Below you'll find a list of all posts that have been categorized as “Common Criteria”
No computing system is free from security vulnerabilities. Such flaws can manifest themselves within software, firmware and hardware implementations. Often the ease in widespread mitigation is based in part on whether a vendor can provide updates to software (relatively easy), …
The Protection Profile for Application Software (APP PP) v1.4 has recently been published. Here are some key points from our initial review. PP-Modules. Vendors are now allowed to specify additional protection profiles (PPs) and PP-Modules in a PP-Configuration with APP …
Observations from a CC newcomer If you’re new to Common Criteria (CC), you might be feeling a little overwhelmed and find yourself wondering if the effort in performing the certification is really worth it. As a newcomer to the industry …
For the past few years, the Common Criteria program has been mandating entropy analysis for almost all protection profile based evaluations. Since November 2020, NIST 800-90B has also become a mandatory requirement under the FIPS 140-2 and the forthcoming FIPS …
[Updated July 6, 2021 – NIAP requires exact match CPU specs in CAVP certificates] Most CC evaluations performed in North America include cryptographic security claims called out in the target Protection Profile (PP) that is being used. Those requirements are …
Update 2020-Aug-20: There appears to be a discussion within the OpenSSL project on the semantics of checking the OpenSSL flag we describe below. We are working to clarify this. NIAP (the US Common Criteria Scheme) recently published a series of …
At Lightship, we use a lot of open-source tools to perform our testing. Because of the nature of the tests we perform, we often find that these tools can be a bit too rigid. One specific example is that of …
It’s surprising to think that new-style Common Criteria Protection Profiles have been around in some way shape, or form, since late 2010, when the first Network Devices Protection Profile (NDPP) v1.0 was released by the Information Assurance Directorate (IAD) for …
The Network Device international Technical Community recently (in December 2019) published version 2.2 of the collaborative Protection Profile for Network Devices – aka – NDcPP. The NDcPP is the most often used Common Criteria Protection Profile to achieve listing on …
Vendors with products on NIAP’s Common Criteria Product Compliant List (PCL) may from time-to-time receive a request from NIAP for a mitigation plan addressing a given widespread vulnerability (e.g. Meltdown, Spectre etc.). This is in keeping with NIAP Policy 17 …
