Common Criteria Evaluation and Validation Scheme

Last updated
CCEVS Logo Ccevs.png
CCEVS Logo

Common Criteria Evaluation and Validation Scheme (CCEVS) is a United States Government program administered by the National Information Assurance Partnership (NIAP) to evaluate security functionality of an information technology with conformance to the Common Criteria international standard. The new standard uses Protection Profiles and the Common Criteria Standards to certify the product. This change happened in 2009. Their stated goal in making the change was to ensure achievable, repeatable and testable evaluations.

Contents

Objectives

The CCEVS program is a partnership between the U.S. Government and industry to assist themselves and the consumers:

The scheme is intended to serve many communities of interest with very diverse roles and responsibilities. This community includes IT product developers, product vendors, value-added resellers, systems integrators, IT security researchers, acquisition/procurement authorities, consumers of IT products, auditors, and accreditors (individuals deciding the fitness for operation of those products within their respective organizations). Close cooperation between government and industry is paramount to the success of the scheme and the realization of its objectives. [1]

Validation Body

The Validation Body has the ultimate responsibility for the operation of the CCEVS in accordance with NIAP policies and procedures. Where appropriate it will interpret and amend those policies and procedures. The NIST and NSA are responsible for providing sufficient resources to the NIAP so that the Validation Body may carry out its responsibilities. However, as of 2009 the NIAP has reached out to other vendors, labs, academia and customers to help in the evaluation of products therefore diminishing the reliance on the NSA.

The Validation Body is led by a Director and deputy director selected by NIST and NSA management and other personnel include validators and technical experts in various technology areas.

The Validation Body ensures that appropriate mechanisms are in place to protect the interests of all parties within the CCEVS participating in the process of IT security evaluation.

Disputes brought forth by any participating party, i.e. the sponsor of an evaluation, product or Protection Profile developer or CCTL concerning the operation of the CCEVS or any of its associated activities shall be referred to the Validation Body for resolution.

Once the product has been certified it is listed as PP Compliant in the NIAP Product Compliant List (PCL).

Related Research Articles

The U.S. National Security Agency (NSA) used to rank cryptographic products or algorithms by a certification called product types. Product types were defined in the National Information Assurance Glossary which used to define Type 1, 2, 3, and 4 products. The definitions of numeric type products have been removed from the government lexicon and are no longer used in government procurement efforts.

The Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification. It is currently in version 3.1 revision 5.

The Federal Information Processing Standard Publication 140-2,, is a U.S. government computer security standard used to approve cryptographic modules. The title is Security Requirements for Cryptographic Modules. Initial publication was on May 25, 2001, and was last updated December 3, 2002.

<span class="mw-page-title-main">Green Hills Software</span> American software company

Green Hills Software is a privately owned company that builds operating systems and programming tools for embedded systems. The firm was founded in 1982 by Dan O'Dowd and Carl Rosenberg. Its headquarters are in Santa Barbara, California.

Multilevel security or multiple levels of security (MLS) is the application of a computer system to process information with incompatible classifications, permit access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. There are two contexts for the use of multilevel security.

The Evaluation Assurance Level of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification. The intent of the higher levels is to provide higher confidence that the system's principle security features are reliably implemented. The EAL level does not measure the security of the system itself, it simply states at what level the system was tested.

The vast majority of the National Security Agency's work on encryption is classified, but from time to time NSA participates in standards processes or otherwise publishes information about its cryptographic algorithms. The NSA has categorized encryption items into four product types, and algorithms into two suites. The following is a brief and incomplete summary of public knowledge about NSA algorithms and protocols.

<span class="mw-page-title-main">Federal Information Security Management Act of 2002</span> United States federal law

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer security standards that specify requirements for cryptographic modules.

Software assurance (SwA) is a critical process in software development that ensures the reliability, safety, and security of software products. It involves a variety of activities, including requirements analysis, design reviews, code inspections, testing, and formal verification. One crucial component of software assurance is secure coding practices, which follow industry-accepted standards and best practices, such as those outlined by the Software Engineering Institute (SEI) in their CERT Secure Coding Standards (SCS).

<span class="mw-page-title-main">Product certification</span> Performance and quality assurance

Product certification or product qualification is the process of certifying that a certain product has passed performance tests and quality assurance tests, and meets qualification criteria stipulated in contracts, regulations, or specifications.

The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers that is operated by the National Security Agency (NSA), and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).

The Certification Commission for Health Information Technology (CCHIT) was an independent, 501(c)(3) nonprofit organization with the public mission of accelerating adoption of robust, interoperable health information technology in the United States. The Commission certified electronic health record technology (EHR) from 2006 until 2014. It was approved by the Office of the National Coordinator for Health Information Technology (ONC) of the U.S. Department of Health and Human Services (HHS) as an Authorized Testing and Certification Body (ONC-ATCB). The CCHIT Certified program was an independently developed certification that included a rigorous inspection of an EHR's integrated functionality, interoperability and security using criteria developed by CCHIT's broadly representative, expert work groups. These products may also be certified in the ONC-ATCB certification program. The Commission ceased all operations in 2014

A Protection Profile (PP) is a document used as part of the certification process according to ISO/IEC 15408 and the Common Criteria (CC). As the generic form of a Security Target (ST), it is typically created by a user or user community and provides an implementation independent specification of information assurance security requirements. A PP is a combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs) and rationales.

The Common Criteria model provides for the separation of the roles of evaluator and certifier. Product certificates are awarded by national schemes on the basis of evaluations carried by independent testing laboratories.

The CESG Claims Tested Mark, formerly CSIA Claims Tested Mark, is a UK Government Standard for computer security.

The Federal Information Processing Standard Publication 140-3 is a U.S. government computer security standard used to approve cryptographic modules. The title is Security Requirements for Cryptographic Modules. Initial publication was on March 22, 2019 and it supersedes FIPS 140-2.

<span class="mw-page-title-main">IT risk management</span>

IT risk management is the application of risk management methods to information technology in order to manage IT risk. Various methodologies exist to manage IT risks, each involving specific processes and steps.

IEC 62443 is a series of standards that address cybersecurity for operational technology in automation and control systems. The series is divided into different sections and describes both technical and process-related aspects of automation and control systems cybersecurity. The series is also known as ISA/IEC 62443 in recognition of the fact that much of the initial development was done by the ISA99 committee of the International Society for Automation.

<span class="mw-page-title-main">Standardisation Testing and Quality Certification</span> Science and technology agency of the Government of India

Standardisation Testing and Quality Certification (STQC) Directorate, established in 1980, is an authoritative body offering quality assurance services to IT and Electronics domains.

References

  1. "NIAP: CCEVS Objectives". National Information Assurance Partnership. Retrieved 2017-11-07.