Program – Full Style

Traditionally verification in automotive was centered around safety, protection against unintentional problems. Now it is time to look at security, or how do we protect against intentional problems? We show... Read More

Currently Europe implements a Cyber Security Act (CSA) which amongst others sets up a European IT-Security certification framework. It is more than an educated guess that the first implementation of... Read More

IoT systems become highly dynamic and configurable raising evaluation difficulties. They have multiple components with different robustness levels. Connect the components’ security functions during integration is essential. Our “Lego” methodology... Read More

Following on from a presentation at ICMC 2018, this presentation will provide an update on progress with Brexit, the development of ENISA under the EU cyber security act; and the... Read More

The topic of this presentation is the current approach for composite evaluations (where a hardware platform is evaluated separately from the software running on the hardware) and its failure to... Read More

The aim of this presentation is providing an overview of the compositional security certification methodology to be used in the scope of MILS (Multiple Independent Levels of Security) evaluations and... Read More

Distributed products evaluated under the Common Criteria paradigm have their own set of unique challenges. The Network Device iTC has supported distributed TOEs since the release of Network Device Collaborative... Read More

The FIDO Alliance, a 250+ member association developing specifications and certification programs for simpler, stronger authentication, announced back in March 2018 the expansion of its certification program to include multi-level... Read More

This session will present a new approach – BSZ – in the German scheme (comparable to CSPN in France) which aims at providing assurance while drastically reducing both time as... Read More

GlobalPlatform will present the use of Common Criteria to build a Trusted Execution Environment (TEE) security scheme. The speech will cover; Lessons learnt within the TEE ecosystem, The latest evaluation... Read More

Common? C’mon! Over the years, the CC have struggled to establish a common understanding of where the bars shall be positioned that products must clear for a certain certification level.... Read More

Over the last few years Common Criteria has gone through a major change, some would say an upheaval. With the move to PP/cPP based exact conformance paradigm, two distinct schools... Read More

The concept of PP-Modules was added to the CC in 2017. The first PP-Modules are just now being written and published for public consumption. As a new concept, vendors and... Read More

The speakers will showcase tooling that is freely available to the Common Criteria community on GitHub at https://github.com/commoncriteria. Major contributions include: (1) Development of a formally-defined XML schema that provides... Read More

Connected devices are becoming a major part of all our lives. Dedicated connected devices are becoming more and more use case based, targeting for example, industrial applications, household applications, automated... Read More

Session Description TBA

Session description TBA

Session description TBA

Session description TBA

The FIA (Fédération Internationale de l’Automobile) is currently publishing a report of the “On-Board Telematics Platform (OTP) Security”. It addresses the importance for Mobility Clubs and Independent Service Providers (ISP)... Read More

Session Description TBA

CEN/CENELEC/ETSI and Smart Meter developers (ESMIG) started 7 years ago an initiative that resulted in a certified smart meter Protection Profile based on requirements from various countries and in line... Read More

An update from the editors of ISO/IEC 15408 General Model.

Digitalization of health systems is an ongoing process worldwide. This presentation gives an overview of the German eHealth scheme which is currently being established. Interaction of technical components (smart cards... Read More

The new ISO version of Common Criteria introduces an extra part 4 that defines a framework for deriving Evaluation Activities from work units of the CEM (ISO/IEC 18045) and grouping... Read More

In 2019, SGS and Graz University of Technology (TU Graz) announced the Cybersecurity Campus Graz, where SGS then located its global headquarter for Cybersecurity Services next to TU Graz’ Cybersecurity... Read More

Product security certifications in today’s ever-changing environment are impacting traditional markets. Common Criteria certification demand has soared in the European regulated markets for digital signature (eIDAS), deprecation of NIST algorithms... Read More

An update on the current status of the BIO-iTC, with a focus on the PAD toolboxes and how the requirements compare to the FIDO Alliance Biometric Certification program. The presentation... Read More

Presented is a customer experience journey in creating a draft Protection Profile for multi-tenant Software-as-a-Service (SaaS) applications running in a commercial public cloud. We define the security problem, threats, and... Read More

The presentation includes an update of the ND iTC since the last ICCC, latest NDcPP and module postings, where we are today and what we are planning.

This presentation will be an update on the German schema.

