Enhancing information security
Last Updated:Dec 10, 2024
It is a scheme that security functionalities of IT products are evaluated and certified by a third party to meet the security requirements required by government procurement personnel; i.e., to counter assumed threats by means of countermeasures, and to appropriately implement the countermeasures in the products.
For an overview of JISEC scheme, please refer to
JISEC Overview.
For the historical background of the scheme, please refer to
Background of the Scheme.
ISO/IEC 15408 defines common criteria for security evaluations of IT products. It is used as an international standard to promote the use of the evaluated and certified products in terms of ensuring security of the IT products that possess information properties.
ISO/IEC 15408 and the Common Criteria (CC) mean the same.
While ISO/IEC JTC1/SC27/WG3 is in charge of standardization of ISO/IEC 15408, CCRA develops the CC. They maintain a collaborative relationship to update Common Criteria (CC), i.e., ISO/IEC 15408.
The latest CC/CEM can be found at CC/CEM (English and Japanese).
TCSEC (Trusted Computer System Evaluation Criteria) was developed by NCSC (National Cybersecurity Center) under NSA (National Security Agency) in USA and issued in 1983 (revised in 1985) as the criteria for the procurement of computer systems to be used for the military purpose, which affected the development of ITSEC and CC. It was published as one of the Rainbow Series and is frequently referred to as the Orange Book according to its color of the cover page of the book.
ITSEC stands for Information Technology Security Evaluation Criteria. Four countries in Europe, including United Kingdom, Germany, France and Netherlands, developed it as the European Uniform standard for evaluation and published V1.2 to start the formal operation in June, 1991.
The official name is Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security. It is also called Common Criteria Recognition Arrangement for short and is abbreviated to CCRA.
ST (Security Target) is an implementation-dependent statement of security needs for a specific identified target of evaluation, created by vendors. It describes security functionalities, objectives, measures, and the assumed operational environments. It is used for procurement personnel to determine which products satisfy their needs in terms of their own operational environments and purposes.
PP (Protection Profile) is a formal document defined in the CC, expressing an implementation-independent set of security requirements for a category of IT products that meet specific consumer needs. PP is standardized so that developers and procurement personnel could have a common interpretation on security requirements.
The CC Part 1 includes the specification of the ST and PP. For more details, please refer to CC Part 1, Annexes.
Evaluations are carried out by the ITSEF (IT Security Evaluation Facility; hereinafter referred to as the "Evaluation Facility"), who performs independently of the developers of the IT products evaluated. Evaluations under JISEC are performed by commercial Evaluation Facilities, and they are approved by National Institute of Technology and Evaluation (NITE), the Accreditation Body.
Certification is a process carried out by the Certification Body, leading to the issuance of a Common Criteria Certificate. Japan's Sole Certification Body is established within the Information-technology Promotion Agency, Japan (IPA), and it implements the Certification or ST confirmation based on the results of evaluations made by the Evaluation Facilities.
Applicant
Applicant
EF
Applicant
CB
Applicant,
EF, and CB
EF
Applicant
EF
CB
The Term and cost it takes are different for each evaluation because the complexity of the TOE and Evaluation Assurance Level (EAL) is different for each case. For example, in case of EAL2, it takes four to six months at least. In case of EAL4, it could take more than twelve months.
The cost includes the expense for the Evaluation Facility, as well as the preparation of evaluation documentation specified by the CC, and testing environments, etc. Depending on the complexity of the TOE, the expense for the Evaluation Facility is decided between the Evaluation Facility and applicant.
In addition, the application fee for the Certification Body is also required.
The Evaluation Facilities are prohibited from providing the consulting service as a general rule. The Evaluation Facility and evaluators are required to maintain the impartiality and independency in evaluation. Only if those are assured to be maintained, there might be a special case, where an independent section of the Evaluation Facility provides the consulting service in a manner that never affect the evaluation.
Basically, software, hardware, and firmware of the IT products that have security functions can be a target of evaluation and certification.
ISO/IEC 15408 is a standard to objectively evaluate whether security functions implemented to the IT products can protect the information against attacks.
Therefore, the target of evaluation must be able to specify "Information/assets to be protected," "threats/attacks to be countered" and "environment to be applied."
Currently, the product categories to be targeted in the Japanese government procurement include Multifunction Printer (MFP), Firewall, Intrusion Detection/Prevention System (IDS/IPS), OS (Server OS), Database Management System (DBMS), and Smartcard.
For CC evaluations, it is required to prepare design documents, testing plans, administrator's guidance, user guidance, and evaluation documentation, in addition to the IT product itself. The necessary documents vary depending on EAL.
For more details, please refer to Application Forms page.
You can refer to Annex of the CC Part 1.
JISEC as well as Evaluation Facilities run various training courses to develop the Security Target.
For more details, please contact with the Evaluation Facilities listed.
For procurement in general, procurement personnel/users specify EAL in order to meet their needs. There might be cases where developers decide EAL for package products in consideration of the product's characteristics and market trends. In either case, selecting appropriate EAL will lead to smooth evaluation and certification.
Non-Japanese vendors can also apply to JISEC. However, it is necessary to understand our scheme documents which are written in Japanese at the moment. Please consult with the Evaluation Facility described in the list of Evaluation Facilities for the support for the application.
(Please note that we are preparing for application forms in English right now. In the meantime, please contact us if you wish to obtain application forms in English.)
EAL |
EAL stands for Evaluation Assurance Level. |
---|---|
OSP |
OSP stands for Organizational Security Policy. |
SAR |
SAR stands for Security Assurance Requirement. |
SFP |
SFP stands for Security Functional Policy. |
SFR |
SFR stands for Security Functional Requirement. |
TOE |
TOE stands for Target Of Evaluation. |
TSF |
TSF stands for TOE Security Functionality. |
Object |
Object is a passive entity of the TOE, which receives and stores information, and it could be a target of operations by a subject. |
Subject |
Subject is an active entity of the TOE, which performs operations against an object. |
Nov 1, 2023
Some descriptions have been updated to reflect the upgrade to CC/CEM:2022.