Need your product evaluated against the Common Criteria?
Viden is an ASD licenced and NATA accredited laboratory under the Australian Information Security Evaluation Program (AISEP), for the evaluation of products against the Common Criteria.
Our Software Assurance Capabilities
Our talented team can support software testing across all stages of the Software Development Lifecycle (SDLC), to provide independent assurance and detection of software security and quality issues. As a NATA accredited software assurance laboratory, Viden can provide accurate, repeatable and reproducible assurance techniques to prevent the introduction of security or quality issues to your products.Â
The Common Criteria (CC) is short for the Common Criteria for Information Technology Security Evaluation and is based on the ISO/IEC 15408 – Information Security, Cybersecurity and Privacy Protection series. The Common Criteria is mutually recognised by over 30 countries under the Common Criteria Recognition Arrangement (CCRA) and provides a scheme by which vendors can have their products independently evaluated by licensed laboratories, such as Viden. Evaluations are designed to verify the extent to which a vendor product fulfills particular security claims or properties. The objective of the scheme is to improve the availability of formally evaluated IT products or systems, whilst also ensuring product evaluations are conducted consistently and to the highest standards.
The Common Criteria scheme in Australia is overseen by the Australian Signals Directorate (ASD) in its capacity as the Australian Certification Authority (ACA) for the Common Criteria Recognition Arrangement (CCRA). The ACA manages the Australian Information Security Evaluation Program (AISEP), which was established to certify Common Criteria product evaluations, undertaken by licensed commercial facilities such as Viden. It also oversees the licensing of Australian Information Security Evaluation Facilities (AISEF) to conduct Common Criteria (CC) evaluations.
The Product Compliant List (PCL) is a formal and publicly available US Government list of IT products or systems that have been successfully evaluated and validated for conformance against the Common Criteria for IT Security Evaluations and granted a certificate by the National Information Assurance Partnership (NIAP) or a Common Criteria Recognition Arrangement (CCRA) partner scheme.
The PCL is maintained by NIAP and is formally published on their website, including a copy of the product or system’s CC certificate, as well as the associated Security Target (ST), Assurance Activity Report (AAR), Administrative Guidance, and Validation Report for the product or system. Viden as a licenced laboratory within the CCRA is able to assist companies seeking to have their product or system evaluated and listed on the PCL. Products listed on the PCL can be used in US National Security Systems or Committee on National Security System Instructions (CNSSI) 1253 systems.
Common Criteria evaluations can vary significantly in duration, depending on the complexity of the product or system being evaluated or the maturity of the vendor in developing the necessary product or system artefacts to support the evaluation process. A typical Common Criteria evaluation however can be expected to take between 6 – 12 months. Engagement of a licenced Common Criteria laboratory such as Viden, to provide formal training on the Common Criteria process or advice on artefact development requirements, can significantly reduce evaluation delays caused by product or documentation re-work during the evaluation process.
To have a product or system evaluated, vendors must engage a licenced Australian Information Security Evaluation Facility (AISEF) such as Viden to conduct the Common Criteria evaluation. Once engaged, the AISEF submits an evaluation task in the form of an AISEP Acceptance Package (AAP) to Australian Certification Authority (ACA) for acceptance. If accepted, the ACA issues an acceptance letter and publishes the product on the AISEP website as ‘In evaluation’. The AISEF then completes the Common Criteria evaluation on behalf of the ACA.
Once the Common Criteria evaluation has been completed the AISEF submits a draft Evaluation Technical Report (ETR) to the ACA for review. If accepted, the ACA will finalise the Certification Report (CR) and issues a Common Criteria (CC) Certificate to the vendor. Concurrently, the ACA will post a listing of the certification to the CC Portal, including the final Certification Report (CR) and Security Target (ST) for the product or system. Upon receipt of a CC Certificate, a vendor may use the Common Criteria Certification Mark (CCCM) to market or advertise the product or system for which the certificate has been issued.
Viden can support a broad range of code reviews including but not limited to both static and dynamic code analysis, fuzzing, review of Continuous Integration (CI) / Continuous Deployment (CD) pipelines or review of DevSecOps practices, through to detailed penetration testing.
The AISEP Assurance Continuity (AAC) process allows product or system vendors to conduct discrete maintenance or re-evaluation activities to extend their original Common Criteria (CC) Certificate.
To be considered for AAC maintenance vendors must have had the product or system originally evaluated by an AISEF and provide an Impact Analysis Report (IAR) and covering letter to the Australian Certification Authority (ACA). If the proposed changes are deemed minor by the ACA, the AAC application can be considered a maintenance update. Should the proposed maintenance or changes impact the development environment assurance measures of the product or system however, an AISEF will need to be engaged to conduct a subset evaluation of the applicable assurance components contained in the original Security Target (ST).
If the proposed changes are deemed major by the ACA, the product or system vendor will be notified and given the option of submitting the product or system for re-evaluation by an AISEF.
Ready to get started?
Want to sell your product to the US Federal Government ?
Under the Common Criteria Recognition Arrangement (CCRA), Viden can help facilitate registration of your product on the US National Information Assurance Partnership (NIAP) Product Compliant List (PCL). NIAP certification is mandatory for any product being used in US National Security Systems (NSS).
It’s not a case of if, but when
Modern cyber threats are pervasive and persistent. Let us help you design and build a GRC system that is the Right Fit For Risk (RFFR).