Certify a product under the Common Criteria standard, with or without a Protection Profile?

Blog | 7 Jan 2021 | Posted by: jtsec Team

Certifying a product under the Common Criteria methodology is not easy. Several variables, mainly decided at the beginning of the project, are key to the proper development of the evaluation.

One of the important early decisions is to verify whether or not the product fits the characteristics and requirements of an existing Protection Profile (PP).

But, what is a Protection Profile (PP)?

A Protection Profile (PP) is a document that can be used as part of the process of certifying a product according to the Common Criteria standard (ISO/IEC 15408). It is developed by a user or a community of users and acts as a generic Security Target (ST) for the technology concerned. Every Protection Profile includes security activities whose objective is to achieve feasible, repeatable and verifiable evaluations within its category.

How to evaluate a product that FITS a Protection Profile?

There are currently 223 PPs divided into 14 categories according to the official Common Criteria website. These PPs adapt to the market as the number of products developed by manufacturers increases and, due to the continuous development of new technologies, certification under new PPs is demanded for which no PP has yet been developed.

If your product is within the parameters of a specific PP, the certification process is speeded up because the PP already defines:

  • An assurance level (EAL).

  • A detailed description of the product, although product-specific details not covered by the PP's description still have to be added.

  • The definition of the security problem: a list of assets, subjects, threats, policies and assumptions is given.

  • The security objectives for the TOE and its operational environment.

  • The list of SFRs (Security Functional Requirements).

How to evaluate a product that DOES NOT FIT a Protection Profile?

PPs are developed mostly in response to the market's own demand, driven by the type of solutions the market wants to certify under the Common Criteria standard. However, it may be that a product based on a new technology needs to be certified, or that this type of solution has simply never been certified under the Common Criteria methodology.

When this happens, the cybersecurity consultant and the company that developed the product are the pioneers in creating the specific Security Target (ST) for that category, so the work takes more effort and time. It is possible that in the future this Security Target will be adopted as the basis of a Protection Profile for this type of product.
