Evaluation Monitoring for CC Certification Procedures
In order to keep up with the growing number of certification procedures, the Federal Office for Information Security (BSI) outsourced the monitoring of the evaluation facilities during evaluation procedures in part to Fraunhofer FOKUS. In coordination with the BSI certifiers, the employees of the Certification Lab (CertLab) take over the monitoring of the evaluation facilities during the evaluation of a software product up to EAL4. The whole certification procedure remains under the authority of the BSI.
As the national IT security authority, the Federal Office for Information Security (BSI) aims to promote IT security in Germany. In this role, the BSI is the central IT service provider of the German Federation, but it also addresses manufacturers as well as private and commercial users and providers of information technology.
The BSI issues security certificates for information technology products such as smart cards, smart meters, operating systems, databases and firewalls. Such a certificate is issued after the IT product passes the evaluation and assessment in the so-called certification procedure. This procedure includes three phases: application, evaluation and certification. The manufacturer submits an application for the certification of its product and commissions a BSI-approved external evaluation facility to evaluate whether the product complies with the security criteria specified in the CC.
The “Common Criteria for Information Technology Security Evaluation”
The “Common Criteria for Information Technology Security Evaluation” (CC) are an international standard (ISO/IEC 15408) for the formulation of the security functionality of IT products. The evaluation and assessment of the formulated IT security functionality is based on the “Common Methodology for Information Security Evaluation” (CEM). In line with the CC Recognition Arrangement, the national certification bodies have concluded an agreement regarding the mutual recognition of evaluation results up to EAL4. As the national certification body, the Federal Office for Information Security (BSI) observes the evaluations carried out by BSI-approved evaluation facilities, thereby ensuring the comparability of the evaluation results and representing them internationally. The process carried out by the national certification bodies is coordinated on a national level; the awarded certificates are recognized internationally.