Common Criteria Certification
Digital Cubes supports ICT product manufacturers and developers in the preparation, documentation, and technical activities required to successfully undergo a Common Criteria evaluation under ISO/IEC 15408 and ISO/IEC 18045.
Our service is designed to reduce uncertainty, anticipate evaluation risks, and prepare the product, documentation, and evidence required before and throughout the certification process.
We help define the most appropriate certification strategy based on the product, target market, required assurance level, and applicable scheme, including both Common Criteria certifications recognized under the CCRA and European certifications under EUCC.
Common Criteria: CCRA and EUCC
Common Criteria is one of the most widely recognized international cybersecurity certification frameworks for ICT products. It provides a structured methodology to evaluate a product’s security functionality, development environment, supporting documentation, and the evidence required to substantiate the claimed level of assurance.
Depending on the target market and customer requirements, two primary certification paths may be considered:
Option 1: Common Criteria under CCRA
The Common Criteria Recognition Arrangement (CCRA) is intended for products seeking international recognition through national Common Criteria certification schemes.
This route may be particularly suitable for manufacturers that need to address requirements from international customers, public sector organizations, critical infrastructure operators, or procurement processes requiring Common Criteria certifications recognized beyond the European market.
Option 2: Common Criteria under EUCC
The European Union Common Criteria cybersecurity certification scheme (EUCC) is the European certification framework built upon Common Criteria.
It may be particularly relevant for manufacturers intending to market ICT products within the European Union, address the requirements of regulated customers, or prepare for future European cybersecurity certification requirements.
EUCC includes assurance levels such as Substantial and High and requires a clear definition of the product scope, security functionality, technical evidence, and interactions with accredited or authorized laboratories and certification bodies according to the applicable assurance level.
Our Approach
Digital Cubes acts as an independent technical consultant throughout the certification preparation and evaluation process. Our objective is to ensure that manufacturers enter the evaluation phase with a clear certification strategy, consistent documentation, and evidence aligned with the applicable scheme requirements.
Our services can cover the following phases:
1. Initial Certification Readiness Assessment
We review the product, its architecture, security functionality, available documentation, and business objectives to determine the most appropriate certification path.
During this phase, we identify key risks, dependencies, documentation gaps, and potential technical impacts before the formal evaluation process begins.
2. TOE Scope Definition
We assist in defining the Target of Evaluation (TOE), including its boundaries, included components, external dependencies, evaluated configuration, and intended operational environment.
A well-defined TOE is critical to avoiding ambiguities, reducing evaluation effort, and ensuring that the resulting certificate provides meaningful commercial value.
3. Certification Strategy Definition
We develop a certification strategy tailored to the product and target market.
This strategy may include selecting between CCRA and EUCC, identifying applicable Protection Profiles, determining the appropriate assurance level, planning evaluation evidence, and preparing interactions with the evaluation laboratory and certification body.
4. Security Target Preparation
We support the preparation or review of the Security Target (ST), including the TOE description, security environment, security objectives, Security Functional Requirements (SFRs), and Security Assurance Requirements (SARs).
We also verify consistency between the Security Target, the actual product implementation, user guidance documentation, architecture, and supporting technical evidence.
5. Documentation and Evidence Preparation
We assist in preparing, reviewing, or adapting the documentation required for evaluation, including design documentation, administration and user guides, delivery procedures, secure configuration guidance, lifecycle documentation, configuration management procedures, testing documentation, vulnerability analysis, and development evidence.
Our objective is to ensure that the documentation is evaluable, internally consistent, and fully traceable to the applicable Common Criteria requirements.
6. Technical Review and Security Hardening
Beyond documentation, we support manufacturers in reviewing product security functionality, secure configuration, authentication mechanisms, access control, secure communications, auditing capabilities, cryptographic services, and other security features relevant to the defined scope.
Where gaps are identified, we help prioritize remediation activities and provide technical justification for design decisions.
7. Evaluation Support
Throughout the evaluation process, we support manufacturers in technical interactions with the evaluation laboratory, preparation of responses, review of evaluator observations, management of non-conformities, and updates to supporting evidence.