Session Description TBA

Japanese Scheme Update

5G systems support a wide range of verticals leading to different sets of security requirements. Some of these can be communalized, while others are exclusive to specific usages or associated... Read More

The purpose of the Hardcopy Devices collaborative protection profile (HCD cPP) is to facilitate efficient procurement of Commercial Off-The-Shelf product using the Common Criteria methodology for information technology security evaluation.... Read More

We were already in an era where new TOEs must be on the market like clockwork: this year’s phone must be evaluated, certified, and production must have started, before the... Read More

The project “National schema for the security and privacy evaluation and certification of IT products and systems compliant with Common Criteria” (KSO3C) is being implemented by a scientific consortium composed... Read More

Join atsec colleagues from Germany, Italy, Sweden, China and the US for an overview of atsec’s global InfoSec service offerings with a special focus on Common Criteria for the ICCC.... Read More

Malaysian has been using biometric fingerprint since 2001 when MyKAD first introduced. In the next few years, we envision a whopping change in trend since the other biometric modalities have... Read More

This presentation by the Certification Body of the CCN is oriented to provide an update of the certification activities of the Spanish Scheme. In the last two years, the scheme... Read More

COVID-19 outbreak has brought difficulties and new challenges to the entire industry, including CC evaluations and certifications. Maintaining the CCRA terms in this new pandemic scenario is crucial, for which... Read More

ISCI-WG1 is a key contributor in the Common Criteria (CC) and SOG-IS certification ecosystem. This talk is about ISCI-WG1 2020 achievements and how to tackle new challenges. Currently, ISCI-WG1 includes... Read More

Side-channel evaluation relies, for CC labs, on the lab expertise. However, owing to the dissemination of SCA requirements, a formal methodology is welcomed. Pioneering work done in ISO/IEC 17825 —... Read More

CC Scraper is a python script that analyses automatically the information from the CC portal using OCR capabilities, pdf reading and other features providing a comprehensive statistics report of the... Read More

We start from a question: How do we rate overall attack resistance level of a solution which is subjected to software exploitation attacks? In this presentation, we discuss solutions currently... Read More

This presentation will focus on the goals of CC certification in Canada, such as international collaboration, economic benefits, and assistance to government, critical infrastructure, and non-traditional applications. Our experiences with... Read More

Common Criteria (CC) or ISO/IEC 15408 allows the certification of the assurance of IT products. The standard has proven to be flexible for high-security use-cases especially for secure elements, security... Read More

An update on efforts by NIAP.An update on efforts by NIAP.An update on efforts by NIAP.

Evolution of the management of the changes in Common Criteria through the work of the ISCI WG1 “Changing certified products” subgroup and Thematic Group 5: “Continuity assurance and handling of... Read More

NIST has announced a transition to new algorithms that affect a wide range of cryptographic functions. The Triple-DES algorithm will be retired. The standards for key agreement, key transport and... Read More

U.S. government agencies need to quickly and affordably assess whether their mobile apps are compliant to NIAP’s Protection Profile for Application Software. A pilot conducted by DHS proved automated app-vetting... Read More

An update and demonstration of recent automation work by NIAP.

The Automotive market is undergoing a massive digital and cultural transformation. Traditionally driven by safety standards, the market is now adopting the new cyber security requirements in different shapes and... Read More

This presentation will give an overview of several initiatives for security evaluation and certification of 5G components, products or solutions. What are the technical challenges? What are the solutions? Is... Read More

More and more standards include the requirement for cryptographic agility. Although, these are just two simple words, they have a significant impact on how systems are designed around cryptographic algorithms.... Read More

Session Description TBA

The car industry’s digital transformation exposes new cybersecurity threats. In order to solve this, various standardizations on automotive cybersecurity are in progress, the most representative of which are the UNECE... Read More

Data is the lifeblood of the connected world. Data is gathered, stored, analyzed, and acted upon. This data is also an enabler in combating attacks from small to large scale.... Read More

Eurosmart ITSC, the evolution towards evaluation of HW IP blocks and the importance of vulnerability analysis and pen-testing against a properly defined PP to guarantee a high-level of security assurance. 

What do PCI, DTSec, ETSI EN 303645 and IEC 62443-4-2 have in common? As the number of IoT security certification frameworks used in public and private sectors, and across multiple... Read More

Conciliating product-based security and IP-protected third-party supplies has become a cornerstone for certification schemes in many sectors. Chip manufacturers, for example, are looking to protect their IP from software providers... Read More

There is no doubt that the state of security of IoT devices, especially Consumer IoT, could be significantly better. Compared to other industries, the security maturity level of the IoT... Read More

The next CC version will incorporate the Composite evaluation methodology as it has been already successfully used for decades within the domain of smart cards and similar devices. Composition evaluations... Read More

In an increasingly connected world, use cases across various IoT verticals now require payment functionality. This includes retail and e-commerce, smart home and entertainment, consumer wearables and mobile payment applications,... Read More

