Cyber Security Common Criteria Evaluation and Certification

ISO/IEC 15408-1:2009, "Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model," provides an internationally accepted framework for evaluating the security of information technology equipment (ITE). Also widely known as the "Common Criteria," the standard details commonly accepted criteria for the design, development and evaluation of IT equipment with regard to cyber security considerations.

In brief, an evaluation for compliance with the Common Criteria detailed in ISO/IEC 15408-1 consists of two quality assurance aspects. The first is an assessment of security assurance requirements (SARs), that is, a review of the processes undertaken during the development and evaluation of a given IT system or device to assess compliance with the prescribed security functionality. Security functional requirements may vary from device to device, depending on their intended use and anticipated risk environment.

The second aspect, the evaluation assurance level (EAL), assesses the depth and rigour of the evaluation process itself. EALs range from EAL 1, representing the most basic level of cyber security assessment, to EAL 7, representing the most rigorous process to verify the claimed level of cyber security. It is important to note that an EAL is only an assessment of the rigour of the evaluation process itself; a higher EAL does not necessarily mean that a device is more secure.

Certification in accordance with the Common Criteria detailed in ISO/IEC 15408-1 provides assurances that specific claims regarding the cyber security of ITE have been evaluated in a comprehensive and rigorous manner. As a result, the Common Criteria have been adopted by a number of government agencies and corporations around the world as a prerequisite for the procurement of ITE from third parties. 


How Nemko Can Help

Nemko can provide your organization with comprehensive guidance on the evaluation of IT equipment in accordance with the Common Criteria requirements detailed in ISO/IEC 15408-1. This guidance includes:

  • Protection Profile Assessment—A protection profile (PP) is a set of security requirements applicable to a specific type of secure device. Procurement organizations may require third-party vendors to offer evidence that their product has been designed to conform to the requirements of one or more PPs. Nemko experts can work with you to assess your equipment's compliance with relevant PPs and provide attestation to support your claims. 
  • EAL/Security Target (ST) Assessment—The PP assessment then serves as a basis for defining the required security properties, also called the security target (ST), of a given device, and for establishing the recommended EAL. Nemko experts can conduct an evaluation of your equipment consistent with both the required ST and the requisite EAL.
  • In addition to these specific offerings, Nemko can also conduct a preliminary functional gap assessment (FGA) ahead of more formal security analysis to help you identify security issues requiring further development. We can also conduct a formal certification evaluation to help ensure that your ITE meets essential Common Criteria requirements.  


The Benefits of Working with Nemko

Partnering with Nemko can provide your organization with several important advantages in your efforts to address the challenges of today's cyber security landscape. These benefits include:

  • Recognized Cyber Security Expertise—Acquired by Nemko in 2020, Systemsikkerhet is Norway's oldest information security consultancy and is one of just four information security testing laboratories certified by the Norwegian National Security Authority. 
  • Active Involvement in Standards Development and Implementation—Nemko technical professionals are active participants in efforts to develop state-of-the-art cyber security standards and protocols and are knowledgeable about new and emerging requirements that can help to improve security. 
  • Single Source Solution—With its combined expertise in cyber security, product safety, Radio/Telecom and electromagnetic compatibility (EMC), Nemko represents a robust single source for manufacturers seeking comprehensive testing and certification services for their IT systems and devices. 
  • Global Support—With nearly 30 locations on six continents around the world, Nemko is well-positioned to support your efforts to achieve global market access for your products, regardless of your location or target market.

For more information about how Nemko can help your organization meet current and emerging cyber security challenges, contact us.