Q1-1. What is the IT Security Evaluation and Certification Scheme?
It is a scheme in which the security functionality of IT products is evaluated and certified by a third party against the security requirements set by government procurement personnel; that is, it confirms that the product counters the assumed threats by means of countermeasures, and that those countermeasures are appropriately implemented in the product.
Q1-2. What are ISO/IEC 15408 and the Common Criteria (CC)?
ISO/IEC 15408 defines common criteria for the security evaluation of IT products. It is used as an international standard to promote the use of evaluated and certified products, in order to ensure the security of IT products that hold information assets.
ISO/IEC 15408 and the Common Criteria (CC) refer to the same criteria.
While ISO/IEC JTC1/SC27/WG3 is in charge of the standardization of ISO/IEC 15408, the CCRA develops the CC. The two bodies maintain a collaborative relationship to update the Common Criteria (CC), i.e., ISO/IEC 15408.
The latest CC/CEM can be found at the following page.
Part 1: Introduction and general model Version 3.1 Revision 5
Part 2: Security functional components Version 3.1 Revision 5
Part 3: Security assurance components Version 3.1 Revision 5
Evaluation methodology Version 3.1 Revision 5
Q1-3. What are TCSEC and ITSEC?
TCSEC (Trusted Computer System Evaluation Criteria) was developed by the NCSC (National Cybersecurity Center) under the NSA (National Security Agency) in the USA and issued in 1983 (revised in 1985) as criteria for the procurement of computer systems for military use; it influenced the development of ITSEC and the CC. It was published as one of the Rainbow Series and is frequently referred to as the Orange Book, after the color of its cover.
ITSEC stands for Information Technology Security Evaluation Criteria. Four European countries, the United Kingdom, Germany, France and the Netherlands, developed it as a uniform European standard for evaluation and published V1.2 in June 1991 to begin formal operation.
Q1-4. What is the CCRA?
The official name is the Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security. It is also called the Common Criteria Recognition Arrangement for short and is abbreviated to CCRA.
On October 5, 1998, a letter of agreement regarding IT Security Evaluation and Certification based on the Common Criteria was prepared and made public.
At the same time, five participating countries, Canada, France, Germany, the United Kingdom and the United States, which had already started operating their schemes, signed the MRA (Mutual Recognition Agreement), and the framework for international mutual recognition began.
Under this mutual recognition agreement, an IT product evaluated and certified in one participating country on the basis of the CC is recognized by the other participating countries.
This Mutual Recognition Agreement (MRA) was revised in May 2005, and the name of the agreement was changed to the Common Criteria Recognition Agreement (CCRA).
The CCRA categorizes participants into two groups, "Certificate Authorizing Participants (CAP)" and "Certificate Consuming Participants (CCP)." Certificate Authorizing Participants (CAP) are countries that operate an evaluation and certification/validation scheme based on ISO/IEC 15408 under the CCRA, while Certificate Consuming Participants (CCP) are countries that accept the certification results of the CAPs.
Japan joined the CCRA as a CAP in October 2003.
For the latest information on the CCRA, please refer to the Topics page.
Q1-5. Can you explain the Security Target and Protection Profile?
An ST (Security Target) is an implementation-dependent statement of security needs for a specific identified target of evaluation, created by the vendor. It describes the security functionality, objectives, measures, and the assumed operational environment. Procurement personnel use it to determine which products satisfy their needs in terms of their own operational environments and purposes.
A PP (Protection Profile) is a formal document defined in the CC, expressing an implementation-independent set of security requirements for a category of IT products that meet specific consumer needs. A PP is standardized so that developers and procurement personnel can share a common interpretation of the security requirements.
CC Part 1 includes the specification of the ST and PP. For more details, please refer to CC Part 1, Annexes A and B.
Q1-6. What is the difference between evaluation and certification?
Evaluations are carried out by an ITSEF (IT Security Evaluation Facility; hereinafter referred to as the "Evaluation Facility"), which performs the evaluation independently of the developers of the IT product being evaluated. Evaluations under JISEC are performed by commercial Evaluation Facilities, which are accredited by the National Institute of Technology and Evaluation (NITE), the Accreditation Body.
Certification is a process carried out by the Certification Body, leading to the issuance of a Common Criteria Certificate. Japan's sole Certification Body is established within the Information-technology Promotion Agency, Japan (IPA), and it performs Certification or ST Confirmation based on the results of evaluations made by the Evaluation Facilities.
2. Practical Side of Evaluation and Certification
Q2-1. Can you explain the procedure to apply for evaluation and certification?
EF: Evaluation Facility / CB: Certification Body
1. Applicant: Prepare the evaluation documentation, such as the ST.
2. Applicant: Select and contract with an Evaluation Facility for the evaluation.
3. EF: Make an "Evaluation Work Plan" and get approval from the Applicant.
4. Applicant: Submit the "Application for Certification" to the CB. For more details on the application, refer to the First-Time Applicants page.