Securyzr iSE is an integrated Secure Element. It offers multiple services to the host system (ECU, IoT, iUICC, etc.) various services such as Secure Boot, Key management, etc. all along... Read More

EAL6 certifications have recently gained terrain. With CCv4 within reach and with an extensive experience in formal evaluations, the French and German schemes are proposing a formal methods usage approach... Read More

At ICCC 2019, we presented the work that had been carried out since 2014 by the ERNCIP (European Reference Network for Critical Infrastructure Protection) IACS Thematic Group towards the creation... Read More

Session Description TBA  

Common Criteria squarely targets products meant for on-prem. However, increasingly cloud services and containers are becoming increasingly becoming more and more important. Common Criteria risks of becoming slowly irrelevant if... Read More

The Common Criteria has been a framework for product evaluation of security functions since its inception in the late 1990s. As DevOps became the trend for development of agile cloud... Read More

September 21st, 2020 FIPS 140-3 was officially declared open for business! After years of waiting CMVP are now accepting validations based on ISO/IEC 19790 and ISO/IEC 24759. Building on his... Read More

The society in which we live is rapidly digitalising, more devices are developed, used and connected to each other, creating a digital ecosystem in which cyber incidents can have a... Read More

The Common Criteria User Forum provide a voice and communications channel among the CC community including the vendors, consultants, testing laboratories, Common Criteria organizational committees, national schemes, policy makers, and... Read More

In order to accommodate the growing need for IoT devices, this presentation proposes a security evaluation of these devices in the common criteria framework. We present ongoing work in Japan... Read More

An expert panel focused on the potential implications EUCC will have for the Common Criteria landscape.

The fourth edition of the ISO/IEC 15408 and ISO/IEC 18045 standards includes substantial changes. It introduces new mechanisms (multi-assurance, composition, direct rationale, exact conformance, evaluation methods, etc.) to address the... Read More

Worldwide the number of security regulations for end devices is increasing. From the US and Latin America, to Europe and across Asia, more National Agencies are launching their own mandates... Read More

While working on the update to the ISO standards ISO/IEC 15408 and 18045 (“Common Criteria”) the editors and experts in SC27 WG3 recently launched a call for contributions for their... Read More

We are continuously looking for efficient applications of the Common Criteria (CC). We create optimised methodology, utilise highly experienced people, and operate smooth processes to achieve that within the traditional... Read More

Technical standards organization, GlobalPlatform, will provide the latest updates to its security certification scheme, and explain how they are providing an industry-proven framework for manufacturers to build, labs to evaluate... Read More

Just as information and communication technology evolves, so do the security standards against which they are assessed. This presentation will provide an overview of established and emerging security standards and... Read More

The presentation includes an update of the ND iTC since the last ICCC, latest NDcPP and module postings, where we are today and what we are planning.

Patch-Management and how to maintain the level of assurance is one of the longest and challenging problems in the application of CC. The new Patch-Management concept based on an early... Read More

After many years of hard work, the Database iTC published their first cPP in 2020. With the iTC forming in 2018, this may initially look like a short timeline. In... Read More

Smartcards and similar devices are key fundamentals building blocks of today’s security, being included within all devices such as mobile phones, smart home, IOT and getting their way within cars... Read More

An update on the current status of the BIO-iTC, with a focus on the current set of documents under public review. The presentation will also discuss the PAD toolboxes and... Read More

Hardcopy Devices international Technical Community (HCD iTC) is a technical community to facilitate an efficient procurement of hardcopy devices using the Common Criteria methodology for information technology security evaluation. Recently,... Read More

Usually we say that the meaning of an assurance level is the set of evaluation activities that have been carried out. But it can be hard to relate those technical... Read More

The ACSC leads the Australian Government’s efforts to improve cyber security. Its role is to help make Australia a safe place to connect online. This session will present an update... Read More

This presentation states updates for Japanese Scheme.

The presentation will provide brief of India scheme, scope of activities and future plan.

A proposal to support the maintenance of the EU CC Scheme. Implementing the EU Common Criteria Scheme (EU CC Scheme) under the European Cybersecurity Certification Framework will take over the... Read More

jtsec will provide its view on how automatization will be a key factor in the Common Criteria evolution for the whole community (developers, evaluators and certifiers.)

Scheme Update from the German Federal Office for Information Security (BSI).

The session will present the latest activity of Eurosmart-ITSC: Secure Sub-System (3S) in SoC Protection Profile [PP-0117]. This PP describes the trend of integrated security sub system in SoC, such... Read More

This presentation will be an update on the French schema.

