across borders.

Building Trust and Compliance

Common Criteria certification builds confidence by independently verifying a product's security features and controls. It encourages the adoption of security best practices and helps both organizations and individuals make informed choices about secure IT products.

Security Functional Requirements

Regarding CC certification, Security Functional Requirements (SFRs) take center stage. These requirements are pivotal in defining a product's security functions and capabilities to fulfill specific security objectives. They ensure that the security features consistently perform, effectively countering potential threats and vulnerabilities.

Diverse Security Requirements

SFRs form the backbone of CC certification by defining specific security functions and capabilities that products must adhere to. These requirements are not one-size-fits-all; they are tailored to suit the unique security needs of various product types ranging from operating systems to network devices, smart cards, and more. 

‍

This approach ensures that each product, whether an operating system, network device, smart card, or something else, meets the necessary security standards. Let's delve into some of the critical security requirements covered by SFRs.

Access Control: Regulating User Permissions

Access control, a critical element of Common Criteria certification, involves managing user permissions effectively. This means granting access based on the principle of least privilege, employing role-based access control (RBAC), and using access control lists (ACLs) to specify who can access what resources. Granularity in access control is essential to finely tune access restrictions, reducing the risk of data breaches.

‍

Encryption: Protecting Sensitive Data

Encryption, a fundamental security requirement in CC certification, safeguards sensitive data. It relies on robust encryption algorithms like AES and RSA and requires secure key management throughout the lifecycle of cryptographic keys. Encryption applies to data in transit and at rest, ensuring that even if unauthorized access occurs, the data remains unreadable without decryption keys.

Audit Logging: Monitoring Security Events

Audit logging is a proactive security measure that records and monitors system activities. CC-certified systems must log various security events regularly, review and analyze them to identify security threats and demonstrate compliance with security policies. Effective audit logging enhances visibility into system activities, aiding in detecting and responding to security incidents.

Cryptographic Key Management: Safeguarding Encryption Keys

Cryptographic key management is integral to CC certification. It encompasses secure key generation, storage, rotation, and destruction practices. Proper key management ensures the integrity and confidentiality of encrypted data, a fundamental aspect of maintaining a secure IT environment.

Secure Communication: Protecting Data in Transit

Secure communication in Common Criteria certification focuses on safeguarding data during network transmission. It relies on robust encryption protocols like TLS and SSL, establishing secure channels, mutual authentication, and data integrity measures. Securing data in transit is crucial in an era of prevalent data breaches and interception threats.

‍

By understanding these specific aspects of Common Criteria certification more concisely, organizations can better grasp the importance of these security measures in meeting the rigorous standards required for CC certification. These practices collectively contribute to building trust in IT devices' security features and capabilities, aligning with the core objectives of CC certification.

Security Assurance Requirements

While SFRs focus on the functionality of security features, Security Assurance Requirements (SARs) dive into the dependability, consistency, and quality of these features and their development procedures.

Assurance Across the Lifecycle

SARs evaluate a product's entire lifecycle, from design and development to testing and maintenance. They demand well-defined and documented security development processes, emphasizing the need for thorough assurance.

Evaluating Assurance Levels

EALs, or Evaluation Assurance Levels, classify products based on the rigor of their security evaluation and assurance methods. These levels range from EAL1 (essential) to EAL7 (officially validated design and tested). 

‍

Unlike private tech firms, sectors such as essential services, government agencies, critical infrastructures, and prominent organizations must address the necessity of EAL4+ certification.

‍

Organizations select the appropriate EAL based on their product's intended use and the level of confidence they need in its security. 

‍

A Protection Profile (PP) outlines a standardized set of security prerequisites tailored to a particular product category, like a firewall. In 2022, according to the 2022 Common Criteria Statistics Report, a staggering 74% of certifications used Protection Profiles (with or without assigned EALs). 

The most common IT products getting CC-certified 

From integrated circuits and smart cards for authentication to versatile multi-function devices and critical network infrastructure, CC certification plays a vital role in safeguarding various components of the digital ecosystem.

ICs, Smart Cards, and Smart Card-Related Devices and Systems 

Integrated Circuits (ICs), smart cards, and related devices play a pivotal role in secure authentication and access control. With numerous certifications, CC ensures security, safeguarding sensitive data, and authentication processes.

Multi-Function Devices

Multi-function devices encompass a broad spectrum of office equipment. CC-certified multi-function devices demonstrate their functionality and robust security features, including secure printing, scanning, and document handling.

Network and Network-Related Devices and Systems

Network devices and systems are the backbone of modern IT infrastructure. Common Criteria certification for these products guarantees strong network security, encompassing encryption, access control, and effective threat detection.

‍

Challenges and Considerations

While CC certification holds immense value, it has challenges. Here are some critical considerations for organizations seeking this certification journey.

Technical Complexity

The path to CC certification is characterized by the intricacies of specialized security criteria and the complexities of their practical implementation. Expertise in cybersecurity is essential for organizations to navigate this terrain effectively and ensure their products meet these criteria with technical precision, reinforcing their digital security.

Intricate Security Criteria

CC certification involves adhering to a comprehensive set of specialized security criteria, covering many aspects, including cryptography, access control, secure logging, and network protocols. These criteria are often highly detailed and technically intricate.

