OVERVIEW

Cybersecurity Certification Guide

Cybersecurity Certification Guide

Global Cyber Landscape
CONTENTS

OVERVIEW 1 Global Cyber Landscape The global cyber landscape has changed

2 Opportunities for Certification dramatically in recent years, with increasing

awareness of the risks and threats faced
by states, businesses, and individuals.
SCHEMES 5 Singapore Common Criteria Scheme
Ransomware attacks, data breaches,
(SCCS)
and other cyber incidents have made
11 National IT Evaluation Scheme (NITES)
the headlines as a stark reminder that
13 The Smart Consumer Device cybersecurity must be taken seriously.
14 Frequently Asked Questions (FAQ)
1
At the same time, people are keen to
maximise the opportunities presented
FUTURE 16 Events & Activities
by the rapid advances in digitalisation
and innovation. Singapore is embarking
on an initiative to create a “Smart Nation”,
and businesses and individuals are keen
to harness the power of technology at
work and play. Singapore’s Cybersecurity
Strategy aims to create a resilient and
trusted digital environment to facilitate that.

New technology products are constantly

coming to market. CSA offers and supports
the use of Certification Schemes to provide
assurance to customers that the product
has been objectively assessed to be more
cyber secure, and has adopted a secure-by-
design approach throughout the product’s
development and life cycle.
 OVERVIEW
Cybersecurity Certification Guide

Cybersecurity Certification Guide

Opportunities for Certification

The speed of technology adoption
continues to accelerate for both
work and play, with new business
models and market opportunities
still being unlocked.
With greater digitalisation and
connectivity comes increased
emphasis on cybersecurity.
While cybersecurity is a concern,
2 it is also a market opportunity.
An internationally-recognised The two schemes listed in this guide,
certification mark has become a catering to different market segments, are:
necessity for local developers to
expand their market reach globally. Singapore Common Criteria
Scheme (SCCS), for certification of
commercial IT products targeting
CSA Cybersecurity Certification
the international marketplace;
Centre operates the following
schemes aimed at providing
National IT Evaluation Scheme
the security assurance that
(NITES), for evaluation of IT
the product has undergone products that meets high
impartial examination and testing assurance requirement for 3

Based on the IDC forecast made to ascertain that it is securely Cyber Security Agency
Singapore government agencies.
in October 2018, worldwide designed, implemented, and of Singapore (CSA) is
spending for cybersecurity is appropriate in mitigating the the national agency that
projected to reach $133.7 billion by specified security threats. Through these schemes, smaller companies, provides dedicated and
2022 1 ; and the demand for higher- who have yet to establish track records, will centralised oversight
quality and secure products will be able to demonstrate the merits of their of national cybersecurity
continue to increase. products that are benchmarked against functions including
international standards. strategy, international
policy, R&D, outreach,
system and industry
development.

Under the ambit of

CSA is the Cybersecurity
Certification Centre
(CCC) which focuses
on the evaluation
and certification of
cybersecurity products.

1
“New IDC Spending Guide Forecasts Worldwide Spending on Security Solutions will Reach $133.7 Billion in 2022”, International
Data Corporation (IDC) Press Release, 04 October 2018, https://www.idc.com/getdoc.jsp?containerId=prUS44370418
 SCHEMES
Cybersecurity Certification Guide

Cybersecurity Certification Guide

About SCCS SCCS: Benefits

Common Criteria (CC), also known For consumers:

as ISO/IEC 15408, is a globally • Trust that the security
recognised technical standard examination of a product is done
for IT security evaluation. To date, impartially, professionally, and
4 5
31 nations have signed the Common meets international standards;
Criteria Recognition Arrangement therefore reducing the need
(CCRA), whereby CC certificates for in-house inspections.
issued by an authorised nation
are mutually recognised across • Better safeguard their digital
all member nations. assets and services by deploying
certified products.
As of January 2019, Singapore
is recognised as a CC Certificate
For developers:
Authorising Nation.
• Meet regulatory requirements
Singapore subscribes to the and gain market access.
objectives of the CCRA: to improve
the availability of IT products • Develop better products
evaluated under high and consistent and differentiate themselves.
standards, and to eliminate the
burden of duplicating evaluations
while improving the efficiency and
effectiveness of the evaluations.
 SCHEMES
Cybersecurity Certification Guide

Cybersecurity Certification Guide

Product Security
Accreditation
Evaluation &
& Recognition
Process of Evaluation
Certification
Developers of a product

Common Criteria
Recognition Arrangement
➀ can apply to CSA-CCC
to have their product
evaluated under SCCS.

➄ Supports development
Recognises CSA as
Supervises evaluation of Common Criteria
CC certification body
Developers engage a

➁
of product standard CCTL approved by SCCS
➂ Requests for certification

to undergo evaluation in
➅ Issues certificate to

accordance to internationally
Common Criteria recognised standards.
Testing Laboratory
6 7
(CCTL)

➃ ➁ Approves
Evaluates Engages
as CCTL
product CCTL

➂
After the evaluation,
an assessment will be
submitted to CSA-CCC.
Common Criteria
Sponsor /Developer Testing Laboratory
(CCTL)

➆ ➀ Accredits CCTL
Provides certified Requires security
with ISO 17025
products to assurance from
If successful, CC

➃
certificate will be issued
which raises the level of
trust and assurance in
Consumer
the product.