5. CB: Assign a person in charge and send the "Notification for Confirmation of Evaluation Work Plan".
6. Applicant, EF, and CB: Hold a kick-off meeting to confirm the Evaluation Work Plan.
7. EF: Report the evaluation progress to the Applicant and the CB.
8. Applicant: Deal with the issues pointed out by the EF.
9. EF: Make the "Evaluation Technical Report" and submit it to the CB.
10. CB: Verify the "Evaluation Technical Report"; if OK, issue the "Certificate" and "Certification Report".
Q2-2. How long does evaluation and certification take, and what does it cost?
The time and cost differ for each evaluation because the complexity of the TOE and the Evaluation Assurance Level (EAL) differ in each case. For example, an EAL2 evaluation takes at least four to six months, and an EAL4 evaluation can take more than twelve months.
The cost includes the fee for the Evaluation Facility, as well as the cost of preparing the evaluation documentation specified by the CC, the testing environment, and so on. The fee for the Evaluation Facility is agreed between the Evaluation Facility and the applicant, depending on the complexity of the TOE.
In addition, an application fee for the Certification Body is also required.
Q2-3. If we receive a consulting service from an Evaluation Facility, can the same Evaluation Facility perform our evaluation?
As a general rule, Evaluation Facilities are prohibited from providing consulting services. The Evaluation Facility and its evaluators are required to maintain impartiality and independence in evaluation. Only where these are assured can there be a special case in which an independent section of the Evaluation Facility provides the consulting service in a manner that does not affect the evaluation.
Q2-4. What kind of products can be a target of evaluation?
Basically, the software, hardware, and firmware of IT products that have security functions can be a target of evaluation and certification.
ISO/IEC 15408 is a standard for objectively evaluating whether the security functions implemented in an IT product can protect information against attacks.
Therefore, the target of evaluation must be able to specify the "information/assets to be protected," the "threats/attacks to be countered" and the "environment in which it is applied."
Currently, the product categories to be targeted in the Japanese government procurement include Multifunction Printer (MFP), Firewall, Intrusion Detection/Prevention System (IDS/IPS), OS (Server OS), Database Management System (DBMS), and Smartcard.
Q2-5. What is required for the evaluation?
For CC evaluations, it is required to prepare design documents, testing plans, administrator's guidance, user guidance, and evaluation documentation, in addition to the IT product itself. The necessary documents vary depending on EAL.
For more details, please refer to Application Forms page.
Q2-7. Who should decide the EAL, developers or procurement personnel/users?
For procurement in general, procurement personnel/users specify the EAL in order to meet their needs. There may be cases where developers decide the EAL for packaged products, taking into account the product's characteristics and market trends. In either case, selecting an appropriate EAL will lead to smooth evaluation and certification.
Q3-1. Can vendors apply to JISEC in languages other than Japanese?
Non-Japanese vendors can also apply to JISEC. However, it is necessary to understand our scheme documents, which are written in Japanese at the moment. Please consult an Evaluation Facility from the list of Evaluation Facilities for support with the application.
(Please note that we are currently preparing application forms in English. In the meantime, please contact us if you wish to obtain application forms in English.)
4. CC Glossary
Q4-1. Can you explain the terms that are specific to the CC?
EAL stands for Evaluation Assurance Level.
The EAL is a scale representing the level of assurance, obtained through evaluation, that an IT product's security functions operate correctly. (Note that the EAL does not indicate the strength of the security functions.)
CC evaluations are carried out against a set of defined assurance levels from EAL1 to EAL7, which are defined in CC Part 3 of ISO/IEC 15408.
A higher level means a greater degree of rigor in assurance.
OSP stands for Organizational Security Policy.
OSPs are security rules, procedures, or guidelines to be imposed by an organization in the operational environment. When there are organizational security policies to be met by the procurement side, etc., OSPs shall be described in the ST of the TOE.
SAR stands for Security Assurance Requirement.
SARs are the requirements that provide assurance that the security functions are correctly implemented. In CC Part 3, SARs are divided into six major classes: Development, Guidance documents, Life-cycle support, Security Target evaluation, Tests, and Vulnerability assessment.
For more details, please refer to the CC Part 3.
SFP stands for Security Function Policy.
An SFP is a set of policies that describe specific security behavior, which are enforced by the TOE Security Functionality.
SFR stands for Security Functional Requirement.
SFRs are the requirements regarding security functions that products should implement. In the CC Part 2, SFRs are divided into 11 major classes to be specified.
For more details, please refer to the CC Part 2.
TOE stands for Target Of Evaluation.
A TOE is defined as a set of software, hardware and/or firmware to be targeted, possibly accompanied by guidance. The TOE may be an IT product, a part of an IT product, a set of IT products, a unique technology that may never be made into a product, or a combination of these.
The scope of the TOE's functions and the TOE's external interfaces related to security functions must be strictly defined.
TSF stands for TOE Security Functionality.
TSF is the collective term for the security functionality of the TOE; it is the part of the TOE that directly or indirectly implements security. It consists of the software, hardware and/or firmware of the TOE.
An object is a passive entity in the TOE that receives and stores information, and it can be the target of operations by a subject.
A subject is an active entity in the TOE that performs operations on an object.