CC certification procedure in cooperation with the BSI

The “Common Criteria for Information Technology Security Evaluation” (CC, ISO/IEC 15408) is an internationally recognised set of evaluation criteria for IT security products. The CC provide guidance and set requirements for a suitable representation of the IT security performance of a product (the security target), specify function blocks (SFRs, Security Functional Components) for formulating the security functions, and describe trustworthiness (assurance) families and classes for representing the test requirements and the depth of testing.

Test support for CC certification procedures

In order to cope with the growing number of certification procedures for IT security products, the German Federal Office for Information Security (BSI) entrusted Fraunhofer FOKUS in 2010 with the task of supporting the test centres in the evaluation procedures. The CertLab is responsible for supporting the test centres in the evaluation of software and hardware products and is the only institution outside the BSI that carries out this task. Throughout the entire certification process, the BSI retains procedural sovereignty.

The BSI issues security certificates for information technology products such as smart cards, smart meters, operating systems, databases and firewalls. Such a certificate is issued after successful examination and evaluation of the IT product in the so-called certification procedure. This procedure consists of three phases: application, evaluation and certification. As part of the CC Recognition Arrangement, the national certification bodies have concluded an agreement on the mutual recognition of test results up to EAL4.