Eliminating the FIPS 140 Headache During Common Criteria Certification

• Common Criteria (CC) is an internationally recognized set of guidelines (ISO 15408) that define a common framework for evaluating security features and capabilities of commercial off-the-shelf (COTS) Information Technology security products

• Thirty-one countries including the United States and Canada have signed the Common Criteria Recognition Arrangement (CCRA) 

• Common Criteria certifications are mutually recognized by all participating nations, minimizing the need for multiple evaluations of the same product

• Common Criteria certification lets buyers know IT products have been rigorously tested and proven to be secure enough for the world's top government defense agencies.

• Receiving a Common Criteria certification allows vendors to sell their security products to the U.S. Department of Defense, U.S. federal government, international governments, and other highly regulated industries around the globe that require Common Criteria certification

• In the U.S., Common Criteria is administered by the National Information Assurance Partnership (NIAP). Other countries have their own CC authorities

• Each authority certifies CC labs, which do the actual work of evaluating products

• The certification process is an intense evaluation to validate the security robustness of the device's software and hardware as it relates to permissions, access control, data destruction and entropy. It also ensures that other security areas are addressed, such as the National Institute of Standards and Technology (NIST) validated FIPS 140 encryption

• The Common Criteria authority in each country creates a set of expectations for particular kinds of IT products: operating systems, firewalls, and so on. Those expectations are called Protection Profiles.

• Vendors work with a third-party lab to document how they meet the Protection Profile. They spend months with the lab getting their package ready for submission

• Once the package is complete, it is submitted to the relevant authority

Once the authority reviews and approves the package the product becomes “Common Criteria certified” for that target and will appear on the Common Criteria Product Compliance List (PCL).

• Common Criteria and FIPS 140 have different but complementary purposes. Common Criteria is designed to evaluate security functions in IT software and hardware products, while FIPS 140 is designed specifically for validating software and hardware cryptographic modules

• Given that cryptography is a key element of security, and the potential for overlapping evaluations and testing, NIST and NIAP have worked closely to clarify the relationship between the two initiatives

• NIAP clarified this relationship in Policy Letter #5 (update 4) dated 06 December 2019.  The letter states:

  • "NIAP-approved PPs [Protection Profiles] may specify cryptographic assurance activities that are intended to verify that the cryptography specified in the Target of Evaluation (TOE) satisfies the corresponding PP security functional requirement."

  • “Since NIST has programs (CAVP [Cryptographic Algorithm Validation Program]and CMVP [Cryptographic Module Validation Program]) to verify algorithm and cryptographic module implementation, NIAP is issuing this policy to minimize redundancies between the activities of the NIST test facilities and the Common Criteria Test Laboratories (CCTLs)."

• • “This policy applies to evaluations conducted in NIAP for all TOEs that include cryptography to satisfy requirements contained in NIAP-approved PPs."

  • “All cryptography in the TOE for which NIST provides validation testing of FIPS-approved and NIST-recommended cryptographic algorithms and their individual components must be NIST validated (CAVP and/or CMVP)."

  • “At a minimum an appropriate NIST CAVP certificate is required before a NIAP CC Certificate will be awarded."

Given that virtually all security products covered by Common Criteria incorporate cryptography for one reason or another, this effectively makes FIPS 140 testing a prerequisite for Common Criteria certification.

1. SafeLogic provides you one-stop shopping. As opposed to working with a FIPS 140 AND a FIPS certification lab AND NIST AND possibly open source or operating system vendors, vendors only need to work with SafeLogic. Our FIPS 140 experts handle any necessary interaction with any third party. Your resources can then focus on other aspects of your Common Criteria initiative.

2. SafeLogic helps you continue meeting your Common Criteria cryptography requirements as your FIPS 140 requirements change and their needs change. For instance, SafeLogic experts can test new algorithms, test new OEs, etc.

3. Should you need one, RapidCert can get you a FIPS 140 CMVP certificate in your own name in two months. In the FIPS 140 world, vendors with their own CMVP certificates can have a distinct competitive advantage over those relying on an open source or operating system CMVP cert from another vendor.
   
   
4. MaintainCert ensures your underlying FIPS Validated module remains ‘Active’ using a white glove service model for a fixed cost. If a vendor relies on an open-source module or something that comes with the OS, and that module goes historical, that will put their CC status at risk.