In 2020, first European cybersecurity certification scheme was published under the name EUCC. In general, it is intended to be a successor of SOG-IS MRA i.e. the Agreement that gathers... Read More

Mobile app security is often the weak spot in the Internet of Things. A specific issue we find time and again are Insecure Direct Object References (IDORs) in the APIs... Read More

The automotive market is encountering a revolution, under the combined effect of electrification and the progress of advanced driver-assistance systems (ADAS). Electronic chips require to meet very high standards in... Read More

CC Scraper is a tool developed by jtsec four years ago that that analyses automatically the information from the CC portal using OCR capabilities and other features. Including detailed insights... Read More

This presentation will cover the following; Overview of GSMA and 3GPP defined NESAS  Progress made on vendor auditing and product evaluations  NESAS in the context of the EU Cyber Security... Read More

For a couple of years now, NIAP has been promising that someday its validators would be replaced by an army of Common Criteria-aware robots. We are one step closer to... Read More

The goal of this presentation is to highlight the similarities and differences of NESAS and NDcPP certification. In particular the situation for components that can be used in both, mobile... Read More

Quantum Key distribution (QKD) is a vivid and fast developing field where many devices are in a pioneer or prototype stage, deployment of QKD devices in communication infrastructures is planned,... Read More

CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time... Read More

Expert panelists including users of the standard (schemes) and editors of the standard will discuss the future needs of the EUCC.

Luis Jimenez was unable to attend. Jose Miguel Loste from the Centro Criptologico Nacional of Spain presented.

It’s been a while since an ICCC was hosted in Spain. This presentation will provide an historic view on the evolution of the CC standard, market, actors, as well as... Read More

Highlight contributions that NIAP has made to the Common Criteria Recognition Arrangement by leading in Product Evaluations, Liaison between CCDB and CCUF, and serving as the CCMC Chair through 2023.... Read More

I know, I know: some of us come to the ICCC to complain that the CC only meets 1, maybe 2 of these goals. For possibly more years than we... Read More

CC Scraper is a tool developed by jtsec 5 years ago that that analyses automatically the information from the CC and CBs portals using OCR capabilities and other features. Including... Read More

ENISA’s mission is not only to develop the future European Cybersecurity Certification Schemes and related documents but also to make sure the ecosystem has all tools in hand to apprehend... Read More

During the 1990’s the introduction of the internet, web browser, email and resulting electronic services led to an initial commercialization wave of crypto and security technologies. During this time security... Read More

Is it possible to establish a confidential assurance environment that will allow independent 3rd party evaluators to conduct software security analysis of vendor proprietary (sensitive) software, while preserving the confidentiality... Read More

The Internet of Things (IoT) has the potential to connect everything with everything else even in the automotive sector: Vehicles are increasingly connected to backend services and corresponding business models.... Read More

In this session you will receive all information necessary to know what’s about to happen in the EU Cybersecurity certification ecosystem and the conformity assessment developments related to the Cyber... Read More

Within the smartcard and similar devices domain, the site audit must complain to MSSR (Minimum Site Security Requirements). Some of the developer applications to be considered are no more hosted... Read More

The Car Connectivity Consortium (CCC) consisting of over 150 members has developed a protection protocol to securely store, authenticate, and share digital keys in mobile devices and vehicles. The CCC... Read More

ENISA will provide an update on the progress of the EUCC scheme, including its supporting elements (guidance and state-of-the art documents, website, maintenance).

The COVID-19 pandemic crisis that hit the world in 2020, forced many companies to enable remote working opportunities to continue their operation while minimizing the amount of staff that had... Read More

Since July 2022, vehicle manufacturers who aim to place their new vehicles in countries including the EU, UK, Japan, South Korea and others, need to have their vehicles type-approved in... Read More

The CSA will improve the general security level of products and services, yet the implementation of the EUCC might create confusion. For a time, only security experts will be able... Read More

As one of the first iTCs, the Network iTC has received a list of comments from the Common Criteria Maintenance Board (CCMB) on its supporting documents for the NDcPP and... Read More

An important aspect of standards work for 3D printing is the aspect of software security as it pertains to the Digital Additive Manufacturing process thread. Currently there is internationally recognized... Read More

The presentation will cover what EA is and how accreditation works in Europe, the requirements that we expect to be applicable to conformity assessment bodies operating in the EUCC (both... Read More

Presented is an advanced application of the Common Criteria that has led to the development of a Protection Profile for a Quantum Computer. Specifically, we address the security requirements that... Read More

An expert panel focused on the potential implications EUCC will have for the Common Criteria landscape.

CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time... Read More

New concepts and changes in the 2022 edition of the CC standard. CC revision by ISO has generated lot of expectations since the process started back in 2016. With the... Read More

Common Criteria in its over two decades existence has seen many technology changes. Quantum crypto is just one of them – though could be a major one. While Quantum crypto... Read More

In this presentation the speaker will address one of the main challenges of CC evaluation/certification of mobile SOC’s and integrated SE’s. The current timelines for testing of the SOC are... Read More

Looking at comparisons of on-premises and cloud revenue for a Database Management System (DBMS) published by Gartner et al., you will see a dramatic push from on-premises to cloud over... Read More

In recent years, the CC community has intensely discussed the pros and cons of source code analysis as part of CC evaluations. There have been numerous concerns about losing intellectual... Read More

Hardware Security Modules (HSMs) become increasingly important in providing the root of trust for a variety of digital services. Today, HSMs safeguard multiple markets from banking, telecom and enterprise to... Read More

Scheme Update from the German Federal Office for Information Security (BSI).

Generating and validating a security target has historically been a thankless, tedious, and error prone endeavor. NIAP’s automation effort strives to turn this months-long slog into a pain free guided... Read More

The interest for lightweight certifications is increased by the industry in order to provide “quicker” assurance for its products. This talk aims to give a panorama on the different lightweight... Read More

This presentation will be an update on the Japanese Scheme.

ITSEF of Łukasiewicz-EMAG Institute has finished the first pilot evaluation for software TOE (EAL 4+) within the Polish Common Criteria evaluation scheme. The Polish evaluation scheme resulted from an R&D... Read More

Presentation attacks are a severe threat to biometric systems—artificial fingers fool fingerprint sensors, photographs printed on paper bypass facial recognition systems. Presentation Attack Detection (PAD) mechanisms are often in place,... Read More

The Cybersecurity Certification Centre (CCC) operates multiple schemes aimed at providing the security assurance that the product has undergone impartial examination and testing to ascertain that it is securely designed,... Read More

Quantum Key Distribution (QKD), which enables information theoretically secure key establishment, is about to be put into practical use. Security evaluation and certification of QKD modules are under standardization process... Read More

There are currently a large number of biometric solutions on the market, which are increasingly being applied in key sectors such as banking, public administration and insurance. In Spain, last... Read More

This expert panel features schemes, labs, and vendors talking about global developments in CC from their perspective.

AI/ML based solutions provide machines with intelligence where these solutions have the ability to process input from big data sets and provide outcomes. This is basically a prediction based on... Read More

An update on the current status of the BIO-iTC. The two main topics will be the ongoing work on defining requirements for Continuous Multifactor Authentication and updates related to the... Read More

The OpenTitan project is the first transparently developed silicon root of trust (RoT) reference design – for both discrete and integrated solutions. We will describe the unique benefits of openness... Read More

Soft-IP cores facilitate chip development with reusable hardware blocks. Reuse of Soft-IP evaluation results has been experimented with, but there is no widely accepted practice. The Eurosmart Soft-IP taskforce prepares... Read More

This expert panel discussion will focus on the growing problem of multiplicity of standards.

To support a smooth and efficient evaluation of Integrated Secure Elements compliant to PP-0117 (also called the Secure Sub-System (3S) in SoC), ISCI-WG1 and JHAS have collaborated in developing several... Read More

After many years of hard work, the Hardcopy Devices iTC (HCD iTC) published their first HCD cPP v1.0 in August 2022. HCD iTC is a technical community to facilitate an... Read More

Starting in 2019 with Android 9, Google started to evaluate Pixel devices to the requirements of the PP_MDF. While this directly supports Google in showing Pixel devices as capable of... Read More

The Common Criteria in the Cloud Technical Working group has been working on a solution for this problem defined in 2020: There is not yet a defined and accepted method... Read More

This presentation will outline the required steps to assess an entropy source including design analysis, entropy justification, and health testing to meet Common Criteria requirements from the NDcPP based on... Read More

In CSA, the issue of addressing vulnerability handling for Certified Solutions holds an important role, as stated in Articles 51,54 and 55. These provisions are indicative of the strong importance... Read More

Many electronic chips shall nowadays be amenable to be “multi-certified”. Let us consider the example of Vehicle-to-Anything (V2X) chips, which manage the secure transaction between a car and its environment... Read More

An expert discussion on vulnerability handling. Topics include legal issues, how to monitor, time limits, complexity of handling, and the needs of consumers.

