I am often asked to explain the Common Criteria certification process. If you dig below the surface a bit you will find that Common Criteria certification is very un-common. The name originated in the multilateral agreement that established the process in 2000: the Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security. The certification is called ‘Common’ Criteria because the ‘Arrangement’ was initially agreed to, in common, by Australia, Canada, Finland, France, Germany, Greece, Italy, The Netherlands, New Zealand, Norway, Spain, the United Kingdom, and the United States of America. It just so happens that these countries often cooperate on global security issues, more than they do with, for example, China or the Russian Federation.
The value of the certification is the assurance to manufacturers that the product certificate will be accepted by the other signatories to the Arrangement (the mutual recognition the Arrangement itself provides covers evaluations up to EAL-4; acceptance of higher levels is a national decision). In many cases a project engineer or architect will look first to the list of certified products rather than to marketing collateral when designing a secure system. So, if vendors expect to sell into a secure environment, the applicability of Common Criteria certification should be a consideration early in the product roadmap.
A few years ago I did some consulting work with a client who was submitting a hardware product (an optical switch) for Common Criteria certification, so I have some first-hand experience with the process. Obtaining a Common Criteria certificate for a hardware or software product takes from one to two years, and the fees that the manufacturer must pay to the evaluation lab can easily exceed $250,000, depending on the assurance level sought. Currently there are nine approved Common Criteria Testing Laboratories (CCTLs) in the United States; other countries also license laboratories to perform evaluations. Questions from vendors about the certification process and the fees for a specific product are best answered by the points of contact at these labs.
Vendors cannot just show up at a lab with a check and start the certification process. A prospective buyer normally acts as sponsor, and the Security Target (the document that states exactly what the product claims to protect, against what threats, and with which security functions) is developed in coordination with that sponsor so that the certification will meet the buyer’s needs. The sponsor also defines, in coordination with the manufacturer, the Evaluation Assurance Level that the product can meet and must achieve if it is to be used by the buyer in a specific environment. Note that the certificate applies only to the evaluated configuration described in the Security Target; a deployment that differs from it is not the certified product.
EALs range from EAL-1: Functionally Tested, through EAL-7: Formally Verified Design and Tested. EAL-7 is expensive because it requires what software engineering calls Formal Methods: a formal (mathematical) model of the security policy and a formal functional specification and high-level design, with proofs that they correspond, rather than the informal or semi-formal descriptions accepted at lower levels. Formal Methods are how, for example, nuclear weapons software is shown to be free of the more annoying classes of bugs. (Wouldn’t it be nice if more software products were designed using Formal Methods?)
Since the Common Criteria certification process was established only 1,272 products have been certified, and only 510 have been certified to EAL-4 or EAL-4+, which seems to be the most requested level. The Arrangement members maintain a web site with a list of certified products, including each product’s certification report and Security Target for public review. A brief review of a few of these documents will give you a better understanding of the scope of the testing requirements, and of how narrowly the evaluated configuration is usually drawn. DLT vendor products that are certified include:
- Oracle Database 11g Enterprise Edition and Standard Edition (EAL 4+)
- Oracle Identity and Access Management 10g (EAL 4+)
- Oracle Label Security for Oracle Database 10g (EAL 4+)
- Oracle Internet Directory 10g (EAL 4+)
- Oracle Database 10g Release 2 (EAL 4+)
- Oracle HTTP Server (OHS) 10g (EAL 4+)
- Oracle Enterprise Linux Version 5 Update 1 (EAL 4+)
- Red Hat Enterprise Linux Version 5 (various hardware platforms) (EAL 4+)
- Red Hat Enterprise Linux Version 5.1 (EAL 4+)
- JBoss Enterprise Application Platform Version 4.3 CP03 (EAL 2+)
- NetApp Data ONTAP Version 7.3.1.1 (EAL 3+)
- Symantec Network Access Control Version 11.0 (EAL 2+)
- Symantec Endpoint Protection Version 11.0 (EAL 2+)
- Blue Coat ProxySG v5.3.1.9 (EAL 2+)
- Brocade Director (various models) (EAL 3+)