Recognised Accreditation Bodies

Scan to find out more

For more information: information about
SCCS Certified Products:
 SCHEMES
Cybersecurity Certification Guide
Testimonials
of developers As a global security
evaluation methodology
and labs recognised by more than
30 countries, there is no
other security standard
in the world that is more
thorough, complete, and
influential than Common
Criteria (CC). The CC
Recognition Arrangement
(CCRA) benefits the
security ecosystem and
lowers the barrier of selling
your security products
to different parts of the
world. Brightsight, the
number one security lab
8 training, as well as their
in the world, has not only
contributed to the creation
of the latest version of the
standard, but also supported
developers getting hundreds
of certifications in the past
years. Brightsight is working
with CSA to enable a smooth
evaluation and certification
process where more
developers can benefit from
CC and face the IoT security
challenges together.
Dirk-Jan Out
Chief Executive Officer
Brightsight
How to sieve out design
flaws? How to prove design
correctness and provide
security assurance to
customers? These are the
questions that developers
often ponder before they
embarked on the CC journey.
What we didn’t foresee was
the amount of engineering,
testing and documentation
effort that is required for
product certification.
It was at this juncture when
CSA provided crucial support
in knowledge build up and
coordinated push for a wider
adoption of CC certification
in local ecosystem.
Attaining CC Certification not
only ensure we deliver more
secure and quality products,
it also elevates our competitive
edge in global markets. What
started as a daunting task has
also help to deepen our team’s
expertise and experience in
the journey of CC.
Goh Eng Choon
Deputy President
Cybersecurity Systems Group,
Electronics,
ST Engineering
In a time of increasing
cyber threats, third party
security evaluation and
certification makes our IT
environment more secure
and reliable. Evaluation
activities including security
testing are performed
by labs according to
the requirements of the
Common Criteria (ISO/IEC
15408). The benefits of the
evaluation and certification
using CC are impartiality
and comparability. CC
certificates are mutually
recognised by CCRA
members. No security
evaluation can reduce
risks to assets to zero,
but to an acceptable level.
Risk owners get a clear
alignment with their actual
security policy determines
at an adequate assurance
level. Common Criteria
reflects the degree of
assurance by different well-
defined Assurance Levels.
Dr. Igor Furgel
Head of Certification Body
T-Systems
Cybersecurity Certification Guide
To be a trusted provider
of mobile security
The Singapore Common
Criteria Scheme not
products and solutions, only strengthens
it is important for us to understanding of
have an independent security in technology
assessment of the security products among the
of our technology so as general population,
to provide the assurance but also the rigorous
that our global customers and internationally
need. Common Criteria recognised standard
is a globally-recognised of evaluation and
standard that not only certification allows
includes the evaluation developers of quality
of our products’ security products to penetrate
functionality but also the new markets. Evaluation
assurance of our design labs that fall under
and development process. this scheme are also
9
Having gone through carefully curated for
Common Criteria evaluation developers’ assurance.
also helped our teams The certification
to formalise many of our process is carried out
processes to enable us to with utmost integrity
become a more security- and professionalism
minded organisation. while maintaining
open communication
among all stakeholders.
An Security, a local
security lab, is proud to
be participating in this
journey with CSA.
Er Chiang Kai Daryl Koh
Chief Technology Officer Managing Director
V-Key An Security
 SCHEMES
Cybersecurity Certification Guide
Common Criteria
Users Forum (CCUF)
The Common Criteria Users Forum (CCUF)
was founded in 2012 and is a community
based around those using the Common
Criteria and ISO/IEC 15408 standards.
The Common Criteria Users’ Forum mission
is to provide a voice and communications
channel between the CC community
and the CC organisational committees,
10 CC evaluation schemes, and policy makers.
For more information
about CCUF:
About NITES
The National IT Evaluation
Scheme (NITES) was launched
in November 2009. Products
intended to be used for handling
sensitive government data have
to be evaluated in accordance
with NITES. The most stringent
requirements are needed when
it comes to safeguarding
Singapore’s national interests.
NITES provides the assurance
that the security measures
provided by the product to
safeguard the highly classified
information in the intended
deployment scenarios are suitable.
Cybersecurity Certification Guide
Products that performs
critical security functions such
as cryptographic operations
are likely to be subjected to 11
security evaluation.
Apart from additional national
requirement, NITES largely
adopts the CC methodology of
evaluating the products at high
assurance level.
For more information,
please contact us at
 SCHEMES
Cybersecurity Certification Guide

Cybersecurity Certification Guide

The Smart Consumer Device

In recent years, consumers are increasingly adopting ‘smart’

devices such as Smart TVs, Smart Home Hubs, and IP Cameras
to improve quality of life. In the future, it is expected that billions
of such devices will be connected to the internet. However,
the growth and proliferation of such devices also increased
cybersecurity concerns and risk of being hacked.