Some Common Criteria schemes accept the Linux kernel’s random number generator as a sufficient entropy source only if the device from which applications request random data blocks requests until it... Read More

n-doc is an open source platform for creating developer CC documentation. n-doc produces high quality PDF files with generated hyperlinks for easy navigation. n-doc consists of LaTeX macros, Lua programs,... Read More

With more than 70 participants, the Eurosmart ISCI WG1 group is one of the main contributors to a common framework for certifications based on the Common Criteria standard up to... Read More

The security of mobile networks is as important as it’s ever been and with the advent of 5G, networks consider it part of critical infrastructure. Equipment Vendor Manufacturers looking to... Read More

Some products seem to defy certification when they are validated against a single security evaluation scheme. This situation becomes more difficult when validation against a second scheme is required and... Read More

Security protocols in emerging technologies, such as in networking area, are getting complex and requires a separate evaluation. For example, in IoT, there are now cryptographic protocols for provisioning, multi-factor... Read More

Protection Profile for Mobile Device Fundamentals has been used for many years in CC evaluations. ETSI has recently published a PP for Consumer Mobile Device (CMD). How does that affect... Read More

The use of different automation tools in Common Criteria is a reality. In recent years, it has been demonstrated that the capacity to take on a large number of Common... Read More

An expert panel discussion on the current cryptographic standards ecosystem, the status of FIPS 140-3, and its relationship to ISO/IEC 19790, with updates from the ISO WG, and CMUF.

FIPS Approved and NIST recommended cryptographic algorithms are integral to a successful PP-based Common Criteria evaluation. Several impactful NIST algorithm transitions are taking place which could add significant risk to... Read More

This panel, featuring industry leaders, will take a future-focused look at key challenges for Common Criteria, including ISO Standard developments, the move to to EUCC, automation, vulnerability management, maintaining converged... Read More

The market for IT products is constantly evolving. More and more vendors are developing products and services deployed only in the cloud (Cloud Native). This implies a paradigm shift in... Read More

This is on behalf of the 2022 – 2024 CCUF MG Chair. The Common Criteria User Forum provide a voice and communications channel among the CC community including the vendors,... Read More

Expert discussion on the status and outlook for EUCC.

An update on NIAP and CCRA, U.S. Scheme Updates, and NIAP Top Five Priorities for upcoming year.

Common Criteria and LINCE (i.e., Essential National Security Certification) are the two evaluation methodologies used by the Spanish Scheme to certify the security of IT products. However, these methodologies are... Read More

Expert discussion on the status and outlook of vulnerability handling.

This talk will be an update on work of the Biometrics iTC since the last ICCC. The topics covered will include: – work to align requirements across several evaluation schemes... Read More

Scheme update from the Certification Body of CCN (National Cryptologic Center) in Spain

In the context of the vulnerability analysis (AVA), automating the validation of the target resistance against physical attacks is a must. Checking the efficiency of side-channel and fault injection countermeasures... Read More

As is customary in the last editions of ICCC, the statistics related to Common Criteria provide significant market data. This year, stable data is presented. Data collection is done using... Read More

In this talk an update will be provided of the current and upcoming Common Criteria Schemes in the Netherlands: – The current CC scheme operating under CCRA and SOGIS: NSCIB... Read More

Side-channel attacks have been, for a long time, a threat on devices embedding cryptography. In terms of taxonomy, it is known as “Inherent Information Leakage (T.Leak-Inherent)”. Recently, the field of... Read More

This expert panel will review achievable conditions necessary to obtain mutual certificate recognition between the CCRA and the EUCC.

Overview of news, current projects and challenges in the German CC certification scheme.

The new Common Criterial brings in several upgrades over its predecessor especially in the evaluation methodology with a new part introduced as ISO/IEC 15408-4 titled “Framework for the specification of... Read More

Certificate maintenance is a quick and cost efficient process which allows us to extend the certificate validity to a new TOE version. However, the use of the maintenance process is... Read More

CC:2022 Release 1 includes substantial changes compared to the former versions. One of the most important is the inclusion of the new modularity and composition models. Modularity and composition could... Read More

ENISA will present an update on EUCC, with a presentation of the legal text, and explaining the different assurance levels and which CABs will operate, how CCRA and SOG_IS mandatory... Read More

The Common Criteria in the Cloud Technical Working group has been working on a solution for the following problem defined in 2020: “There is not yet a defined and accepted... Read More

1. ISO/IEC 15408:2022, ISO/IEC 18045:2022 2. Collaboration between ISO/IEC JTC 1/SC 27/WG 3 and the CCRA 3. CC Roadmap: PWI 19562 “Investigation of the feasibility and implementation of changes to... Read More

ENISA will present the possible evolution of the EUCC, such as new supporting documents into preparation, and possible evolutions in the selection of the standards supporting the accreditation of CABs…

While CC evaluations traditionally focused on on-premises topologies, the increasing adoption of cloud infrastructure necessitates the assessment of product security in these environments. The CC in the Cloud Working Group... Read More

