In the last year, a total of 411 IT products and systems received Common Criteria certification, 23 more than the previous year. Recognition of Common Criteria (CC) is growing, but the increasing number of certifications has also raised a few issues. One of them is certificate validity. In the past, Common Criteria certificates were issued with an indefinite validity period unless withdrawn. The legitimacy of this was questionable, since a standard user, procurer, or regulator had no way to ascertain whether a certified product was still suitable and safe for use, particularly a product in continuous use in a specific context. The members of the Common Criteria Recognition Arrangement (CCRA) provided a solution to this issue in 2019, and the corresponding Operating Procedures were published by the CCRA Management Committee on the official Common Criteria portal. In this article, we provide insight into the CCRA agreement on the expiry of Common Criteria certificates and a possible way to extend their validity.
CCRA Resolution on Common Criteria Certification Expiration
A Common Criteria certificate specifies the level of assurance attained by an IT product or system at the time it is issued. With the rapid development of technology, however, cyber attacks, malware, and other threats are constantly changing and adapting. As the threat environment evolves over time, a given Common Criteria certificate no longer captures the product’s resistance to new attacks.
Therefore, the CCRA has approved a resolution, effective June 1, 2019, to limit the validity of mutually recognized Common Criteria certificates over time. SOG-IS concurs with this decision. The resolution informs vendors, risk managers, and approval bodies about the validity of Common Criteria certificates. It also defines the minimum requirements that SOG-IS member countries have to implement regarding the validity of the certificates.
Common Criteria Certificate Validity
Since the exact evolution of cyber attacks cannot be predicted, it is impossible to associate a time period with a Common Criteria certificate’s technical validity. The validity period is therefore not related to the product’s resistance to cyber attacks and should be handled as an administrative validity.
The CCRA has determined that a default lifespan of 5 years strikes a good balance between the Certification Bodies’ requirements and the needs of businesses. For particular Protection Profiles (PPs), this default lifespan may be refined at the Common Criteria Development Board (CCDB) level. The validity date of a Common Criteria certificate is tied to administrative duties such as advertising certificates on a Certified Product List (CPL) or archiving evaluation data.
Once a Common Criteria certificate has expired, it is moved to the ‘Archived Certified Products’ list and is no longer considered valid.
Can CC Certification be Extended?
Yes, it is possible to extend a Common Criteria certificate’s validity by using one of the Assurance Continuity methods described in the Assurance Continuity re-assessment process document.
Re-assessment enables the Developer to provide updates to a certified product, thus strengthening trust in its resistance to attacks in light of the latest developments. Following a successful re-assessment process, the Common Criteria certificate’s validity is extended for another 5 years (or the corresponding duration specified by the CCRA for the given PP).
Besides re-assessment, the Assurance Continuity document describes two other simplified processes for extending the validity of a product by issuing a new certificate: maintenance and re-evaluation.
Initially, Common Criteria certificates were issued without an expiration date. This raised the problem that, after a certain period of time, a certified product no longer resists the cyber threats that develop in parallel with the technology. The issue was resolved by the CCRA’s 2019 agreement, under which a default validity period of 5 years is recommended for a Common Criteria certificate. The expiration date may differ from this, but it must be displayed on the certificate in any case. The certificate can be extended using the re-assessment procedure.