12
What’s going on?
In the market, a large number
of devices are being sold with
poor cybersecurity provisions.
Hackers generally look for
the easiest systems to attack
that will net the most damage
and returns.
While consumers will most
often choose the more
secure product if available,
the amount of security that
is built into these devices is
not usually made known by
the manufacturers. Thus,
consumers are unable to
make informed decisions
towards purchasing more
secure devices.
13
As a general consumer,
how can we better protect
ourselves when we are
unable to determine if a
product is good or bad?
To help general consumers
better protect themselves
against cyber-attacks,
Singapore is exploring a
labelling scheme for these
consumer devices. Under this
scheme, the cybersecurity
labels would help to provide an
indication of the level of security
that is embedded in the products and
empower consumers to make more
informed purchasing decisions. In the
long run, manufacturers would thus
be encouraged to provide products
with better cybersecurity provisions.
 SCHEMES
Cybersecurity Certification Guide
Frequently Asked Questions
Common Criteria (CC)
How long do evaluations take?
A typical evaluation takes around
3 to 6 months. The scope of evaluation,
complexity of the product, and
readiness of the developer may
also affect the duration of evaluation.
Products evaluated at higher
assurance levels will likely take
longer with more effort needed.
14
What can developer do to shorten
the duration of an evaluation?
Developers are recommended to
adopt the security-by-design approach
during the product design phase.
A product with well-designed
security implementations often takes
a shorter period of time for evaluation.
Developers who are new to CC could
consider engaging an independent CC
consultant to support them through
the evaluation process. Additional time
and cost will be incurred when the
developer tries to fit additional security
measures into their existing product
design during evaluation.
How long will a CC certificate
be valid for?
Each CC certificate issued will be
valid for 5 years from the date of issue.
What are the applicable fees for CC?
CSA charges a nominal fee (refer
to CSA Common Criteria website)
for certification services. For
evaluation fees, please contact the
approved CCTL under SSCS as
cost varies based on the scope of
evaluation and complexity of product.
If a product is CC certified with
the highest Evaluation Assurance
Level (EAL), does it mean that it is
impossible to hack the product?
A product with a higher EAL is not
an assurance of an elevated level
of security; instead, it signifies it has
undergone more testing. To achieve
balance among cost, time, and effort,
an evaluation done at a higher EAL is
also often for a more targeted scope;
while an evaluation done at a lower
EAL is likely to be of a broader scope.
Consumers and developers should
consider the security requirements
and the intended deployment
locations to determine which
EAL is more appropriate.
Cybersecurity Certification Guide
To what levels are the CC certificates
mutually recognised?
The Common Criteria Recognition Arrangement
mutually recognised certificates based on:
• collaborative Protection Profile (cPP)
up to and including EAL4 and ALC_FLR
• Up to EAL2 and ALC_FLR
What are the different Evaluation Assurance
Levels (EALs) under Common Criteria?
The EALs provide an increasing scale that balances
the level of assurance obtained with the cost and
feasibility of acquiring that degree of assurance.
NITES and CC
EAL1 – Functionally tested 15
Which scheme to choose?
EAL2 – Structurally tested
NITES or CC?
EAL3 – Methodically tested and checked
Developers who are keen
EAL4 – Methodically designed, tested
to obtain an internationally-
and reviewed
recognised certification to
EAL5 – Semiformally designed and tested
facilitate the exportability of
EAL6 – Semiformally verified design and tested
their products should strive for
EAL7 – Formally verified design and tested CC certification. The NITES is a
high-assurance national scheme
What is the difference between an that is recognised only by the
authorising nation and consuming nation? Singapore Government.
The authorising nation is a compliant Certification
Body operating in their own country and under
the CCRA, that is able to issue certificates which
are mutually recognised. Consuming nation do
not operate any compliant Certification Body,
nonetheless has expressed interest in the
use of certified IT products.
Members of the CCRA:
 EVENTS & ACTIVITIES
Cybersecurity Certification Guide
Events & Activities
16
Common Criteria
(Specialisation)
Training
As part of CSA's strategy to
build a strong community of
practice in product evaluation
and certification, the CC training
aims to provide CC evaluators,
developers, certifiers, and project
managers with CC skills.
Common Criteria
Industry Awareness
Workshop
A series of industry engagements to
spread Common Criteria awareness
to the local industry, the Industry
Awareness Workshop provides
participants with an appreciation
of CC to help companies develop
world-class security products.
Contact
Cyber Security Agency
of Singapore
General Enquiries/Feedback:
contact@csa.gov.sg
Common Criteria
C-Suite Awareness Cybersecurity
Workshop Certification Centre
Schemes Enquiries:
nites@csa.gov.sg
The C-Suite Awareness Workshop
provides senior decision makers
from the private and public Scan for the latest list of
CCTL approved by SCCS:
sectors with an appreciation of
Common Criteria. Through the
sharing by fellow developers and
international experts, the senior
management gained a better
understanding of how CC could
improve security assurance of
product, be leveraged upon to
develop world class security
products and for their companies
to gain access to the wider markets.
Designed by:
APT811 Design & Innovation Agency