Now that the EUCC act is in public review and soon will be signed, the long held questions of “how does a CAB implement the EUCC?” and how “how do... Read More

Over recent years, the emphasis in intelligent vehicle research has turned to Cooperative Intelligent Transportation Systems (C-ITS), in which vehicles communicate with each other and/or with the infrastructure via C-ITS... Read More

On October 25, NIAP’s first public Cloud evaluation “kicked-off” – Microsoft Intune conforming to NIAP’s Mobile Device Management Protection Profile version 4.0 and Mobile Device Management Agent PP module version... Read More

1. ISO/IEC 15408:2022, ISO/IEC 18045:2022 2. Collaboration between ISO/IEC JTC 1/SC 27/WG 3 and the CCRA 3. CC Roadmap: PWI 19562 “Investigation of the feasibility and implementation of changes to... Read More

This talk will be an update on the Japanese Scheme.

An expert discussion on the status and outlook for Common Criteria in the cloud.

An update from the CC scheme down under—the Australian Information Security Evaluation Program (AISEP)

What’s new in Common Criteria 2022 (CC:2022) and what is different from Common Criteria 3.1 Revision 5? (CC 3.1R5). This talk will outline some of the major differences and will... Read More

This talk explores the evolution of Malaysia’s cybersecurity certification scheme, transitioning from the globally recognized Common Criteria Evaluation and Certification Scheme to the Technology Security Assurance (TSA) – Malaysia Product... Read More

The new version of Common Criteria includes new entities in its conceptual model, most of them based on the evolution of the NIAP’s evaluations (PP configurations, PP modules, Functional Packages,... Read More

Imagine a scenario where one is tasked with drafting a Protection Profile (PP) or Security Target (ST) that must align with the rigorous Common Criteria (CC) standards. The process involves... Read More

Virtualized environments rely on high-quality entropy for generating cryptographic keys and securing sensitive data. In many cases, the entropy sources within the VM or sourced from hypervisor may be of... Read More

PP-Modules and Functional Packages ensure common requirements across different product types, which is great and as it should be. Yet at the same time, this has led to an increase... Read More

Artificial Intelligence is taking the world like a storm. AI is also very different from conventional Common Criteria evaluations where it is mainly focused on products. This talk explores the... Read More

Expert discussion on the status and outlook of cryptographic standards.

The qualification of the lab which performs a CC evaluation is absolutely crucial for the level of assurance you will get. The International Common Criteria Recognition Agreement (CCRA) and the... Read More

This talk discusses the implementation of a measurable life cycle in a medium-sized company specializing in high-tech secure communication solutions. The company has developed and implemented models, processes, and tools... Read More

This talk will provide an update on the work of the DSC iTC over the last year. The topics will include: – Current status of updates to feedback from the... Read More

Can a Dilithium signing component meet the AVA_VAN.5 security level? At this level, the evaluating laboratory operates under “gloves off” conditions, thoroughly assessing the device’s security against a highly capable... Read More

A high level of trustworthiness in CC certifications require high evaluation efforts, since proven security can only be based on knowledge and facts, not on trust. An unjustified criticism of... Read More

There is a noticeable rise in the demand for certifications of MDM Trusted Servers against BSI-CC-PP-0115/0116 on EAL4+(ALC_FLR.3), which aligns with EUCC requirements. The following points will be addressed during... Read More

Quantum computing is on the horizon, algorithm choices are crystalizing, and vendors are facing a forced trek through a lattice of uncertainty. This talk will discuss the quantum resistant algorithms... Read More

An overview of the supply chain cybersecurity program of the US Department of Defense.

The actual operation of quantum key distribution (QKD), which is necessary for realizing information-theoretically secure key sharing, is about to begin in various countries. As part of the activities of... Read More

In their talk, the speakers will discuss how the implementation of Common Criteria will contribute to the growth of Europe’s industrial ecosystem for quantum communication technologies and systems. They will... Read More

Open RAN technology (and in general multi-vendor mobile network) is a novel approach for the building of mobile networks that assumes the open definition of interfaces for the separation of... Read More

The CCDB Crypto WG is tasked by the CCDB to develop a catalogue with a collection of often used crypto SFRs with already completed operations on the SFRs with the... Read More

The typical developer will document their source code reasonably well, at times substituting code comments for formal documentation entirely. Still, little effort is taken to generate documentation for evaluations from... Read More

This talk shows how CC and CEM can be adapted to the security evaluation of industrial automation and control systems (IACS). The IACS are often used in critical infrastructures like... Read More

