Vendors undertaking a Common Criteria project for the first time are often surprised by the scope and focus of the testing for a Network Devices collaborative Protection Profile (NDcPP) CC evaluation. Lightship’s Technical Director, Greg McLearn, often refers to the testing involved in the NDcPP as “ensuring that the product is a good network citizen”. This is the NDcPP philosophy.
At a high level, the testing focus of the NDcPP is primarily on the management/control plane of the Target of Evaluation (TOE), and not the user/data plane. The reason behind this approach is to ensure that the TOE can be managed and administered in a secure way within a broader network.
Newer style Protection Profile based CC evaluations are not designed to showcase unique security features that may set a product apart from the competition. The Protection Profile design and emphasis is on ensuring that products have implemented a very specific set of security capabilities based on their technology type. For this reason, the CC evaluation process is not a great vehicle for showcasing specific features, at least in the North American context.
EAL (Evaluation Assurance Level) or “Security Target only” evaluations allow for much more customization of what gets evaluated, including unique functionality and varying assurance levels. These types of evaluations can still be performed here in Canada, and are prevalent outside of North America, but they are not recognized for acceptance on NIAP’s Product Compliant List (PCL).
Hopefully, this information provides some context as to why PP-based CC evaluations are unable to award “bonus points” to vendors for unique security features that differentiate their solutions in the marketplace. The certification only demonstrates to those procuring the technology that a core set of the product’s security capabilities has been thoroughly vetted against the standard by an independent, accredited third party, like Lightship.
As you think about your next CC evaluation, bear in mind that CC certification readiness often requires revisiting and updating the implementation of a product’s management and security capabilities to ensure it will indeed be a “good network citizen”.