There has been a great deal of discussion on a new certification process originating in Europe, specifically related to cybersecurity. Corsec outlines what the new certification is, how it will apply to vendors around the world, as well as what to expect next.
What is the EU Cybersecurity Act?
As a result of a request from the European Commission and in accordance with the EU Cybersecurity Act, ENISA (European Union Agency for Cybersecurity) has been appointed to develop a framework for evaluating security of Information and Communication Technology (ICT) products and services.
To meet this goal, the EU Common Criteria scheme (EUCC) has been developed. The EUCC is a successor to Senior Officials Group – Information Systems (SOG-IS) and stipulates a comprehensive set of rules, requirements, standards, and procedures to certify these products in accordance within the scheme.
EUCC uses the Common Criteria standard as a framework but adds additional requirements, specifying certain assurances at different levels. The product assurance levels laid out by EUCC are:
Basic
– Allows for self-attestation
Substantial
– Requires CAB certification
– 1 and AVA_VAN.2 (and associated assurance dependencies)
– EAL 2 or 3
High
– Require scheme certification
– 3 to AVA_VAN.5 (I believe this translates to EAL 4)
– EAL 4 and above
– Technical Domain is required to be defined before going above AVA_VAN.3
Certification is performed by Conformity Assessment Bodies (CABs). The European labs that presently perform Common Criteria evaluations are eligible to become CABs as well.
How does this relate to Common Criteria?
The EUCC uses Common Criteria as its foundation. Once the EUCC is enacted the national schemes will be phased out over time and replaced with the EUCC scheme. Products performing a Common Criteria certification, in Europe, can choose to meet the EUCC requirements as a part of the Common Criteria certification. The EUCC certificates will be listed on a centralized EUCC website as well as on the current CC Portal.
Common Criteria also includes a Common Criteria Recognition Agreement (CCRA) which includes 31 countries that mutually recognize Common Criteria certificates.
Some portions of the EUCC, such as private CABs as certification bodies, conflict with the CCRA. A renegotiation of the CCRA will be required once the Implementing Act has been endorsed. At the recent ICCC conference in Toldeo, Spain both ENISA and NIAP committed to working to harmonize these changes and update the CCRA.
In the meantime, Common Criteria labs in Europe can continue to perform evaluations that are certified by their national scheme. Corsec can work with vendors to understand the best steps to ensure coverage in the markets your product is targeting.
What is the current status?
The Cybersecurity Act has been passed and the draft EUCC scheme has been documented and is awaiting the EU Implementing Act. The Implementing Act must be endorsed by all EU member states before the scheme can take effect. Once the Implementing Act has been endorsed, the process of implementing the scheme will begin.
What should vendors be doing now?
There is still a great deal of work to complete this project as well as coordination and clarification regarding Common Criteria and the EUCC. There is an upcoming conference taking place in March of 2023 in Brussels, the EU Cybersecurity Act Conference, which should help shed additional light on these topics.
Vendors should continue to monitor the status of the certification or watch for updates from Corsec on social media or through our monthly newsletter.
About Corsec Security, Inc.
For two decades Corsec has assisted companies through the IT security certification process for FIPS 140-2 / FIPS 140-3, Common Criteria (CC), CSfC, and the DoD’s APL. We are a privately owned company focused on partnering with organizations worldwide to assist with the process of security certifications and validations. Our certification methodology helps open doors to new markets and increase revenue for clients with products ranging from mobile phones to satellites. Our broad knowledge safeguards against common pitfalls and thwarts delays, translating to a swift and seamless path to certification. Corsec has created the benchmark for providing business leaders with fast, flexible access to industry knowledge on security certifications and validations.
###
Connect With Us:
Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe
Press Contact:
Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com