Common Criteria Schemes: Tips for Making the Right Choice

So many decisions, so little time. You’ve heard—and likely experienced—this mantra. And if you read this blog regularly, you’ve probably picked up on the fact that security validations involve making a whole host of decisions. When pursuing Common Criteria certification, one often perplexing yet critical decision I hear people lament is how to choose the best scheme for your product or system.

As you start out on the path to Common Criteria certification, the decisions that factor into your journey affect not only how long it takes to achieve certified status but also how much it costs—and how many times you reach for an aspirin throughout the process.

So let’s start first with the basics to get us all on the same page. Why Common Criteria? First and foremost, national government agencies are required to purchase security products that have obtained Common Criteria certification, if and when they exist. Second, we need to define the meaning of a certification scheme. Put simply, it’s an official government entity charged with ensuring the security of all government and military acquisitions. And in terms of Common Criteria, the scheme is responsible for making sure that all commercial off-the-shelf (COTS) products evaluated in that particular country have been evaluated consistently and independently according to Common Criteria requirements. Testing labs perform the actual product evaluations, and must be certified through a scheme. The scheme oversees and performs accreditations of testing labs, and is responsible for the issuance of certificates in that country.

Sixteen recognized government schemes for Common Criteria exist in the world today and include the following countries: the United States, Canada, Australia, France, Germany, Italy, Japan, Malaysia, Netherlands, New Zealand, Norway, the Republic of Korea, Spain, Sweden, Turkey, and the United Kingdom.

It stands to reason that if you’re a security product vendor in the United States, you would opt for the U.S. scheme. And if you’re a company in the United Kingdom, you’d go with the UK scheme. It’s important to realize, however, that choosing a scheme outside your home country sometimes makes the most sense. So let’s take a closer look at the variables you need to consider.

Important Considerations

Inclusion in NIAP PCL
If you are looking to be included in the National Information Assurance Product Compliant List (NIAP PCL) in the United States, then work with the U.S., Canadian, UK, or Australian scheme. These schemes have the most experience with the criteria it takes to gain NIAP PCL approval. However, keep in mind that if an evaluation is done outside of the U.S., NIAP imposes partial technical oversight for a portion of the evaluation.

And keep in mind that while NIAP states that you must use NIAP-approved protection profiles (PPs) in order to be placed on the PCL, PPs do not exist for all products, so you are not actually required to conform to a PP. At some point, however, this will likely become a requirement.

Before you make a decision about the NIAP PCL and an associated PP, make sure you know the facts. And if you’re working with an outside consultant on your Common Criteria certification, talk to them about the PCL.

Protection Profiles
Does your product conform to a protection profile (PP) for a particular country? All schemes can handle PPs, but the U.S. and Canadian schemes have the most experience with U.S.-approved PPs. In the case of PPs released by other countries, the scheme in the country that publishes a particular PP typically has the most experience.

Evaluation Assurance Levels
If you require an assurance level higher than EAL2, either for competitive reasons or because the agency that wants to acquire your product has dictated a higher level, then consider a scheme in Spain, Sweden, or Germany. The U.S., Canada, Australia, New Zealand, and the UK do not handle anything higher than EAL2.

Agency Preference
If you’re working with an agency that requires or prefers evaluations to be performed in the same country, then start there—in that country.

CAPS Certification
CAPS (CESG Assisted Products Service) is a certification exclusive to the UK government market, so if you also require CAPS certification, you must also use the UK scheme for your Common Criteria certification.

Assurance Continuity
Assurance Continuity, a reevaluation that takes place after changes to a certified Target of Evaluation or its environment, must be performed through the scheme that originally certified the product for Common Criteria. This makes the scheme you choose even more important because you’re establishing an ongoing relationship.

Your Customer Base
Most schemes require that you prove that you have customers in their country. Canada, for instance, requires a letter from a Canadian customer as proof, while other countries may just ask for a statement from your company. Keep this in mind when taking schemes into consideration.

When you consider not only the time and cost involved but also the reason you want to pursue certification in the first place, Common Criteria is an important undertaking that can affect your revenue substantially. The decision you make regarding the scheme you select will no doubt impact next year’s bottom line.
