Common Criteria (CC) is an internationally recognized set of guidelines (ISO 15408) that define a common framework for evaluating security features and capabilities of commercial off-the-shelf (COTS) Information Technology security products.
Thirty-one countries including the United States and Canada have signed the Common Criteria Recognition Arrangement (CCRA).
Common Criteria certifications are mutually recognized by all participating nations, minimizing the need for multiple evaluations of the same product.
Common Criteria certification lets buyers know IT products have been rigorously tested and proven to be secure enough for the world's top government defense agencies.
Receiving a Common Criteria certification allows vendors to sell their security products to the U.S. Department of Defense, U.S. federal government, international governments, and other highly regulated industries around the globe that require Common Criteria certification.
In the U.S., Common Criteria is administered by the National Information Assurance Partnership (NIAP). Other countries have their own CC authorities.
Each authority certifies CC labs, which do the actual work of evaluating products.
The certification process is an intense evaluation to validate the security robustness of the device's software and hardware as it relates to permissions, access control, data destruction and entropy. It also ensures that other security areas are addressed, such as the National Institute of Standards and Technology (NIST) validated FIPS 140 encryption.
The Common Criteria authority in each country creates a set of expectations for particular kinds of IT products: operating systems, firewalls, and so on. Those expectations are called Protection Profiles.
Vendors work with a third-party lab to document how they meet the Protection Profile. They spend months with the lab getting their package ready for submission.
Once the package is complete, it is submitted to the relevant authority.
Once the authority reviews and approves the package, the product becomes “Common Criteria certified” for that target and will appear on the Common Criteria Product Compliance List (PCL).
Common Criteria and FIPS 140 have different but complementary purposes. Common Criteria is designed to evaluate security functions in IT software and hardware products, while FIPS 140 is designed specifically for validating software and hardware cryptographic modules.
Given that cryptography is a key element of security, and the potential for overlapping evaluations and testing, NIST and NIAP have worked closely to clarify the relationship between the two initiatives.
NIAP clarified this relationship in Policy Letter #5 (update 4) dated 06 December 2019. The letter states:
“NIAP-approved PPs [Protection Profiles] may specify cryptographic assurance activities that are intended to verify that the cryptography specified in the Target of Evaluation (TOE) satisfies the corresponding PP security functional requirement.”
“Since NIST has programs (CAVP [Cryptographic Algorithm Validation Program] and CMVP [Cryptographic Module Validation Program]) to verify algorithm and cryptographic module implementation, NIAP is issuing this policy to minimize redundancies between the activities of the NIST test facilities and the Common Criteria Test Laboratories (CCTLs).”
“This policy applies to evaluations conducted in NIAP for all TOEs that include cryptography to satisfy requirements contained in NIAP-approved PPs.”
“All cryptography in the TOE for which NIST provides validation testing of FIPS-approved and NIST-recommended cryptographic algorithms and their individual components must be NIST validated (CAVP and/or CMVP).”
“At a minimum an appropriate NIST CAVP certificate is required before a NIAP CC Certificate will be awarded.”
Given that virtually all security products covered by Common Criteria incorporate cryptography for one reason or another, this effectively makes FIPS 140 testing a prerequisite for Common Criteria certification.
Traditionally, companies seeking compliance with the FIPS 140 component of Common Criteria have had one choice: hire a FIPS 140 consultant who would then orchestrate a long, complex, difficult, and expensive process involving the applicant, the consultant, a FIPS 140 testing lab certified by NIST, NIST itself, and possibly the encryption module supplier to document, test and certify the exact cryptographic modules being used in the TOE on the exact hardware and software specified in the TOE. Often, this work would be based on an open-source cryptography module or one embedded in the TOE operating system. Given the long queues and limited resources at both the certification labs and NIST itself, this process can literally take years.
SafeLogic’s Common Criteria offering builds on the three pillars of its FIPS 140 Validation-as-a-Service: CryptoComply™, RapidCert™, and MaintainCert™. Starting with this foundation, SafeLogic offers these four advantages to its Common Criteria customers:
SafeLogic provides you one-stop shopping. As opposed to working with a FIPS 140 consultant AND a FIPS certification lab AND NIST AND possibly open source or operating system vendors, you only need to work with SafeLogic. Our FIPS 140 experts handle any necessary interaction with any third party. Your resources can then focus on other aspects of your Common Criteria initiative.
SafeLogic helps you continue meeting your Common Criteria cryptography requirements as your FIPS 140 requirements and needs change. For instance, SafeLogic experts can test new algorithms, test new operational environments (OEs), etc.