What are the main steps of Common Criteria evaluation?

Our new article will provide you with valuable information if you are considering getting your IT security product or technology CC-certified or if you are interested in knowing more about the Common Criteria evaluation process.

We will discuss:

• What is Common Criteria evaluation?
• The main steps of the process
• What is the benefit of agility in evaluation?
• What happens once the evaluation is over?

Besides, we will explain how we can support you at CCLab with your Common Criteria evaluation project from the beginning to the end. 

‍

‍

What is Common Criteria Evaluation?

Common Criteria for Information Technology Security Evaluation or shortly, Common Criteria (CC), is an international collection of specifications and criteria for evaluating IT security products and systems. CC was created to ensure that products and systems fulfill the pre-defined security requirements accepted by all CCRA member countries. CC certification is given to security products that have successfully passed the testing and Common Criteria evaluation performed by an accredited Testing Laboratory.

Useful information about the Common Criteria evaluation process

First of all, it’s essential to understand that a total of 411 Common Criteria certification was issued last year (in 2021), which means that it is a niche solution for special IT security needs. 

In addition, it is necessary to clarify common misunderstandings about who or what will be certified: an IT product or a special technology can get certified, not the business. These can be, for instance, firewalls, file encryption or secure signature solutions, mobile and network devices, application SW, etc. 

Besides, it’s important to know that in a Common Criteria evaluation project, the Sponsor and Developer may be different. The product or technology - so-called TOE (Target of Evaluation) - that the Lab evaluates will be owned by the Sponsor who will need this certificate to support sales, while the Developer might be outsourced by the Sponsor. Although in most cases during Common Criteria evaluation projects of large international companies, usually the Sponsor and Developer are the same. 

‍

‍

The main steps of Common Criteria evaluation

Common Criteria evaluation is a complex process from which we have gathered the main steps. Most of the procedures and concepts we list below are taken from OCSI (the Italian scheme). Therefore, these steps may differ in other schemes, although the core method shall be applied very similarly to each Common Criteria scheme.

Before starting the Common Criteria evaluation

Hiring a Common Criteria expert can significantly ease the entire evaluation process. At CCLab we provide both CC consultation (ISO 15408 support) and Common Criteria evaluation. Besides choosing a competent and accredited Testing Laboratory, you need to make sure that the below steps are completed before starting the Common Criteria evaluation project:

Choose the National Scheme

Common Criteria Certificate Authorizing Schemes were founded by 17 different nations. Thus these countries developed their own national programs, norms, legislation, and Certification Bodies (i.e. Evaluation Authority). The CC Certification is issued by the Certification Body based on the Testing Laboratory's evaluation. Multiple Certification Bodies can accredit a Testing Laboratory to do Common Criteria evaluations. CCLab, for example, has been accredited by both OCSI (Organismo di Certificazione della Sicurezza), the Italian Scheme's Certification Body, and by BSI (Bundesamt für Sicherheit in der Informationstechnik), the German CB.

Choose the Target of Evaluation

The Target of Evaluation (TOE) and the so-called TOE boundary must be decided before starting the Common Criteria evaluation project. The TOE is the subject of the evaluation and can be

• a part of an IT product,
• an IT product,
• a set of an IT product,
• a special technology that may never be made into a product
• or a combination of these. 

Pick an EAL Level

Selecting the appropriate Evaluation Assurance Level (EAL) is a pivotal decision that precedes applying to the certification body. This choice defines the specific security requirements against which the Target of Evaluation (TOE) will be evaluated. The seven available levels are as follows:

EAL1: Functionally Tested

At this level, the focus is on functional testing to ensure basic security functionality. It provides a foundational assessment without delving extensively into design or documentation.

EAL2: Structurally Tested

This level involves structural testing and examining the security architecture and design. While it goes beyond functional testing, it remains relatively basic regarding the depth of Common Criteria evaluation.

EAL3: Methodically Tested and Checked

EAL3 introduces a more methodical approach, combining testing and thorough documentation checks. The evaluation extends to the security mechanisms' robustness and effectiveness.

EAL4: Methodically Designed, Tested, and Reviewed

At EAL4, the evaluation becomes more comprehensive, encompassing methodical design considerations, rigorous testing, and expert reviews. This level emphasizes a holistic approach to security assurance.

