As you start out on the path to Common Criteria certification, the decisions that factor into your journey affect not only how long it takes to achieve certified status but also how much it costs—and how many times you reach for an aspirin throughout the process.

So let’s start first with the basics to get us all on the same page. Why Common Criteria? First and foremost, national government agencies are required to purchase security products that have obtained Common Criteria certification, if and when they exist. Second, we need to define the meaning of a certification scheme. Put simply, it’s an official government entity charged with ensuring the security of all government and military acquisitions. And in terms of Common Criteria, the scheme is responsible for making sure that all commercial off-the-shelf (COTS) products evaluated in that particular country have been evaluated consistently and independently according to Common Criteria requirements. Testing labs perform the actual product evaluations, and must be certified through a scheme. The scheme oversees and performs accreditations of testing labs, and is responsible for the issuance of certificates in that country.

Sixteen recognized government schemes for Common Criteria exist in the world today and include the following countries: the United States, Canada, Australia, France, Germany, Italy, Japan, Malaysia, Netherlands, New Zealand, Norway, the Republic of Korea, Spain, Sweden, Turkey, and the United Kingdom.

It stands to reason that if you’re a security product vendor in the United States, you would opt for the U.S. scheme. And if you’re a company in the United Kingdom, you’d go with the UK scheme. It’s important to realize, however, that choosing a scheme outside your home country sometimes makes the most sense. So let’s take a closer look at the variables you need to consider.

Important Considerations

Inclusion in NIAP PCL
If you are looking to be included in the National Information Assurance Product Compliant List (NIAP PCL) in the United States, then work with the U.S., Canadian, UK, or Australian scheme. These schemes have the most experience with the criteria it takes to gain NIAP PCL approval. However, keep in mind that if an evaluation is done outside of the U.S., NIAP imposes partial technical oversight for a portion of the evaluation.

And keep in mind that while NIAP states that you must use NIAP-approved PPs in order to be placed on the PCL, there are not PPs for all products so you are not actually required to conform to a PP. At some point this will, however, likely become a requirement.

Before you make a decision about the NIAP PCL and an associated PP, make sure you know the facts. And if you’re working with an outside consultant on your Common Criteria certification, talk to them about PCL.

Protection Profiles
Does your product conform to a protection profile (PP) for a particular country? All schemes can handle PPs, but the U.S. and Canadian schemes have the most experience with U.S.-approved PPs. In the case of PPs released by other countries, the scheme in the country that publishes a particular PP typically has the most experience.

Evaluation Assurance Levels
If you require an assurance level higher than EAL2, either for competitive reasons or because the agency that wants to acquire your product has dictated a higher level, then consider a scheme in Spain, Sweden, or Germany. The U.S., Canada, Australia, New Zealand and UK do not handle anything higher than EAL2.

Agency preference
If you’re working with an agency that requires or prefers evaluations to be performed in the same country, then start there—in that country.

CAPS certification
CAPS (CESG Assisted Products Service) is a certification exclusive to the UK government market, so if you also require CAPS certification, you must also use the UK scheme for your Common Criteria certification.

Assurance Continuity
Assurance Continuity, a reevaluation that takes place after changes to a certified Target of Evaluation or its environment, must be performed through the scheme that originally certified the product for Common Criteria. This makes the scheme you choose even more important because you’re establishing an on-going relationship.

Your Customer Base
Most schemes require that you prove that you have customers in their country. Canada, for instance, requires a letter from a Canadian customer as proof, while other countries may just ask for a statement from your company. Keep this in mind when taking schemes into consideration.

When you consider not only the time and cost involved but also the reason you want to pursue certification in the first place, Common Criteria is an important undertaking that can affect your revenue substantially. The decision you make regarding the scheme you select will no doubt impact next year’s bottom line.

For help sifting through the options and choosing the right Common Criteria scheme for your objectives and product, contact us today.

If you’re in the business of producing IT security products, you should know that attaining Common Criteria certification is critical to your business for some very good reasons, for example:

It opens the door to the government market. All IT security products purchased by the U.S. government for national security systems are required to have Common Criteria certification. Many government agencies, especially the DoD, write Common Criteria certification into their RFPs.

Certification helps you stay competitive. You must have Common Criteria certification if you want to compete against established players who have already been evaluated. This is true not only when selling into the government sector, but also for commercial clients like banks and financial institutions.

Common Criteria helps you improve on the security of your product. Think of the Common Criteria evaluation as the litmus test of your team’s success in developing the product’s security against the appropriate Protection Profile. The Common Criteria certification process may uncover hidden vulnerabilities before you go to market, saving you from having to make costly corrections in the field.

The road to Common Criteria success

When you’re ready to pursue certification, an IT security consultant can make the entire process easier and more cost effective. Make sure your partner has a process that they can describe in detail to guide you through certification to ensure that everything goes smoothly—setbacks can cost not only time but also money. Adhering to this plan can help you ramp up and get underway quickly, and will ensure that you stick to your budget and shorten your evaluation time. Corsec’s process includes these steps:

Begin with an education about the Common Criteria process and an understanding of the sequence of events so that you can schedule time and resources accordingly. Corsec provides customers with a custom compliance report including a blueprint for successful certification—make sure that your partner offers documentation that gives you an understanding of what the process will entail and cost before you actually get started.

With a certification plan in place, you’ll then determine which Protection Profiles you will be validated against, so you can make certain your product meets the requirements specified in the appropriate Protection Profile or Profiles.

Preparation of documentation is a big part of certification. First, you’ll develop a Security Target that provides information about how your product or system meets requirements. A Security Target contains a statement of the requirements to which a specific product or system under evaluation must conform, written to be implementation dependent. A Security Target can be authored to conform to a specific Protection Profile or it can simply state the security functional requirements that your product offers and the assurance levels for the evaluation.

Once that’s done, your team must produce all assurance documentation necessary for submission to the testing lab. It is vital that you have clear, complete documentation, as this is one area where many Common Criteria certifications grind to a halt. Having someone on your team who’s experienced in this type of documentation prep will save you time and costly delays.

The next step is to submit your product and associated documentation to an accredited testing laboratory. The choice you make regarding the lab you’ll work with is really important because different testing labs have different experience levels with particular standards and schemes, different styles of communicating with customers, and different pricing models. Your consulting partner’s relationships will be critical here. Assuming you’ve chosen a good partner to work with, the last step in the process should be “receive certification!”

While Common Criteria certification isn’t a simple process, it’s much easier with an experienced consultant to guide you. Corsec has completed hundreds of certifications for clients. Find out how we can help you.