What is Common Criteria?
Common Criteria is the most recognized certification used for assessing security in ICT products. This certification is required in some cases by regulations but, in all cases a Common Criteria certificate provides a competitive advantage, by providing trust to customers and users.
Obtaining a Common Criteria certificate, which is issued by National Certification Bodies, requires that the product goes through an evaluation process carried out by an accredited laboratory, who performs documental and technical assessment activities defined by the Common Criteria standard.
Sometimes it may be hard for the vendor to understand how to meet the requirements of the Common Criteria standard. This may result in unforeseen time and money expenses and, in the worst cases, not obtaining the certificate and causing economical losses.
Bigger companies have specialized certification departments that handle the process, but otherwise it is recommended to hire, Common Criteria consultancy services. These are provided by professionals who understand the certification process and can ensure a successful outcome without dedicating internal resources for this task.
How jtsec carries out a Common Criteria project?
As professionals with extensive experience in the field, in jtsec we have successfully faced several evaluations of products developed by vendors of many types and sizes. During our years of work in certification, we have developed a work methodology that makes the process as simple as possible and enables us to guarantee success.
First, our approach with the customer prioritizes understanding the product, the objectives for its certification and the potential risks that, based in our experience, may be found during the certification roadmap. This allows us to perform early consideration of the risky scenarios and we help the customer to plan and implement the immediate measures for avoiding them. This approach allows us to detect and treat issues that, in other cases, rise up later during the evaluation and compromise the success of the process. Every client and every product is unique and that is how we consider every project, knowing that it he needs to be treated with some remarkable particularities
Second, our methodology, we help the customer during the whole process, our experts have developed CCToolBox, a set of automated tools to smooth the Common Criteria certification process including the two main consuming activities: documentation generation and evaluation. The final objective of this innovative methodology is to save about 50% time and costs to the customer
To generate Common Criteria compliant documentation, CCGen is the jewel of the crown in this field. It is a web-based tool that easily generates Common Criteria compliant. It intuitively walks the user through the Common Criteria documental requirements and makes it as simple as filling up a form. CCGen takes care of maintaining consistency and warns about potential issues.
As a result of using CCGen for creating the Common Criteria documentation, we ensure that the generated documents are compliant with the standard and will go through laboratory evaluation without much trouble, saving approximately 50% of the time and money.
But our internally developed tools are not only for helping the product vendor, also the laboratories. We have developed CCEval, oriented to evaluation laboratories. It allows to enter the documental evidences of the evaluation and it guides the evaluators for the applicable evaluation tasks in an easy way. CCEval automatizes as many evaluation tasks as possible, significantly reducing resources used for evaluation. It covers both documental and technical tasks. For technical ones, it assists in calculation of attack potential, and developing functional and penetration tests.
While CCGen generates evaluation evidences (Security Target, User guides, Design documents, etc.), CCEval generates the Evaluation Technical Report (ETR), Observation Reports and assurance class partial evaluation reports. This documentation can be directly delivered to the Certification Body, reflecting the evaluation work performed by the laboratory minimizing the risk of inconsistencies and non-conformities in the side of the evaluator.
Both CCGen and CCEval tools are interoperable and the laboratory work can become as easy as loading the data generated by CCGen in CCEval and let it search for potential issues, with as much automation as possible. Both tools comprise CCToolBox. By using out tools, the path to obtaining the Common Criteria Certificate becomes simple for all actors involved in the process, especially for the vendor
Third, our commitment goes beyond the final certification. It starts at the beginning with two main promises:
- Fixed price: You will know from day one how much the project will cost and that is what you will pay at the end, avoiding surprises.
- Time to market: We put at your disposal the human and material resources necessary to meet the deadline. No delays.
Making Common Criteria Easier.
From jtsec, we can provide our experience, our customer orientation, our solid methodology and our powerful tools to make the Common Criteria certification process easy not only to the customer, but also to the laboratory. Our objective is to provide our services to turn the evaluation process into a successful and grateful experience for all actors involved.
If you need to know more about our consultancy services, click here.
Do you want to know more about CCToolBox? click here.
