First Mover's Perspective – Taking on the Common Criteria Certification Journey

Goh Eng Choon

EVP/General Manager, Info-security, Electronics, ST Engineering

Today more than ever, systems vulnerabilities, design flaws, and backdoors are the main reasons behind the surge in cybersecurity incidents. Governments and enterprises have to constantly review, upgrade and change their security policies and systems to protect their high-value data, sensitive information, revenue, intellectual property and reputation. As a leading player in cybersecurity and information security, the question that we constantly asked ourselves is how we can best assure our customers that our products and implementation processes are robust.

How you can embark on your journey to become CC certified?

To address the needs of our customers, we decided to adopt Common Criteria (CC) certification, a globally recognised standard (ISO 15408). In collaboration with Cyber Security Agency (CSA) the Certification Body (CB), we set sail on a rigorous yet beneficial journey that requires much dedicated resources, determined engineering effort and conscientious conformance to the stringent requirements.   

With one of our products achieving CC certification on June 2018, we gained the first-mover advantage as the first local company to achieve CC certification under the Singapore Scheme in raising our local product standing to be on par with international benchmarking.

 

Why Common Criteria?

Over 30 nations have cooperated and evolved with a global standard to known as the Common Criteria, in short, ISO/IEC 15408 IT product security certification. It is a framework that provides criteria for independent, scalable and globally recognized security inspections for IT products.

This international certification standard is critical to ensure that organisations get the equipment they need, the equipment performs as advertised, and it is as secure as claimed. It provides assurance that the process of specification, implementation and evaluation of an IT security product has been conducted in a rigorous and repeatable manner.

Under the Common Criteria Recognition Arrangement (CCRA), CC certificates are issued by authorised nations, Singapore being one of them; the certification is mutually recognised and accepted among the 30 countries hence facilitates market access and saves cost from repeated testing across nations. 

 

Three Stages Processes

The overall process aids the self-discovery of the products’ design, its vulnerabilities and functional defects if any before launching to the market. The CC Certification goes through three-stages of detailed and vigorous processes:

1. Planning stage. You will need to identify the product(s) and decide on the certification scheme (which country scheme; dependent on target market), whether to claim conformance to protection profile and assess the scope of evaluation to make sure the requirements can be met. Once these are finalised, you will have to plan aside a reasonable budget and timeline.

2. Execution stage. The request documentation and security target are sent to Certification Body for acceptance and accredited test lab for evaluation. Preparation of documentation takes up most of the resources at this stage. Substantial effort is required to generate assurance document, test cases, user manuals and addition following scopes:

- Security Design & Architecture

- Functional Specifications

- Guidance Document

- Test Plan

- Life-Cycle Support

- Vulnerability Assessment

Thorough review and testing need to be performed to prove implementation correctness and conformance to security claims. Once the evaluation is completed, the Test Lab will submit the result to the Certification Body; if everything goes well, the official certificate will be awarded to mark the achievement.

3. Award stage. Once these details are formally accepted and evaluated, the products and solutions are accredited with CC certification.

 

One of the learnings from the team is the need to familiarise with the documentation and conformance requirements. The team took longer than expected to complete the entire evaluation process. We started with evaluating a single product (NetCrypt client) but in the midst of certification, we realised that the backend unit had to be CC certified too. Weighing the cost and benefit, we made the decision to certify the entire NetCrypt family series.

 

Reaping benefits in the CC process

As the saying goes, ‘It’s the journey that counts, not the destination’. Organisations can gain more than what you set out to achieve. For us, it spans as below:

- Better competency

In view of upholding the CC standards, requirements and process, we invested in our people – sending them to attend CC courses, training, workshops and conferences – to improve the skills and competencies of our people. Going through product certification also helps our engineers and system designers understand the notion of security evaluation and gain new insights.

- Better process

The knowledge gained help enhance our in-house design methodology to devise a synergistic way of product testing and evaluation. We also improve our internal process on how we can best sharpen and modify our design and detect flaws. In addition to design and architecture, CC certification scrutinises the process from production to delivery and, at EAL4 and above, mandates ’Development Site Security’ – visits the component manufacturer for security assessment. This may help to address supply-chain trust issue.

- Better product

We will able to raise our product quality through rigorous internal review and testing to validate product functionality and integrity.

- Better business

With CC certifications and our efforts in working towards NITES currently, it reinforces our positioning to win contracts, gain greater access and visibility in the overseas market. 

 

Five tips towards a seamless CC journey

Adopting CC enables us to design products with greater awareness right from its conceptualisation stage. Here are five tips to smoothen your process in the CC journey:

1. Work with the Scheme relevant to your target market

2. Target EAL2 unless an assurance level higher than EAL2 is desirable (for competitive reasons or dictated by the customer)

3. Build a collaborative long-term relationship with Test Lab for cost-effective certification

4. Leverage on Assurance Continuity process for faster re-evaluation due to feature addition or minor changes

5. Leverage CC Training organised by Certification Body to bootstrap knowledge and competency in CC certification

 

In recent years, Common Criteria certification has significantly increased in importance due to government regulations. Ensuring the product’s quality, reliability and security implementation is vital to all organisations. We believe that having CC certification is essential to elevate the standard of our local products to achieve global recognition. As Singapore is one of the certificates authorising nation, CC certifications can be achieved in a shorter timeframe and help organisations to catapult local products to global recognition. What started as a daunting task has helped to deepen our team’s expertise and experience in this learning journey. The opportunity cost invested to embark to CC certification is rewarding in long-term business and cybersecurity capabilities growth.