Our team at Accelerated Memory Production offers full support throughout the complicated Common Criteria validation process with the National Information Assurance Partnership (NIAP), which can take up to 6 months. If you need more information on how we can support you, please contact us at firstname.lastname@example.org.
What is Common Criteria?
Formalized as ISO/IEC 15408, the Common Criteria (CC) defines a hierarchical framework of security concepts and terminology. The Target of Evaluation (TOE) is the part of the product or system that is subject to evaluation. The Security Target (ST) document defines the security threats, objectives, functional requirements and assurance measures of the TOE, including a summary specification of how the TOE satisfies them. The CC also defines the Protection Profile (PP) construct, which is an ST template specific to a product category but agnostic to any particular product. This allows prospective consumers, developers and regulatory groups to create standardized requirement and evaluation profiles. The Common Criteria Recognition Agreement (CCRA) is an international cooperative agreement whereby participating government organizations ensure that Certification Bodies issuing CC certificates meet high and consistent standards, as well as the conditions for mutual recognition of those certificates.
Why should I evaluate my product?
In the US, the Committee on National Security Systems (CNSS) releases policies binding upon all U.S. Government departments and agencies. Policy 11 requires all Information Assurance (IA) and IA-enabled IT products to be selected from the National Information Assurance Partnership (NIAP) Product Compliant List (PCL). As stated in the NIAP FAQ, IA and IA-enabled products are those that have any mechanism providing for the availability of systems, ensuring the integrity and confidentiality of information, or ensuring the authentication and non-repudiation of parties in electronic transactions. It is worth noting that this is not always understood or fully enforced by contractors, integrators, procurement, etc. One example is the need to be on the NIAP PCL, as opposed to just having a Common Criteria certificate from any CC country or scheme.