CC certification procedure for the BSI
The “Common Criteria for Information Technology Security Evaluation” (CC, ISO/IEC 15408) is an internationally recognised set of test criteria for the evaluation of IT security products. The CC provide guidance and set requirements for a suitable representation of the IT security performance (security target) of the product, specify function blocks (SFRs, Security Functional Requirements) for formulating the security functions and describe assurance families and classes (SARs, Security Assurance Requirements) for representing the evaluation requirements and evaluation depth. The “Common Methodology for Information Security Evaluation” (CEM) sets out requirements for the evaluation process and for the activities of evaluators.
Evaluation attendance of CC certification procedures
In order to cope with the growing number of certification procedures for IT security products, in 2010 the German Federal Office for Information Security (BSI) entrusted Fraunhofer FOKUS with the task of overseeing the evaluation facilities (ITSEFs) in CC evaluation procedures. The CertLab at Fraunhofer FOKUS is responsible for overseeing the work of the ITSEFs during the evaluation of software products and is the only institution that carries out this task outside the BSI. Throughout the entire certification process, the BSI retains procedural sovereignty.
As the national IT security authority, the BSI aims to advance IT security in Germany. In doing so, the BSI serves as the federal government’s central IT service provider and also works with manufacturers as well as private and commercial users and providers of information technology.
The BSI issues security certificates for IT security products such as smart cards, smart meters, operating systems, databases and firewalls. Such a certificate is issued after successful examination and evaluation of the IT product in the so-called certification procedure. This procedure consists of three phases: application, evaluation and certification.
As the national certification authority (pursuant to the BSI Act), the BSI oversees the evaluation process conducted by evaluation facilities recognised by the BSI, thereby ensuring the comparability of evaluation results, and represents these results internationally. The process carried out by national certification bodies is internationally harmonised, and the certificates issued are internationally recognised.