CC2022 Transition

What does the new version of the CC mean for me?

Lachlan Turner | Common Criteria

Short answer: probably not much! For most vendors and users of the CC, things will roll on normally. It will be the national certification schemes, labs and technical communities that must adjust.

Long answer: there are some aspects and circumstances arising from the transition to CC:2022 that you may want to pay attention to. These are:

  1. Assurance Maintenance
  2. Using an old Protection Profile (CCv3.1) with a new Security Target (CC:2022)
  3. Being in the first batch of evaluations using CC:2022

We’ll dig into each of these aspects below.

What is the transition policy?

In summary, the official Transition Policy is:

  • CC v3.1 R5 is the last revision of version 3.1 and may optionally be used for evaluations of Products and Protection Profiles starting no later than the 30th of June 2024.
  • Security Targets conformant to CC:2022 based on Protection Profiles certified according to CC v3.1 will be accepted up to the 31st of December 2027.
  • After 30th of June 2024, re-evaluations and re-assessments based on CC v3.1 evaluations can be started for up to 2 years from the initial certification date.

For an overview of the Transition Policy and a breakdown of the major changes in CC:2022, see the following publication from our colleagues at Applus+: Deadlines and updates on the latest Common Criteria Version.

Assurance Maintenance

After 30th of June 2024, re-evaluations and re-assessments based on CC v3.1 evaluations can be started for up to 2 years from the initial certification date.

https://www.commoncriteriaportal.org/files/ccfiles/CC2022CEM2022TransitionPolicy.pdf

[Edited 14 September 2023] Lightship Security has confirmed that assurance maintenance is not impacted by this policy statement.

To understand the implications and applicability of Assurance Maintenance as part of your product certification lifecycle, contact Lightship Security to help you determine the best option.

Using an old Protection Profile (CCv3.1) with a new Security Target (CC:2022)

Security Targets conformant to CC:2022 based on Protection Profiles certified according to CC v3.1 will be accepted up to the 31st of December 2027.

https://www.commoncriteriaportal.org/files/ccfiles/CC2022CEM2022TransitionPolicy.pdf

This policy allows for a gradual update of Protection Profiles from CC v3.1 to CC:2022 – a practical necessity. The devil is in the detail though, and the Transition Policy lays out some complex guidance on how to handle this situation. We will have to wait to see how Schemes interpret this guidance into their own policies and practices to really understand the impact.

Lightship Security will be paying close attention to this policy and will keep our customers apprised of developments.

Being in the first batch of evaluations using CC:2022

With the rollout of any new version of the CC standards and associated policies, there is going to be an adjustment period for all parties involved in the evaluation process including schemes, labs and the vendors pursuing certification.

Lightship remains committed to staying at the forefront of industry changes to provide our clients with the required knowledge to navigate these transitions as smoothly as possible. This is achieved through our active involvement in working groups, industry events and regular communication with industry bodies and schemes.

If you are considering starting a new CC evaluation during the transition period, our team of industry experts would be happy to help from start to finish. Contact us at info@lightshipsec.com today to learn more.

Lachlan has 20+ years of extensive product security certification experience, including roles as a government certifier, lab evaluator and vendor consultant. As the Director of Cyber Labs, Lachlan has overall responsibility for our Canadian and US Common Criteria laboratories.