With NIST requiring compliance with SP 800-9B and NIAP moving that way, figuring out how to meet all the 90B requirements has become a real challenge for vendors. This talk... Read More

Meeting Customers Expectations and Requirements in times of dramatically changing legal and technological environment is not easy. Upcoming legislation and regulation changes in Europe meet changes in the United States... Read More

This talk examines the transition from the Security Evaluation for Secure IoT Platforms (SESIP) to the more stringent Common Criteria, focusing on the challenges faced by vendors. While a single... Read More

The use of cryptographic primitives to safeguard sensitive information in hardware, software, and firmware products is witnessing widespread adoption. Recognizing the increasing cryptographic requirements, CCN (Certification Body for National Cryptology)... Read More

This talk will provide an update on the ND iT since the last ICCC, including the latest NDCPP and module postings. The speakers will discuss the current status of the... Read More

Over the past two years, we have seen numerous failings of products due to issues within their software supply chain. Unfortunately, supply chains have become a key attack vector. Supply... Read More

Overview of the Commercial Solutions for Classified (CSfC) program’s structure and value to its end customer community, and this program’s reliance on layered security provided by multiple CC certified products.... Read More

This expert panel discussion will reprise a discussion from 2022 focusing on the growing problem of multiplicity of standards, and will cover progress in the year since.

This talk highlights the progress made by the Hardcopy Devices international Technical Community (HCD iTC) in advancing hardcopy device security standards. It focuses on the development and publication of the... Read More

Overview the Department of Defense Information Network (DoDIN) Approved Products List (APL) certification as a DoD procurement requirement for hardware products. Compared and contrasted the objectives of CC and DODIN... Read More

As many authorities and regulated industries have published guidelines emphasizing the importance of defense-in-depth and reliance on database security, the security of a Database Management System (DBMS) holds great relevance... Read More

The State of Qatar aims to advance supply chain cyber resilience at a national level by proactively identifying and addressing key risk areas within the cyber security supply chain. This... Read More

This talk provides an update on the activities of the CCDB.

This talk provides an update on the activities of the CCMC.

A ceremony to welcome new members to the CCRA.

Certified products do not contain known vulnerabilities is a common theme for many regulatory frameworks including Common Criteria. As new vulnerabilities pop up all the time, it makes evaluations of... Read More

The Common Criteria User Forum provides a voice and communications channel among the CC community, including vendors, consultants, testing laboratories, Common Criteria organizational committees, national schemes, policymakers, and other interested... Read More

This expert discussion covers the status and outlook for EUCC.

This expert discussion covers the status and outlook of vulnerability handling. Common Criteria (CC) addresses vulnerability handling through a combination of security requirements and evaluation activities. CC primarily focuses on... Read More

As usual in previous editions of ICCC, the statistical insights regarding Common Criteria provide invaluable market data. This year, a sustained growth in the number of certifications can be observed.... Read More

This talk aims to provide an overview of the recent developments in the Singapore Common Criteria Scheme and Cybersecurity Labelling Schemes. This session will delve into the enhancements made to... Read More

The study of the Common Criteria ecosystem, involving over 5,700 certified products and aided by the analytical tool sec-certs, unveils compelling findings. Notably, 61% of smartcard-related items have certified dependencies,... Read More

This talk will provide an update on JISEC and Japan Scheme updates.

Confidential computing provides protection to data during processing, particularly for data being processed in a cloud or mobile environment. Beyond that, the definitions vary from vendor to vendor. This talk... Read More

Soft-IP cores facilitate chip development with reusable hardware blocks. Reuse of Soft-IP evaluation results has been experimented with, but there is no widely accepted practice. As presented two years ago,... Read More

With the adoption of the European Regulation eIDAS 2.0, a legal framework of requirements for electronic signatures is established, introducing the notion of electronic signatures created using a remote signature... Read More

This talk will explore the insights gained from the implementation of EUCC in the Netherlands. Additionally, future actions and the steps towards authorizing the issuance of the first EUCC certificates... Read More

Tracking known vulnerabilities in open-source libraries as Common Vulnerabilities and Exposures (CVE), and distribution via special databases such as those hosted by MITRE, has been the de-facto standard for supply... Read More

This talk will discuss the latest updates of the French scheme. It will highlight the most recent improvements, especially an internal reorganization to welcome EUCC.

NIAP started a SBOM pilot on 1st March 2024 (Policy 30) for NIAP’s Application Software Protection Profile. The purpose of this project is the usage of SBOMs for vulnerability analysis... Read More

Common Criteria’s biggest benefit for vendors is the mutual agreement between signatory countries. This enables vendors to certify once and sell in multiple geographies. One of the biggest pain points... Read More