Javier Tallón, our Technical Manager, is a member of the ENISA ad-hoc Working Group on the SOG-IS successor scheme, which supports the preparation of a candidate EU cybersecurity certification scheme as a successor to the existing schemes operating under the SOG-IS MRA.
What is EUCC?
This new scheme, developed for the cybersecurity certification of ICT products, has been named the EUCC scheme (Common Criteria based European candidate cybersecurity certification scheme).
Recommendations about EUCC, the new scheme for the certification of ICT products cybersecurity
Regarding EUCC, these are our recommendations:
1. You can expect a brief period of uncertainty. If the implementing act is adopted around the end of 2020, there will be a transition period, probably two years, before the current national SOG-IS schemes stop working. We expect the new scheme to be fully operational by the beginning of 2022. Old certificates can be converted to the new scheme. Please note that there will be no parallel issuance of EUCC and SOG-IS MRA certificates.
2. Prepare for new obligations:
3. Prepare for patch management: the new scheme will have two patch management methodologies that will allow developers to push security updates to their products while staying under the umbrella of the certificate. One of them has been led by jtsec as part of ISO SC27. They may require a bit of preparation, so ensure that you are able to provide patches in a manner consistent with these new methodologies. If you implement patch management now, you will gain some benefits in the future, especially if you want to convert already awarded SOG-IS certificates to the new scheme.
4. Closer lab cooperation: the new scheme will need closer cooperation between vendors and labs to work adequately. There may be reassessments and audits of already certified products after certification.
5. Certificates above VAN.3 will not be recognized unless there is a specific technical domain (at the moment, there are two technical domains: "HW Devices with Security Boxes" and "Smartcards and similar devices").
First public consultation for version 1 of the EUCC Candidate Scheme
The European Union Agency for Cybersecurity (ENISA) has launched a public consultation for the first candidate cybersecurity certification scheme, which will end on July 31st, 12:00 CET. Until that date, it is possible to contribute to the project and share comments that may be useful for improving the scheme and that will be reviewed in a later version.
Our commitment to new cybersecurity regulations
At jtsec, we always strive to innovate in the field of cybersecurity as part of our technical excellence. We are editors at the thematic group “IACS Cybersecurity certification”, members of the SCCG (Stakeholder Cybersecurity Certification Group) and editors at JTC13 WG3: “Cybersecurity Evaluation Methodology for ICT products”, among many other contributions in the area of cybersecurity.