JISEC-Evaluation and Certification Processes

This page offers you information to understand the outline of the workflow of IT Security Evaluation and Certification.

The working processes of IT Security Evaluation and Certification consist of the following four steps.

Process Overview

1 Preparation Step

1.1 Necessary preparations for application

To apply the certification, the applicant should be clarifying the purpose and the range of evaluation beforehand. If it is not considered enough, unnecessary expense and the man-hour are spent in the course of the evaluation and the certification.

• To determine the suitability of the scope of TOE for evaluation and EAL.

• To describe the Security Target.

• To arrange the schedule.

• To identify the deliverables needed to support the evaluation.

TOE

• The range and EAL (Evaluation Assurance Level) of TOE (Target of Evaluation) are specified.

• The range of TOE and EAL are related within the range of the test.
  In a word, the more the range of test extends, the more cost and time for evaluation are spent.

ST

• The evaluation period may be extended greatly by going upstream on the process in the evaluation when the maturity of ST is low at the application stage. It is necessary to complete ST at the first stage of the evaluation. The evaluation is executed based on completed ST.

Deliverables

• Besides IT product or IT system of target for evaluation, evidential materials such as design documents used for the development, test related documents, administrator's guide, user's guide and so on are required to be evaluated.

• Necessary materials are different according to EAL.

Schedule

• Make a rough schedule taking the preferred time to get the certification in consideration, whether it is before its release or after the release.

• It is necessary to consider the allocation of development resource to evaluation support work and the influence of mutually work delay in design and certification, if you plan the acquisition of certification in parallel with development.

• Assume that items pointed out as a problem at the evaluation phase, for instance, when the vulnerability is found and it feed back to the development, may affect the development schedule.

1.2 Determination of Evaluation Facility

• To determine the suitable evaluation facility for your TOE evaluation, in consideration of the area of specialty of evaluators or evaluation facilities, schedule, evaluation fee and so on.

• Confirm the EAL that the evaluation facility is approved and check the type of TOEs that the evaluation facility has experienced.

• Select the evaluation facility after adjusting the schedule and cost.

• Make a contract with the evaluation facility including NDA.

1.3 Application for Certification

• An applicant should remit an application fee.
• To submit one copy of each of the following application forms and two copies of ST to the Certification Body.
  • Application for Certifications (Form 1)
  • Evidence showing the corporate entity
  • Written Oath (Form3)
  • ST (two copies)
  • List of the evaluation deliverables
  • Nondisclosure Agreement (Form 12-1)
  • Request for Publication of "In Evaluation"
  • (Form 11, according to the request)
• In addition, following documents must be submitted to the Certification Body by the Evaluation Facility.
  • Evaluation Work Plan (Form 4)
  • Checklist for Impartiality and Independence of Evaluation (Form 5)
• Please refer to "Application" for more details.

1.4 Kickoff Meeting

• The aim of the Kickoff Meeting is to agree the suitability of proposed TOE for evaluation, to discuss the evaluation and certification process for the TOE and the schedule, and to clear the concerns.

2 Evaluation Work Step

The purpose of the evaluation is to determine whether the TOE Security design is suitable, whether the TOE Security Functions fulfill the Security Requirements described on the TOE design and whether the TOE is developed based on the TOE design and free from exploitable vulnerabilities.

The following activities are included;

• Confirmation of the ST.
• Confirmation of the Evaluation Deliverables.
• Evaluation of the TOE, including analysis and testing;
• Production of any Observation Reports (ORs) by the evaluation Facility and response to the ORs by the applicant;
• Site visit;
  (An applicant should accept the site visit of the Evaluation Facility and the Certification Body.)
• Production of the Evaluation Technical Report (ETR) by the evaluation Facility.

An applicant should submit Evaluation Deliverables in a timely manner to the Evaluation Facility concerned pursuant to the predetermined schedule of delivery.

Evaluation deliverables may include:

• Items of hardware, firmware or software which constitute the TOE itself;
• Items of hardware, firmware or software which constitute
• the TOE platform(s);
• Supporting TOE documentation;
• Guidance documentation;
• Access to the development site;
• Supporting Evaluator Test;
• Technical support.

3 Certification Work Step

The Certification Body verifies the validity of the evaluation according to CC/CEM.

3.1 Certification Review

• The Certification Body reviews the ETR. When any problem is identifies with them, the Certification Body issues Certification Review to the Evaluation Facility.
• An applicant should confirm the ETR and take any necessary measures in case the applicant finds any incorrect information or misapprehension in the report, in consultation with the Evaluation Facility and request for corrective action.

3.2 Certification Report

• The Certification Body issues the Certification Report which is the summary of the Evaluation technical Report on the TOE as well as the matters confirmed in the verification process for the Evaluation technical Report.

3.3 Certificate

• The Certification Body issues the Certificate to prove the results of an evaluation.

4 Publication Step

4.1 Publish to the Web

• According to an applicant request, the information of certified product (ST, Certification Report and Certificate) can be listed on JISEC web site and CCRA web site as specified by the application.