ENISA has published this week an update of the EUCC (Common Criteria based European candidate cybersecurity certification). A scheme that we are deeply proud to be published, since jtsec has actively participated through the Ad Hoc Working Group and the Stakeholders Cybersecurity Certification Group in the creation of the candidate scheme named by ENISA as valid for the certification of ICT products.
In addition, it supports the use of the Patch Management methodology . This Patch Management is developed in ISO with jtsec as its editor.
What does this new scheme mean at the European level?
EUCC is the first scheme published under the guidelines of the CSA (Cybersecurity Act), which proposes the creation of a common European framework for the certification of "cybersecure" ICT products and services. It can be considered a horizontal scheme, as it can be usable in several sectorial competences.
EUCC is based on Common Criteria (ISO/IEC 15408 and ISO/IEC 18045) and is aimed at replacing the current national certification schemes also based on Common Criteria.
The following chart shows the process followed by the EUCC until it was approved by the European Commission.
The existence of cybersecurity schemes recognized by the European Commission provides a framework in which cybersecurity laboratories, private companies and public administrations can abide when certifying their products within Europe, in the case of the EUCC, for ICT products.
We have always been committed to the standardization and unification of criteria in terms of cybersecurity certifications, so the creation of the EUCC is a major milestone at European level.
Our contributioin in the development of the EUCC
Javier Tallón, Technical Director at jtsec Beyond IT Security, has been part of the ENISA ad-hoc Working Group on the SOG-IS successor scheme, in charge of developing the EUCC scheme. Therefore, we are very proud that, finally, this candidate scheme has been the one selected by the European Commission for the cybersecurity certification of ICT products.
As member of the AhWG, Javier has actively participated in the thematic working groups TG2 and TG5, corresponding to the "Necessary elements to specify, evaluate and certify products in a harmonised way" and "Continuity assurance and handling of vulnerabilities" and is Rapporteur of TG7 "Guidance on harmonized interpretations of ISO/IEC 17025 and 17065".
Moreover, ENISA has relied on jtsec (in collaboration with Red Alert Labs and KPMG) for the creation of three new guides:
It is worth mentioning that recently our CTO, José Ruiz, has also been incorporated to the AhWG as Common Criteria expert for the creation of a label that allows the general public to identify the products certified in the new scheme, not only by the level of assurance according to the CSA (Basic / Substantial / High), but also allowing to introduce the level of assurance using the Common Criteria Security Assurance Requirements (EAL4+ALC_FLR.1).
In this working group will collaborate with other experts in market surveillance and labeling such as those responsible for CE marking or PEGI labeling for use in video games.
*original source ENISA
Finally we are very proud that the work we have done (and are still doing!) in ISO in these last years is bearing a magnificent fruit, allowing the use of the Patch Management methodology developed in ISO.
Of course, there is still some time to go before the scheme is finalized, so we look forward to continuing to give our full support to ENISA and the ECCG.
How is the new EUCC scheme expected to be adapted?
Based on the discussions with the European Commission, the scenario of a "big bang" has been considered as the most probable one, being it consists of the following::
To minimize this impact, ENISA is creating transition guides that will allow laboratories and manufacturers to adapt to the new conditions.
There will be a transition period, however, which will allow:
Furthermore, the scheme foresees some possible reuse conditions as to ease the transition (e.g., reuse of certification activities or reuse of peer assessment results).
What is new in version 1.1.1?
Major changes relate to the:
This version of the candidate scheme will be used by the European Commission for the drafting of the Implementig Act, by which the scheme becomes part of European legislation.
This process will be long and complex, and will probably require new discussions and guidelines to facilitate the transition and use of the new scheme, but progress is unstoppable and it will soon be a reality throughout Europe to which we must adapt as soon as possible.
*original source ENISA
How can we help you evaluating your product complying with the EUCC?
If your are thinking of certifying your ICT product under the EUCC scheme, do not hesitate to contact us so we can help you. In addition, as a Common Criteria expert laboratory, we can assist you in getting your product certified in the shortest possible time, smoothing the process thanks to our technical expertise.