Common Criteria Testing Laboratory
The Common Criteria model provides for the separation of the roles of evaluator and certifier. Product certificates are awarded by national schemes on the basis of evaluations carried by independent testing laboratories.
A Common Criteria testing laboratory is a third-party commercial security testing facility that is accredited to conduct security evaluations for conformance to the Common Criteria international standard. Such facility must be accredited according to ISO/IEC 17025 with its national certification body.
List of laboratory designations by country:
- In the US they are called Common Criteria Testing Laboratory (CCTL)
- In Canada they are called Common Criteria Evaluation Facility (CCEF)
- In the UK they are called Commercial Evaluation Facilities (CLEF)
- In France they are called Centres d’Evaluation de la Sécurité des Technologies de l’Information (CESTI)
- In Germany they are called IT Security Evaluation Facility (ITSEF)
Common Criteria Recognition Arrangement
Common Criteria Recognition Arrangement (CCRA) or Common Criteria Mutual Recognition Arrangement (MRA)  is an international agreement that recognizes evaluations against the Common Criteria standard performed in all participating countries.
|“||It is mutually understood that, in respect of IT products and protection profiles, the Participants plan to recognise the Common Criteria certificates which have been authorised by any other certificate authorising Participant in accordance with the terms of this Arrangement and in accordance with the applicable laws and regulations of each Participant.||”|
— International Agreement, Arrangement on the Recognition of Common Criteria Certificates In the field of Information Technology Security
There are some limitations to this agreement and, in the past, only evaluations up to EAL4+ were recognized. With on-going transition away from EAL levels and the introduction of NDPP evaluations that “map” to up to EAL4 assurance components continue to be recognized.
In the United States the National Institute of Standards and Technology (NIST) National Voluntary Laboratory Accreditation Program (NVLAP) accredits CCTLs to meet National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme requirements and conduct IT security evaluations for conformance to the Common Criteria.
These laboratories must meet the following requirements:
- NIST Handbook 150, NVLAP Procedures and General Requirements
- NIST Handbook 150-20, NVLAP Information Technology Security Testing — Common Criteria
- NIAP specific criteria for IT security evaluations and other NIAP defined requirements
CCTLs enter into contractual agreements with sponsors to conduct security evaluations of IT products and Protection Profiles which use the CCEVS, other NIAP approved test methods derived from the Common Criteria, Common Methodology and other technology based sources. CCTLs must observe the highest standards of impartiality, integrity and commercial confidentiality. CCTLs must operate within the guidelines established by the CCEVS.
To become a CCTL, a testing laboratory must go through a series of steps that involve both the NIAP Validation Body and NVLAP. NVLAP accreditation is the primary requirement for achieving CCTL status. Some scheme requirements that cannot be satisfied by NVLAP accreditation are addressed by the NIAP Validation Body. At present, there are only three scheme-specific requirements imposed by the Validation Body.
NIAP approved CCTLs must agree to the following:
- Located in the U.S. and be a legal entity, duly organized and incorporated, validly existing and in good standing under the laws of the state where the laboratory intends to do business
- Accept U.S. Government technical oversight and validation of evaluation-related activities in accordance with the policies and procedures established by the CCEVS
- Accept U.S. Government participants in selected Common Criteria evaluations.
A testing laboratory becomes a CCTL when the laboratory is approved by the NIAP Validation Body and is listed on the Approved Laboratories List.
To avoid unnecessary expense and delay in becoming a NIAP-approved testing laboratory, it is strongly recommended that prospective CCTLs ensure that they are able to satisfy the scheme-specific requirements prior to seeking accreditation from NVLAP. This can be accomplished by sending a letter of intent to the NIAP prior to entering the NVLAP process.
Additional laboratory-related information can be found in CCEVS publications:
- #1 Common Criteria Evaluation and Validation Scheme for Information Technology Security — Organization, Management, and Concept of Operations and Scheme Publication
- #4 Common Criteria Evaluation and Validation Scheme for Information Technology Security — Guidance to Common Criteria Testing Laboratories
In Canada the Communications Security Establishment Canada (CSEC) Canadian Common Criteria Scheme (CCCS) oversees Common Criteria Evaluation Facilities (CCEF). Accreditation is performed by Standards Council of Canada (SCC) under its Program for the Accreditation of Laboratories – Canada (PALCAN) according to CAN-P-1591, the SCC’s adaptation of ISO/IEC 17025-2005 for ITSET Laboratories. Approval is performed by the CCS Certification Body, a body within the CSEC, and is the verification of the applicant's ability to perform competent Common Criteria evaluations.
- "Arrangement on the Recognition of Common Criteria Certificates In the field of Information Technology Security" (PDF). CSEC. 2013. Retrieved 2013-03-03.
- US: Common Criteria Evaluation and Validation Scheme
- US: Common Criteria Testing Laboratories
- Canada: Common Criteria Scheme
- Canada: Common Criteria Evaluation Facilities
- Common Criteria Recognition Agreement
- List of Common Criteria evaluated products
- ISO/IEC 15408 — available free as a public standard