CCCAB, the European commitment to automation in Certification Bodies

Blog

16 March 2022
Posted by: jtsec Team

Collaborating with prestigious media in the cybersecurity sector is always a great satisfaction for us. That is why, when Revista SIC contacted us to write an article about CCCAB, the tool we are developing to support the Common Criteria validation process, we got down to work. The article appeared in the latest edition of Revista SIC, and we republish it here on our blog:

CCCAB, the European commitment to automation in Certification Bodies

Europe is one of the major leaders in cybersecurity certification: more than half of the certifications carried out to date follow the Common Criteria standard, the most widely used internationally. The number of IT manufacturers/developers, whether of software, hardware or firmware, that require cybersecurity certification for their products is growing.

Moreover, Europe is determined to lead the cybersecurity sector by spearheading standardization and certification. A good example of this is the approval of Regulation (EU) 2019/881, better known as the "Cybersecurity Act", as well as the preparation of the future "Cyber Resilience Act". The European Union, through its cybersecurity agency, ENISA, is committed to creating certification schemes common to all of Europe, allowing greater cohesion of the internal market and improving cybersecurity at the European level. An example of this is the so-called EUCC (Common Criteria based European Cybersecurity Certification scheme).

What is Common Criteria and who are its main players?

ISO/IEC 15408, more generally known as Common Criteria, is an international standard for IT product cybersecurity recognized in more than 30 countries. In fact, it is the most widely used standard with more than 400 products certified by 2021.

This assessment methodology is very comprehensive, covering vulnerability analysis, functional testing, review of development documentation and the product lifecycle. It is also multilevel, allowing the scope and depth of the assessment to be chosen. The price of this completeness is that, when a high scope and depth are chosen, the assessment is complex and expensive in time, people and money: the process lasts a minimum of six months and may take several months longer.

Several stakeholders are involved in the process, as shown in the following graph, the main ones being the developer/manufacturer, the evaluation laboratory and the certification body.

In the case of Spain, the role of certification body is held by the CCN (Centro Criptológico Nacional) which, in the last 5 years, has issued 94 Common Criteria certificates, although the total number of dossiers it has managed exceeds 300 in this period of time.

The workload and specialization required for this type of project means that certification bodies have a high workload per certifying specialist, and the lack of personnel is a major risk for the sector.

Automation, the future of cybersecurity certification

More agility in obtaining certification, in order to comply with the time-to-market of products, is one of the great challenges for improvement facing all of us who are part of the world of cybersecurity certification.

Creating an internationally recognized evaluation methodology takes years of work by numerous public and private entities in different countries. Given that effort, the solution, at least in the short to medium term, does not seem to be a substantial modification of the evaluation standards alone (a new version of Common Criteria will be published soon). The most viable approach is to automate processes, saving time and effort when performing a cybersecurity evaluation.

In both the private and public sectors, various initiatives have emerged over the years to automate certain processes in Common Criteria evaluations. These include STGen, currently being developed by NIAP (the US certification body), which aims to automate the creation and validation of the Security Target (ST), mainly for the Common Criteria Protection Profiles used in the North American market. Among private initiatives, it is worth mentioning CCToolBox, a tool that substantially automates the consulting and assessment processes under the Common Criteria methodology. Also noteworthy is the Greenlight Conformance Automation Platform, developed by the Canadian cybersecurity laboratory Lightship Security Inc, which automates Common Criteria evaluation tests and the creation of test reports. However, no tool yet covered the last step of the process, the validation of the assessment activities by the Conformity Assessment Bodies (CABs), which is why the initiative to develop CCCAB arose.

CCCAB tool (Common Criteria Conformity Assessment Body)

This tool will allow Common Criteria CABs (Conformity Assessment Bodies) to facilitate the validation and certification process of ICT products, assisting the certifier and reducing the effort and time required in each process.

The development of this tool is funded by the European Commission in the framework of the Connecting Europe Facility (CEF) program and has three participants within the consortium:

  • jtsec Beyond IT Security: the company in charge of the entire development of CCCAB.

  • CCN (Centro Criptológico Nacional): the Spanish public Certification Body, designated by Royal Decree 421/2004 of March 12, 2004, which will validate that the tool's functionality fits the validation and certification tasks required by the new European certification schemes.

  • Direzione Generale per le Tecnologie delle Comunicazioni e la Sicurezza Informatica - Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione (ISCOM): the Italian Certification Body, which will have a role similar to CCN's, providing a second, independent verification of the tool.

The CCCAB project started in April 2021 and will run for two years, so the tool is expected to be available by April 2023. During these 24 months, the milestones set out in the project roadmap will be met and periodically reported to the European Commission.

The tool will be released as open source, free of charge, to all public or private CABs interested in the initiative.

Technical features and how to use CCCAB

CCCAB will run as a wizard that guides the user step by step through the validation of the laboratory's work, requesting the input needed to validate an assessment. The wizard will tell validators the next step in the validation process and flag parts of the validation that are still incomplete or have issues.

CCCAB will also support knowledge management within the CAB: expert comments, hints and tips on how to validate assessment work under the Common Criteria standard will be easy to add and consult, and the tool will allow validation reports to be written and generated.

    The most outstanding features and technical advantages that CCCAB will bring could be summarized as follows:

  • Project management and access control for multiple validators with different types of roles available.

  • Intuitive and attractive user interface, allowing the configuration of corporate colors and logos.

  • Easy installation.

  • Web edition and printing of reports in docx/pdf formats.

  • Centralized control panel.

  • Common Criteria requirements integrated online.

  • Based on state-of-the-art web technologies such as HTML5, CSS3 and AngularJS.

  • Specification of machine-to-machine language to exchange information with laboratories.

  • Human-to-machine specification to obtain information from manufacturers.

  • Specification for communication between all parties involved.

  • Automatic generation of validation reports and issuance of certificates.

  • Database storage system.

  • Adaptation to EUCC requirements.

Conclusions

CCCAB aims to improve and smooth the validation process, with the goal of becoming a common tool for the more than 30 countries that recognize Common Criteria and for the other CABs within the European Cybersecurity Certification Framework. CCCAB will be adapted to the EUCC (better known as the European Common Criteria) and, being open source, the community will be able to contribute to its development. Its potential for use and improvement is therefore large: in the future it could be extended to other European Cybersecurity Certification Schemes that use other evaluation methodologies, such as LINCE, the 5G scheme or the European cloud scheme, among others.

The outlook for CCCAB in the coming years is excellent; the first version developed in this project is only the germ of a much more advanced tool.
