jtsec | Blog | EUCC versus Common Criteria, a new cybersecurity scheme for the certification of ICT products in Europe.

- July

2020

Posted by: Javier Tallón

EUCC versus Common Criteria, a new cybersecurity scheme for the certification of ICT products in Europe.

Javier Tallón, our Technical Manager is a member of ENISA ad-hoc Working Group on SOG-IS successor scheme to support the preparation of a candidate EU cybersecurity certification scheme as a successor to the existing schemes operating under the SOG-IS MRA.

What is EUCC?

This new scheme, developed for the certification of ICT products cybersecurity, has been named as EUCC scheme (Common Criteria based European candidate cybersecurity certification scheme).

Recommendations about EUCC, the new scheme for the certification of ICT products cybersecurity

Regarding EUCC, these will be our recommendations:

1. You can expect a brief period of uncertainty. If the implementing act is adopted around the end of 2020, there will be a, probably two-year, transition period before the current national SOGIS schemes stops working. We expect the new scheme to be fully operating by the beginning of 2022. Old certificates can be converted to the new scheme. Please, note that there will be zero parallel emission of EUCC and SOG-IS MRA certificates.

2. Prepare for new obligations:

Offering a security support period to consumers

Monitoring compliance of the product. From now on, include the highest possible level of ALC_FLR in your evaluations!

Having an online repository of publicly disclosed vulnerabilities

Handle compliances

3. Prepare for patch management: the new scheme will have two patch management methodologies that will allow developers to push security updates to their product while staying under the umbrella of the certificate. One of them has been led by jtsec as part of ISO SC27. They may require a bit of preparation, so ensure that you are able to provide patches in a consistent manner with these new methodologies. If you are able to implement patch management from now you will be able to have some benefits in the future, especially if you want to convert already awarded SOG-IS certificates to the new scheme.

4. Closer lab cooperation: the new scheme will need closer cooperation between vendors and lab to work adequately. There may be reassessments and audits of already certified products after certification.

Patch management will require establishing a SLA between lab and vendor to enable fast recertification of vulnerable products!

Compliance monitoring obligations may be subcontracted to the lab and probably also the handling of compliance.

5. Certificates above VAN.3 will not be recognized unless there is a specific technical domain (at the moment, there are two technical domains: "HW Devices with Security Boxes" and "Smartcards and similar devices").

First public consultation for the version-1 of the EUCC Candidate Scheme

The European Union Agency for Cybersecurity, (ENISA) has launched a public consultation for the first candidate cybersecurity certification scheme which will end on July 31st, 12:00 CET. Until this date, there is the possibility to collaborate with the project and share comments that may be useful for the improvement of the scheme and that will be reviewed in a later version.

Our commitment to new cybersecurity regulations

At jtsec, we always strive to innovate in the field of cybersecurity as a part of our technical excellence. We are editors at the thematical group “IACS Cybersecurity certification “, members of the SCCG (Stakeholder Cybersecurity Certification Group) and editors at JTC13 WG3: “Cybersecurity Evaluation Methodology for ICT products”, among many other contributions in the area of cybersecurity.

tags

Javier Tallón/Technical Director

Expert consultant on the Common Criteria standard, and other security assurance standards in the field of the information technology (FIPS 140-2, ITSEC, ISO 27K1, SOC 2, ENS...). Javier has served as an evaluator in the Spanish CB for the country major evaluation labs. As a consultant, he has successfully accompanied national and international companies in several certification processes (to EAL5+). His experience has led him to participate as a speaker at several conferences on computer security and certification (SuperSec, Cybercamp, Navaja Negra, International Common Criteria Conference, International Cryptographic Module Conference, EUCyberact Conference). He is also Cyber Security lecturer, giving classes of Secure Software Engineering at the University of Granada and is CISSP (Certified Information Systems Security Professional) and OSCP/OSCE (Offensive Security Certified Professional & Certified Expert) certified .

In 2015 he begins to lay the foundations of what will be jtsec. He currently works as Technical Director of the evaluation lab and Chief Operations Officer (COO) of the Granada site from where the company develops most of the work. Recognized expert in various disciplines of cybersecurity (reversing, exploiting, web, ...), assumes the technical direction of most of the projects, directing and organizing the work of the team. He also leads the Research and Development area, encouraging the participation of the jtsec team in multiple Congresses.