Last year, a total of 411 IT systems and products got Common Criteria certified globally, which means that, although the certification is internationally recognized, it’s suitable only for a niche segment of IT industry players. The Common Criteria evaluation process might seem complex and difficult to comply with. If you are planning to get your product certified, don’t miss our tips to avoid unexpected situations.
What is Common Criteria evaluation?
Common Criteria (CC) evaluation is the process that an eligible IT product or system must go through in order to get certified. The Common Criteria Evaluation Assurance Level (EAL) indicates how thoroughly an IT security product or system has been verified. EALs range from 1 to 7, with 1 indicating the lowest level of evaluation and 7 indicating the highest.
The Common Criteria evaluation process consists of 3 primary elements:
- a country-specific assessment method called the Evaluation Scheme (or National Scheme in countries with a Certification Body),
- the CC Evaluation Methodology (CEM),
- the official Common Criteria, and its accompanying documentation.
In the general Common Criteria assessment model, there are four primary roles: Developer, Sponsor, Evaluator, and Evaluation Authority (or Certification Body).
- Sponsor: responsible for initiating the assessment process and for supplying the evaluator with evaluation evidence.
- Developer: provides the Target of Evaluation (TOE) and delivers the evidence required for the evaluation on behalf of the Sponsor. Large, international companies often carry both the sponsor and developer roles.
- Common Criteria Evaluator: an independent and competent accredited Testing Laboratory that carries out the assessment and reports the outcomes to the Evaluation Authority.
- Evaluation Authority (Certification Body): establishes and maintains the scheme, monitors the assessment process, provides the associated reports, and issues Common Criteria certifications based on the Evaluator’s results.
How to avoid unexpected situations during Common Criteria evaluation?
The Common Criteria evaluation is a complex process that can be highly challenging for product developers. They often struggle to prepare the required information for the CC certification project. Some of them believe that they could use the already existing documents for their product’s evaluation. The most common issue is that they find the process time-consuming and often confusing to comply with Common Criteria requirements.
If these difficulties sound familiar, here are 3+1 tips to save time and money during your Common Criteria evaluation while avoiding unexpected inconveniences.
1. Common Criteria consultation or Guide Course
Contracting a Common Criteria expert for consulting services can help you prepare for the certification process. By getting professional support, you can avoid mistakes, as well as save cost and effort while maximizing the efficiency of the evaluation. A CC consultant can help you get through the difficulties and ease the preparation with tips and tricks for the evaluation process. Alternatively, a professional Common Criteria Guide Course is already available on the market, which might save you time, effort, and money.
2. Confirm the process length
The length of the Common Criteria evaluation process is determined by a variety of factors, including the product’s complexity, the EAL, and the Scheme chosen. To avoid surprises, confirm with the chosen Laboratory how long the process is expected to take before you sign the contract.
3. Ask for a dedicated project manager
For efficient and smooth communication, confirm with your lab who will be your dedicated project manager and lead evaluator during your Common Criteria evaluation project. This will also help to minimize the project time as much as possible.
We recommend choosing a lab that has a proven track record with many of the available Protection Profiles, as well as professional processes and tools. Another important factor to consider when choosing a laboratory is agility. Continuous information exchange helps to maximize the efficiency of your team in cooperation with your lab during the evaluation process.
+1. Preliminary consultation
Contracting a Common Criteria expert for a preliminary consultation before starting the project can significantly ease the process. With the help of this service, the lab can also understand where the developer is in the development process and in the preparation of documentation. This makes project timing easier and gives a more realistic picture of the whole process to both parties.
The Common Criteria evaluation process may be complex and lengthy, but with professional support, you can overcome obstacles more easily. Take our advice and contract an experienced, agile laboratory for your product’s evaluation. We wish you the best of luck!
Hello, my name is Shari & I am a writer for the ‘Outlook AppIns’ blog. I’m a CSIT graduate & I’ve been working in the IT industry for 3 years.