I already have my Common Criteria certified product, now what?

Blog, 28 Sept 2021
Posted by: José Pulido

First of all, congratulations if you have obtained your Common Criteria certification: it is no small challenge!

As an accredited laboratory and expert consultants in Common Criteria, we know that one of the main concerns of our customers, and in our experience of manufacturers in general, is to keep the latest version of their product (the Target of Evaluation, or TOE) listed in the "Certified Products List" of the official Common Criteria portal.

At jtsec we are aware that manufacturers and developers modify, improve and evolve their products continuously, so we understand your concerns in this regard. Certifying a product under the Common Criteria standard is not easy; it can be costly both financially and in terms of time.

To shed some light on this issue, we answer below the most common questions about keeping a product in the "Certified Products" catalogue.

How long does my product remain on the "List of Certified Products"?

The product remains in the "List of Certified Products" for 5 years from the date the certificate was issued, provided that no vulnerability affecting the certified version is found that leads to the revocation of the certificate. Once that period has elapsed, the product is moved to the "Archived Certified Products List", unless its validity has been extended through the appropriate procedure.

How to extend the validity of my certificate, or keep it when the product has been modified

There is a procedure called "Assurance Continuity", defined by the Common Criteria Recognition Arrangement (CCRA), that allows manufacturers to keep the latest version of their product certified without repeating a full evaluation for every change.

The process to be followed by the manufacturer has the following steps:

  • The manufacturer makes changes to the certified TOE.

  • The manufacturer drafts an Impact Analysis Report (IAR) describing the changes and their effect on the security of the TOE, and sends it to the Certification Body.

  • The Certification Body examines the IAR and determines whether the changes are "major" or "minor".

  • If the changes are "minor", a maintenance process applies and a Maintenance Report is issued for the new version of the TOE. If the changes are "major", a re-evaluation is required and, once it is passed, a new certificate is issued.

Original source: https://www.commoncriteriaportal.org/files/operatingprocedures/2012-06-01.pdf

What do "major" and "minor" changes in the TOE mean?

The Certification Body, following the criteria of the Common Criteria Recognition Arrangement (CCRA), classifies the changes into two types depending on whether they affect the security of the product:

  • "Major" changes: those that affect the security of the product and therefore require a re-evaluation. Examples include changing the scope of the TOE or modifying the set of declared security requirements.

  • "Minor" changes: those that do NOT directly affect the security of the product and therefore require only a maintenance process rather than a re-evaluation; editorial changes are a typical example. Note that the Certification Body has the final say on whether a change is "major" or "minor", and therefore on whether a re-evaluation is required.

How can jtsec help you to keep your product on the "List of Certified Products"?

At jtsec we have extensive experience in Common Criteria, always providing an approach aimed at saving our clients the maximum amount of time and money, facilitating the processes and adjusting to their needs.

In all our projects, we include certificate maintenance management at no cost to our clients. Shall we talk?

José Pulido, Consulting Leader

Senior consultant in the Common Criteria, ISO 27001, SOC 2 and ENS standards and expert security software developer. Systems administrator and technology consultant with more than 6 years of experience in the field of computer security. José is responsible for the development of the CCGen tool, which helps generate Common Criteria documentation.

He has participated in security assessment projects for technological products of multinational firms, as part of both the assessment and consulting teams, providing his expert point of view in strategic decision making for cybersecurity. As a developer, he has taken part in integral security projects, carrying out work ranging from the most internal parts of the systems to the security of user interaction.

He is currently the consulting leader of jtsec's team of cybersecurity experts, focusing his work on cybersecurity consulting while continuing to manage security-oriented software development teams. His main motivation for working in cybersecurity is helping to protect users from cyberthreats and information theft.
