Common.SECC provides certificates based on CC evaluations. Common.SECC is closely associated with JTEMS, and security evaluations are based on Common Criteria (CC) / ISO/IEC 15408.
Evaluations will be based on SOGIS certified protection profiles. The full CC evaluation process is required, although CC Certification Body (CB) certification will not be mandated initially, and Common.SECC certificates will be based on ETRs, STs and supporting documentation. However, Common.SECC will cooperate closely with SOGIS Certification Bodies (CBs) and reserves the right to require CB certification. Laboratories must be approved under SOGIS for the domain ‘Hardware Devices with Security Boxes’ (see www.sogisportal.eu), and should be active in JTEMS.
A Common.SECC certificate is for a specific POI with a specific version of hardware and software (or set of such versions). Patches, updates and security-affecting variations to a POI imply a new or modified POI (see ‘maintenance’).
Depending on the protection profile, an evaluation may be of a complete POI, or the evaluation of a module which will form part of a POI. Such a module may obtain a Common.SECC certificate, but cannot be deployed in its own right; it can only be deployed as a component of a full POI which is itself certified.
Common.SECC recognises that flexibility is needed in many respects, such as when certifying POIs that are innovative and may not fit easily with current protection profiles, and when dealing with aspiring laboratories. Thus test results based on best endeavours will be accepted for innovative products, and evaluation reports will be accepted from aspiring laboratories that can show they are working toward accreditation. In both cases Common.SECC is likely to require CB certification of an evaluation.
Common.SECC recognises that there will be cases where pilot deployments can be used to satisfy commercial pressures and provide user feedback. As a result, a project trial assessment may be granted for limited deployment of a very small number of devices for a limited period based on partial laboratory reports that cover at least a full Common Criteria vulnerability assessment. Such assessments will be subject to the vendor’s agreement to conditions which include removing the deployed devices from service at the end of the waiver period.