Our role is to help ensure that responses are consistent, complete, and aligned with scheme requirements, minimizing rework and reducing evaluation delays.
8. Certificate Maintenance and Lifecycle Support
Following certification, products may require maintenance activities, impact assessments for changes, vulnerability management support, documentation updates, or preparation for subsequent product versions.
Digital Cubes can assist manufacturers in managing product changes and preparing the evidence necessary to maintain the validity and commercial value of their certification over time.
Frequently Asked Questions
What is the difference between CCRA and EUCC?
CCRA and EUCC are both certification frameworks based on Common Criteria, but they serve different regulatory and market needs.
CCRA provides international recognition through participating national Common Criteria schemes, making it suitable for products targeting global markets and international procurement requirements.
EUCC is the European Union cybersecurity certification scheme based on Common Criteria and is designed to support cybersecurity certification within the European market.
The most suitable option depends on the target market, customer requirements, product category, and the level of assurance required.
What is the TOE?
The TOE (Target of Evaluation) is the product, or the specific part of a product, that is subject to the Common Criteria evaluation.
Properly defining the TOE is one of the most important decisions in the certification process, as it determines which components, security functions, configurations, interfaces, and supporting documentation will be included within the scope of the evaluation and certification.
A clearly defined TOE helps avoid ambiguities, reduces evaluation effort, and ensures that the resulting certificate accurately reflects the security capabilities of the product being assessed.
What is a Security Target?
The Security Target (ST) is the central document of a Common Criteria evaluation. It defines the product being evaluated, its security functionality, intended operational environment, security assumptions, identified threats, security objectives, and the security requirements that will be assessed during the evaluation.
The Security Target establishes the scope and security claims of the certification and serves as the primary reference document for evaluators, certification bodies, and stakeholders throughout the evaluation process.
A well-structured Security Target is essential to ensure consistency between the product, its documentation, and the security assurance activities performed during the evaluation.
Do I Need a Protection Profile?
It depends on the type of product, the applicable certification scheme, and the requirements of the customer, procuring organization, or regulator.
When an applicable Protection Profile (PP) exists, it may be mandatory or highly recommended to use it as the basis for the certification. Protection Profiles define standardized security requirements for specific categories of products and can facilitate acceptance by customers and certification authorities.
In other cases, certification may be based on a product-specific Security Target, allowing the security requirements and evaluation scope to be tailored to the particular characteristics of the product.
Determining whether a Protection Profile should be used is typically one of the first decisions made when defining the certification strategy.
What Assurance Level Do I Need?
The appropriate assurance level depends on the product’s risk profile, target market, intended use, and the requirements imposed by customers, regulators, or procurement processes.
In traditional Common Criteria evaluations, assurance is typically expressed through Evaluation Assurance Levels (EALs) or other assurance packages defined by the applicable certification scheme or Protection Profile.
Under the European Union Common Criteria certification scheme (EUCC), assurance is additionally categorized into the levels Substantial and High.
Selecting the most appropriate assurance level is a key part of the certification strategy, as it directly affects the evaluation scope, required evidence, evaluation effort, certification timeline, and overall project cost.
How Long Does a Common Criteria Certification Take?
The duration of a Common Criteria certification project depends on several factors, including the type of product, the scope of the TOE, the required assurance level, the quality and maturity of the available documentation, the availability of the technical team, and the overall complexity of the evaluation.
Certification projects can range from a few months to more than a year, depending on the evaluation scope and the level of preparation before engaging with the evaluation laboratory.
An initial certification readiness assessment helps estimate the expected effort, identify potential risks and documentation gaps, and establish a realistic certification plan before the formal evaluation process begins.
What Happens if Non-Conformities Are Identified?
Receiving observations, questions, requests for clarification, or findings from the evaluation laboratory is a normal part of the Common Criteria evaluation process.
When issues are identified, Digital Cubes assists manufacturers in analyzing each finding, preparing technically sound responses, updating supporting documentation, and coordinating the corrective actions required to address the evaluator’s concerns.
Our objective is to ensure that responses are clear, consistent, and aligned with the certification requirements, helping to minimize delays and avoid unnecessary rework during the evaluation.