EAL5: Semi-Formally Designed and Tested

EAL5 introduces a semi-formal design process, enhancing the depth of security measures. Rigorous testing and a more formalized design contribute to a higher level of confidence in the security of the TOE.

EAL6: Semi-Formally Verified Design and Tested

Building upon EAL5, EAL6 incorporates semi-formal verification of the design. This adds an additional layer of assurance, ensuring that the security mechanisms are designed and verified for correctness.

EAL7: Formally Verified Design and Tested

EAL7 represents the highest level of assurance, involving formal verification of both the design and testing. Formal methods are employed to mathematically prove the correctness of the security mechanisms, providing the utmost confidence in the TOE's security.

‍

‍

Choose the Protection Profile (Optional)

When embarking on the Common Criteria evaluation journey, it's crucial to recognize the pivotal role of both Evaluation Assurance Levels (EALs) and Protection Profiles (PPs). While the selection of an EAL is mandatory, the consideration of a Protection Profile is optional, yet it holds the potential to significantly augment the Common Criteria evaluation process.

A Protection Profile stands as a comprehensive roadmap, delineating the intricate security criteria tailored to a specific category of security devices. Typically crafted by a user or user community, a well-articulated PP serves as a guiding document, ensuring that the Target of Evaluation (TOE) aligns precisely with the nuanced security requirements pertinent to its intended application. 

This optional yet strategic inclusion of a Protection Profile enhances the Common Criteria evaluation by providing a contextual framework for assessing the TOE.

Opting for a suitable Protection Profile introduces a level of specificity and relevance that extends beyond the standardized evaluation process. It becomes a tool for tailoring the evaluation to the unique demands of the TOE's intended use. 

The careful consideration of a Protection Profile fosters a more targeted assessment, aligning the security measures with the specific needs and expectations of the user community. The Common Criteria evaluation process gains depth and precision when complemented by the optional inclusion of a well-defined Protection Profile. This not only signifies a commitment to thorough the evaluation process but also ensures that the TOE is intricately aligned with the distinct security landscape outlined in the common criteria framework.

Prepare the Security Target

A Security Target (ST) is an implementation-dependent statement of security needs for a specific identified TOE. It includes the TOE’s version and configuration and the range of security capabilities being evaluated. From the Common Criteria evaluation point of view, preparing an ST should be a priority. The ST can be prepared by the Developer or an accredited Common Criteria consultant. The Security Target might claim compliance with one or more PPs.

Prepare the Evaluation Work Plan

The Evaluation Work Plan must be prepared by the CC Test Laboratory and approved by the Certification Body (CB). Changes in the EWP may occur during the evaluation. It can happen for instance, if the TOE gets modified due to a new product version or if there are delays on the Developer’s side in supplying the pieces of evidence and deliverables required by the evaluator. No changes to EWP can be made without getting approved by the CB.

The evaluation begins when the Certification Body authorizes the EWP and formally admits the evaluation into the scheme after analyzing the materials presented. Maintaining smooth communication with the Testing Laboratory is the fundament of a successful Common Criteria evaluation.

During the Common Criteria evaluation

The Common Criteria evaluation starts with a kickoff meeting organized by the Certification Body where the following topics are discussed:

• Identification of each party that participates in the evaluation procedure
• Clarification of ST and EWP content
• Handling of evaluation materials
• Evaluation restrictions
• Confident document management

‍

Evaluators’ access to the necessary evaluation materials (i.e. developer documents and TOE, etc.) is essential to successfully and effectively carry out the Evaluation Activities. 

There are two important reports that are part of the Common Criteria evaluation: Activity Reports (AR) and the Observation Report.

Activity Reports

The Activity Reports include the results of the Common Criteria evaluation carried out according to the Common Methodology for Information Technology Security Evaluation (CEM) of each Class. There are 3 possible results: pass, fail, and inconclusive. The ARs are only sent to the Certification Body.

Observation Report

The Observation Report includes the “inconclusive” and “fail” work units and an explicatory verdict paragraph describing the evaluator's decision.

There are two types of Observation Reports: Fault Observation Report (ROE @OCSI) and Anomaly Observation Report (ROA@OCSI). When an exploitable vulnerability is discovered during the Common Criteria evaluation, a ROE is generated that includes recommendations on how to fix it. All TOE-related issues must be reported via a ROA, with the exception of exploitable vulnerabilities. ROAs are shared with the CB and the Sponsor simultaneously, while the ROEs are sent to the CB for review before being provided to the Sponsor.