Complex Implementation

Translating these criteria into practical security measures can be complicated. Organizations must ensure that their products not only meet the requirements but do so in a technically sound manner. This requires a deep understanding of security principles and practices.

Expertise Required

To tackle this complexity effectively, organizations need personnel with expertise in cybersecurity and CC certification. These experts are crucial in designing, implementing, and documenting security measures.

Resource Requirements

Embarking on the CC certification journey requires expertise and significant resource allocation. Organizations must navigate these challenges, from trained personnel to financial investments and time commitments to fortify their cybersecurity measures.

Trained Personnel

Successfully pursuing Common Criteria certification necessitates access to trained personnel who understand the intricacies of the certification process. These individuals are essential for guiding the certification efforts, ensuring compliance, and addressing potential challenges.

Time Investment

CC certification is a process that unfolds over time. It demands a significant investment of time, from initial planning and documentation preparation to evaluation and feedback incorporation. This extended timeline can strain an organization's resources.

Financial Inputs

Achieving CC certification involves financial costs, including personnel salaries, evaluation fees, and potentially acquiring specialized hardware or software tools. These financial inputs are necessary to support the certification process.

Small and Limited Funds

Smaller organizations or those with limited financial resources may need help adequately allocating these resources. The cost and resource demands of CC certification can pose barriers to entry for such organizations.

Navigating the Process

Achieving CC certification is a multifaceted process that involves documenting compliance, engaging with evaluation labs, mastering complex standards, and embracing continuous improvement to ensure long-lasting security.

Phases and Documentation

The CC certification process consists of multiple phases, each requiring meticulous documentation to demonstrate compliance with CC requirements. This documentation is essential for evaluation and certification.

Interactions with Evaluation Laboratories

Organizations must engage with testing laboratories that assess their products. This interaction involves submitting documentation, responding to queries, and addressing evaluator feedback. Effective communication is crucial during this process.

Understanding Standards

Understanding and interpreting Common Criteria standards can be complex. Organizations must have a comprehensive grasp of these standards to implement them correctly. Misinterpretation or misunderstanding can lead to non-compliance. An experienced CC consultant can be a huge asset in avoiding these kinds of misunderstandings.

Continuous Improvement

CC certification is not a one-time effort; it requires an ongoing commitment to maintaining security standards. Organizations must continuously adapt to evolving threats and standards, necessitating ongoing efforts to ensure their products remain secure and compliant.

‍

How can CCLab help?

Hiring a Common Criteria specialist can greatly streamline the entire evaluation process. As an accredited agile cybersecurity lab, CCLab offers CC consultation (support for ISO 15408) and Common Criteria evaluation services. 

Common Criteria Consultancy

CC consultancy supports template creation, document writing, security target creation, and pre-vulnerability assessment, parallel to ongoing guidance from certified experts.

CClab’s consultants hold certifications from the OCSI (Italian scheme) and BSI (German scheme) as a Common Criteria testing laboratory, demonstrating their expertise in adhering to CC guidelines and best practices. 

Their extensive experience encompasses essential aspects of evaluations, including creating high-quality documentation, enhancing development site security, and optimizing product preparation and development for maximum protection, efficiency, and speed. Their proficiency in these areas ensures a comprehensive and effective approach to Common Criteria evaluations.

With a comprehensive training course, like CCGuide, clients could get access to a great tool during the preparation phase of an upcoming CC evaluation project.

Common Criteria Evaluation

In addition to selecting a capable and accredited Testing Laboratory, it is vital to ensure that essential steps are finalized before commencing the Common Criteria evaluation project.

During the evaluation, a kickoff meeting begins, addressing various aspects such as participant identification, content clarification, material handling, and document management. 

Evaluators' access to essential materials, including developer documents and the Target of Evaluation (TOE), is crucial for practical evaluation activities. Two key reports are integral to the evaluation: Activity Reports (AR) detailing pass, fail, or inconclusive results and Observation Reports covering inconclusive and failed work units with explanatory verdicts. 

Upon the conclusion of the evaluation, the Laboratory proceeds to generate the Evaluation Technical Report (ETR), encompassing all assessments and judgments made by the Evaluators throughout the evaluation endeavor.

To ensure the ETR's completion, all Activity Reports (ARs) must be fully resolved, with every work unit receiving a "Pass" verdict. Subsequently, the ETR is exclusively forwarded to the Certification Body for meticulous examination, serving as the cornerstone for the Certification Report of the Target of Evaluation (TOE).

Conclusion

CC certification process is based on a globally recognized standard that systematically evaluates and certifies IT product security. It enhances trust, promotes compliance with rigorous security standards, and contributes to a more secure digital landscape. However, achieving Common Criteria certification can be a complex and resource-intensive endeavor.

Hiring a Common Criteria specialist can significantly enhance the security posture of manufacturers, fostering a safer digital environment. 

CCLab, an agile cybersecurity lab, provides comprehensive support by offering CC consultation (support for ISO 15408) and Common Criteria evaluation services to its clients. The company empowers manufacturers to navigate the complexities of cybersecurity evaluations efficiently, ultimately creating a more secure digital landscape.

‍