Common Criteria for Information Technology Security Evaluation (CC), to use
its formal name, is an international standard for certification of computer
technology. CC lets its users establish certain security function and
assurance requirements. Vendors can in turn implement these requirements, and
independent laboratories can then evaluate the products to validate the
claims made by the vendors. (https://www.commoncriteriaportal.org/)
EAL
When a product receives CC certification, it also has an associated level
of assurance. The commonly seen measure is the Evaluation Assurance Level
(EAL). EAL ranges from EAL 1 (most basic) to EAL 7 (most stringent). A higher
EAL does not mean more security; it reflects the degree to which the product
has been verified. (https://en.wikipedia.org/wiki/Evaluation_Assurance_Level)
- EAL1: Functionally Tested
- EAL2: Structurally Tested
- EAL3: Methodically Tested and Checked
- EAL4: Methodically Designed, Tested, and Reviewed
- EAL5: Semiformally Designed and Tested
- EAL6: Semiformally Verified Design and Tested
- EAL7: Formally Verified Design and Tested
The simplest way to determine whether your product has received a CC certification is to go to https://www.commoncriteriaportal.org/products/, expand all categories, then press F3 to search.
AF C&A Process: How does having CC Certification affect my ability to use the product on the AF network?
That depends on what type of product it is. If it is an IA or IA-Enabled Product, then it must have CC certification in order for you to use it. This will be documented in IA Control: ESCS, DCAS, DCCS. This is also true of Multi-Function Devices (MFDs). If your product is neither, then having a CC certificate can provide you (the IAM) with assurance that the product has been tested. (https://afkm.wpafb.af.mil/forum/default.aspx?g=rsstopic&pg=posts&t=119258&Filter=OO-SC-IA-01)