At the end of the evaluation

Once the Common Criteria evaluation is completed, the Laboratory creates the Evaluation Technical Report (ETR). The Report includes all reviews and verdicts of the Evaluators during the evaluation project. Before completing the ETR all ARs must be finalized: for instance, the verdict of all work units must be a “Pass”. The ETR is sent only to the Certification Body for examination, and it is the foundation of the Certification Report of the TOE.

What happens once the Common Criteria evaluation is over?

Depending on the National Scheme's or CBs own regulations, approximately 30 days after the approval of the ETR, the Certification Body issues a draft Certification Report (CR), which is sent to the Sponsor and the Test Laboratory to acquire confirmation. Once the draft is approved by both parties, CB issues the Certification Report in approximately thirty days, depending on the Nat scheme or CB. It’s essential to know that the issued CC Certificate applies exclusively to the specific version of the TOE in its evaluated configuration and claims that the level of protection requested has been accomplished. 

‍

‍

Impact of Common Criteria Evaluation on Market Access

Common Criteria certification is a critical determinant for market access, particularly in regions aligned with the Common Criteria Recognition Arrangement (CCRA). The impact on market dynamics is multifaceted:

International Market Entry Assurance

Common Criteria certification is a robust validation, assuring that products adhere to globally recognized security standards. This assurance is crucial for international market entry, where stringent security requirements are paramount. Products with this certification have a competitive edge, as they are perceived to have undergone rigorous evaluation, making them more trustworthy in diverse markets.

Government Procurement Mandate

The significance of Common Criteria certification extends to government procurement processes. Many government agencies mandate this certification for IT products, making it a prerequisite for vendors participating in procurement. This mandate aligns with the need for standardized security measures, reinforcing the certification's role in regulatory compliance and fostering trust between governments and vendors.

Competitive Marketplace Advantage

Attaining Common Criteria certification provides a clear competitive advantage in the marketplace. It signals a commitment to security, which resonates with security-conscious customers. In competitive sectors, the certification distinguishes products as having met stringent security criteria, contributing to a favorable market perception and potentially influencing purchase decisions.

Sector-Specific Preference

Certain sectors, such as finance, defense, and critical infrastructure, prioritize security due to the sensitivity of their operations. In these industries, products with Common Criteria certification are preferred choices. The certification aligns with the sector-specific security needs, making these products more appealing to customers prioritizing security as a primary consideration.

Streamlined Security Compliance

Common Criteria certification streamlines security compliance by providing a structured framework for evaluating and implementing security measures. 

It ensures that products meet basic security requirements and navigate more complex security landscapes efficiently. This streamlined approach saves manufacturers time and resources while ensuring a comprehensive security posture.

Commitment to Security

Beyond meeting specific security standards, Common Criteria certification is a tangible demonstration of a product's commitment to security. It signifies a proactive approach to ensuring the integrity and confidentiality of data. In an era marked by escalating cyber threats, this commitment becomes a valuable differentiator, enhancing the perceived reliability of the certified products.

Consumer Confidence Boost

Customers are increasingly discerning when it comes to product security. Common Criteria certification enhances consumer confidence by validating a product's security claims externally. 

The rigorous evaluation process and adherence to recognized standards contribute to building trust, a critical factor in customer decision-making, especially for products dealing with sensitive information.

Structured Pathway for Market Penetration:

CC certification provides a structured pathway for products to gain credibility and penetrate new markets. Coordinated products enjoy smoother market access by aligning with globally recognized security standards. 

The Common Criteria evaluation process guides manufacturers in establishing a robust security foundation, instilling customer confidence, and facilitating a more efficient entry into diverse international markets.

What is the benefit of agility in Common Criteria evaluation?

Agility is one of our unique values that makes CCLab different from other Testing Laboratories. During Common Criteria evaluation, we are in continuous communication with our clients, which allows them to react and amend deficiencies immediately. We use special agile methodologies and toolsets imported from software development in project management and customer development. Thanks to our advanced processes and diversified experiences, we can deliver EAL4+ certifications within 4 months.

If you have more questions regarding the topic, do not hesitate to reach out for a free consultation.