EUCC (from “European Union” and “Common Criteria”) is the first European security certification scheme for ICT products being defined under the umbrella of the Cybersecurity Act (CSA), as we mentioned in our previous article dedicated to the CSA.
In keeping with our goal of making things as simple as possible for our clients in their efforts to certify their products, we provide here a brief and concise description of the main characteristics of this new certification scheme.
Currently (December 2020) the first draft of the EUCC is available, and the final version is expected to be approved during 2021.
EUCC is based on Common Criteria (ISO/IEC 15408 & ISO/IEC 18045) and is intended to replace the current national certification schemes also based on Common Criteria (ENECSTI in Spain), which currently operate under the SOG-IS mutual recognition agreement (SOG-IS MRA).
Its scope will be the security certification of ICT products that do not fall under any other specific scheme (in the near future, specific schemes are expected for particular technologies or markets, such as IoT, cloud services, or mobile communications).
NOTE: Since this is still a draft version, the characteristics described below might be modified prior to its final approval, so for the time being they cannot be taken as completely certain.
EUCC offers the two highest assurance levels defined in the CSA: “substantial” and “high”. The “basic” level has been left out of the scope of EUCC, to be covered by other future certification schemes with lesser security requirements. The EUCC assurance level is derived from the component selected in the AVA (Vulnerability Assessment) class of Common Criteria: AVA_VAN.1 and AVA_VAN.2 map to level “substantial”, while AVA_VAN.3 to AVA_VAN.5 map to level “high”. In practice, this means the assurance level of a certificate is determined by the attack potential the evaluator's penetration testing was required to resist, not by the EAL alone.
Certificates will be issued by certification bodies that will need to be accredited (ISO/IEC 17065), but which may be different from the national cybersecurity certification authority of each country. Nevertheless, certificates of assurance level “high” will have to be issued by the corresponding national cybersecurity certification authority, or by certification bodies authorized by it.
Laboratories (IT Security Evaluation Facilities, ITSEF)
The security evaluation of the products will be conducted by accredited (ISO/IEC 17025) laboratories, which may be internal or external to the corresponding certification body. This does not differ from the current certification schemes.
During the lifetime of their certificate, products will be subject to a maintenance process in response to changes that might affect their certification status. Maintenance activities will include review and decision making by the certification body and, when necessary, re-evaluation by the laboratory.
EUCC mandates that all vulnerabilities that might appear during the lifetime of the certificate be managed according to an adapted version of the following standards:
ISO/IEC 30111 : Information technology — Security techniques — Vulnerability handling processes
ISO/IEC 29147 : Information technology — Security techniques — Vulnerability disclosure
EUCC also allows the vendor to include a patch management mechanism to be analysed during the certification of the product. Vendors will then be able to follow that mechanism to keep their product patched against new vulnerabilities that might be detected, while maintaining the certification status of the product.
EUCC recommends a transition period of 2 years between the date when EUCC becomes active and the date when the current schemes based on the SOG-IS agreement become inactive, thus ensuring no interruption of service. During this transition period, vendors will need to familiarize themselves with, and adopt, the new requirements imposed by EUCC (compulsory maintenance, vulnerability management and patch management). Laboratories and certification bodies will also need to use that transition period to adapt their operations to the new scheme.
As said before, this is still a draft version, so some of the characteristics described here could still be modified before final approval, but the draft is considered quite mature and no major changes are expected. We therefore recommend that vendors start familiarizing themselves with the new requirements that EUCC will impose for the certification of their products.