The Netherlands Scheme for Certification in the Area of IT Security (NSCIB) has been set up to enable the evaluation and certification of the security aspects of information technology (IT) products. The objective of the Scheme is to enable IT products and systems to be evaluated and certified in the Netherlands in a way that conforms to the so-called 'Common Criteria' methodology (ISO/IEC 15408) for evaluation and certification.
The Common Criteria is the result of an initiative to develop common requirements for an international standard and method for evaluating the security properties of IT-products and systems.
The Common Criteria was originally developed in co-operation between national standardisation and security bodies in Canada, France, Germany, Great Britain, the Netherlands and the US. The objective was to replace national methods for security evaluation with common criteria that could be applied and recognised internationally, hence the name.
The objective of using the Common Criteria is to facilitate the evaluation of the security properties of IT products and systems against specified requirements. The method is flexible and makes it possible to specify security requirements for a single product or for a category of products.
The official version of the Common Criteria is version 3.1 (revision 5).
More information on the Common Criteria standard and the method of evaluation may be found on this website.
The marks presented on a certified product are used to inform the user that the product or system has been evaluated in accordance with the Common Criteria and the terms of the Common Criteria Recognition Arrangement (CCRA) and the SOG-IS Mutual Recognition Agreement (SOG-IS MRA).
Netherlands Position Statement regarding the SOG-IS MRA in the context of the revised CCRA
The Netherlands Common Criteria Scheme (NSCIB), considering the ratification of the revised CCRA, under which international mutual recognition of certificates is based on evaluations that claim compliance with collaborative Protection Profiles (cPPs) or Evaluation Assurance Levels 1 through 2, has determined its policy on how to use cPPs in the Scheme in relation to the European context.
The role of SOG-IS MRA in the European context
National competent authorities collaborate within the SOG-IS MRA at European level. Hence, the SOG-IS MRA is the single point of contact for all stakeholders, including the European Commission, when it comes to IT security product certification. This group provides a neutral and objective platform to address today's trust challenge in a pragmatic, result-oriented manner. The SOG-IS MRA particularly promotes so-called "recommended" Protection Profiles that are of interest to all members and might possibly be EU-mandated. They are harmonised by all members following an endorsement procedure and therefore sustainably reinforce trust in the digital society and economy.
High assurance certification
The IT security of products is essential in building the trust of citizens, businesses and administrations in the digital society, in particular now that protection of privacy online has become a growing concern in the EU. Several pieces of EU legislation now mandate high-assurance IT security product certification. The supporting PPs are developed by the European Standardisation Organisations (ESOs) or other bodies, published as SOG-IS MRA "recommended", and applied by SOG-IS MRA member schemes.
While the CCRA focuses on evaluations being fully comparable and repeatable, the SOG-IS MRA acknowledges that, especially at the higher assurance levels, more evaluation effort is necessary, effort that makes maximum use of the evaluator's skills and capabilities. This expertise and experience within particular product categories or technical domains is established in cooperation with industry in technical working groups and is regularly proven by thorough technical assessments between the SOG-IS MRA members.
Compared to the CCRA, the SOG-IS MRA allows mutual recognition of a larger range of assurance levels, allowing industry to seek a certificate recognised by several countries while at the same time achieving, where necessary, a high assurance level. The SOG-IS MRA is therefore beneficial to international trade, not only for EU industry but also for non-EU product providers.
The Netherlands Common Criteria Scheme will make use of international collaborative Protection Profiles as far as they fulfil the specific needs of national stakeholders or the European Community (governments, market and industry). This could mean that additional security functionality is required and that adjustments for higher assurance levels are needed.
Under the revised CCRA, certificates can only be issued against cPPs if the product conforms exactly to the security requirements stated in the cPP (see CCRA Annex K.3). This means a certificate issued under the CCRA cannot claim additional security functionality or higher assurance components. In these cases the Netherlands Common Criteria Scheme will issue two certificates based on a single evaluation of a compliant product: one that is CCRA cPP-compliant and one that is SOG-IS MRA-compliant and includes the additional security requirements.
For evaluations that are not cPP-compliant, the Netherlands Common Criteria Scheme will continue, as before and in compliance with the SOG-IS MRA, to issue certificates beyond EAL2 as appropriate and to recognise certificates up to EAL4, or higher for specific technical domains.