FIPS 140 Common Criteria Compliance
FIPS 140 is a Prerequisite for Common Criteria, an International Framework for Evaluating and Testing the Security Capabilities of IT Products
Common Criteria (CC) is an internationally recognized set of guidelines (ISO 15408) that defines a common framework for evaluating the security features and capabilities of commercial off-the-shelf (COTS) Information Technology security products.
Thirty-one countries, including the United States and Canada, have signed the Common Criteria Recognition Arrangement (CCRA).
Common Criteria certifications are mutually recognized by all participating nations, minimizing the need for multiple evaluations of the same product.
Common Criteria certification lets buyers know that IT products have been rigorously tested and proven to be secure enough for the world's top government defense agencies.
Receiving a Common Criteria certification allows vendors to sell their security products to the U.S. Department of Defense, the U.S. federal government, international governments, and other highly regulated industries around the globe that require Common Criteria certification.
In the U.S., Common Criteria is administered by the National Information Assurance Partnership (NIAP). Other countries have their own CC authorities.
Each authority certifies CC labs, which do the actual work of evaluating products.
The certification process is an intense evaluation that validates the security robustness of the device's software and hardware as it relates to permissions, access control, data destruction and entropy. It also ensures that other security areas are addressed, such as National Institute of Standards and Technology (NIST) validated FIPS 140 encryption.
The Common Criteria authority in each country creates a set of expectations for particular kinds of IT products: operating systems, firewalls, and so on. Those expectations are called Protection Profiles.
Vendors work with a third-party lab to document how they meet the Protection Profile, and spend months with the lab getting their package ready for submission.
Once the package is complete, it is submitted to the relevant authority.
Once the authority reviews and approves the package, the product becomes "Common Criteria certified" for that target and will appear on the Common Criteria Product Compliance List (PCL).
Common Criteria and FIPS 140 have different but complementary purposes. Common Criteria is designed to evaluate security functions in IT software and hardware products, while FIPS 140 is designed specifically for validating software and hardware cryptographic modules.
Given that cryptography is a key element of security, and given the potential for overlapping evaluations and testing, NIST and NIAP have worked closely to clarify the relationship between the two initiatives.
NIAP clarified this relationship in Policy Letter #5 (update 4) dated 06 December 2019. The letter states:
"NIAP-approved PPs [Protection Profiles] may specify cryptographic assurance activities that are intended to verify that the cryptography specified in the Target of Evaluation (TOE) satisfies the corresponding PP security functional requirement."
"Since NIST has programs (CAVP [Cryptographic Algorithm Validation Program] and CMVP [Cryptographic Module Validation Program]) to verify algorithm and cryptographic module implementation, NIAP is issuing this policy to minimize redundancies between the activities of the NIST test facilities and the Common Criteria Test Laboratories (CCTLs)."
"This policy applies to evaluations conducted in NIAP for all TOEs that include cryptography to satisfy requirements contained in NIAP-approved PPs."
"All cryptography in the TOE for which NIST provides validation testing of FIPS-approved and NIST-recommended cryptographic algorithms and their individual components must be NIST validated (CAVP and/or CMVP)."
"At a minimum an appropriate NIST CAVP certificate is required before a NIAP CC Certificate will be awarded."
Given virtually all security products covered by Common Criteria incorporate cryptography for one reason or another, this effectively makes FIPS 140 testing a prerequisite for Common Criteria certification.
In the FIPS world, "FIPS Compliant" (called by some "FIPS Inside") means your product uses a cryptographic module authored by another organization, which had the module validated and holds a FIPS certificate in its own name. In some cases, FIPS compliance can be a valid FIPS strategy.
CC certification takes place on a very specific set of software and hardware configurations. The specific hardware and software being evaluated is called the Target of Evaluation (TOE).
FIPS CMVP and CAVP certificates list the exact hardware/software Operating Environments (OEs) on which the cryptographic modules and algorithms were tested.
If you are using a FIPS compliance strategy to satisfy the Common Criteria FIPS prerequisite, and your crypto author did not test their algorithms on the EXACT same environment as your TOE, your Common Criteria application will be rejected.
Your government go-to-market efforts will be dead in the water until you can find a FIPS certified cryptographic module with a CMVP or CAVP certificate that exactly matches your TOE.
Given that FIPS validation can take 2+ years, you could be putting millions of dollars of revenue at risk by counting on a FIPS Compliant strategy as the foundation for your Common Criteria initiative.
With SafeLogic, you can get the necessary FIPS CAVP certificates in your own name, listing your exact TOE, in just a few months. SafeLogic provides this unique capability through the three pillars that make up its FIPS Validation-as-a-Service. As a result, you will satisfy NIAP's Policy Letter #5 requirements, your Common Criteria initiative and government GTM strategy will be back on track, and you will unlock potentially millions in revenue.
CryptoComply is SafeLogic's drop-in compatible, FIPS validated cryptographic module. CryptoComply is available for a wide range of platforms, operating systems and languages.
RapidCert is SafeLogic's expedited FIPS validation program. SafeLogic will get your CryptoComply solution certified by NIST in your name in two months.
As an option within its MaintainCert white-glove managed service, CryptoComply and RapidCert customers can choose to have their cryptographic algorithms tested on additional platforms. The end result is a CAVP certificate in your name that lists your exact TOE.