New version of the Common Criteria published
In November 2022, a new version of the Common Criteria was published, which is unofficially referred to as “CC 4.0”, but is officially called CC:2022. With this overview, we want to give you some initial information so that you have the opportunity to prepare for the transition to this new version.
First of all, a few notes on the framework conditions of the new CC version: Like its predecessors, CC:2022 has been published as an ISO standard, ISO/IEC 15408:2022, and is also available free of charge here on the CCRA website. The corresponding communication from the BSI can be found under the link here.
The CCRA website also contains the transitional regulation, which in brief contains the following:
– Evaluations according to the previous CC version 3.1 can still be started until 30.06.2024.
– Re-evaluations, re-assessments and maintenance of products certified in accordance with CC 3.1 are still possible within two years of the certificate being issued.
– In evaluations according to CC:2022, PPs written according to CC 3.1 may still be used until 31.12.2027.
Note: The BSI has already signaled that this transitional regulation will change again. There will also be a more detailed transition policy in the near future.
On the changes to the content of CC:2022
The changes to the CC essentially consist of the fact that in future there will be more variety in the creation of the ST and the implementation of the evaluation at different levels, but it is “downwards compatible” with CC 3.1 in terms of content, i.e. anyone who wants to carry out evaluations in the same style as before should essentially be able to do so. In the latter case, the text will have to be adapted slightly in some parts of the ST, e.g. the description of the “Conformance Claim” will have to be somewhat more extensive due to the larger number of options.
We summarize the most important changes here (without any claim to completeness or precision)
– In future, the CC will consist of 5 parts instead of the previous 3. The extension was made because there are now more variants than before, both in the selection of evaluation methods (Part 4) and in so-called “packages” (Part 5).
– As before, the CEM consists of one document.
– Some SFRs that were previously frequently used as “extended” (i.e. self-defined) components have been officially included in the CC. This applies in particular to random numbers.
– A new option is as follows: Until now, the evaluator’s judgment has been based on a vulnerability analysis based on a defined attack potential, for which the evaluator may redefine penetration tests. This previous approach is also known as the “attack-based approach”. In future, in addition to this approach, there will also be a variant of an evaluation for which a set of tests is defined in advance against which each TOE is checked. This is then called the “specification-based approach”.
– Composition evaluation, which has long been common practice in the smart card world, has now also been officially included in the CC (previously it was defined by SOGIS/JIL, i.e. the European CC schemes).
– In future, the “multi-assurance approach” will make it possible to define different assurance components (e.g. different attack strengths) for different parts of a product. (This has also been modeled in individual PPs in the past).
– The “package” concept has been expanded. – Instead of the previous “low assurance” STs (which were hardly used), there will in future be so-called “direct rationale” STs, in which SFRs are not traced back to security objectives but directly to the “security problem definition” (i.e. threats etc.).
– In addition to the previous variants “demonstrable” and “strict”, the possible “conformance” to a PP can now also be “exact”. The latter means that a product exactly fulfills the safety requirements of a PP, but not any additional ones (which is permitted with strict and demonstrable). This has already been used as an extension of CC, for example in many PPs from the USA.
– The “specification based approach” mentioned above is primarily intended for the use of a PP together with the conformance claim “exact”. This means that a PP specifies exactly what the functionality of a product is as well as all the tests that are carried out by the evaluator. (Note: This is an approach often used in the USA today).
– Once again, the reference to “downward compatibility”: If you do not need any of the new features, you can continue to have them evaluated according to one of the known EAL levels and then do not have to make any significant changes to the manufacturer documents (except for the conformance claim in the ST).
In addition to these changes, there are a few others that affect the description of evaluator activities but do not fundamentally change anything for the manufacturer.
Please get in touch with your contact at SRC if you have any questions or need to discuss this.
