Common Criteria and its relevance to India

Common Criteria is a relatively new entrant into India. Although India has consumed Common Criteria certified products for a number of years, it became a Common Criteria certificate issuing nation only about 12 months ago. This is a big step for the Indian cyber security industry in general and for the Government of India in particular. India joins a select group of countries (including founding members such as the US, the UK and Germany) that have demonstrated the expertise to evaluate and certify the security of an ICT product. Certificates issued in India are then mutually recognized by the 25 other CCRA members.

What is Common Criteria?

Common Criteria (published as ISO/IEC 15408) is the only ICT product security standard in the world whose certificates are mutually recognized across 26 countries. It provides a framework of security functional requirements and security assurance requirements against which a vendor states a product's security claims and an independent laboratory evaluates whether the design, development and documentation support them. The strength of Common Criteria is that it is flexible enough to certify a wide variety of technology types. This is evidenced by the range of products that have been evaluated under the CC framework: smart cards, networking devices, database management systems and even multifunction printers.

Uniqueness of Common Criteria

While there are a number of security standards, both national and international, what makes Common Criteria unique is the Common Criteria Recognition Arrangement (CCRA). This is an agreement signed by 26 nations (including India) under which each mutually recognizes the others' CC certificates. A product evaluated in one signatory country is therefore recognized as an evaluated product in the remaining 25 nations. This is a big advantage, since a global company can certify a product once and sell it globally, which directly reduces cost and shortens time to market for certified products. There are caveats and boundary cases where mutual recognition does not apply: recognition is capped at a defined assurance level, so higher-assurance evaluations remain a national matter, and sensitive defense systems are typically excluded. In most cases, however, the CCRA has worked well for both governments and industry.

Note that there is a recent update to the CCRA, the details of which will be covered in a separate post.

Common Criteria eco-system

At a high level there are three main parties in a Common Criteria evaluation:

– Scheme: This is the national certification body appointed in each country to administer the Common Criteria standard, accredit third party laboratories and issue CC certificates. It also represents the country in international forums relating to CC.

– Vendor/Developer/Sponsor: These are the companies or associations that have a product requiring Common Criteria certification. It is typically the developer who pays for the certification.

– Laboratories: These are third party private companies that have demonstrated expertise in evaluating products against CC and have been accredited by the national scheme to perform CC evaluations. The CC laboratories are responsible for testing and evaluating the vendor's product and submitting an evaluation report to the scheme showing how the product meets the CC requirements.

In a nutshell, the Scheme issues certificates and accredits third party Laboratories, which test and evaluate the products developed by Vendors.

So how does all of this relate to India?

You might wonder why all of this is important and relevant to India. To understand this we first need to understand where the ICT industry in India sits on its evolutionary curve. Right now India is by far a larger consumer of ICT products than a creator of them. This is true in government as well as in the national security systems sector. India therefore needs assurance that the products it procures and deploys are secure, have not been tampered with, and faithfully implement the security functions they claim. To obtain this assurance India could develop its own evaluation scheme. However, this takes time, effort and expertise, and there is no guarantee that every vendor would be willing to take its products through a country specific evaluation (just imagine how a global company could scale if each country had its own certification criteria!).

If India leverages CC and mandates that any product sold into government and critical infrastructure be CC certified, it receives assurance that the product has at least a known baseline level of security, thereby mitigating a number of threat vectors. Note that this assurance applies only to the evaluated configuration described in the product's Security Target, so procurement and deployment guidance should require that configuration. Moreover, India can work within the international CC community to define and push for the requirements it considers important for the security of its national ICT infrastructure. This ensures that companies worldwide design and implement those requirements into their products, which is a much more effective way to mandate security requirements than defining them on a per RFP basis.

Finally, private industry can also benefit from India being a key player in the global CC ecosystem by establishing certification laboratories and creating centers of excellence around CC certification. There is little doubt that global companies will be willing to take advantage of the cost efficiency of working with Indian companies, as long as they have assurance that their intellectual property will be well protected and the Indian certification scheme establishes a reputation for producing credible and respected evaluations.

Interested in learning more about CC?

