Get CC International Certification, Open International Market for IT Products

July 09, 2006 (PRLEAP.COM) Technology News
As the development of information technology matures, more and more products include security functions like authentication, access control to resources, or cryptographic functions. Pursuing product evaluation and certification based on the Common Criteria is very important for products in this sector.

Common Criteria (CC), also known as the international standard ISO/IEC 15408, is receiving more and more attention from a large number of national governments, such as the U.S., Canada, Japan, Singapore, South Korea, Australia, and all major European countries, like Germany and France. The Common Criteria Mutual Recognition Arrangement (CCRA) signed by government officials of more than 20 nations worldwide ensures that evaluations and certifications performed in one country are accepted in all the other participating countries.

IT development in China is very rapid; many network or security products with the competency to compete in the international market are emerging. Many respected Chinese vendors already have their eye on the international market so that they can expand beyond limited local markets. CC evaluation and certification is necessary for these vendors because of the requirements of some foreign governments. For instance, U.S. purchase policy requires that security products purchased by federal government organizations must earn a CC certificate; France has instituted a CC certification regulation for public management domains; the EU information and network security solution, electronic signature, and EU central bank systems all require CC certification; and the German multimedia regulation requires CC certification for e-signature systems. In some tender requirements circulated in the EU, U.S., Singapore, and many other countries, a CC security certificate with a particular evaluation assurance level (EAL) is explicitly proposed. CC-certified products cover a wide scope, and while international certification work focuses on operating systems (like Linux), smartcards, and network equipment, Chinese vendors pay more attention to CC certification for firewall, IDS, and other security products.

In addition to satisfying regulatory requirements, IT companies that invest in security evaluation and certification can also greatly improve their ROI (Return on Investment). Customer acceptance increases; the risk of fraud and misuse is lessened; and the risk of damage to the company’s reputation because of security problems in the product is minimized. Evaluation results can be used in sales and marketing. Because the CC is an internationally-accepted standard, business partners will accept the test results rather than performing their own expensive assessments during the lifetime of the product. Maintenance becomes easier and, therefore, less expensive.

China is not yet a CCRA member country, so vendors who want to export products to international markets should select an experienced evaluation agency to help them get their products certified. atsec information security is one of the world’s top evaluation laboratories, accredited by both the U.S. NIAP CCEVS and German BSI. Evidence of atsec’s successful evaluations can be verified on the official Common Criteria Portal web site. atsec is particularly predominant in the most challenging CC evaluation domain – operating system (OS) evaluation and test.

CC evaluation and certification follow a mature procedure and scheme. The time and expense to complete the evaluation and certification process depend on the selected Protection Profile (PP) and Security Target (ST) for the product, and also the security functions and security assurance levels the vendor requests. Vendors should strongly consider pursuing evaluation and certification when the time is right to push their products to international markets.



About atsec information security
atsec information security is an independent, standards-based IT (information technology) security consulting and evaluation services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec was founded in Munich (Germany) in January 2000 and has extensive international operations with offices in the US, Sweden, the UK and China. atsec leverages its deep security, process, and standards expertise to consult on a wide range of IT security needs, enabling clients to establish integrated security management procedures in order to manage security risk and improve data, product, and business process reliability. atsec works with leading global companies such as IBM, HP, BMW, SGI, Vodafone, Swisscom and RWE.