Process

Evaluation and certification

Common.SECC provides certificates based on CC evaluations. Common.SECC is closely associated with JTEMS, and security evaluations are based on Common Criteria (CC) / ISO/IEC 15408.

Evaluations will be based on SOGIS certified and Common.SECC approved protection profiles. The full CC evaluation process is required, although CC Certification Body (CB) certification will not be mandated initially, and Common.SECC certificates will be based on ETRs, STs and supporting documentation. However, Common.SECC will cooperate closely with SOGIS Certification Bodies (CBs) and reserves the right to require CB certification. Laboratories must be approved under SOGIS for the domain ‘Hardware Devices with Security Boxes’ or “All products” (see www.sogis.eu/), and should be active in JTEMS.

A Common.SECC certificate is for a specific version of a specific Product (or set of such versions). Patches, updates and security-affecting variations to a Product imply a new or modified Product (see ‘maintenance‘).

Depending on the protection profile, an evaluation may be of a complete POI, or the evaluation of a Component – a module which will form part of a POI. Such a module may obtain a Common.SECC certificate, but cannot be deployed in its own right; it can only be deployed as a component of a full POI which is itself certified.

Payment Applications may optionally be submitted to Common.SECC for certification. Such an application may have been included in a Device or Component when it was evaluated, or it may be loaded onto the Device or Component later. Payment Applications are evaluated as described in Annex 8 of the Rule Book. Approval bodies may mandate their certification or an equivalent approval process.

The process for getting a Product certified by Common.SECC is in outline as follows:

The vendor registers with Common.SECC its intention to apply for a Common.SECC certificate. See “Registration form” below.
The vendor selects an eligible CC evaluator (laboratory), prepares appropriate documentation including a Security Target document, and requests a CC evaluation.
The evaluator performs the CC evaluation and prepares an ETR and associated documentation.
The Common.SECC CCB assesses the formal conformity and the contents of the ETR and associated vendor and laboratory documentation.
If the results of assessment are positive, the CCB issues a Common.SECC Certificate and depending on the type of product adds a record of the certification on the Common.SECC web site.
For a Device (POI), the vendor can use the Common.SECC certificate to apply to one or more approval bodies (currently GBIC and UKF) for approval to deploy the product in their market.

Flexibility

Common.SECC recognises that flexibility is needed in many respects, such as when certifying POIs that are innovative and may not fit easily with current protection profiles, and when dealing with aspiring laboratories. Thus test results based on best endeavours will be accepted for innovative products, and evaluation reports will be accepted from aspiring laboratories that can show they are working toward accreditation. In both cases Common.SECC may require third party review which may include CB certification.

Common.SECC recognises that there will be cases where pilot deployments can be used to satisfy commercial pressures and provide user feedback. As a result, a project trial assessment may be authorised by Common.SECC based on partial laboratory reports that cover at least a full Common Criteria vulnerability assessment. Such trials will be subject to conditions imposed by approval bodies.

Maintenance

A Common.SECC certificate is specific to a Product at the time of its evaluation, including the hardware and software versions of its component parts.

If any aspect of a certified Product considered to be security-relevant changes following evaluation, the vendor must inform the CC laboratory. The laboratory should assess the modifications, and if they are confirmed to be security-relevant should perform a delta evaluation to ensure that the security requirements are maintained. Likewise, if any other aspects of the POI change (such as the introduction of a new development site) the laboratory should assess the changes and perform a delta evaluation. The resulting delta evaluation should then be submitted to the Common.SECC CCB. Patches, updates and security-affecting variations to a Product imply a new or modified Product, and the changes may be reflected on the Common.SECC web site. In some cases the changes may result in there being more than one variant of the POI being offered for sale and deployment concurrently.

Surveillance

A Common.SECC Certificate is valid for six years from its date of issuance. Three years after the date of issuance a re-assessment of the evaluator is required confirming that the TOE version certified three years ago still meets the Common.SECC security requirements. The re-assessment should preferably be delivered by the evaluator that carried out the original assessment of the TOE. If the re-assessment is delivered after three years this will be shown on the Common.SECC web page device library. If the re-assessment is not delivered after three years this will be indicated on the Common.SECC web page device library as “Re-assessment Missed”.

This applies to all TOE versions included in the originally issued certificate. If an already Common.SECC certified TOE is changed in a security relevant way it needs re-evaluation and a new certificate will be issued for this new version of the TOE. For this newly issued certificate the process described under a) applies accordingly. The three and six year validity dates of such a delta certificate will be the same as for the original certificate for the product.

Registration form

Please download and complete the registration form which can be accessed here, and email it to common-secc@ukfinance.org.uk