Discussion of alignment of standardisation deliverables with (EU) Common Criteria

I propose to start discussing cybersecurity standardisation deliverables from the perspective of Common Criteria for Information Technology Security Evaluation (CC v3.1), in particular with respect to the EUCC - the ENISA cybersecurity certification scheme proposed for ICT products, and therefore including IoT, which is currently in preparation.

Problem definition

Given the complexity of the consumer IoT cybersecurity issue, it seems reasonable to expect different approaches that may lead to different solutions. Also considering that no overarching institution / organisation / body has authority when dealing with global IoT ecosystems, a fragmented approach is natural and probably unavoidable under the circumstances.

However, the fragmentation of the cybersecurity processes leads to inefficient use of resources and, very likely, to insufficient coverage of threatened or at risk products.

Proposed examination for a solution

It is therefore useful to analyse and align standardisation deliverables related to cybersecurity, with the aim of reducing fragmentation of the approach to cybersecurity evaluation and certification.

Background information

The EUCC is based on the Common Criteria which is an Information Technology Security evaluation method. The latest revision of the Common Criteria was published in 2017 with supporting contributions from a number of governmental organisations, representing among others EU member states like France, Germany, Netherlands, Spain, and Sweden. According to the Common Criteria Foreword version 3.1 (CC v3.1), it aims to:

• eliminate redundant evaluation activities; reduce/eliminate activities that contribute little to the final assurance of a product;
• clarify CC terminology to reduce misunderstanding;
• restructure and refocus the evaluation activities to those areas where security assurance is gained; and add new CC requirements if needed.

In the EU, ENISA is responsible for the EUCC scheme (Common Criteria based European candidate cybersecurity certification scheme) which looks into the certification of ICT products cybersecurity, based on the Common Criteria, the Common Methodology for Information Technology Security Evaluation, and corresponding standards, respectively, ISO/IEC 15408 and ISO/IEC 18045.

In the document “Council of the European Union conclusions on the cybersecurity of connected devices from 2 December 2020”, it is emphasised that any certification scheme for connected devices and related services should specify how the applicable security requirements at the relevant assurance level should be met on the basis of specific European and internationally recognised standards.

Further explanation of the Common Criteria is given on their website, as follows.

The Common Criteria for Information Technology Security Evaluation (CC), and the companion Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA), which ensures that:

- Products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a certain extent or assurance;

- Supporting documents, are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies;

- The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of their evaluation;

- These certificates are recognized by all the signatories of the CCRA.

The CC is the driving force for the widest available mutual recognition of secure IT products.