Summary policy of CESG Certification Body regarding requests
for above CC EAL2:
CESG has been working with the international Common Criteria
Development Board (CCDB) to address concerns regarding the efficiency
and effectiveness of the Common Criteria (CC) process.
The CCDB has recently agreed to use 'technical communities'
(consisting of end-users, consumers, developers, evaluators
and Certification Bodies) to develop Protection Profiles (PPs)
and supporting documents, for each significant area of technology.
The long-established technical community for 'smartcards' has
shown how such an approach can be used to manage, in a consistent
way, any essential subjectivity in the evaluation process.
CESG supports the formation of these technical communities and
is providing inputs to each of them. The input of vulnerability,
mitigation and assessment evidence is particularly important
in this regard, and CESG is working to have this aligned with
the 'security characteristics' being used in the Commercial
Product Assurance (CPA) process at the 'Foundation' grade.
Until outputs from these technical communities are available
and have been adopted, requests for certifications (whether
for new evaluations or re-evaluations), other than those for
'smartcards and similar devices', will now only be considered
by the CESG Certification Body (CB) at EAL1 or EAL2. However,
the CB will continue to consider requests for assurance maintenance
involving 'minor' changes, at the original EAL, for a period
of 2 (two) years from the original certification date.
Further details may be provided in due course, as appropriate.
Common Criteria
CC (Common Criteria) is an ISO standard (ISO15408) and is widely
recognised.
For further details of the CC Scheme and associated evaluation
methodology, together with the supporting Assurance Continuity
process, see the web-site www.commoncriteriaportal.org/.
UK Information Technology Security Evaluation and Certification Scheme
Under the UK Information Technology Security Evaluation and
Certification Scheme, managed by CESG, the security features
of IT systems and products are tested independently of suppliers
to identify logical vulnerabilities. This type of testing is
known as security evaluation and it is carried out by CommerciaL
Evaluation Facilities (CLEFs) against standardised criteria
to a formalised methodology. The criteria lay down a number
of degrees of rigour known as Assurance Levels. Certificates
are issued by the Scheme Certification Body for products meeting
the requirements for a claimed level of assurance. United Kingdom
certificates are recognised in many countries of the world.
Key features of the certification process are:
- Primary emphasis on the technical aspects of the product
being certified
- Timely Certification Body contributions, giving clear
approvals at defined checkpoints in the evaluation cycle
- Focussed assessment of evaluation scope ahead of Security
Target review, offering the customer a better risk management
service
- Certification Report drafted by CLEF, promoting faster
confirmation of certification on completion of its evaluation
work
- Overall customer costs are expected to be no greater than
those associated with the previous certification process
- Demonstration of CC and ITSEC assurance levels (and PP
conformance)
- Mutually recognised certification
Further details of the contributions required from both the
customer and CLEF are given in relevant publications, including
UKSP01, UKSP03 and UKSP02 Part II, to be found under Formal
Documentation.
Mutual Recognition
The CCRA (Common Criteria Recognition Arrangement) provides for recognition
of CC Certificates up to EAL4 issued by Australia and New Zealand,
Canada, France, Germany, The Netherlands, UK and USA by each
of these countries. New countries are added to the list as the
CC community expands, and an up-to-date list can be found at
the CC Web-site at www.commoncriteriaportal.org/.
Within Europe, recognition of CC certificates up to EAL7 (for
IT products related to certain technical domains only) has additionally
been agreed under the SOGIS arrangement by Finland, France, Germany,
the Netherlands,
Norway, Spain, Sweden and the UK.
Mutual recognition of ITSEC (Information Technology Security
Evaluation Criteria) certificates has also been agreed under
the SOGIS arrangement.
As the ITSEC assurance approach is obsolescent, any continued
use of ITSEC should be discussed with the Certification Body
via the CESG Enquiries.