Important News:SafeLogic's CryptoComply Achieves FIPS 140-3 Validation for 28 OEs and Receives Certificate #4781! Read the blog post!
Common Criteria FIPS 140 Compliance
Eliminating the FIPS 140 Headache During Common Criteria Certification
If your company is making the huge effort and investment required to get Common Criteria certified, don’t waste time and effort working with multiple 3rd parties to get your FIPS 140 CAVP or CMVP certificates. SafeLogic provides one stop shopping for FIPS 140 that will save you time, money, headaches and resources.
What is Common Criteria?
-
Common Criteria (CC) is an internationally recognized set of guidelines (ISO 15408) that define a common framework for evaluating security features and capabilities of commercial off-the-shelf (COTS) Information Technology security products
-
Thirty-one countries including the United States and Canada have signed the Common Criteria Recognition Arrangement (CCRA)
-
Common Criteria certifications are mutually recognized by all participating nations, minimizing the need for multiple evaluations of the same product
-
Common Criteria certification lets buyers know IT products have been rigorously tested and proven to be secure enough for the world's top government defense agencies.
-
Receiving a Common Criteria certification allows vendors to sell their security products to the U.S. Department of Defense, U.S. federal government, international governments, and other highly regulated industries around the globe that require Common Criteria certification
How does Common Criteria Certification Work?
-
In the U.S., Common Criteria is administered by the National Information Assurance Partnership (NIAP). Other countries have their own CC authorities
-
Each authority certifies CC labs, which do the actual work of evaluating products
-
The certification process is an intense evaluation to validate the security robustness of the device's software and hardware as it relates to permissions, access control, data destruction and entropy. It also ensures that other security areas are addressed, such as the National Institute of Standards and Technology (NIST) validated FIPS 140 encryption
-
The Common Criteria authority in each country creates a set of expectations for particular kinds of IT products: operating systems, firewalls, and so on. Those expectations are called Protection Profiles.
-
Vendors work with a third-party lab to document how they meet the Protection Profile. They spend months with the lab getting their package ready for submission
-
Once the package is complete, it is submitted to the relevant authority
Once the authority reviews and approves the package the product becomes “Common Criteria certified” for that target and will appear on the Common Criteria Product Compliance List (PCL).
-
Common Criteria and FIPS 140 have different but complementary purposes. Common Criteria is designed to evaluate security functions in IT software and hardware products, while FIPS 140 is designed specifically for validating software and hardware cryptographic modules
-
Given that cryptography is a key element of security, and the potential for overlapping evaluations and testing, NIST and NIAP have worked closely to clarify the relationship between the two initiatives
-
NIAP clarified this relationship in Policy Letter #5 (update 4) dated 06 December 2019. The letter states:
-
"NIAP-approved PPs [Protection Profiles] may specify cryptographic assurance activities that are intended to verify that the cryptography specified in the Target of Evaluation (TOE) satisfies the corresponding PP security functional requirement."
-
“Since NIST has programs (CAVP [Cryptographic Algorithm Validation Program]and CMVP [Cryptographic Module Validation Program]) to verify algorithm and cryptographic module implementation, NIAP is issuing this policy to minimize redundancies between the activities of the NIST test facilities and the Common Criteria Test Laboratories (CCTLs)."
-
-
-
“This policy applies to evaluations conducted in NIAP for all TOEs that include cryptography to satisfy requirements contained in NIAP-approved PPs."
-
“All cryptography in the TOE for which NIST provides validation testing of FIPS-approved and NIST-recommended cryptographic algorithms and their individual components must be NIST validated (CAVP and/or CMVP)."
-
“At a minimum an appropriate NIST CAVP certificate is required before a NIAP CC Certificate will be awarded."
-
Given that virtually all security products covered by Common Criteria incorporate cryptography for one reason or another, this effectively makes FIPS 140 testing a prerequisite for Common Criteria certification.
The Traditional FIPS 140 CMVP/CAVP Certification Process is Slow, Complex and Painful
Traditionally, companies seeking compliance with the FIPS 140 component of Common Criteria have had one choice: hire a FIPS 140 consultant who would then orchestrate a long, complex, difficult, and expensive process involving the applicant, the consultant, a FIPS 140 testing lab certified by NIST, NIST itself, and possibly the encryption module supplier to document, test and certify the exact cryptographic modules being used in the TOE on the exact hardware and software specified in the TOE. Often, this work would be based on an open-source cryptography module or one embedded in the TOE operating system. Given the long queues and limited resources at both the certification labs and NIST itself, this process can literally take years.
SafeLogic Overcomes FIPS 140 Headaches for the Common Criteria Community
SafeLogic’s Common Criteria offering builds on the three pillars of its FIPS 140 Validation-as-a-Service: CryptoComplyTM, RapidCertTM, and MaintainCertTM. Starting with this foundation, SafeLogic offers these four advantages to its Common Criteria customers:
-
SafeLogic provides you one-stop shopping. As opposed to working with a FIPS 140 AND a FIPS certification lab AND NIST AND possibly open source or operating system vendors, vendors only need to work with SafeLogic. Our FIPS 140 experts handle any necessary interaction with any third party. Your resources can then focus on other aspects of your Common Criteria initiative.
-
SafeLogic helps you continue meeting your Common Criteria cryptography requirements as your FIPS 140 requirements change and their needs change. For instance, SafeLogic experts can test new algorithms, test new OEs, etc.
- Should you need one, RapidCert can get you a FIPS 140 CMVP certificate in your own name in two months. In the FIPS 140 world, vendors with their own CMVP certificates can have a distinct competitive advantage over those relying on an open source or operating system CMVP cert from another vendor.
- MaintainCert ensures your underlying FIPS Validated module remains ‘Active’ using a white glove service model for a fixed cost. If a vendor relies on an open-source module or something that comes with the OS, and that module goes historical, that will put their CC status at risk.