
CC (Common Criteria) Certification FAQ

HansolNexG product-market


In the security field, CC stands for Common Criteria.

CC certification has been adopted as an international standard (ISO/IEC 15408). It defines a common set of evaluation criteria so that evaluation results can be mutually recognized and the differing criteria of individual countries can be unified.

In Korea, certification of information security products has been issued under the common evaluation criteria since 2002, replacing the evaluation criteria previously managed as the K series.

For more information about CC certification, please refer to the IT Security Certification Executive Office webpage (http://www.itscc.kr/).

This post lists the questions most frequently asked about CC certification:


1. Difference between domestic and international CC

Currently in Korea, CC certification is divided into domestic CC and international CC.

Both domestic and international CC use the Common Criteria as the evaluation criteria. However, international CC evaluates the product at the level required by the Common Criteria Recognition Arrangement (hereafter, CCRA), while domestic CC minimizes the evaluation submissions and concentrates the evaluation on the product's functions and its vulnerabilities.

Within Korea, domestic and international CC have the same effect. The big difference, however, is that domestic CC is not recognized among CCRA members.

So, for those considering overseas markets, acquiring international CC must be taken into consideration.


2. What is CCRA?

The Common Criteria Recognition Arrangement (hereafter, CCRA) was started mainly by advanced countries such as the U.S., England, and France as a mutual recognition agreement among its member countries on the evaluation and certification results of information security products.

The purpose of the CCRA is as follows:
 ●  Improve the consistency of security technology reflected in CC evaluation results
 ●  Prevent repeated evaluation under different criteria in different countries
 ●  Improve cost-effectiveness and efficiency by standardizing evaluation and certification procedures
 ●  Increase the use of certified products by promoting the formation of a global market

As of now, 25 countries worldwide have joined the CCRA. Korea also joined the CCRA and has been a certificate-issuing member since the first half of 2006.

That is, because Korea has joined the CCRA, an international CC certificate obtained in Korea has the same effect in the other CCRA member countries, which helps shorten the cost and evaluation period for companies seeking international CC certification.

Currently, the countries that have joined the CCRA are as follows:

[Figure 1] Current CCRA Members

 ●  Certification issuers: issue international CC certificates, which the other CCRA members recognize
 ●  Countries recognizing certification: do not issue international CC certificates, but recognize the certificates issued by the certification issuers.


3. What is the difference between the Evaluation Assurance Levels?

As [Table 1] shows, the Common Criteria (CC) define seven hierarchical assurance levels for a product, from EAL1 to EAL7.

[Table 1] Evaluation Assurance Level Summary

As you can see in [Table 1], a higher evaluation assurance level indicates that more details of the product have been reviewed and tested.

In general, the higher the evaluation assurance level, the more submissions the company must provide, and the more parts of the product are reviewed and tested.


4. Which information security products introduced into State/Public organizations need CC certification?

Currently, 28 types of information security products introduced into State/Public organizations are required to obtain CC certification.

For details about these products, please refer to [Table 2].

[Table 2] Products required to obtain CC certification


5. What steps should I go through to deliver information security products to domestic public organizations?

To deliver information security products to domestic public organizations, obtaining security compliance verification in accordance with the “National Information Security Framework Directive” is necessary.
However, a product that has received domestic CC certification can use that certification in place of the security compliance verification, whereas a product that has received international CC certification must still obtain the security compliance verification.


6. Common CC abbreviations

Common abbreviations used in CC certification are as follows:
 ● CC: Common Criteria
 ● EAL: Evaluation Assurance Level
 ● PP: Protection Profile
 ● ST: Security Target


Reference
Information Security System Common Criteria V3.1 R4 (CC V3.1 R4)
CC Portal site: http://www.commoncriteriaportal.org/
IT Security Certification Executive Office site: http://www.itscc.kr/

  • Writer: Sung-il, Han (QA Center)