The transition from Common Criteria (CC) 3.1 Release 5 (R5) to CC:2022 marks a pivotal moment in the IT security certification landscape. Here, we present the top 10 things you need to know about this significant shift:
1. Introduction of a New Framework (Part 4)
CC:2022 introduces Part 4, a new addition that focuses on evaluation methods and activities. This innovative section ensures a structured approach to evaluating emerging technologies, providing a robust response to evolving security threats.
2. Enhanced Assurance Packages (Part 5)
Part 5 now includes the Evaluation Assurance Levels (EALs) and Composed Assurance Packages (CAPs) carried over from CC 3.1 R5, along with new assurance packages, offering more tailored options for specific technologies or security contexts.
3. Adoption of Exact and Strict Conformance
CC:2022 adopts exact and strict conformance types. Exact conformance requires a Security Target (ST) to reproduce the requirements of a Protection Profile (PP) precisely, while strict conformance allows some flexibility for additional elements in the ST, so that coverage of the PP is complete in either case.
4. Direct Rationale PP/ST Replacing Low Assurance PP/ST
The new Direct Rationale PP/ST replaces the outdated low assurance PP/ST, streamlining the certification process. This shift ensures that the security problem definition (SPD) in the ST aligns directly with the Security Functional Requirements (SFRs), enhancing clarity and coherence.
5. Single vs. Multi-Assurance Evaluations
CC:2022 introduces multi-assurance evaluations alongside single-assurance. This innovation allows for the evaluation of different product components under varying assurance levels, accommodating the diverse security needs of modern products.
6. Distinguished Product Evaluation Methods
The standard now distinguishes between composed and composite product evaluations. Composed evaluations assess individual components independently, while composite evaluations focus on the integration and collective functionality of diverse components, ensuring comprehensive assessment.
7. Introduction of New Functional and Assurance Requirements
New Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) are added to better address current security needs and technological advancements.
8. Standardized Evaluation Methods and Activities
Part 4 provides guidelines for standardized evaluation methods and activities, ensuring consistent and comprehensive evaluation of specific Target of Evaluation (TOE) types or technologies.
9. Updates in Common Evaluation Methodology (CEM)
The CEM has been updated to align with CC:2022 standards, including new guidelines for evaluations up to EAL6, accommodating the revised requirements.
10. Enhanced Focus on Composite Product Assurance
CC:2022 places greater emphasis on composite product assurance, introducing new SAR families for composite product evaluations. This includes requirements for evaluating the consistency, design compliance, integration, functional testing, and vulnerability assessment of composite products.